Bug 839993 - captest --drop-caps output changed in RHEL7
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libcap-ng
Version: 7.0
Hardware: All Linux
Priority: high
Severity: high
Target Milestone: beta
Target Release: ---
Assigned To: Steve Grubb
QA Contact: BaseOS QE Security Team
Keywords: Reopened
Reported: 2012-07-13 07:58 EDT by Miroslav Vadkerti
Modified: 2015-08-13 04:48 EDT
Doc Type: Bug Fix
Last Closed: 2015-08-13 04:48:30 EDT
Type: Bug
Description Miroslav Vadkerti 2012-07-13 07:58:07 EDT
Description of problem:
RHEL6 output:
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    00000003, FFFFFFFF
Permitted:    00000003, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS

RHEL7 output:
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    0000000F, FFFFFFFF
Permitted:    0000000F, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 0000000F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

Version-Release number of selected component (if applicable):
libcap-ng-0.6.6-2.el7

How reproducible:
100%

Steps to Reproduce:
1. captest --drop-caps
  
Actual results:
Results differ

Expected results:
Results the same as in RHEL6

Additional info:
If this problem is expected, please let me know and I will fix the test.
Comment 1 Steve Grubb 2012-07-13 09:06:03 EDT
Unless I missed something, the only difference I see is that there are more capabilities in RHEL7 than RHEL6. This is like the explanation in bz 839995. I think this can be closed.
Comment 2 Karel Srot 2015-08-12 10:24:59 EDT
Hello Steve, 
I am sorry for reopening, but I don't think that newly introduced capabilities make the difference.

RHEL-6:

# uname -a
Linux palava.usersys.redhat.com 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.6.4-3.el6_0.1.x86_64

# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin
Securebits: 00/0x0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0


# captest --drop-caps
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    00000003, FFFFFFFF
Permitted:    00000003, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

# capsh --decode=00000003
0x0000000000000003=cap_chown,cap_dac_override


RHEL-7:

# uname -a
Linux qeos-10.lab.eng.rdu2.redhat.com 3.10.0-302.el7.x86_64 #1 SMP Fri Jul 31 18:34:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.7.5-2.el7.x86_64

# captest --drop-caps
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    0000001F, FFFFFFFF
Permitted:    0000001F, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 0000001F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

# capsh --decode=0000001F
0x000000000000001f=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid

So the difference in capabilities that WERE NOT dropped on RHEL-7 is: cap_dac_read_search,cap_fowner,cap_fsetid
As can be seen in the RHEL-6 output all 3 capabilities are known on RHEL-6.

The same issue occurs with --text and --lock.
Comment 4 Steve Grubb 2015-08-12 11:20:56 EDT
Note that the ones on the left are higher order bits than just 0x1F. They are capabilities 32 - 37. You can use the --text option to captest to get translated output instead of numbers.
Comment 5 Karel Srot 2015-08-13 04:48:30 EDT
I see, sorry for my mistake.
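
The point made in comment 4, worked through as an added example (not part of the original bug report and not libcap-ng code): each numeric captest line is read as one 64-bit mask with the left word as bits 32 and up, and the RHEL-6 and RHEL-7 bounding sets are then compared. The function names are this example's own, and the names for bits 34-37 are taken from linux/capability.h rather than from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability names by bit number, from linux/capability.h (bits 0-37). */
static const char *const CAP_NAMES[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
};
#define NCAPS (sizeof CAP_NAMES / sizeof CAP_NAMES[0])

/* Parse a captest numeric line, e.g. "Effective:    0000001F, FFFFFFFF".
 * Left word = capabilities 32 and up, right word = capabilities 0-31.
 * Returns 0 on success, -1 when the line carries no "HEX, HEX" pair. */
int parse_captest_mask(const char *line, uint64_t *mask)
{
    const char *p = strchr(line, ':');
    unsigned int hi, lo;
    if (!p || sscanf(p + 1, " %8x , %8x", &hi, &lo) != 2)
        return -1;
    *mask = ((uint64_t)hi << 32) | lo;
    return 0;
}

/* Name for one capability bit, or "unknown" past the end of the table. */
const char *cap_name(unsigned bit)
{
    return bit < NCAPS ? CAP_NAMES[bit] : "unknown";
}

int main(void)
{
    uint64_t el6, el7;
    /* Lines copied from the RHEL-6 and RHEL-7 captest output in comment 2. */
    if (parse_captest_mask("Bounding Set: 00000003, FFFFFFFF", &el6) ||
        parse_captest_mask("Bounding Set: 0000001F, FFFFFFFF", &el7))
        return 1;
    uint64_t extra = el7 & ~el6;   /* bits set on RHEL-7 only */
    for (unsigned bit = 0; bit < 64; bit++)
        if ((extra >> bit) & 1)
            printf("bit %u: %s\n", bit, cap_name(bit));
    return 0;
}
```

Passing only the left word to `capsh --decode` treats it as bits 0-4, which is how cap_dac_read_search, cap_fowner and cap_fsetid appeared in comment 2.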
