Bug 839993 - captest --drop-caps output changed in RHEL7
Summary: captest --drop-caps output changed in RHEL7
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libcap-ng
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: beta
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-07-13 11:58 UTC by Miroslav Vadkerti
Modified: 2015-08-13 08:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-13 08:48:30 UTC
Target Upstream Version:
Embargoed:



Description Miroslav Vadkerti 2012-07-13 11:58:07 UTC
Description of problem:
RHEL6 output:
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    00000003, FFFFFFFF
Permitted:    00000003, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS

RHEL7 output:
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    0000000F, FFFFFFFF
Permitted:    0000000F, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 0000000F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

Version-Release number of selected component (if applicable):
libcap-ng-0.6.6-2.el7

How reproducible:
100%

Steps to Reproduce:
1. captest --drop-caps
  
Actual results:
Results differ

Expected results:
Results the same as in RHEL6

Additional info:
If this problem is expected, please let me know and I will fix the test.

Comment 1 Steve Grubb 2012-07-13 13:06:03 UTC
Unless I missed something, the only difference I see is that there are more capabilities in RHEL7 than RHEL6. This is like the explanation in bz 839995. I think this can be closed.

Comment 2 Karel Srot 2015-08-12 14:24:59 UTC
Hello Steve, 
I am sorry for reopening, but I don't think that newly introduced capabilities make the difference.

RHEL-6:

# uname -a
Linux palava.usersys.redhat.com 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.6.4-3.el6_0.1.x86_64

# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin
Securebits: 00/0x0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0


# captest --drop-caps
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    00000003, FFFFFFFF
Permitted:    00000003, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

# capsh --decode=00000003
0x0000000000000003=cap_chown,cap_dac_override


RHEL-7:

# uname -a
Linux qeos-10.lab.eng.rdu2.redhat.com 3.10.0-302.el7.x86_64 #1 SMP Fri Jul 31 18:34:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.7.5-2.el7.x86_64

# captest --drop-caps
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    0000001F, FFFFFFFF
Permitted:    0000001F, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 0000001F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

# capsh --decode=0000001F
0x000000000000001f=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid

So the difference in capabilities that WERE NOT dropped on RHEL-7 is: cap_dac_read_search,cap_fowner,cap_fsetid
As can be seen in the RHEL-6 output all 3 capabilities are known on RHEL-6.

The same issue occurs with --text and --lock.

Comment 4 Steve Grubb 2015-08-12 15:20:56 UTC
Note that the ones on the left are higher order bits than just 0x1F. They are capabilities 32 - 37. You can use the --text option to captest to get translated output instead of numbers.
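
Added example (not part of the bug thread or of libcap-ng): a decoder for captest's numeric output that follows the reading given in comment 4, treating the left word as the upper 32 bits and the right word as the lower 32 bits of one 64-bit mask. The name table is taken from `<linux/capability.h>` (capabilities 0 to 36); the sample inputs are constructed from the child capability lines quoted in comment 2, and the function names are hypothetical.

```python
import re

# Capability numbers 0-36 in the order defined in <linux/capability.h>.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace
sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config
mknod lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend""".split()

# Matches lines such as "Effective:    0000001F, FFFFFFFF".
LINE = re.compile(r"^(Effective|Permitted|Inheritable|Bounding Set):\s+"
                  r"([0-9A-Fa-f]{8}),\s*([0-9A-Fa-f]{8})\s*$")

def parse_captest(text):
    """Return {set name: 64-bit mask} from captest's numeric output."""
    masks = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # Left word holds capabilities 32 and up, right word holds 0-31.
            upper, lower = int(m.group(2), 16), int(m.group(3), 16)
            masks[m.group(1)] = (upper << 32) | lower
    return masks

def cap_names(mask):
    """Translate a 64-bit mask to names; unknown bits are shown by number."""
    return ["cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
            for b in range(64) if mask >> b & 1]

def extra_caps(old_text, new_text, which="Effective"):
    """Capabilities set in new_text's mask but not in old_text's."""
    old, new = parse_captest(old_text)[which], parse_captest(new_text)[which]
    return cap_names(new & ~old)

# Constructed samples: child capability lines as quoted in comment 2.
RHEL6 = """Effective:    00000003, FFFFFFFF
Bounding Set: 00000003, FFFFFFFF"""
RHEL7 = """Effective:    0000001F, FFFFFFFF
Bounding Set: 0000001F, FFFFFFFF"""

if __name__ == "__main__":
    print(hex(parse_captest(RHEL7)["Effective"]))
    print(extra_caps(RHEL6, RHEL7))
```

Decoding only the left word as if it were the low bits, as `capsh --decode=0000001F` does in comment 2, yields names for bits 0 to 4 instead of bits 32 to 36.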

Comment 5 Karel Srot 2015-08-13 08:48:30 UTC
I see, sorry for my mistake.

