Detailed explanation of the setcap command

Detailed explanation of setcap command

Detailed explanation of the setcap command. In Linux, the most common use of the setcap command is to restrict the use of ports above 1024, also known as privileged ports. Port restrictions can be performed without going through a firewall. The main purpose is to divide the privileges of the root user, that is, to divide the root privileges into different capabilities, each of which represents a certain privileged operation.

uzbox

2022-10-31

What is setcap command

Detailed explanation of setcap command, in Linuxsetcap CommandThe most common method is to restrict the use of ports above 1024, also known as privileged ports, which can be restricted without going through a firewall. The main purpose is to divide the privileges of the root user, that is, to divide the root privileges into different capabilities, each of which represents a certain privileged operation.

The main idea of Capabilities is to divide the privileges of the root user, that is, to divide the root privileges into different capabilities, each capability represents a certain privileged operation. For example: the capability CAP_SYS_MODULE represents the privileged operation that the user can load (or unload) the kernel module, and CAP_SETUID represents the privileged operation that the user can modify the user identity of the process. In Capbilities, the system will perform access control for privileged operations based on the capabilities of the process.
In Capilities, only processes and executable files have capabilities. Each process has three sets of capabilities, namely cap_effective, cap_inheritable, and cap_permitted (respectively abbreviated as: pE, pI, and pP). Among them, cap_permitted represents the maximum capability set possessed by the process; cap_effective represents the capability set currently available to the process, which can be regarded as a subset of cap_permitted; and cap_inheitable represents the capability set that the process can pass to its child processes. The system performs access control based on the process's cap_effective capability set. cap_effective is a subset of cap_permitted. The process can give up some of the privileges of the process by canceling some capabilities in cap_effective. Executable files also have three sets of capability sets, corresponding to the three sets of capability sets of processes, called cap_effective, cap_allowed and cap_forced (abbreviated as fE, fI, fP respectively). Among them, cap_allowed represents the capability set that can be integrated from the cap_inheritable of the original process when the program is running, cap_forced represents the capability set that must be possessed when the file is running to complete its service; and cap_effective represents the capabilities that can be used when the file starts running.
1. Implementation mechanism of Capabilities in Linux kernel
The concept and mechanism of Capabilities have been added to the Linux kernel since version 2.2, and have been gradually improved with each version upgrade. In Linux, root permissions are divided into the following 29 capabilities:
CAP_CHOWN: Change the permissions of the file owner
CAP_DAC_OVERRIDE: Ignore the DAC access restrictions of the file
CAP_DAC_READ_SEARCH: Ignore DAC access restrictions for file read and directory search
CAP_FOWNER: Ignore the restriction that the file owner ID must match the process user ID
CAP_FSETID: Allows setting the setuid bit of a file
CAP_KILL: Allows sending signals to processes that do not belong to you
CAP_SETGID: Allows changing the group ID of a process
CAP_SETUID: Allows changing the user ID of a process
CAP_SETPCAP: Allows transfer of capabilities to other processes and removal of capabilities from other processes
CAP_LINUX_IMMUTABLE: Allows modification of the IMMUTABLE and APPEND attribute flags of a file
CAP_NET_BIND_SERVICE: Allows binding to ports less than 1024
CAP_NET_BROADCAST: Allows network broadcast and multicast access
CAP_NET_ADMIN: Allows you to perform network administration tasks
CAP_NET_RAW: Allows use of raw sockets
CAP_IPC_LOCK: Allows locking of shared memory segments
CAP_IPC_OWNER: Ignore IPC ownership check
CAP_SYS_MODULE: Allows insertion and removal of kernel modules
CAP_SYS_RAWIO: Allows direct access to /devport, /dev/mem, /dev/kmem and raw block devices
CAP_SYS_CHROOT: Allows use of the chroot() system call
CAP_SYS_PTRACE: Allows tracing of any process
CAP_SYS_PACCT: Allows BSD-style auditing of processes
CAP_SYS_ADMIN: Allows you to perform system administration tasks, such as loading or unloading file systems, setting disk quotas, etc.
CAP_SYS_BOOT: Allows rebooting the system
CAP_SYS_NICE: Allows raising the priority of processes and setting the priority of other processes
CAP_SYS_RESOURCE: Ignore resource limits
CAP_SYS_TIME: Allows changing the system clock
CAP_SYS_TTY_CONFIG: Allows configuration of TTY devices
CAP_MKNOD: Allows use of the mknod() system call
CAP_LEASE: Allows modification of the FL_LEASE flag of the file lock

Example:

When installing Wireshark, one step is to give dumpcap permission to read the network card, so that ordinary users can also use Wireshark to capture packets.
# setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/dumpcap

Use SetUID chmod u+s /path/to/application

As the root user, use the setcap command to add the "cap_net_admin,cap_net_raw+ep" permissions to the executable file /bin/ping, so that ordinary users can use ping.
#setcap 'cap_net_admin,cap_net_raw+ep' /bin/ping

Check:
[root@rhel671 ~]# getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+ep

Note: setcap is generally used for binary executable files. setcap is invalid when used for script files (such as script files starting with #!/bin/python)

Ports within 1024:
setcap cap_net_bind_service=+eip /home/tengine/nginx/tengine/sbin/nginx

-r is to clear additional permissions:
setcap -r nginx

Set TOMCAT to allow non-ROOT users to start ports below 1024

setcap cap_net_bind_service=+eip /opt/tomcat/bin/startup.sh

score