[pkg-bacula-devel] Hardening systemd

Sven Hartge sven at svenhartge.de
Sun Dec 30 23:46:02 GMT 2018


On 31.12.18 00:20, Sven Hartge wrote:
> At 20:37 on 29.12.18, Sven Hartge wrote:
> 
>> It would be nice if there was some form of audit wrapper one could use 
>> to see which capabilities a program uses.
> 
> There is:
> 
> http://www.brendangregg.com/blog/2016-10-01/linux-bcc-security-capabilities.html
> https://github.com/iovisor/bcc/blob/master/tools/capable.py
> 
> in combination with bpfcc-tools in Debian. Needs a 64bit system though.

Also "grep ^Cap /proc/PID/status" shows the capability mask of a process:

$ grep ^Cap /proc/`pidof bacula-fd`/status
CapInh: 0000000000000000
CapPrm: 00000001982a83ff
CapEff: 00000001982a83ff
CapBnd: 00000001982a83ff
CapAmb: 0000000000000000

CapEff are the effective capabilities, CapBnd is the Bounding-Set.

capsh from libcap2-bin decodes this:

$ /sbin/capsh --decode=0x00000001982a83ff
0x00000001982a83ff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_ipc_owner,cap_sys_rawio,cap_sys_ptrace,cap_sys_admin,cap_mknod,cap_lease,cap_setfcap,cap_mac_override

Since "0000003fffffffff" is the maximum value currently, one can
subtract "00000001982a83ff" from this to get all removed capabilities:

0x0000003e67d57c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_module,cap_sys_chroot,cap_sys_pacct,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_audit_write,cap_audit_control,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read

Doing this for a user-process shows:

$ grep ^Cap /proc/$$/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

So while the bounding set has all bits set, the effective capabilities
are already zero, which makes setting the CapabilityBoundingSet for
bacula-sd and bacula-dir a NOOP and safe to do, but it protects against
an attacker who compromises the process and would be able to gain
elevated permissions. Having no capabilities would severely hinder any
further abuse.


Regards,
Sven.
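The decoding and subtraction described above, done without capsh, as an added example that is not part of the original mail or of the bacula packaging. The CAP_NAMES table is the kernel's bit ordering as it appears in the capsh output above (bits 0..37, which is why the full set is 0x3fffffffff); the two status dumps are constructed from the values quoted in the mail, and the bounding_set_directive() helper that turns a CapEff mask into a systemd CapabilityBoundingSet= line is this example's own addition. Bits above the table (newer kernels append further capabilities) are reported as cap_<bit> rather than dropped silently.

```python
#!/usr/bin/env python3
"""Decode the Cap* lines of /proc/PID/status and list what was removed.

Added example for the capability discussion above; not code from the
pkg-bacula-devel thread. Usage: cap_decode.py [PID]; with no PID the
two sample dumps constructed from the mail are decoded instead.
"""
import re
import sys

# Capability bit positions 0..37 in kernel order. Newer kernels add bits
# beyond this table; they are rendered as cap_<bit> by cap_name().
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# Mask with every capability in the table set: 0x3fffffffff, the "maximum
# value" the mail subtracts from.
ALL_CAPS = (1 << len(CAP_NAMES)) - 1

# Sample /proc/PID/status fragments, constructed from the values in the mail.
BACULA_FD_STATUS = """Name:\tbacula-fd
CapInh:\t0000000000000000
CapPrm:\t00000001982a83ff
CapEff:\t00000001982a83ff
CapBnd:\t00000001982a83ff
CapAmb:\t0000000000000000
"""
SHELL_STATUS = """Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""


def cap_name(bit):
    """Name for a capability bit; unknown (newer) bits become cap_<bit>."""
    return CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit


def decode(mask):
    """Names of all capabilities whose bit is set in mask, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(cap_name(bit))
        bit += 1
    return names


def dropped(mask, full=ALL_CAPS):
    """Capabilities present in `full` but cleared in `mask` (the mail's subtraction)."""
    return decode(full & ~mask)


def parse_status(text):
    """Parse the Cap* lines of a /proc/PID/status dump into {'Eff': int, ...}.

    CapAmb is optional (absent on kernels before 4.3); the other four must exist.
    """
    sets = {}
    for m in re.finditer(r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s*([0-9a-fA-F]+)\s*$",
                         text, re.M):
        sets[m.group(1)] = int(m.group(2), 16)
    missing = sorted({"Inh", "Prm", "Eff", "Bnd"} - set(sets))
    if missing:
        raise ValueError("no Cap%s line in status" % missing[0])
    return sets


def bounding_set_directive(sets):
    """systemd CapabilityBoundingSet= line keeping only what CapEff holds.

    An empty value (CapabilityBoundingSet=) drops every capability, which is
    the case for a process whose CapEff is already zero.
    """
    return "CapabilityBoundingSet=" + " ".join(n.upper() for n in decode(sets["Eff"]))


def report(label, text):
    sets = parse_status(text)
    print("== %s" % label)
    for name in ("Inh", "Prm", "Eff", "Bnd", "Amb"):
        if name in sets:
            print("Cap%s %016x: %s" % (name, sets[name], ", ".join(decode(sets[name])) or "-"))
    print("removed from bounding set: %s" % (", ".join(dropped(sets["Bnd"])) or "-"))
    print(bounding_set_directive(sets))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open("/proc/%d/status" % int(sys.argv[1])) as fh:
            report("pid %s" % sys.argv[1], fh.read())
    else:
        report("bacula-fd (sample)", BACULA_FD_STATUS)
        report("user shell (sample)", SHELL_STATUS)
```

Note that the decoded bacula-fd list still contains cap_sys_admin, cap_sys_ptrace, cap_dac_override and cap_setuid, so a CapabilityBoundingSet= line generated from CapEff only records what the process happens to hold; which of those the daemon actually exercises is the question the bcc capable tool linked above answers.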
