Search code examples
linuxsetuidlinux-capabilities

How Linux Capabilities relate to zero/non-zero UID?

The capabilities manpage is rather long and I do not fully understand some things.

How would look, for example, a function that decides whether we have access to CAP_NET_RAW?

Input:

  • a = Effective uid is 0
  • b = There are some real/saved/whatever uid that is 0
  • c = CAP_NET_RAW is +e
  • d = CAP_NET_RAW is +i
  • e = CAP_NET_RAW is +p
  • f = CAP_NET_RAW is excluded from the "bounding set"

Output:

  • x = we can now call socket and not get EPERM
  • y = after some trickery (not involving filesystem-based chmod +s or setcap access elevations or connecting to external helpers), e.g. with capsetp we can finally allow ourselves to open the raw socket.

As I currently understand it is something like this:

  • x = !f && (a || c)
  • y = !f && (b || a || c || e)

How is it in reality?

Solution

  • Read the docs a bit more, now it seems like it is this:

    x = c
can_regain_caps_without_execve = (a || b) && !NO_NEW_PRIVS && (!SECBIT_NO_SETUID_FIXUP || ( CAP_SETPCAP && !SECBIT_NO_SETUID_FIXUP_LOCKED))
y = c || e || can_regain_caps_without_execve

    I.e.

    • Zero/nonzero uid is only meaningful when it changes and "root hacks" are active;
    • Only effective capabilities are used for checks; everything else is capability management;
    • Bounding set and inherited capabilities are about execve => out of scope for this answer.