Saturday, May 27, 2023

Linux Privilege Escalation using Capabilities

 



What are Capabilities in Linux? How do they differ from SUID?

Before Capabilities in Linux, the SUID and SGID bits were the only way to permit a non-root user to perform an action reserved for privileged users. The SUID bit makes a binary execute as the file owner rather than as the user who runs it. The SGID bit does the same for the group owner. SUID and SGID are easily exploited when misconfigured, since they allow any user to perform any action that the file owner could.

Capabilities are more secure because the restrictions are set on specific kernel calls, rather than??. All kernel calls are split and grouped by related functionality, and each group can be assigned to a binary. Linux capabilities therefore allow more effective privilege control. However, just like SUID and SGID bits, Capabilities are also vulnerable to misconfiguration, and a misconfigured Capability can provide privilege escalation to the root user.

Now with Linux capabilities explained, let’s see how to exploit them for Linux privilege escalation.

How to exploit Capabilities for Privilege Escalation?

Unlike SUID or SGID bits, which are found with the “find” command, Capabilities can only be found with the following command:

getcap -r / 2>/dev/null

Here,

  1. “getcap” is the main command that finds and outputs the capabilities.
  2. “-r /” means to search recursively from the root directory, that is, the whole file system.
  3. “2>/dev/null” discards error messages, which are mostly caused by inaccessible directories.
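
To use that listing for an audit, the following added example (not from the original post) filters getcap output for capabilities that warrant review. The HIGH_RISK list, the function names and the sample paths are assumptions of this example; both the older "path = caps+ep" and the newer "path caps=ep" output formats are parsed.

```shell
#!/bin/sh
# Added example: triage getcap output. HIGH_RISK is this example's own
# review list (an assumption), not an exhaustive policy.
HIGH_RISK="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# audit_caps: read getcap output on stdin and print
# "path<TAB>capability<TAB>flags" for each high-risk capability that is
# in the effective or permitted set.
audit_caps() {
  awk -v risky="$HIGH_RISK" '
    BEGIN { n = split(risky, r, " "); for (k = 1; k <= n; k++) bad[r[k]] = 1 }
    {
      # Peel capability clauses off the right; the rest is the path,
      # which may itself contain spaces.
      i = NF
      while (i > 1 && $i ~ /^(cap_[a-z_0-9,]+|all)?[=+-][eip]*$/) i--
      path = $1
      for (j = 2; j <= i; j++) path = path " " $j
      for (j = i + 1; j <= NF; j++) {
        match($j, /[=+-]/)
        names = substr($j, 1, RSTART - 1); flags = substr($j, RSTART)
        # Skip bare "=", inheritable-only clauses and removals.
        if (flags !~ /[ep]/ || flags ~ /^-/) continue
        if (names == "" || names == "all") { print path "\tALL\t" flags; continue }
        m = split(names, c, ",")
        for (k = 1; k <= m; k++) if (c[k] in bad) print path "\t" c[k] "\t" flags
      }
    }'
}

# Constructed sample input (not taken from a real host).
sample_getcap_output() {
  printf '%s\n' \
    '/usr/bin/ping cap_net_raw=ep' \
    '/opt/example/runner = cap_setuid+ep' \
    '/opt/my tool/backup cap_dac_read_search,cap_net_bind_service=eip' \
    '/opt/example/helper =ep' \
    '/opt/example/locker cap_ipc_lock=ep'
}

# On a real host: getcap -r / 2>/dev/null | audit_caps
sample_getcap_output | audit_caps
```

Each reported line is a binary to review: confirm that the capability is required, that the file is not writable by unprivileged users, and remove the capability with setcap -r where it is not needed.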