Capabilities on executables

Note on Linux Kernel capabilities

Suraj Deshmukh

1 minute read

File capabilities allow users to execute programs with higher privileges. Best example is network utility ping.

A ping binary has capabilities CAP_NET_ADMIN and CAP_NET_RAW. A normal user doesn’t have CAP_NET_ADMIN privilege, since the executable file ping has that capability you can run it.

$ getcap `which ping`
/usr/bin/ping = cap_net_admin,cap_net_raw+p

Which normally works as follows:

$ ping -c 1 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=36.9 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.885/36.885/36.885/0.000 ms

If you copy file as a normal user the binary loses its privilege and the command ceases to work:

$ cp `which ping` /tmp/ping

$ /tmp/ping -c 1 1.1.1.1
ping: socket: Operation not permitted

References

Linux Capabilities: making them work

comments powered by Disqus