PoiNtEr->: How to remove Linux kernel capabilities and handicap root?


Tuesday, August 9, 2011


As you may know, Linux splits the privileges of root into capabilities. If you don't need all of them, you are in luck, because you can remove them system-wide with the lcap tool, which edits the kernel's capability bounding set through /proc/sys/kernel/cap-bound. (Caveat: that global sysctl was removed in Linux 2.6.25; on newer kernels the bounding set is per-process and is shrunk with prctl(PR_CAPBSET_DROP), which affects only that process and its children, so lcap as shown here only works on older kernels.)
To list all Linux capabilities:
~# lcap
Current capabilities: 0xFFFDFCFF
   0) *CAP_CHOWN                     1) *CAP_DAC_OVERRIDE
   2) *CAP_DAC_READ_SEARCH           3) *CAP_FOWNER
   4) *CAP_FSETID                    5) *CAP_KILL
   6) *CAP_SETGID                    7) *CAP_SETUID
   8) *CAP_SETPCAP                   9) *CAP_LINUX_IMMUTABLE
  12) *CAP_NET_ADMIN                13) *CAP_NET_RAW
  14) *CAP_IPC_LOCK                 15) *CAP_IPC_OWNER
  16) *CAP_SYS_MODULE               17)  CAP_SYS_RAWIO
  18) *CAP_SYS_CHROOT               19) *CAP_SYS_PTRACE
  20) *CAP_SYS_PACCT                21) *CAP_SYS_ADMIN
  22) *CAP_SYS_BOOT                 23) *CAP_SYS_NICE
  24) *CAP_SYS_RESOURCE             25) *CAP_SYS_TIME
  26) *CAP_SYS_TTY_CONFIG           27) *CAP_MKNOD
  28) *CAP_LEASE                    29) *CAP_AUDIT_WRITE
    * = Capabilities currently allowed
For example, suppose I want to disable CAP_CHOWN, so that no user (including root) can change the owner of a file. Because the capability is removed from the kernel's bounding set, not from a single user, every file on the box becomes effectively UNCHOWNABLE.
Usual way:
# touch filename
# chown vishal filename
Now the file is owned by vishal
My preferred way:
First, we remove the CHOWN capability
(as root)
# lcap CAP_CHOWN
# touch filename
# chown vishal filename
chown: changing ownership of `filename': Operation not permitted
As you can see, chown no longer works, because the capability has been removed from the bounding set and root cannot grant it back to itself. The only way to restore it is to reboot, so run lcap late in the boot sequence (for example from a final init script), after everything that legitimately needs the capability has finished.
You can disable any capability at your own risk ;)
With a few changes and updates this tool gives a real security gain. For example, remove CAP_SYS_MODULE to take away the ability to load or unload kernel modules, which helps a bit against LKM rootkits. For files that you don't want modified in any way, first mark the binaries in /bin, /usr/bin, /sbin and /usr/sbin immutable (the chattr +i attribute) and then remove CAP_LINUX_IMMUTABLE, so that nobody, root included, can clear the attribute and the binaries keep their expected checksums. Try each capability and see whether it is interesting for you.
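The same operation on a current kernel, as an added example that is not from the original post nor from the lcap tool: this C program decodes a capability mask the way lcap prints it, reads the live bounding set of the calling process with prctl(PR_CAPBSET_READ), and, when given a capability name on the command line (as in the CAP_CHOWN walk-through and the CAP_SYS_MODULE / CAP_LINUX_IMMUTABLE suggestions above), drops it with prctl(PR_CAPBSET_DROP). It assumes Linux 2.6.25 or later, where the bounding set is per-process and inherited across fork and exec rather than global; the drop needs CAP_SETPCAP, so it fails with EPERM for an unprivileged user. The function and program names are my own.

```c
/*
 * Added example (not code from the original post or from lcap): decode a
 * capability mask in lcap's display format, read the calling process's
 * capability bounding set, and optionally drop one capability from it.
 *
 * Assumption: Linux >= 2.6.25, where the bounding set is per-process and
 * inherited by children (not the global /proc/sys/kernel/cap-bound that
 * lcap edits).  PR_CAPBSET_DROP requires CAP_SETPCAP.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Capability numbers 0..29 in kernel order (the range lcap lists). */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID",
    "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE",
    "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT",
    "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME",
    "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
};
#define NCAPS ((int)(sizeof cap_names / sizeof cap_names[0]))
#define ALL_CAPS_MASK ((1u << NCAPS) - 1u)   /* 0x3FFFFFFF: all 30 allowed */

/* Bit <cap> set in <mask> means the capability is still allowed. */
int cap_mask_has(unsigned int mask, int cap) {
    return cap >= 0 && cap < NCAPS && ((mask >> cap) & 1u) != 0;
}

/* Clear one capability from a mask: what "lcap CAP_CHOWN" does to the set. */
unsigned int cap_mask_drop(unsigned int mask, int cap) {
    return (cap >= 0 && cap < NCAPS) ? (mask & ~(1u << cap)) : mask;
}

/* Look a capability up by its symbolic name; -1 if unknown. */
int cap_by_name(const char *name) {
    for (int i = 0; i < NCAPS; i++)
        if (strcmp(name, cap_names[i]) == 0)
            return i;
    return -1;
}

/* Build a mask of this process's bounding set (reading needs no privilege). */
unsigned int read_bounding_mask(void) {
    unsigned int mask = 0;
    for (int i = 0; i < NCAPS; i++)
        if (prctl(PR_CAPBSET_READ, i, 0, 0, 0) == 1)
            mask |= 1u << i;
    return mask;
}

/* Drop <cap> from this process's bounding set; returns 0 or an errno value. */
int drop_from_bounding_set(int cap) {
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0 ? 0 : errno;
}

/* Print a mask in lcap's two-column layout. */
void print_mask(unsigned int mask) {
    printf("Current capabilities: 0x%08X\n", mask);
    for (int i = 0; i < NCAPS; i++)
        printf("  %2d) %c%-24s%s", i, cap_mask_has(mask, i) ? '*' : ' ',
               cap_names[i], (i % 2) ? "\n" : "  ");
    printf("    * = Capabilities currently allowed\n");
}

int main(int argc, char **argv) {
    print_mask(read_bounding_mask());
    if (argc > 1) {                          /* e.g. ./capbset CAP_CHOWN */
        int cap = cap_by_name(argv[1]);
        if (cap < 0) {
            fprintf(stderr, "unknown capability %s\n", argv[1]);
            return 1;
        }
        int err = drop_from_bounding_set(cap);
        if (err)
            fprintf(stderr, "drop %s failed: %s\n", argv[1], strerror(err));
        else
            print_mask(read_bounding_mask());
        /* The drop is permanent for this process and everything it execs. */
    }
    return 0;
}
```

Run as root with a capability name and the listing is reprinted without the star; a shell exec'd from this process (or anything it starts) can then no longer chown, load modules, or clear the immutable flag, depending on what was dropped. Unlike lcap, other processes on the system are unaffected, so for a system-wide effect the drop has to happen early in the process tree (for example in init or a container runtime), and it still cannot be undone without restarting from an ancestor that kept the capability.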
For further info: man lcap
