Run Your Applications with Necessary Privileges: Linux Capabilities

If the effective user id is zero or the user space has enough privilege to do this.

How to Run Netcat (on Port 80) and iftop Without Switching to the Root User?

My console output is:

root@adil:~# su - example
example@adil:~$ nc -l -p 80
nc: Permission denied
example@adil:~$ iftop
pcap_open_live(ens3): ens3: You don't have permission to capture on that device (socket: Operation not permitted)
root@adil:~# setcap cap_net_bind_service+ep /bin/nc.openbsd
root@adil:~# setcap cap_net_raw+ep /usr/sbin/iftop
root@adil:~# su - example
example@adil:~$ nc -l -p 80
example@adil:~$ iftop

What does +ep stand for?

Things get complicated. Please fasten your seatbelts.

Let’s make some analogies

Analogy #1

You have dual citizenship: US/UK. You are living in the US now.
So, you are permitted to enter the US and the UK. You are effectively living in the US now.

Analogy #2

You are a citizen of Turkey. Your dad has dual citizenship: Turkey/Australia. So, you can be a citizen of Australia (inheritable) since your dad is a citizen of Australia. You can effectively live in Australia since your citizenship was inherited from your dad.

Analogy #3

Let’s say there are 3 countries in the world: A, B, and C. Your boundaries are A, B, and C. If another country is discovered, then you can expand your boundary (bounding). It is like adding a new privilege to the Linux kernel.

Let’s go back to the beginning

sudo setcap cap_net_raw+ep /usr/sbin/iftop

Hey, all users can run iftop now. I want to allow only the test1 user to run the iftop command.

There is a PAM module called pam_cap. With it, you can set capabilities per user.

sudo setcap cap_net_raw+ie /usr/sbin/iftop
root@adil:~# grep test1 /etc/security/capability.conf
cap_net_raw test1
root@adil:~# setcap cap_net_raw=+ie /usr/sbin/iftop
test1@adil:~$ iftop # it is working fine
ubuntu@adil:~$ iftop # it is not working
You don't have permission to capture on that device (socket: Operation not permitted)
grep Cap /proc/$(pgrep iftop)/status
CapInh: 0000000000002000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
root@adil:~# capsh --decode=0000000000002000
0x0000000000002000=cap_net_raw
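
Why +ep lets every user run iftop while +ie only works for test1 follows from the execve() rules documented in capabilities(7). The model below is an added example, not code from the original post; the names Caps, decode and execve are hypothetical, and it assumes pam_cap placed cap_net_raw in test1's inheritable set.

```python
# Added example: models the execve() capability rules from capabilities(7).
# Only the two capabilities used on this page are named; other bits print as bit_<n>.
from dataclasses import dataclass

CAP_NAMES = {10: "cap_net_bind_service", 13: "cap_net_raw"}
CAP_NET_RAW = 1 << 13


@dataclass
class Caps:
    inh: int = 0   # CapInh
    prm: int = 0   # CapPrm
    eff: int = 0   # CapEff
    bnd: int = 0   # CapBnd
    amb: int = 0   # CapAmb


def decode(mask):
    """Turn a /proc/<pid>/status hex mask into names, like capsh --decode."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    return [CAP_NAMES.get(bit, f"bit_{bit}") for bit in range(64) if value >> bit & 1]


def execve(proc, f_inh=0, f_prm=0, f_eff=False):
    """Process capability sets after exec of a file carrying file capabilities."""
    privileged = bool(f_inh or f_prm or f_eff)
    amb = 0 if privileged else proc.amb          # ambient is cleared for such files
    prm = (proc.inh & f_inh) | (f_prm & proc.bnd) | amb
    eff = prm if f_eff else amb                  # the file "e" flag is a single bit
    return Caps(inh=proc.inh, prm=prm, eff=eff, bnd=proc.bnd, amb=amb)


BND = int("0000003fffffffff", 16)                # CapBnd value shown on the page
plain_user = Caps(bnd=BND)                       # e.g. ubuntu: empty inheritable set
test1 = Caps(inh=CAP_NET_RAW, bnd=BND)           # assumption: set by pam_cap at login

if __name__ == "__main__":
    for label, proc, fcaps in [
        ("+ep, any user", plain_user, dict(f_prm=CAP_NET_RAW, f_eff=True)),
        ("+ie, test1   ", test1, dict(f_inh=CAP_NET_RAW, f_eff=True)),
        ("+ie, ubuntu  ", plain_user, dict(f_inh=CAP_NET_RAW, f_eff=True)),
    ]:
        new = execve(proc, **fcaps)
        print(f"{label} CapPrm={new.prm:016x} CapEff={decode(new.eff)}")
```

For test1 the model yields the same CapInh, CapPrm and CapEff values as the /proc output above; for ubuntu the exec succeeds with empty sets, which is why iftop then fails to open the capture socket.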
