Linux User Capabilities and Namespace Management

User Namespaces and Capabilities

Marion Sudvarg, Chris Gill
CSE 522S – Advanced Operating Systems
Washington University in St. Louis
St. Louis, MO 63130
Linux Users and Groups

Every user and group in Linux is assigned a unique ID.
Every process is associated with the uid and gid of the user that ran it.
The kernel checks the process uid and gid for appropriate permissions when performing certain operations, e.g.:
    Opening a file (checks against the file’s access control list)
    Sending a signal (checks recipient process for matching uid)
    Performing administrative tasks
The kernel bypasses these permission checks for processes running as the root user (uid 0).
A set-user-ID (set-group-ID) program runs as the user (group) that owns the executable:
    Settable by the owner of the file (or the root user)
    Allows non-superusers to run programs as root (e.g. passwd)
 
Capabilities Overview

Traditionally, full access to kernel functionality was only conferred to processes running as root.
Capabilities divide root access into distinct units associated with different privileged operations.
They allow a process to execute with a subset of system privileges (principle of least privilege).
Finer-grained than the traditional privileged/nonprivileged dichotomy.
 
Example Capabilities I

Capability          Description
CAP_CHOWN           Change a file’s uid or gid with no restrictions
CAP_DAC_OVERRIDE    Bypass file read, write, and execute permission checks
CAP_IPC_LOCK        Override memory-locking restrictions, allow huge TLB flags for memory mapping
CAP_KILL            Send signals to any process
CAP_NET_ADMIN       Perform network-related operations
CAP_SETFCAP         Set file capabilities (explained in another slide)
CAP_SETPCAP         Set capabilities in a process’s permitted set
CAP_SYS_ADMIN       Catch-all for various system administration operations
CAP_SYS_BOOT        Reboot the system

Example Capabilities II

Capability          Description
CAP_SYS_CHROOT      Use chroot
CAP_SYS_MODULE      Load and unload kernel modules
CAP_SYS_NICE        Set scheduler policies and nice values
CAP_SYS_PTRACE      Trace arbitrary processes with ptrace
CAP_SYS_RESOURCE    Manage resource limits (covered next time)
CAP_SYS_TIME        Set the system date and time

The capabilities presented here are just a subset.
There are 41 capabilities in total (as of Linux 5.16).
See https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h for the complete list.
 
Process and File Capabilities

Process Capability Sets
Capabilities associated with a running process:
    Effective: the current capabilities the process presents to the kernel
    Permitted: the capabilities the process may enable in its Effective set

How do processes gain permitted capabilities?
When a process exec()s a binary, check its File Capability Sets.

File Capability Sets
Capabilities associated with an executable file:
    Permitted (forced): capabilities added to the process’s permitted set
    Inheritable (allowed): capabilities added to the process’s permitted set if also in the process’s inheritable set
        A process retains its inheritable set after exec()
    Effective: a single bit:
        0: process Effective set all 0s after exec()
        1: process Effective set equal to its Permitted set after exec()
 
More on Capability Inheritance

Capability Bounding Set
    Per-thread attribute
    Capabilities not in this set cannot be added to process permitted or inheritable sets
    A process with CAP_SETPCAP can irreversibly remove capabilities from this set
    Typically, the init process’s bounding set starts with all capabilities

A process run by the root user (or a set-user-ID root program) has all capabilities.
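The two slides above give the rules for what a process holds after exec(): forced file capabilities clipped by the bounding set, allowed file capabilities granted only where the process already had them inheritable, and a single file effective bit that decides whether the new permitted set is raised into effective. The following C program is an added example, not code from the course; it applies exactly those rules to 64-bit capability bitmasks so the outcome of a given exec() can be predicted and checked. Assumptions: the bit numbers are the ones assigned in include/uapi/linux/capability.h, root / set-user-ID root special handling is not modelled, and the ambient set described in man 7 capabilities is left out, as it is on the slides.

```c
/* Added example (not from the course slides): exec()-time capability rules
 * from the "Process and File Capabilities" and "More on Capability
 * Inheritance" slides, applied to 64-bit bitmasks. Bit numbers follow
 * include/uapi/linux/capability.h; the ambient set is omitted as on the
 * slides, and root / set-user-ID root handling is not modelled. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_BIT(n) ((uint64_t)1 << (n))
#define CAP_CHOWN      0
#define CAP_KILL       5
#define CAP_NET_ADMIN  12
#define CAP_SYS_ADMIN  21

/* Per-thread capability sets that matter at exec() time. */
struct proc_caps {
    uint64_t permitted;
    uint64_t inheritable;
    uint64_t effective;
    uint64_t bounding;
};

/* The executable's security.capability attribute. */
struct file_caps {
    uint64_t permitted;    /* "forced" set */
    uint64_t inheritable;  /* "allowed" set */
    bool     effective;    /* the single effective bit */
};

/* Sets the process holds after exec()ing a binary that carries f. */
struct proc_caps caps_after_exec(struct proc_caps before, struct file_caps f)
{
    struct proc_caps after;

    /* Forced capabilities are limited by the bounding set; allowed ones
     * are granted only where the process already had them inheritable. */
    after.permitted = (f.permitted & before.bounding)
                    | (f.inheritable & before.inheritable);

    /* File effective bit: 1 raises the whole new permitted set, 0 starts empty. */
    after.effective = f.effective ? after.permitted : 0;

    /* The inheritable set is retained across exec(); so is the bounding set. */
    after.inheritable = before.inheritable;
    after.bounding = before.bounding;
    return after;
}

/* Drop one capability from the bounding set (needs CAP_SETPCAP on a real
 * system); the slide notes this is irreversible, so nothing re-adds it. */
struct proc_caps drop_from_bounding(struct proc_caps c, int cap)
{
    c.bounding &= ~CAP_BIT(cap);
    return c;
}

int main(void)
{
    /* Constructed scenario: an unprivileged process that was only left
     * CAP_NET_ADMIN in its inheritable set execs a binary whose forced set
     * carries cap_net_admin and cap_chown, with the effective bit set. */
    struct proc_caps before = { 0, CAP_BIT(CAP_NET_ADMIN), 0, ~(uint64_t)0 };
    struct file_caps file = { CAP_BIT(CAP_NET_ADMIN) | CAP_BIT(CAP_CHOWN),
                              CAP_BIT(CAP_KILL) | CAP_BIT(CAP_NET_ADMIN), true };

    struct proc_caps after = caps_after_exec(before, file);
    printf("full bounding set: permitted=%#llx effective=%#llx\n",
           (unsigned long long)after.permitted,
           (unsigned long long)after.effective);

    /* Same exec after CAP_CHOWN was removed from the bounding set. */
    struct proc_caps narrowed = drop_from_bounding(before, CAP_CHOWN);
    after = caps_after_exec(narrowed, file);
    printf("CAP_CHOWN dropped from bounding: permitted=%#llx\n",
           (unsigned long long)after.permitted);
    return 0;
}
```

The model shows why the bounding set is a defensive tool: once CAP_CHOWN is removed, no executable's forced set can bring it back for this thread or its descendants, regardless of file capabilities.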
Capability Introspection and Control

/proc/PID/status shows process capabilities:
    CapInh: Inheritable
    CapPrm: Permitted
    CapEff: Effective

ls -l shows set-user-ID and set-group-ID programs (shown as s).

libcap provides a C interface for process and file capabilities.

getcap and setcap utilities read and write file capabilities.

File capabilities are stored in the security.capability file extended attribute. CAP_SETFCAP is required to update it.
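The CapInh/CapPrm/CapEff lines in /proc/PID/status are 64-bit masks printed in hex, one bit per capability, which is hard to read by eye. The program below is an added example, not from the slides or from libcap: it reads a status file (/proc/self/status by default, or a path given as the first argument) and decodes each mask into capability names. Assumptions: the name table covers the capabilities shown on the slides plus CAP_SETUID/CAP_SETGID, with bit numbers taken from include/uapi/linux/capability.h, and the sample status text embedded for offline use is constructed.

```c
/* Added example (not part of the slides): decode the capability masks
 * that /proc/PID/status reports. Bit numbers are from
 * include/uapi/linux/capability.h; the sample status text is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cap_name { int bit; const char *name; };

/* Subset from the "Example Capabilities" slides plus the two the
 * uid_map/gid_map rules depend on. */
static const struct cap_name cap_names[] = {
    { 0, "CAP_CHOWN" }, { 1, "CAP_DAC_OVERRIDE" }, { 5, "CAP_KILL" },
    { 6, "CAP_SETGID" }, { 7, "CAP_SETUID" }, { 8, "CAP_SETPCAP" },
    { 12, "CAP_NET_ADMIN" }, { 14, "CAP_IPC_LOCK" }, { 16, "CAP_SYS_MODULE" },
    { 18, "CAP_SYS_CHROOT" }, { 19, "CAP_SYS_PTRACE" }, { 21, "CAP_SYS_ADMIN" },
    { 22, "CAP_SYS_BOOT" }, { 23, "CAP_SYS_NICE" }, { 24, "CAP_SYS_RESOURCE" },
    { 25, "CAP_SYS_TIME" }, { 31, "CAP_SETFCAP" },
};

/* Constructed sample: a process holding only CAP_SYS_ADMIN (bit 21) with
 * the full 41-capability bounding set. */
static const char sample_status[] =
    "Name:\tbash\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000200000\n"
    "CapBnd:\t000001ffffffffff\n";

/* Name for a bit number, or NULL if it is not in the table. */
const char *cap_name_for_bit(int bit)
{
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (cap_names[i].bit == bit) return cap_names[i].name;
    return NULL;
}

/* Find "key:<hex>" at the start of a line; returns 1 and fills mask, or 0. */
int status_cap_mask(const char *status, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    const char *p = status;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == status || p[-1] == '\n') && p[klen] == ':') {
            *mask = strtoull(p + klen + 1, NULL, 16); /* skips the tab */
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Print every set bit by name (or cap_N if unnamed); returns the count. */
int print_caps(const char *label, uint64_t mask)
{
    int count = 0;
    printf("%s:", label);
    for (int bit = 0; bit < 64; bit++) {
        if (!(mask & ((uint64_t)1 << bit))) continue;
        count++;
        const char *name = cap_name_for_bit(bit);
        if (name) printf(" %s", name);
        else printf(" cap_%d", bit);
    }
    printf("\n");
    return count;
}

/* Read a status file into buf (it is small, so a fixed buffer suffices). */
int read_status(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, size - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

int main(int argc, char **argv)
{
    static char buf[8192];
    const char *path = argc > 1 ? argv[1] : "/proc/self/status";
    const char *status = sample_status;
    if (read_status(path, buf, sizeof buf) > 0) status = buf;
    else printf("could not read %s, decoding the constructed sample instead\n", path);

    static const char *keys[] = { "CapInh", "CapPrm", "CapEff", "CapBnd" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        uint64_t mask;
        if (status_cap_mask(status, keys[i], &mask)) print_caps(keys[i], mask);
    }
    return 0;
}
```

Running it against /proc/PID/status of a process inside a user namespace is a quick way to confirm that CapEff is full in the namespace; reading the same PID's status from outside shows the view the parent namespace has.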
 
 
User Namespaces

Isolates the set of user and group IDs.
Most notably, this allows a non-root user to have uid 0 in the namespace.
Create with:
    clone(…,…,CLONE_NEWUSER,…)
    unshare(CLONE_NEWUSER)
User namespaces are nested – after clone or unshare the process’s previous namespace is the parent of the new one.
 
Mapping User and Group IDs

Processes in a user namespace share /proc/PID/uid_map and /proc/PID/gid_map files.
Each file has one or more lines of:
    ID-inside-ns ID-outside-ns length

                 From (ID-inside-ns)         To (ID-outside-ns)
Mapping begins   ID-inside-ns                ID-outside-ns
Mapping ends     ID-inside-ns + length - 1   ID-outside-ns + length - 1

ID-outside-ns
    Viewed by a process inside the namespace: uid/gid of the parent user namespace
    Viewed by a process outside the namespace: uid/gid of the process’s user namespace
These files can only be written once per namespace.
The writing process must have CAP_SETUID/CAP_SETGID in the namespace and belong to that namespace or the parent namespace.
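The mapping arithmetic above (an extent of `length` IDs starting at ID-inside-ns maps onto the same number of IDs starting at ID-outside-ns) is what the kernel applies to every credential check that crosses the namespace boundary. The following C program is an added example, not from the slides: it parses uid_map/gid_map text, prints each extent as the begin/end table on the slide, and translates IDs in both directions, returning the overflow ID for anything outside every extent. Assumptions: the map text is constructed (a real file is read the same way from /proc/PID/uid_map, where the kernel pads the columns with spaces), and 65534 is the default overflow uid/gid the kernel substitutes for unmapped IDs.

```c
/* Added example (not part of the slides): parse uid_map/gid_map lines and
 * translate IDs across the namespace boundary. The sample map is constructed;
 * 65534 is the kernel's default overflowuid/overflowgid. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXTENTS 16        /* enough for this demo; the kernel caps the line count too */
#define ID_UNMAPPED 65534u    /* default /proc/sys/kernel/overflowuid */

struct id_extent { uint32_t inside, outside, length; };
struct id_map { struct id_extent ext[MAX_EXTENTS]; int count; };

/* Constructed map: inside uid 0 is outside uid 1000; inside 1..65536 are
 * outside 100000..165535, the usual subordinate-ID range of a container. */
static const char sample_uid_map[] =
    "0 1000 1\n"
    "1 100000 65536\n";

/* Parse "inside outside length" lines; returns extent count or -1 on a bad line. */
int parse_id_map(const char *text, struct id_map *map)
{
    const char *line = text;
    map->count = 0;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 0) {
            char buf[128];
            unsigned long in, out, n;
            if (len >= sizeof buf || map->count == MAX_EXTENTS) return -1;
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* sscanf skips the leading spaces the kernel uses to pad columns. */
            if (sscanf(buf, "%lu %lu %lu", &in, &out, &n) != 3 || n == 0) return -1;
            map->ext[map->count].inside = (uint32_t)in;
            map->ext[map->count].outside = (uint32_t)out;
            map->ext[map->count].length = (uint32_t)n;
            map->count++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return map->count;
}

/* ID as seen inside the namespace -> ID in the parent namespace. */
uint32_t id_inside_to_outside(const struct id_map *m, uint32_t id)
{
    for (int i = 0; i < m->count; i++) {
        const struct id_extent *e = &m->ext[i];
        if (id >= e->inside && id - e->inside < e->length)
            return e->outside + (id - e->inside);
    }
    return ID_UNMAPPED;
}

/* ID in the parent namespace -> ID as seen inside the namespace. */
uint32_t id_outside_to_inside(const struct id_map *m, uint32_t id)
{
    for (int i = 0; i < m->count; i++) {
        const struct id_extent *e = &m->ext[i];
        if (id >= e->outside && id - e->outside < e->length)
            return e->inside + (id - e->outside);
    }
    return ID_UNMAPPED;
}

int main(void)
{
    struct id_map m;
    if (parse_id_map(sample_uid_map, &m) < 0) {
        fprintf(stderr, "malformed map\n");
        return 1;
    }
    /* The begin/end table from the slide, one row per extent. */
    for (int i = 0; i < m.count; i++) {
        const struct id_extent *e = &m.ext[i];
        printf("inside %u..%u -> outside %u..%u\n",
               e->inside, e->inside + e->length - 1,
               e->outside, e->outside + e->length - 1);
    }
    printf("inside 0 is outside %u\n", id_inside_to_outside(&m, 0));
    printf("inside 70000 is outside %u (unmapped)\n", id_inside_to_outside(&m, 70000));
    printf("outside 1000 is inside %u\n", id_outside_to_inside(&m, 1000));
    return 0;
}
```

The unmapped case matters for defenders: a file owned by an outside uid that falls in no extent shows up inside the namespace as the overflow ID, so it can be neither chowned nor, with default permissions, written from inside.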
 
 
 
Capabilities in User Namespaces

A process calling clone(CLONE_NEWUSER) or unshare(CLONE_NEWUSER) has full capabilities in the new namespace.
The child process of clone(CLONE_NEWUSER) has full capabilities in the new namespace.
A process with a capability in a user namespace also has it in all descendant namespaces.
Careful: a non-root user calling exec() loses capabilities unless the binary has file capabilities!
    This means uid/gid mapping must be performed by the parent or before exec().
Combining with Other Namespaces

A process requires CAP_SYS_ADMIN to create most namespaces.
A process needs no capabilities to create user namespaces!
The process gains all capabilities (including CAP_SYS_ADMIN) in the new namespace.
    Implies the process can create any other type of namespace from the new user namespace with another call to clone()
    Shortcut: the kernel allows combined calls, e.g. clone(CLONE_NEWUSER | CLONE_NEWPID)
These capabilities are restricted to the user namespace; they do not confer superuser privileges on the process within the wider system.
Provides the foundation for the isolation required by containers – a container can administer itself without impacting the system as a whole!
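The two slides above describe the sequence an unprivileged process follows to become uid 0 with full capabilities in a namespace of its own: unshare(CLONE_NEWUSER), then write uid_map and gid_map before any exec() so the CAP_SETUID/CAP_SETGID the new namespace granted are still in hand. The C program below is an added example, not the course's studio solution: it performs that sequence on itself and prints its uid and CapEff before and after. Assumptions: the kernel permits unprivileged user namespaces (many hardened hosts and container sandboxes disable this, in which case unshare() fails with EPERM); the "deny" write to /proc/self/setgroups is a kernel requirement since Linux 3.19 that the slides do not mention; the fallback declarations for unshare() and CLONE_NEWUSER are only there in case the build does not see <sched.h> with _GNU_SOURCE.

```c
/* Added example (not the course's studio solution): become uid 0 in a new
 * user namespace as an unprivileged user, mapping IDs before any exec().
 * Assumes unprivileged user namespaces are enabled; the setgroups "deny"
 * step is a kernel requirement (Linux 3.19+) not covered on the slides. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was not seen with _GNU_SOURCE in effect;
 * both match glibc's own declaration and value. */
int unshare(int flags);
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Render one "ID-inside-ns ID-outside-ns length" line; returns its length
 * in characters, or -1 if buf is too small. */
int format_id_map_line(char *buf, size_t size, unsigned inside,
                       unsigned outside, unsigned length)
{
    int n = snprintf(buf, size, "%u %u %u\n", inside, outside, length);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* The map files accept exactly one write, so send the whole text at once. */
static int write_file(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, len);
    int saved = errno;
    close(fd);
    if (w != (ssize_t)len) { errno = saved; return -1; }
    return 0;
}

/* Map the caller's outside uid/gid onto inside id 0 (length 1 each). */
int map_self_to_root(unsigned outside_uid, unsigned outside_gid)
{
    char line[64];
    int n = format_id_map_line(line, sizeof line, 0, outside_uid, 1);
    if (n < 0 || write_file("/proc/self/uid_map", line, (size_t)n) < 0) return -1;
    /* An unprivileged mapper must give up setgroups() before writing gid_map. */
    if (write_file("/proc/self/setgroups", "deny", 4) < 0) return -1;
    n = format_id_map_line(line, sizeof line, 0, outside_gid, 1);
    if (n < 0 || write_file("/proc/self/gid_map", line, (size_t)n) < 0) return -1;
    return 0;
}

/* Print the CapEff line of /proc/self/status. */
static void show_capeff(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char buf[256];
    if (!f) return;
    while (fgets(buf, sizeof buf, f))
        if (strncmp(buf, "CapEff:", 7) == 0) fputs(buf, stdout);
    fclose(f);
}

int main(void)
{
    unsigned uid = (unsigned)geteuid(), gid = (unsigned)getegid();
    printf("before: uid=%u gid=%u\n", uid, gid);
    show_capeff();

    if (unshare(CLONE_NEWUSER) < 0) {
        perror("unshare(CLONE_NEWUSER)");   /* EPERM: unprivileged userns disabled */
        return 1;
    }
    /* Until the map is written, getuid() reports the overflow ID (65534). */
    if (map_self_to_root(uid, gid) < 0) {
        perror("writing uid_map/gid_map");
        return 1;
    }
    printf("after: uid=%u gid=%u in the new namespace\n",
           (unsigned)getuid(), (unsigned)getgid());
    show_capeff();
    /* uid 0 is mapped, so a later exec() keeps the full set; had the mapping
     * been deferred past exec(), the slides warn, the capabilities would be gone. */
    return 0;
}
```

Compile with `cc -o userns_demo userns_demo.c` and run as an ordinary user; outside the namespace, `cat /proc/<pid>/status` for the running process still shows the original uid, which is the isolation the last slide relies on.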
 
Reading Assignments

LSP pp. 18-20: A brief overview of users, groups, and permissions
LSP pp. 163-167: A review of users and groups
man 7 capabilities: Coverage of Linux capabilities
man 8 getcap: The libcap utility for reading file capabilities
man 8 setcap: The libcap utility for writing file capabilities
LWN Namespaces Series: read the following parts:
    Part 5: User Namespaces
    Part 6: More on User Namespaces
(Optional) LPI 9.1-9.4: A detailed description of user IDs and set-user-ID programs
(Optional) LPI 39.1-39.7: A description of Linux process and file capabilities
 
Studio Exercises Today

Capabilities
    Copy a utility that requires root privileges, e.g.
        cp /bin/hostname ~/hostname
    Use set-user-ID to run the utility as non-root with root privileges
    Use File Capabilities to run the utility with just the necessary privileges

User Namespaces
    Create a new user namespace
    Map user and group IDs to gain root privileges in the namespace
    Incorporate these concepts into your simple container environment
Slide Note

Linux user namespaces and capabilities play a critical role in managing system security and permissions. Users and groups are assigned unique IDs, and processes are associated with the user's ID. The kernel enforces permission checks based on user IDs and group IDs, allowing root access to bypass certain checks. Capabilities provide a finer-grained approach to granting privileged operations, enhancing system security through the principle of least privilege. Explore various capabilities that allow processes to perform specific privileged tasks while restricting full root access.

Uploaded on Jul 10, 2024