Chris's Wiki :: blog/linux/LsShowCapabilities Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/LsShowCapabilities?atomcomments
Recent comments in Chris's Wiki :: blog/linux/LsShowCapabilities. Feed updated 2012-04-20T17:54:55Z.

By Chris Siebenmann on /blog/linux/LsShowCapabilities
<div class="wikitext"><p>My best understanding is that <code>cap_net_raw</code> is the capability to send
and receive 'raw' network packets, ones that are completely created by
yourself. Ping uses this to create and receive ICMP packets. The magic
flags at the end are sort of documented in the <code>cap_to_text(3)</code>
manpage and mean that ping is both given this capability and permitted
to have it.</p>
<p>It turns out that the capabilities(7) manpage at least vaguely
covers all of the capabilities (under the same names that <code>getcap</code>
uses), so you can at least sort of decode what capabilities-based
privileges a program has.</p>
<p>I believe that capabilities require filesystem support and a suitably
enabled kernel. They evidently don't require SELinux.</p>
</div>
2012-04-20T17:54:55Z

From 146.6.208.14 on /blog/linux/LsShowCapabilities
<div class="wikitext"><p>For those of us that are neither lucky nor well informed, how does ping elevate privs in F16?</p>
</div>
2012-04-20T16:04:10Z

By Chris Siebenmann on /blog/linux/LsShowCapabilities
<div class="wikitext"><p>If I were modifying <code>ls</code> to do this right, I think I'd change what the
setuid bit displays as (perhaps 'c' for capabilities, or 'C' if the file
both has capabilities and is setuid). Sticking another character on the
end starts getting unwieldy, and SELinux and ACLs are already camping
there.</p>
<p>(As far as I know a file can have both capabilities and SELinux
attributes.)</p>
<p>The colour thing is interesting behavior on ls's part. However, one
problem with it is that it's completely undocumented; when you see a
non-setuid executable show up with the setuid red background, how are
you supposed to know what it means? Ls's use of colours makes this
somewhat visible but it doesn't really help to make it discoverable.</p>
<p>(And at least for my version of <code>ls</code> with my terminal colours, the only
difference between setuid files and files with capabilities is that one
has white text on red and the other has black text on red, where black
text is my normal text colour.)</p>
</div>
2012-04-18T15:01:24Z

From 92.75.38.185 on /blog/linux/LsShowCapabilities
<div class="wikitext"><p>ls -l already does this using colors here:</p>
<pre>
% ls --color=always -F -l /tmp/x /usr/bin/dumpcap
-rwxr-xr-- 1 chris users 0 Apr 18 00:03 /tmp/x*
-rwxr-xr-- 1 root wireshark 68704 Mar 27 22:50 /usr/bin/dumpcap*
% getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
</pre>
<p>The first file has the usual green color, while the second file is black on red, which certainly stands out.</p>
<p>(I know you don't use colors in terminals, but things like these made me give in.)</p>
</div>
2012-04-17T22:07:28Z

From 216.105.40.123 on /blog/linux/LsShowCapabilities
<div class="wikitext"><p>When I do an ls -l my permission bits look like:</p>
<p>-rw-r--r--.</p>
<p>The . indicates SELinux attributes IIRC. And I think a + indicates ACLs. Seems like another character might be in order for capabilities.</p>
</div>
2012-04-17T17:23:34Z
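As an added example that is not part of the comments above or of Chris's own code: the Python below does by hand what the thread discusses. It reads the raw <code>security.capability</code> extended attribute that <code>getcap</code> decodes (the data behind the <code>cap_net_admin,cap_net_raw+eip</code> line, and the "magic flags" Chris points at <code>cap_to_text(3)</code> for), turns it into permitted and inheritable sets plus the single file-effective bit, renders it in getcap's notation, and prints an ls-style mode string with a <code>c</code> (capabilities) or <code>C</code> (capabilities and setuid) in the owner-execute slot, the display change suggested in Chris's second comment. The capability numbers and the <code>vfs_cap_data</code> layout (revision 2 is 20 bytes, revision 3 adds a 4-byte rootid) come from <code>&lt;linux/capability.h&gt;</code>; the <code>c</code>/<code>C</code> marker is this example's own convention, not anything <code>ls</code> does, and the byte strings in the test are constructed rather than captured from a real binary.

```python
"""Decode Linux file capabilities (security.capability xattr) and flag them ls-style.

Added example, not code from the page. Layout of struct vfs_cap_data and the
CAP_* numbers are from <linux/capability.h>; the 'c'/'C' mode marker is this
example's own convention (one of the suggestions in the thread), not ls's.
"""
import errno
import os
import stat
import struct

# CAP_* numbers from <linux/capability.h>; the list index is the capability number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 20 bytes: magic_etc + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000     # 24 bytes: as v2 plus rootid (owning user namespace)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # single bit: every permitted cap is also effective


def decode_vfs_caps(raw):
    """Parse raw security.capability bytes -> (permitted, inheritable, effective, rootid).

    permitted/inheritable are 64-bit masks indexed by CAP_* number, effective is
    the one file-effective bit, rootid is None for a revision-2 xattr.
    """
    if len(raw) < 4:
        raise ValueError("security.capability too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        expected = 20
    elif revision == VFS_CAP_REVISION_3:
        expected = 24
    else:
        raise ValueError("unsupported security.capability revision 0x%08x" % revision)
    if len(raw) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(raw)))
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)  # all little-endian
    rootid = struct.unpack_from("<I", raw, 20)[0] if expected == 24 else None
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    return permitted, inheritable, effective, rootid


def caps_to_text(permitted, inheritable, effective):
    """Render the sets in getcap's 'cap_a,cap_b+eip' style (approximates cap_to_text(3))."""
    groups = {}  # flag letters -> names of the capabilities sharing exactly those flags
    for n in range(64):
        in_p = (permitted >> n) & 1
        in_i = (inheritable >> n) & 1
        if not (in_p or in_i):
            continue
        flags = ("e" if effective and in_p else "") + ("i" if in_i else "") + ("p" if in_p else "")
        name = CAP_NAMES[n] if n < len(CAP_NAMES) else str(n)
        groups.setdefault(flags, []).append(name)
    return " ".join("%s+%s" % (",".join(names), flags) for flags, names in groups.items())


def annotate_mode(st_mode, has_caps):
    """ls-style mode string; owner-x slot shows 'c' (caps) or 'C' (caps and setuid).

    The marker is this example's convention, not something ls itself prints.
    """
    mode = list(stat.filemode(st_mode))
    if has_caps:
        mode[3] = "C" if st_mode & stat.S_ISUID else "c"
    return "".join(mode)


def file_caps(path):
    """Read and decode a file's capabilities; None if it has none. Linux only."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        raw = os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return decode_vfs_caps(raw)


def scan(directory):
    """Yield (mode_string, caps_text, path) for regular files carrying capabilities."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        caps = file_caps(path)
        if caps is None:
            continue
        permitted, inheritable, effective, _ = caps
        yield annotate_mode(st.st_mode, True), caps_to_text(permitted, inheritable, effective), path


if __name__ == "__main__":
    import sys
    for d in sys.argv[1:] or ["/usr/bin", "/usr/sbin"]:
        if os.path.isdir(d):
            for mode, text, path in scan(d):
                print(mode, path, "=", text)
```

Running it on a Fedora-style system lists things like <code>-rwcr-xr-x /usr/bin/ping = cap_net_raw+ep</code>; the script only needs read access to the directory, since <code>security.capability</code> is readable without privilege. The grouping in <code>caps_to_text</code> is simpler than libcap's, which also uses <code>=</code> and <code>-</code> forms, but it agrees with <code>getcap</code> for the common all-same-flags case.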