What capabilities are needed to manipulate files
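# syntax=docker/dockerfile:1
# Capability-experiment image: UBI 9 plus the attr tools (getfattr/setfattr)
# that /script.sh uses to probe extended attributes.
# The container intentionally runs as root with no USER directive: the
# experiment measures which capabilities a root process needs, and the
# script only ever drops capabilities from whatever the runtime grants.
ARG UBI_TAG=latest
FROM registry.access.redhat.com/ubi9:${UBI_TAG}

# attr is taken from the CentOS Stream 9 BaseOS mirror.  Note this fetches a
# package over plain http and installs it without a verified signature
# (rpm only warns NOKEY when the signing key is not imported); for anything
# beyond a throwaway experiment, import the CentOS Stream key first or pin
# the package by checksum.
RUN rpm -i http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/attr-2.5.1-3.el9.x86_64.rpm

# COPY (not ADD) for a plain local file; --chmod sets the mode in the same
# layer instead of a separate `RUN chmod` that duplicates the file.
COPY --chmod=755 script.sh /script.sh

CMD ["/script.sh"]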
#! /bin/bash
# Build the experiment image from this directory and run it once.
# The results are printed by /script.sh inside the container, which is
# discarded on exit (--rm).
set -e -o pipefail

image=capability-experiment

docker build -t "$image" .

# The container starts as root with the runtime's default capability set;
# the script only drops capabilities from there, so anything the runtime
# withholds (e.g. cap_sys_admin under the usual defaults) is never tested.
docker run --rm "$image"
#! /bin/bash
# Capability experiment: run one fixed set of file-manipulation probes under
# progressively larger capability sets and report what succeeds.  Meant to be
# run as root inside the container built from the accompanying Dockerfile.
# Deliberately no `set -e`: individual probes are expected to fail, and
# `read -d ''` returns non-zero when it reaches end of input.

echo; echo Starting caps:
capsh --print | grep Current:

# Fixtures: a root-owned 0600 file and an identical copy owned by uid/gid
# 1111, so the probes can tell DAC bypass apart from ownership changes.
mkdir /original
echo "hello" > /original/ownedbyroot
chmod 600 /original/ownedbyroot
cp /original/ownedbyroot /original/ownedby1111
chown 1111:1111 /original/ownedby1111
chmod 600 /original/ownedby1111

# Probe script handed verbatim to each capsh run.  The heredoc delimiter is
# unquoted, so `\$2` and `\$(...)` are escaped here to survive until the
# inner shell evaluates them.  Each probe prints "yes" or "NO".
read -r -d '' COMMANDS << EOF
echo; echo
capsh --print | grep Current: | awk '{print "Using Caps: " \$2}'
echo -n "Read root: "
if cat /original/ownedbyroot >& /dev/null; then echo "yes"; else echo "NO"; fi
echo -n "Read file uid 1111: "
if cat /original/ownedby1111 >& /dev/null; then echo "yes"; else echo "NO"; fi
echo -n "Copy file uid 1111: "
if cp -a /original/ownedby1111 /test/; then echo "yes"; else echo "NO"; fi
echo -n "Copied file still has uid 1111: "
if [[ \$(stat -c %u /test/ownedby1111) == 1111 ]]; then echo "yes"; else echo "NO"; fi
echo -n "chmod 1111: "
if chmod g+x /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "chgrp 1111: "
if chgrp 2222 /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "chown 1111: "
if chown 2222 /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "setgid 1111: "
if chmod 2640 /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "sticky /test: "
if chmod 1777 /test; then echo "yes"; else echo "NO"; fi
echo -n "mtime: "
if touch -d 2022-02-01 -m /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "atime: "
if touch -d 2022-03-01 -a /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "dump ext attrs: "
if getfattr -m - -d /test/ownedby1111 > /dev/null; then echo "yes"; else echo "NO"; fi
echo -n "set normal ext attr: "
if setfattr -n user.foo -v hello /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo -n "set security ext attr: "
if setfattr -n security.foo -v hello /test/ownedby1111; then echo "yes"; else echo "NO"; fi
echo; echo "File attributes:"
stat -c "%N %F u:%u g:%g m:%a c:%w m:%y a:%x" /original /original/* /test /test/*
EOF

# Recreate the scratch directory, then run the probes with the listed
# capabilities dropped.  Only dropping is possible: a trial can never hold a
# capability the container did not start with.
# $1: comma-separated list passed to `capsh --drop`
run_trial() {
    rm -rf /test; mkdir /test
    capsh --drop="$1" -- -c "$COMMANDS"
}

# Trial 1: drop everything in the starting set.
run_trial "cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"

# Trial 2: keep cap_dac_override.
run_trial "cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"

# Trial 3: keep cap_chown,cap_dac_override.
run_trial "cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"

# Trial 4: keep cap_chown,cap_dac_override,cap_fowner.
run_trial "cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"

# Needed caps:
# - cap_chown: Set file ownership/group
# - cap_dac_override: read/write all file data
# - cap_fowner: set permissions (setgid bit), times
# - cap_sys_admin: set security ext attrs (man xattr)
# NOTE(review): cap_sys_admin never appears in the trials above, so the
# "set security ext attr" probe is expected to print NO in every run unless
# the container was started with it; the last line presumably comes from
# man xattr rather than from this script's output — confirm.