Scribd Logo
Upload

Welcome to Scribd!

  • 369 views

    Lab 1

    Uploaded by

    Nguyễn Như Quỳnh
    This document describes a Linux capabilities exploration lab conducted by students. It includes: 1) Installing the libcap library and demonstrating various Linux capabilities like DAC overrides, process ownership changes, and raw network access. 2) Creating programs to test each capability and observing the different results when capabilities are enabled versus disabled. 3) Compiling a sample program and assigning specific capabilities to executable files.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    Lab 1

    Uploaded by

    Nguyễn Như Quỳnh
    369 views21 pages
    This document describes a Linux capabilities exploration lab conducted by students. It includes: 1) Installing the libcap library and demonstrating various Linux capabilities like DAC overrides, process ownership changes, and raw network access. 2) Creating programs to test each capability and observing the different results when capabilities are enabled versus disabled. 3) Compiling a sample program and assigning specific capabilities to executable files.

    Original Title

    lab1.docx

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document describes a Linux capabilities exploration lab conducted by students. It includes: 1) Installing the libcap library and demonstrating various Linux capabilities like DAC overrides, process ownership changes, and raw network access. 2) Creating programs to test each capability and observing the different results when capabilities are enabled versus disabled. 3) Compiling a sample program and assigning specific capabilities to executable files.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    369 views21 pages

    Lab 1

    Uploaded by

    Nguyễn Như Quỳnh
    This document describes a Linux capabilities exploration lab conducted by students. It includes: 1) Installing the libcap library and demonstrating various Linux capabilities like DAC overrides, process ownership changes, and raw network access. 2) Creating programs to test each capability and observing the different results when capabilities are enabled versus disabled. 3) Compiling a sample program and assigning specific capabilities to executable files.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    of 21

    1

    Linux Capability Exploration Lab

    VIETNAM NATIONAL UNIVERSITY HO CHI MINH


    CITY
    UNIVERSITY OF INFOMATION TECHNOLOGY

    Linux Capability Exploration Lab

    Group: 17

    Teacher: Tran Tuan Dung


    Class: NT113.K11.ATCL

    Name and ID Student: 17520966 Nguyễn Như Quỳnh


    17521281 Trương Thảo Vy

    GROUP 17 1
    2
    Linux Capability Exploration Lab

     Install Libcap

    Hình 1

    Hình 2

    Hình 3

    GROUP 17 2
    3
    Linux Capability Exploration Lab

    Hình 4

    GROUP 17 3
    4
    Linux Capability Exploration Lab

    Hình 5

    GROUP 17 4
    5
    Linux Capability Exploration Lab

    Hình 6

    TASK 1: Experiencing Capabilities

    - Login as a normal user, and run the following command:


    % ping www.google.com

    GROUP 17 5
    6
    Linux Capability Exploration Lab

    Hình 7

     The program run successfully.

    - Now, we turn /bin/ping into a non-Set-UID program. This can be done via the following command
    (you need to login as the root):
    # chmod u-s /bin/ping.

    Hình 8

    GROUP 17 6
    7
    Linux Capability Exploration Lab

    Hình 9

    Hình 10

    Question 1: Please turn the following Set-UID programs into non-Set-UID programs,
    without affecting the behaviors of these programs.
    • /usr/bin/passwd

    Hình 11

    Question 2: You have seen what we can do with the cap net raw capability. We would like
    you to get familiar with several other capabilities. For each of the following capabilities, do
    the following: (1) explain the purpose of this capability; (2) find a program to demonstrate
    the effect of these capabilities (you can run the application with and without the capability,
    and explain the difference in the results). You can also write your own applications if you
    prefer, as long as they can demonstrate the effect of the capability. Here is the list of
    capabilities that you need to work on (read include/linux/capability.h to learn about the
    capabilities).
    • cap dac read search

    GROUP 17 7
    8
    Linux Capability Exploration Lab

    • cap dac override


    • cap chown
    • cap setuid
    • cap kill
    • cap net raw
    Create own program named test under directory /bin/

    Hình 12

    Compile it and set it as a set-uid program

    Hình 13

    1) cap_dac_read_search: Bypass file read permission checks and directory read and
    execute permission checks. After enable this capability, it can run any program that without
    read permission.

    Hình 14

    Hình 15

    GROUP 17 8
    9
    Linux Capability Exploration Lab

    Hình 16

    To test this command, I change captest.c to 000, when we run it as normal user, it shows
    permission denied. After that I setcap cap_dac_read_search to read command ‘cat’, then run
    it again, surprisingly, we can read the content of the program. Therefore,
    cap_dac_read_search really do bypass the read permission, it can run any program that
    without read permission.

    2) cap_dac_override: Bypass file read, write, and execute permission checks. (DAC is an
    abbreviation of "discretionary access control"). In first example, I am trying to read the
    content of captest.c.

    Hình 17

    First remove the capability that appeared in previous test, try to read the program, we found
    that permission denied, then enable cap_dac_override capability to read permission ’cat’,
    then we can successfully read the program.

    GROUP 17 9
    10
    Linux Capability Exploration Lab

    Another example is bypassing edit or write permission after we enable the capability of
    cap_dac_override. Before enable this capability, when we type “vi shadow”, we cannot even
    open the /etc/shadow file.

    Hình 18

    The following code is we enable the capability on “vi” command, and then try to open it.

    Hình 19

    The following screenshot is the result, we successfully opened the file, and you can
    insert any sentence in this file.

    GROUP 17 10
    11
    Linux Capability Exploration Lab

    Hình 20

    3) cap_chown: Make arbitrary changes to file UIDs and GIDs

    Hình 21

    From above screenshot, first we remove the capability set by previous test, then intent to
    change the owner of the file captest.c from root to seed, it turns out that Operation not
    permitted, then we set cat_chown capability to the command ‘chown’, after that, we do
    chown command again, it successfully change the owner of the file to seed.

    GROUP 17 11
    12
    Linux Capability Exploration Lab

    4) cap_setuid: make forged UID when passing socket credentials via UNIX domain
    sockets.
    First we create a file name sidcontent which contents the sentence that going to show out .
    Then create the program which will forge a uid when passing socket.

    Hình 22

    Hình 23

    Then create the program which will forge a uid when passing socket. The program
    named sid.c

    Hình 24

    Then we set the content program sidcontent to no read permission for others, then do cat
    sidcontent, we can see from below picture, it shows permission denied. Then we go to
    compile the sid.c program and run it, it also says permission denied.

    GROUP 17 12
    13
    Linux Capability Exploration Lab

    Hình 25

    After we setcap cap_setuid to ./sid, then run it , it successfully run the program by showing
    out the content in sidcontent file.

    5) cap_kill: Bypass permission checks for sending signals . In this task, I run top on other
    terminal in root permission, and then use seed try to kill the process, but as we observed in
    the following screenshot, it shows operation not permitted, then we setcap cap_kill
    capability to kill, and run it again, it finally successfully kill the process.

    GROUP 17 13
    14
    Linux Capability Exploration Lab

    Hình 26

    6) cap_net_raw: Enable normal user to use RAW and PACKET sockets.In this example,
    we first check whether ping has any capability, it shows it has one then we remove it, and
    run ping, it show permission denied, then we setcap cap_net_raw to ping , and run it again,
    it works !

    Hình 27

    GROUP 17 14
    15
    Linux Capability Exploration Lab

    TASK 2: Adjusting Privileges

    Hình 28

    Hình 29

    GROUP 17 15
    16
    Linux Capability Exploration Lab

    Hình 30

    GROUP 17 16
    17
    Linux Capability Exploration Lab

    Hình 31

    Hình 32

    GROUP 17 17
    18
    Linux Capability Exploration Lab

    Hình 33

    Hình 34

    GROUP 17 18
    19
    Linux Capability Exploration Lab

    Hình 35

    Hình 36

    Question 3:
    Compile use_cap.c

    GROUP 17 19
    20
    Linux Capability Exploration Lab

    Hình 37

    Assign the cap_dac_read_search capability to the executable file ” ./use_cap”. And login as
    normal user, run the program

    Hình 38

    Explain the result:


    Compare with the code and the result, program cannot open shadow file , it comes(b) open
    failed, then after we enable it , it can get the capability and it shows (c)is successfully open,
    if we drop the capability, (d)open failed, and we cannot enable it again after drop the
    capability, though, in the code, even we tried to enable its capability again, (e)still open
    failed.

    Question4: If we want to dynamically adjust the amount of privileges in ACL based


    access control, what should we do? Compared to capabilities, which access control is
    more convenient to do so?

    Answer: ACL is a list of access control entry, which give access permission to a user or
    group on a given file or folder. In ACL, if we want to grant permission to other
    user/group, we always need to login as root or superuser, and use “chmod” command
    to grand permission on file to the aimed user. While by using capabilities, we can bypass
    some permission check, even if we were not supposed to have permission on accessing
    this file. It is more convenient for normal user since you do not need to ask access
    permission from root, but it is more danger.

    Question5: After a program (running as normal user)disables a capability A, it is


    compromised by a buffer-overflow attack, the attacker successfully injects his
    malicious code into this program’s stack space and starts to run it. Can this attacker use

    GROUP 17 20
    21
    Linux Capability Exploration Lab

    the capability A? What if the process deleted the capability, can the attacker uses the
    capability?

    Answer: Yes. After normal user disables a capability A, the attacker can still use the
    capability A by enabling it in his malicious code, but if the process deleted the
    capability, the attacker cannot use the capability.

    Question6: The same as the previous question, except replacing the buffer-overflow
    attack with the race condition attack, Namely, if the attacker exploits the race condition
    in this program, can he use the capability A if the capability is disabled? What if the
    capability is deleted?

    Answer: If the attacker exploits the race condition in this program, he can still use the
    capability A no matter the capability is disabled or deleted. That is because the
    malicious code will always run before the capability statement in the race condition
    attack.

    GROUP 17 21

    You might also like