container-security


Resources for the O'Reilly Container Security book

View the Project on GitHub lizrice/container-security

Linux System Calls, Permissions, and Capabilities

You will need to be running as a normal, non-privileged user (not root) for these examples to make any sense.

setuid

# Check that you aren't root already 
whoami 

# Do this in your home directory
cd ~

# Look at permissions and ownership for the sleep executable
ls -l $(which sleep)

# Make your own copy and look at its ownership 
cp /usr/bin/sleep ./mysleep
ls -l mysleep

# Run this copy
./mysleep 100

Open a second terminal and look at the executable you just started:

ps -fC mysleep

Go back to terminal 1 and stop the executable if it’s still running. Now let’s make it a setuid file owned by root.

sudo chown root ./mysleep
sudo chmod +s ./mysleep
ls -l mysleep

# Run it again 
./mysleep 100

From the second terminal:

ps -fC mysleep 

This process should be running under root, not your normal user ID.
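To find files that behave like this copy of sleep, on a host or in an unpacked container image, the following lists setuid files and the UID each would run as. It is an added example, not part of the original page; the function names are hypothetical and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
# Added example, not from the original page. Function names are hypothetical.
# Assumes a Linux userland where `stat -c` works (GNU coreutils or BusyBox).

# list_setuid DIR: one line per setuid regular file: "<owner-uid> <mode> <path>"
list_setuid() {
    # -perm -4000 matches files with the setuid bit; -xdev stays on one filesystem
    find "${1:-.}" -xdev -type f -perm -4000 -exec stat -c '%u %a %n' {} + 2>/dev/null
}

# count_setuid_root DIR: how many of those files are owned by root (UID 0)
count_setuid_root() {
    list_setuid "$1" | awk '$1 == 0 { n++ } END { print n + 0 }'
}

# report_setuid DIR: say which UID each file would run as when you execute it
# (the bit has no effect on filesystems mounted with the nosuid option)
report_setuid() {
    me=$(id -u)
    list_setuid "$1" | while read -r uid mode path; do
        if [ "$uid" -eq "$me" ]; then
            echo "no-change uid=$uid mode=$mode $path"
        elif [ "$uid" -eq 0 ]; then
            echo "RUNS-AS-ROOT uid=$uid mode=$mode $path"
        else
            echo "runs-as-other uid=$uid mode=$mode $path"
        fi
    done
}

# Run as: sh script.sh DIR
if [ $# -gt 0 ]; then report_setuid "$1"; fi
```

Pointed at the home directory after the `chown` and `chmod +s` steps above, the report marks `mysleep` as RUNS-AS-ROOT.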

Use a setuid executable to escalate privileges

You can take advantage of setuid to escalate privileges from a container, as shown in this example.

Linux Capabilities

# Capabilities on a file
getcap $(which ping)

# Capabilities on a process
getpcaps $(pgrep journal)

# A process with no capabilities
getpcaps $$
