So, yes, it just began, so we just began, okay? I'm extremely surprised at the amount of people. I mean, it's not only the weather, it's the title. This talk was for Debian Day and I was extremely surprised at the amount of people there too, but this is going to be the advanced version because, come on, you are Debian developers, so, yeah. So, just to know, how many of you know something about capabilities? Uh-huh, and from that amount, how many of you have only a rough idea, but not the details? That's great, this talk is for you. Uh-huh, okay, so there is somebody who has no idea about capabilities. Okay, great, great. Awesome. So, let's try to go there.

So, you know the problem that we have in Unix systems. Either you are root, you are God, you have full power, or you are a simple user without any power at all. So, this is the typical root/non-root problem. Linux capabilities want to tackle this kind of issue. We have some solutions for that. One is the SUID bit. How do you pronounce that in English? I said "sweet". You said? S-U-I-D. S-U-I-D, okay, S-U-I-D. And the other one is sudo. So, I hope that many of you are familiar with those concepts. So, now we are talking about capabilities. These two approaches are a way to give full power to a task, to a process, to a user, but only for a moment, for some kind of limited scope. But we would like to be more precise than that. So, let's go to the example of ping. Many of you probably know that ping has the SUID bit. Yes, so it's not working. And it's not working because ping requires opening a raw socket. Just that. And only root can open a raw socket, in the same way that only root can open a port under 1024 and that kind of thing. So, we need to give ping the capability of opening a raw socket, but only that. I think it's this capability. Let me check here.
See, so this version of ping, which is the same one but without the SUID bit, can do the task without this bit, because it has the capability of opening this raw socket. So, this is the classical basic example. So, hands up if you get it. Let's continue. Yes, and why capabilities are important: because they try to do something about minimum privilege, which is not the case with the others, with sudo or with SUID. So, this concept of capabilities has been in the kernel since 2.2, which was quite a long time ago. But it has had the current form, the one that is useful somehow, since 2.6.24, and it requires extended file attributes. So, it doesn't work on NFS and that kind of thing. And the two basic commands are getcap and setcap. These two commands are in this package. It comes with some other nice tools. getpcaps is a way to know which capabilities one running process has. So, let me show you. Let's run ping here. So, this process is running with this capability. This is the way that you use setcap. So, you need of course the capability, from the set of capabilities. You can find that set in the capabilities man page. It's like 35 different capabilities. Let's go through them roughly. So, for example, this one can change the owner of something, can chown something. Is that the word, isn't it? Yeah, chown. You can kill any process with this one. Yes. You can open a raw socket. This one allows you to bind a port less than 1024. Of course, there is a capability for setting capabilities. Yep. So, you put the capability, you put an operator and you put a set. That set works like... yeah, I think it's the next slide. So, let's work on that after that. And of course, the file. And there's another package, libcap-ng-utils, which includes other tools. netcap lists the capabilities of the daemons listening on ports. filecap is for files. And pscap is an extended version of getpcaps. So, this is the example just for documentation. Uh-huh.
So, this looks like a way to avoid the SUID bit. We have many of those. We have a list of those indeed. The list is collected by the security group: debian security data, yes, suid. Yep. It's extremely huge. The list is extremely outdated. And let me check how many of those refer to root. Yes, like 300 of those are SUID root. Yes, in Lenny, because this is based on Lenny. That's a bit, just a bit old. So, the thing is only for SUID root. Otherwise, we don't need this kind of thing. We don't need capabilities because we are not running with any capabilities. So, for example, unix_chkpwd used to run with the SUID bit, but not anymore, so that's fixed somehow. And another funny thing is that it could be useful for other tools. So, let me show you Wireshark. You're familiar with Wireshark. I love this program. And it's useful for sniffing the network. But if you're running as a simple user, you can't sniff on any interface; if you run Wireshark as root, you can. So, that's great. But you have a warning saying, please don't run this program as root. So, it's not that useful if you can't run Wireshark as root. A way to fix this is with this command. So, I'm extending this binary, dumpcap, which is the process in charge of doing the actual sniffing, with the capability to sniff. And in this case, I can sniff as a simple user without all the problems that I can have. I mean, Wireshark needs to parse a lot of things and that's the typical buffer overflow problem. So, I can be safe somehow if I run it this way instead of as root. So, probably you all agree if I say that this is a better way to run Wireshark instead of as root. The same case for tcpdump, which is of course another sniffer. We can run these capabilities for ntpdate, but somebody said to me that this program, okay, never mind, yeah. So, as you can see, we can run all these programs with these capabilities. For example, this one, which allows you to load a module into the kernel, for that binary.
And in that case, something nice happens. For example, in the case of ping, if I put this capability on the actual ping, which has the SUID bit, I get this message in the kernel. So, the kernel notices that this program has the ability to run with all the capabilities and with only this capability, and selects the minimum privilege. So, it's great. So, in the same way, you can run these binaries with the capability, and one that would run as root with all the capabilities will run as root, but only with a few capabilities. Yes. So, now you need to be careful about who can run this program. Of course, if I modify my Wireshark, everybody on my computer can run Wireshark and sniff the network. So, you need to be warned about that.

So, this thing about the three sets. I'm pretty sure that many of you are familiar with this concept, but the permitted set has the capabilities that are in your toolbox, and the effective set has the capabilities that you have in your hand. So, you can drop a capability from your hand to the toolbox. If you drop a capability from the toolbox, you can't access that capability anymore. And if you drop it from your hand, you can get it again from your toolbox. So, it's a way to drop intermediate things and a way to temporarily disable capabilities. In the case of the last one, it's the amount of capabilities that you allow for the execve system call. fork is not included here, because fork is a copy of the memory, so the fork is going to get the same amount of capabilities as the parent.

So, there's another lovely package called libpam-cap, which is a capability module for PAM. This is the way to use it. In this scenario, I would like to give a user called semiroot the capability of removing any file in my system without checking the permissions. So, I need to give that capability to the user, and that is going to put that capability in the p, in the toolbox.
And in this case, for example, it's not in the toolbox. Otherwise, anybody could run rm without any check. This capability disables the DAC check. So, I should be careful not to put a p here. So, when rm is run by semiroot, all the capabilities are there, and then semiroot can remove any file in the system. Yes, and it works for rm, of course, not for unlink or that kind of thing. I have a demo of this, but let me show you something. I close it? Yes, okay. So, it's not working now because of a release-critical bug, so please close it.

So, let's talk a bit about process capabilities. That is a way to drop these capabilities. I made a wonderful example in C, which is extremely long. So, I made the same version in Python, which is seven lines. So, I will show you the seven-line version. It's a web server which runs on port 80. Let me show you. So, libcap-ng has bindings for Python. That's why. The basic part of the server is not this one, it's just this one. So, I set a handler and open a port here, and then I'm looping. Yes? So, of course, if I run it like that, everything goes nicely. But remember netcap, which is the version that checks the... in this case, this HTTP server runs with full capabilities. Yes? So, let's modify this. Let's include capng, and let's drop all the capabilities except this one, CAP_NET_BIND_SERVICE. So, if somebody exploits this process, the only capability that they have is just to bind a port under 1024. So, that's right. Of course, there are some drawbacks. So, maybe the question here should be why we don't support this more out of the box. And probably the answer is because the normal tools don't support extended attributes, like mv, cp, tar especially, star, right? I have no idea what star is for, but yeah. That doesn't support it, actually. Somehow it's something a bit unexplored. So, that's great that you are here, because now you can explore more about this.
Yesterday or the day before, Luke asked me how to include capabilities in his packages. So, that's great. But there are even bigger problems. The problem is that in some situations, giving a capability to a user, yes.

Okay, so I don't understand why it is necessary that tools support this kind of capabilities, because this is managed by the kernel, right?

Yes, but the file capabilities are supported by the file system. And for example, each time that I upgrade my Wireshark, I need to set the capability again, because I lose the inode. So...

Okay, so it would not be a security hole, it would just be losing the possibility to use the tool with the needed capabilities.

Yes, okay, yes. Yes, it's somehow inconvenient. And we are an operating system, so we want to be convenient.

So, in some scenarios, some capabilities can be root-equivalent, especially in scenarios where arbitrary code execution is possible. For example, if you have the capability to override DAC, if you ignore the DAC checks, of course you can change /etc/passwd and get root easily. If you have the possibility to change the permissions of a file, you can change the owner of /etc/passwd and get access easily. And the same applies to shadow. In this case, for example, you can only read it, but you can make a rainbow attack or something and you get root easily. And many, many, many, many, many, many of these. This one is fancy. So, in this case, if you have kill and bind service, you can just change the service and steal credentials, for example. That's a nice one. So, you can imagine a lot of weird scenarios where one capability gives you root access. So, even if you don't have any capability, the fact that you're running as root can allow you to do something. For example, if you only have root, you can write your script in cron.hourly and eventually cron runs as root with all the capabilities and the binary will be executed. Did you get that last example?
Yes, probably, yes. So, there is an even worse scenario, where including capabilities can open new holes. There is a fancy, fancy, fancy document. Let me, mm-hmm. This document is called "Exploiting capabilities". Wow. So, in this case, mount just, yeah, yeah, it's not prepared to run without the capability, but it's prepared to run as root. And, yeah, there is some attack where you can manipulate the mtab. So, it's an insecure temp file in /etc, and yeah. Of course, mount is already fixed, but if your application is somehow not prepared for capabilities, doesn't think about capabilities, you may open a hole there. So, be careful. So, yes.

I think something that may illustrate this, the management being worse than the cure, is that we, well, as developers, we should all know to fear SUID binaries. And the thing is, you did this check and you found 300. But when you do an ls or a simple check on the file system, files with capabilities do not show. So, you think you're safe. You think you have a system with no strange permissions. And I think that's also an important point.

Yes. So, let me transform that into a scenario. You can build a backdoor with capabilities and nobody will notice. So, I think that's a lack of tools. I mentioned it somewhere here, but, yeah, here. So, somehow there is a lack of tools. A rootkit scanner should include this kind of check, somehow.

Yeah, but even, I mean, when you did an ls on /sbin, it was shown in red. That could be nice. Because ls looks at that. So, it's not even a specific security scanning tool. It's just the most everyday command you run.

Yes. And we are aware of SUID. I agree. Yes. I agree. Yes. I agree. So, the second point is this thing that could be useful for non-set-user-ID programs. The Wireshark example, I think it's a good example. I have some other examples. So, I run this command, pscap. Yes? What? Yes. Let me put this bigger.
So, as you can see, there are some of them which are running with capabilities. For example, bluetoothd and gnome-keyring-daemon. So, I asked myself, okay, how do they do it. So, I downloaded the source. Thank you, David. Yes, in the postinst. I'm not sure if it's clear enough to read. I can... Is it better? No, it's not better. It is better. Okay. So, this guy just runs setcap after installing the thing. Probably it's not the most elegant way. We have tools to set permissions. Maybe we should extend those tools in order to support this. Something funny: maybe Fedora 15 released without any SUID bit, and that was like two years ago, one year ago. So, somehow they are afraid of those bits. I don't know. I think it's a common feeling, being afraid of these bits. On the other hand, they usually are on binaries that have been in the system forever, like ping. So, nobody should be afraid of that. But yeah, they decided to remove every set-user-ID bit in Fedora 15. And Ubuntu is planning to do the same. I'm not really sure. Maybe it's not worth it. I don't know. It's a lot of work. And maybe the profit is... Maybe there is no profit.

Fedora already has SELinux support, right? And so, how would this tie in to SELinux?

Yeah, the short answer is I don't know. Okay. I think they try to address similar problems. But yes, I tried to use SELinux and it's extremely complex. And maybe this is a way in the middle, not that complex. But I have no idea how they integrate both.

You started out with ping as the first example for how to use capabilities. And ping per default is set-user-ID root, so everyone is able to use it. With turning on the capability, you won't need to set-user-ID root anymore. But you also bring up examples like tcpdump and mount, which are not set-user-ID root. By setting the capability, everyone would be able to use it to the full extent. If they can execute it, they will exercise the capability. So you need to remove the execution for everyone.

Okay.
Just a little. Okay. So this point, that capabilities are hard to understand. I think it's not that hard, but as a Linux... So maybe it's, but yes, I was thinking, here should I defend capabilities? I don't feel an expert in capabilities and I'm giving this talk somehow. So yeah, yeah, I'm not sure if it's the path to go. Gunnar, there. I can give you another microphone.

Well, I was thinking maybe one of the reasons that Fedora was able to implement this, and Ubuntu are underway too, is precisely because they support very much more conservative setups. I mean, they can say, well, we will install with ext4, we will not run on NFS, because a very small fraction of their user base uses it. I don't say that the majority of Debian installs run on NFS, but we do have a... Every time something is bound to break a little minority of the systems, we have a framework. Recently we had this one about /run, for example.

I totally agree, yes. Yeah, so. And then, do we have two of those? I mean, microphones, not Debian developers.

Do you know anything about the technical details, how Ubuntu is going to implement this? Do they put the capabilities into the data.tar.gz?

They just have a list of... they want to remove the bit. But if you install a package, I suppose they will set the capabilities on the file system in some automatic way.

Yes, I have... You don't have to do it manually. Yes, I have no idea what they did.

Yeah, because if I understood you correctly, it would be possible to have ping, for example, be SUID and automatically set the capabilities and do the right thing if you have extended attributes, and just skip the attributes and still do the thing it does today if you don't have extended attributes.

Exactly, if you have both, the kernel selects the less privileged one, yes. Yeah. Yes, they maybe have the tools that we would like to support better; they just set the extended attribute in postinst and that kind of thing. You can check it in the code.
Just as a remark, I think, in my opinion, it sounds quite worth playing with, because it's a security improvement and it's kind of an easier one than all the other alternatives, like running a full SELinux system or AppArmor. But on the other hand, what scares me a bit is that capabilities seem to be a lot of a mess. I mean, you showed it, there are silly capabilities that are root-equivalent, and there was, I think, a few months ago, an LWN article about this too, discussing this mess. So I think maybe we should also wait if the mess gets cleaned up first.

Uh-huh, yes, but meanwhile, I suggest that you have better tools for that. Yes. Okay, yes, you, over there.

Could you use it in the context of, say, a daemon where you want to prevent it from writing to /tmp, as an example? So any program can write to /tmp now. Yes. Can you reduce its privilege, you know, a normal privilege that any process would have, can you eliminate it?

No, no, we are talking about root capabilities.

Just root capabilities, okay.

Yes, these are 35 things that root can do, and somehow we split it and we can give those, yes. So we left a lot of links here. Lucky enough, our Penta now supports slides attached. So you can download those from Penta. Especially, well, this document is the scary one, but yes, the other ones are nice too. So, any of you have any more comments? I hope that you could learn something new today.

Just one. Yes, sure. What do we do with kFreeBSD? Not that I care, but if we do it in Debian, it should somehow work there too.

Yes. Does it? Probably not. They call it Linux capabilities, I don't know.

No, but they have something very similar. I mean, basically Linux capabilities were copied over. At least I first knew them in OpenBSD. But I'm pretty sure that Hurd doesn't. They have some kind of project to do it.

No, no, but Hurd has a herd of daemons. Okay.
No, but kFreeBSD will support, I don't know if it's the same set or the same nomenclature, but they do have capabilities. But it's another question. I mean, this tool improvement should include it somehow. Yeah.

Do we still have time, maybe? Is it possible to do a chuid with...

Yes, it is there. So, and chroot, thank you. You're welcome. Gunnar or Rhonda?

Basically, anything that root can do was divided into a set of small things. Yeah, but 35 groups of actions. So, whatever root can do that a regular user cannot do is in one of those sets. That's why, for example, I mean, it could sound counterintuitive that he's presenting capabilities as a way to not require root. But one of the capabilities is becoming root. So, well, that's the reason.

chuid, not setuid. Ch... Yes, yes. No, I mean, with setuid, you can just setuid to zero and you're root. I mean, so, I was trying to illustrate the example that Gunnar gives. If you give this capability to a process, the process can setuid to zero and it's root with all the capabilities. Yep.

Yes, Rhonda. If you want, I mean. There was a question on IRC about how is the user space memory layout? Is there any chance to stuff out? Oh, sorry, I mean, the wrong one. That's from the other channel. I was like, what the fuck?

Any other comments? So again, I hope that you could learn something new today, and okay, thank you for your time.
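The following is an added example, not part of the talk or the Q&A above. It picks up the point raised in the discussion that ls shows SUID bits but says nothing about file capabilities, so a binary with cap_dac_override=ep looks like an ordinary file and a rootkit scanner would miss it. The script walks a tree, reads the raw security.capability extended attribute that setcap stores, and decodes it without needing libcap or getcap installed. The layout it decodes is the kernel's struct vfs_cap_data (magic_etc, then little-endian permitted/inheritable pairs, plus a rootid in version 3). The two SAMPLE_* byte strings are constructed here for illustration, not read from any real system; the capability names are the standard Linux numbering.

```python
"""Find files carrying the security.capability xattr, which ls does not show.
Decodes the kernel's struct vfs_cap_data directly (no libcap, no getcap).
Linux-only: relies on os.getxattr. Added example, not from the talk."""
import os
import struct
import sys
from typing import Dict, List, Optional, Tuple

# Capability numbers from linux/capability.h: list index == CAP_* value.
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin "
             "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
             "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
             "sys_tty_config mknod lease audit_write audit_control setfcap "
             "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
             "perfmon bpf checkpoint_restore").split()

XATTR_NAME = "security.capability"
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bit of magic_etc: the "e" flag
VFS_CAP_REVISION_1 = 0x01000000     # 32-bit masks, one data slot, 12 bytes
VFS_CAP_REVISION_2 = 0x02000000     # 64-bit masks, two data slots, 20 bytes
VFS_CAP_REVISION_3 = 0x03000000     # v2 plus rootid (user namespaces), 24 bytes


def cap_names(mask: int) -> List[str]:
    """Expand a capability bitmask into cap_* names in bit order."""
    return [f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(64) if (mask >> i) & 1]


def decode_vfs_cap(raw: bytes) -> Dict[str, object]:
    """Decode struct vfs_cap_data: magic_etc, then {permitted, inheritable} pairs."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision, rootid = magic_etc & 0xFF000000, 0
    if revision == VFS_CAP_REVISION_1 and len(raw) >= 12:
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3) and len(raw) >= 20:
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
        permitted, inheritable = p_lo | (p_hi << 32), i_lo | (i_hi << 32)
        if revision == VFS_CAP_REVISION_3:
            if len(raw) < 24:
                raise ValueError("v3 xattr too short")
            (rootid,) = struct.unpack_from("<I", raw, 20)  # owner uid of the userns
    else:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    return {"permitted": cap_names(permitted), "inheritable": cap_names(inheritable),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def format_caps(info: Dict[str, object]) -> str:
    """Render like getcap(8), e.g. 'cap_net_raw=ep' or 'cap_chown=ip cap_kill=p'."""
    permitted, inheritable = set(info["permitted"]), set(info["inheritable"])
    groups: Dict[str, List[str]] = {}
    for cap in cap_names((1 << 64) - 1):  # all 64 bits, so output is in bit order
        if cap not in permitted and cap not in inheritable:
            continue
        flags = (("e" if info["effective"] and cap in permitted else "")
                 + ("i" if cap in inheritable else "") + ("p" if cap in permitted else ""))
        groups.setdefault(flags, []).append(cap)
    return " ".join(f"{','.join(caps)}={flags}" for flags, caps in groups.items())


def read_file_caps(path: str) -> Optional[bytes]:
    """Raw security.capability of a regular file, or None if absent/unsupported."""
    if os.path.islink(path) or not os.path.isfile(path):
        return None  # the kernel only honours file caps on regular files
    try:
        return os.getxattr(path, XATTR_NAME, follow_symlinks=False)
    except (OSError, AttributeError):
        return None  # ENODATA: no caps; ENOTSUP: no xattrs (e.g. NFS); non-Linux


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, getcap-style text) for every file with caps."""
    found: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            raw = read_file_caps(path)
            if raw is None:
                continue
            try:
                found.append((path, format_caps(decode_vfs_cap(raw))))
            except ValueError as exc:
                found.append((path, f"<undecodable: {exc}>"))  # still worth reporting
    return found


# Constructed samples (not read from any real system). The first is what
# `setcap cap_net_raw=ep ping` stores when no rootid is set (v2 struct).
SAMPLE_PING_XATTR = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                                1 << 13, 0, 0, 0)
# A v3 struct: cap_dac_override and cap_setuid permitted, cap_dac_override also
# inheritable, not effective, valid only in the user namespace owned by uid 1000.
SAMPLE_NS_XATTR = struct.pack("<IIIIII", VFS_CAP_REVISION_3,
                              (1 << 1) | (1 << 7), 1 << 1, 0, 0, 1000)

if __name__ == "__main__":
    for found_path, caps in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(f"{found_path} {caps}")
```

Run it as `python3 findcaps.py /` (as root, so that unreadable directories are not silently skipped) and compare the output with your package list, the same way you would audit SUID binaries: any file with cap_dac_override, cap_setuid, cap_sys_admin or cap_sys_module that no package installed is exactly the kind of backdoor the discussion warns about. Because the decoder reads the raw xattr, it also reports entries with an unknown revision instead of ignoring them.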