If you want to find out which capabilities a binary needs, you have several options:
- You use strace and determine them from the output
- You use capable_probe
The first method is quite simple, but you have to deduce the caps from the error messages, which can be a bit difficult.
The second method is more convenient and simple, so I’m going to describe this method further.
capable_probe is a loadable kernel module developed by Serge Hallyn [0]. It uses the kprobe kernel mechanism [1] to insert a Jprobe. And what does it do exactly?
When this kernel module is inserted, any calls to cap_capable() are replaced by a call to the cr_capable() function. This function prints the name of the program that requires capabilities and the capability being checked. It then continues executing the actual cap_capable() call through the call to jprobe_return(). [0]
The signature of cr_capable has to be the same as the signature of cap_capable. The signature changed from
int cap_capable (struct task_struct *tsk, int cap)
to
int cr_capable (struct task_struct *tsk, const struct cred *cred, int cap, int audit).
So to get capable_probe to work you need to change the signature or use the one from my repository [2].
There is a good README by Chris Friedhoff [3], which describes how to install and use it.
Important: Don’t forget to unload capable_probe after you have determined the caps, as it will flood your /var/log/messages.
To see capable_probe in action here is how to determine the caps for passwd:
- Remove suid:
chmod -s /bin/passwd
- Watch the log and load the module:
tail -f /var/log/messages | grep passwd
modprobe capable_probe
- Try to change your password. This is what you get from passwd:
superkfr@totoro ~ $ passwd
Changing password for superkfr.
(current) UNIX password:
Password:
Retype new password:
passwd: Authentication token lock busy
passwd: password unchanged
Not very informative.
- Unload the module:
modprobe -r capable_probe
- Let’s see what we got from capable_probe:
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 2 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 2 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 24 for passwd
- What does this all mean?
The numbers stand for different caps; you can look them up in /usr/include/linux/capability.h:

/* Override all DAC access, including ACL execute access if
   [_POSIX_ACL] is defined. Excluding DAC access covered by
   CAP_LINUX_IMMUTABLE. */
#define CAP_DAC_OVERRIDE 1

/* Overrides all DAC restrictions regarding read and search on files
   and directories, including ACL restrictions if [_POSIX_ACL] is
   defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
#define CAP_DAC_READ_SEARCH 2

...

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
#define CAP_SYS_RESOURCE 24
- Now, which caps seem plausible? passwd needs to read and write /etc/shadow, so it needs CAP_DAC_OVERRIDE; CAP_DAC_READ_SEARCH is a subset of that, so it does not have to be set additionally. There is no indication that passwd could need CAP_SYS_RESOURCE. So we try it out with CAP_DAC_OVERRIDE only:
sudo setcap cap_dac_override=ep /bin/passwd
sudo modprobe capable_probe
passwd
And it fails again. This is what capable_probe logged this time:
Jul 5 16:02:50 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:02:50 totoro kernel: cr_capable: asking for capability 2 for passwd
Jul 5 16:02:50 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:02:50 totoro kernel: cr_capable: asking for capability 24 for passwd
Jul 5 16:03:01 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:03:01 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:03:01 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:03:01 totoro kernel: cr_capable: asking for capability 0 for passwd
Jul 5 16:03:01 totoro kernel: cr_capable: asking for capability 1 for passwd
It also asks for CAP_CHOWN (0) now. That seems plausible as well, so grant it and repeat.
- It fails again, what is still missing?
Jul 5 16:03:56 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:03:56 totoro kernel: cr_capable: asking for capability 2 for passwd
Jul 5 16:03:56 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:03:56 totoro kernel: cr_capable: asking for capability 24 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 0 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 0 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 3 for passwd
Jul 5 16:04:06 totoro kernel: cr_capable: asking for capability 1 for passwd
It also wants CAP_FOWNER (3).
- Add that to the set and it works.
- Don’t forget:
modprobe -r capable_probe
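Reading the capability numbers off the log by hand gets tedious once a program asks for more than a handful. The following script, an added example and not part of the post or of capable_probe, parses cr_capable lines from the kernel log, counts the requested caps per program, and prints a candidate setcap command as a starting point for the plausibility review done above. The number-to-name table is the standard numbering from linux/capability.h (assumption: your kernel's header may list fewer entries); the sample log is constructed from the first run in the post.

```python
import re

# Standard numbering from <linux/capability.h>, index == capability number.
# Assumption: older kernels define only a prefix of this list.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# Matches the line format that cr_capable writes to the kernel log.
LINE_RE = re.compile(r"cr_capable: asking for capability (\d+) for (\S+)")

def cap_name(num):
    """Map a capability number to its setcap name; unknown numbers stay numeric."""
    return "cap_" + CAP_NAMES[num] if 0 <= num < len(CAP_NAMES) else "cap_%d" % num

def collect_caps(log_lines):
    """Return {program: {cap_number: times_requested}} from cr_capable log lines."""
    per_prog = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated kernel log line
        num, prog = int(m.group(1)), m.group(2)
        counts = per_prog.setdefault(prog, {})
        counts[num] = counts.get(num, 0) + 1
    return per_prog

def setcap_candidate(counts, path):
    """Build a setcap command granting every cap that was checked.
    Review it: a checked cap is not always a needed one (CAP_SYS_RESOURCE above)."""
    names = ",".join(cap_name(n) for n in sorted(counts))
    return "setcap %s=ep %s" % (names, path)

# Constructed sample log, taken from the first capable_probe run in the post.
SAMPLE_LOG = """Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 2 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 1 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 2 for passwd
Jul 5 15:20:54 totoro kernel: cr_capable: asking for capability 24 for passwd"""

if __name__ == "__main__":
    for prog, counts in collect_caps(SAMPLE_LOG.splitlines()).items():
        for num, n in sorted(counts.items()):
            print("%s: %s (%d) checked %d time(s)" % (prog, cap_name(num), num, n))
        print(setcap_candidate(counts, "/bin/" + prog))
```

On a real system feed it `grep cr_capable /var/log/messages` instead of the embedded sample.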
This example is a little more complicated than the standard ping-example, but I wanted to do a different one. Hope that helps :).
[0] http://www.ibm.com/developerworks/library/l-posixcap.html
[1] You need CONFIG_KPROBES=y in your kernel
[2] http://github.com/constanze/GSoC2010_Gentoo_Capabilities/tree/master/capable_probe/
[3] http://www.friedhoff.org/posixfilecaps.html
RSBAC (www.rsbac.org) detects missing capabilities out of the box using JAIL module (just FYI)
@jim: I think the target of Constanze’s project is to allow usage of caps _without_ the need for patching your kernel with selinux or rsbac.
These two projects provide excellent and somewhat complete security features and tools, but aren’t used widely by normal users.
So Constanze’s project is more of a “lightweight solution” ;)
Thanks OneTomm, that’s exactly the point :).