
aeolusp / cap_readfile


This is a simple demonstration of the Linux capability cap_dac_read_search.

License: GNU General Public License v3.0

Shell 47.28% C++ 52.72%

cap_readfile's Introduction

cap_readfile

This is a simple demonstration of the Linux capability cap_dac_read_search. The program reads the given file and prints its content.

1. compile

g++ readfile.cpp -o readfile

2. setup - YOU MUST RUN AS ROOT USER

./setup.sh

Note: The script sets up the test environment. It creates the directories and files below with the permissions shown:

 drwxr-xr-x   root:root   /readall/all.txt
 drwxr-x---   root:root   /restricted/r.txt

3. check for capabilities - output shall be empty

getcap readfile

4. Run without any capabilities - YOU MUST RUN AS NON-ROOT USER

./readfile /readall/all.txt 	- shall show contents of hello.txt
./readfile /restricted/r.txt 	- fails with permission denied error

5. set file capabilities for readfile - YOU NEED TO RUN THIS AS ROOT USER

setcap 'cap_dac_read_search+ep' readfile

Note: The capability CAP_DAC_READ_SEARCH bypasses file read permission checks and directory read and execute permission checks.

6. check the file capabilities - the output shall include cap_dac_read_search=ep

getcap readfile

7. run again with NON-ROOT user - both commands shall succeed

./readfile /readall/all.txt
./readfile /restricted/r.txt

8. now cleanup - YOU MUST RUN AS ROOT USER

./cleanup.sh

CONCLUSION

If a service needs to read privileged directories or files, it can still run as a non-root user with only cap_dac_read_search. This capability bypasses file read permission checks and directory read and execute permission checks.
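
A process-side check to go with steps 3 and 6, as an added example that is not part of the cap_readfile repository: getcap shows what is stored on the file, while the CapPrm and CapEff lines of /proc/<pid>/status show what the running process actually holds. The two status samples are constructed, and the names cap_mask and has_cap are hypothetical.

```cpp
// Added example, not from the cap_readfile repository; helper names are hypothetical.
#include <cstdint>
#include <fstream>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Capability number of CAP_DAC_READ_SEARCH in <linux/capability.h>.
const unsigned kCapDacReadSearch = 2;

// Constructed samples of /proc/<pid>/status before and after step 5 (setcap).
const std::string kStatusBefore =
    "Name:\treadfile\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n";
const std::string kStatusAfter =
    "Name:\treadfile\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000004\n"
    "CapEff:\t0000000000000004\nCapBnd:\t000001ffffffffff\n";

// Parse the hex mask of one field ("CapEff", "CapPrm", ...); false if missing or not hex.
bool cap_mask(const std::string& status, const std::string& field, std::uint64_t& mask) {
    std::istringstream in(status);
    const std::string key = field + ":";
    for (std::string line; std::getline(in, line);) {
        if (line.compare(0, key.size(), key) != 0) continue;
        try {
            // stoull skips the tab that separates the key from the value.
            mask = std::stoull(line.substr(key.size()), nullptr, 16);
            return true;
        } catch (const std::exception&) {
            return false;
        }
    }
    return false;
}

// True when capability number `cap` is set in the named capability set.
bool has_cap(const std::string& status, const std::string& field, unsigned cap) {
    std::uint64_t mask = 0;
    return cap_mask(status, field, mask) && ((mask >> cap) & 1u) != 0;
}

int main() {
    std::ifstream f("/proc/self/status");  // live view of this process
    std::stringstream live;
    live << f.rdbuf();
    std::cout << "CapPrm: " << has_cap(live.str(), "CapPrm", kCapDacReadSearch) << "\n";
    std::cout << "CapEff: " << has_cap(live.str(), "CapEff", kCapDacReadSearch) << "\n";
    return 0;
}
```

Built and given the same setcap as in step 5, the program prints 1 for both sets when run as a non-root user; without file capabilities it prints 0 for both.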
