Setting capabilities can lead to privilege escalation.
Linux capabilities allow you to assign narrow slices of root's permissions to files or processes. A thread with capabilities bypasses
the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring (additional) root
privileges.
Ask Yourself Whether
Capabilities are granted:
- To a process that does not require all capabilities to do its job.
- To a not trusted process.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary
capabilities are assigned to files and processes.
Sensitive Code Example
When setting capabilities:
cap_t caps = cap_init();
cap_value_t cap_list[2];
cap_list[0] = CAP_FOWNER;
cap_list[1] = CAP_CHOWN;
cap_set_flag(caps, CAP_PERMITTED, 2, cap_list, CAP_SET);
cap_set_file("file", caps); // Sensitive
cap_set_fd(fd, caps); // Sensitive
cap_set_proc(caps); // Sensitive
capsetp(pid, caps); // Sensitive
capset(hdrp, datap); // Sensitive: is discouraged to be used because it is a system call
When setting SUID/SGID attributes:
chmod("file", S_ISUID|S_ISGID); // Sensitive
fchmod(fd, S_ISUID|S_ISGID); // Sensitive
See
