User privileges and capabilities

Functions
int	amxrt_caps_apply (void)
	Apply the user, group and capabilities as defined in the configuration. More...
void	amxrt_caps_dump (void)
	Dumps the capabilities of the process. More...

Detailed Description

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes:

• privileged processes (whose effective user ID is 0, referred to as superuser or root).
• unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with Linux 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

In the config section it is possible to define to which user the started process must switch. Typically the process is started as a privileged process (started with root user), but it can drop the root privileges and switch to an unprivileged process (user id is nonzero).

When setting the user name (or id), by default all capabilities are dropped as well. It is possible to retain all capabilities are (keep all) or only retain some.

Function Documentation

amxrt_caps_apply()

int amxrt_caps_apply

(

void

)

Apply the user, group and capabilities as defined in the configuration.

When everything is initialized user privileges and capabilities can be dropped.

The user and group to which the process needs to switch (privileges dropping) can be defined in the configuration.

Which capabilities needs to be retained can be defined in the configuration.

Returns

returns 0 if no error occurred.

Definition at line 101 of file amxrt_cap.c.

                           {
    int rv = -1;
    amxc_var_t* config = amxrt_get_config();
    amxc_var_t* privileges = GET_ARG(config, "privileges");
    amxc_var_t* caps = GET_ARG(privileges, "capabilities");
    amxc_var_t* user = GET_ARG(privileges, "user");
    amxc_var_t* group = GET_ARG(privileges, "group");
 
    capng_get_caps_process();
    when_null_status(privileges, exit, rv = 0);
 
    if(!GET_BOOL(privileges, "keep-all")) {
        capng_clear(CAPNG_SELECT_BOTH);
 
        amxc_var_for_each(cap, caps) {
            int id = -1;
 
            if(amxc_var_type_of(cap) == AMXC_VAR_ID_CSTRING) {
                const char* cap_name = GET_CHAR(cap, NULL);
                amxc_string_t str_cap_name;
                int offset = 0;
 
                /* work-around for musl-c issue.
                   when using strncasecmp which is defined in <strings.h>
                   and using musl-c the following compilation error/warning
                   is given
                   In file included from amxrt_cap.c:62:
                   /home/sahbot/workspace/build/buildsystem/staging_dir/toolchain-x86_64_gcc-8.4.0_musl/include/fortify/strings.h:19:2: error: #include_next is a GCC extension [-Werror]
                 #include_next <strings.h>
                   ^~~~~~~~~~~~
 
                   muslc strings.h uses include_next. The use of include_next should be
                   avoided as it can lead to confusion.
 
                   see https://gcc.gnu.org/onlinedocs/cpp/Wrapper-Headers.html
                 */
                amxc_string_init(&str_cap_name, 0);
                amxc_string_set(&str_cap_name, cap_name);
                amxc_string_to_upper(&str_cap_name);
                offset = strncmp(amxc_string_get(&str_cap_name, 0), "CAP_", 4) == 0 ? 4 : 0;
                amxc_string_clean(&str_cap_name);
 
                id = capng_name_to_capability(cap_name + offset);
                if(id == -1) {
                    amxrt_print_error("Unknown capability - [%s]", cap_name);
                    continue;
                }
            } else {
                id = GET_INT32(cap, NULL);
                if((id < 0) || (id > CAP_LAST_CAP)) {
                    amxrt_print_error("Invalid capability id - [%d]", GET_INT32(cap, NULL));
                    continue;
                }
            }
            rv = capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED | CAPNG_BOUNDING_SET | CAPNG_INHERITABLE), id);
            if(rv != 0) {
                amxrt_print_error("Apply capability [%d] failed with %d\n", id, rv);
            }
        }
    }
 
exit:
    if((user == NULL) && (group == NULL)) {
        amxrt_dm_create_dir(amxrt_get_parser(), 0, 0);
        rv = capng_apply(CAPNG_SELECT_BOTH);
    } else {
        int32_t uid = amxrt_get_user_id(user);
        int32_t gid = amxrt_get_group_id(group);
        amxrt_print_message("Switching to user id %d and group id %d", uid, gid);
        amxrt_dm_create_dir(amxrt_get_parser(), uid, gid);
        rv = capng_change_id(uid, gid, (capng_flags_t) (CAPNG_DROP_SUPP_GRP));
    }
    if(rv != 0) {
        amxrt_print_error("Apply capabilities failed with %d\n", rv);
    }
 
    return rv;
}

amxrt_caps_dump()

void amxrt_caps_dump

(

void

)

Dumps the capabilities of the process.

Print all capabilities of the process to stdout.

Definition at line 180 of file amxrt_cap.c.

                           {
    capng_print_caps_numeric(CAPNG_PRINT_STDOUT, CAPNG_SELECT_BOTH);
 
    printf("\nCAPNG_EFFECTIVE:\n");
    capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_EFFECTIVE);
    printf("\nCAPNG_PERMITTED:\n");
    capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_PERMITTED);
    printf("\nCAPNG_INHERITABLE:\n");
    capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_INHERITABLE);
    printf("\nCAPNG_BOUNDING_SET:\n");
    capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_BOUNDING_SET);
    printf("\n");
}