This is the third video of Course 6. This video is about the capabilities feature on Linux. On Linux, many utilities, and also third-party software, use the SETUID bit to give special power to some executables: for example to do backups, to manage a website, or for servers such as an HTTP server that need some permission to create privileged sockets. But in the Linux community we think that this approach is maybe overkill. Giving the root privilege to an executable that does not really need it is clearly a possible security issue.

Linux now includes a new feature that allows a user to give special power to an executable without giving it all the root privileges. [inaudible] The command is called setcap, and it lets you give some capabilities to an executable file without giving it the root power. The executable will still execute as the user who launches it. But this executable will have some more power, some superpower, to do some actions.

In the table on the right I list a few capabilities we can add to an executable. We have CAP_KILL, which allows the executable to kill any process on the system, so it may be interesting to have this privilege for something that manages the system, or that does backups and needs to kill an application that is using a file in order to back it up, for example. The capability CAP_MKNOD lets the executable create entries in the /dev folder, that is, make nodes that can be used to talk with a device. Again, it can be a very interesting capability for software that interacts directly with some hardware.

Some of the capabilities are more dangerous than others; that is why I present them in red in the table. For example, this one here, FSETID: if a program has this capability, it can modify a file that has the SETUID bit without the SETUID bit being removed. With this capability, the executable will be able to modify a file such as passwd, for example.
After this file is modified, the changed file will be run as root the next time someone launches the executable. Having this capability is exactly as dangerous as giving full root privilege to an executable.

This slide shows another part of the list of capabilities Linux supports. Again, some of them are presented in red because they are a lot more dangerous than others. For example, the capability to change file capabilities. If an executable has this capability, it can change all the capabilities of another file, so it can give that file other dangerous capabilities and then gain full root access on the system. Here it's the same thing: CAP_SYS_MODULE allows an executable to load a kernel module. If the executable is able to load any kernel module it wants, it will be able to load a malicious kernel module, and kernel modules are not constrained by the operating system. They can do whatever they want: they are in the kernel, they are another part of the operating system, the part that decides who can do an operation and when. Having CAP_SYS_MODULE is having full control of the operating system.

This slide shows another part of the list of capabilities. Again, we have a capability that is shown in red. CAP_SYS_PTRACE allows a process to debug any other process on the system. If it can do that, it can debug a process that is running as root, take advantage of it and gain root privileges.

Should a program use capabilities or SETUID as root when it needs a superpower? The answer is simple: use capabilities if possible, because SETUID as root is a very big security issue. If someone takes control of such an executable, or is able to modify it in any way, it is a very large security problem because the hacker will instantly get all privileges on the system. A program with capabilities does not have the same possible power.
If the hacker takes control of a program with some capabilities, yes, they will get superpower, but a limited one, so always use capabilities if possible. Always use the minimum capabilities the program really needs to do the job. If possible, avoid using SETUID as root. If the capability the program needs is one of the red capabilities, that is, a capability that can easily lead to gaining full root privilege, it should still be used rather than SETUID as root, because this way at least the hacker who gains access to this program with dangerous capabilities (let's call them that for now) will need to do an extra step to get full root privilege, and that can make the exploit a little bit harder. Try to avoid SETUID as root and use capabilities instead.

This shows that SETUID as root is a really dangerous feature. But don't forget that in some cases you can use SETUID as another user. If you want to use SETUID only to access some data files, you can create a user on the system. Give this user, not a capability, but the permission to access the special files, and create a program that uses SETUID as this user to access these special files. This way you don't put the whole system in danger just to access some very specific files.

This is the end of this video. The next video is about programs with superpower on Windows.
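
An added example, not part of the lecture: the capabilities that setcap assigns are stored in the file's `security.capability` extended attribute, and the Python code below decodes that attribute and flags SETUID-root files and the capabilities the lecture marks red. Reading the lecture's "change file capabilities" as CAP_SETFCAP is an assumption, and the function names, finding labels and `SAMPLE` bytes are constructed for illustration.

```python
import os, stat, struct

# Capabilities named in the lecture (bit numbers from linux/capability.h).
NAMES = {4: "CAP_FSETID", 5: "CAP_KILL", 16: "CAP_SYS_MODULE",
         19: "CAP_SYS_PTRACE", 27: "CAP_MKNOD", 31: "CAP_SETFCAP"}
# The ones the lecture marks red: each is a short step away from full root.
RED = {"CAP_FSETID", "CAP_SETFCAP", "CAP_SYS_MODULE", "CAP_SYS_PTRACE"}

def decode_file_caps(raw):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    # Byte 3 is the revision: 1 has one 32-bit word of caps, 2 and 3 have two.
    words = {1: 1, 2: 2, 3: 2}.get(raw[3] if len(raw) > 3 else 0)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown or truncated vfs_cap_data")
    # Each 8-byte entry is (permitted, inheritable); only permitted is read.
    permitted = sum(struct.unpack_from("<I", raw, 4 + 8 * i)[0] << (32 * i)
                    for i in range(words))
    caps = {NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1}
    return caps, bool(raw[0] & 1)  # lowest bit of the first word: effective flag

def classify(mode, uid, raw):
    """Return a finding for one file, or None if it carries no extra privilege."""
    if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0:
        return "SETUID-ROOT"
    caps = decode_file_caps(raw)[0] if raw else set()
    red = sorted(caps & RED)
    label = "DANGEROUS-CAPS: " if red else "CAPS: "
    return (label + ",".join(red or sorted(caps))) if caps else None

def audit(root):
    """Yield (path, finding) for privileged files under root (Linux only)."""
    for d, _, files in os.walk(root):
        for path in (os.path.join(d, f) for f in files):
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                raw = b""  # ENODATA: no file capabilities set
            try:
                finding = classify(st.st_mode, st.st_uid, raw)
            except ValueError as e:
                finding = f"UNPARSEABLE-CAPS: {e}"
            if finding:
                yield path, finding

# Constructed sample xattr: revision 2, effective flag, CAP_KILL + CAP_SYS_PTRACE.
SAMPLE = struct.pack("<IIIII", 0x02000001, (1 << 5) | (1 << 19), 0, 0, 0)
```

Calling `list(audit("/usr/bin"))` on a Linux host gives the inventory to review; a SETUID file owned by a non-root user is deliberately not flagged, matching the lecture's advice to prefer SETUID as a dedicated user over SETUID as root.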