Linux Capabilities Revisited: A Deep Dive into Granular Privilege Management

By /

Listen to this Post

Featured Image
Linux capabilities provide a fine-grained access control mechanism, offering more precision than the traditional all-or-nothing root model. Attackers often exploit misconfigured capabilities to escalate privileges or establish persistent backdoors. Understanding and managing these capabilities is crucial for securing Linux systems.

You Should Know:

1. Viewing Capabilities

To check capabilities assigned to a binary:

getcap -r / 2>/dev/null

This recursively searches the filesystem for files with capabilities.

2. Setting Capabilities

Use `setcap` to assign capabilities to a binary:

sudo setcap 'cap_net_bind_service=+ep' /path/to/binary

This grants the binary the ability to bind to privileged ports (<1024).

3. Removing Capabilities

To strip capabilities:

sudo setcap -r /path/to/binary

4. Common Exploitable Capabilities

  • CAP_DAC_OVERRIDE: Bypasses file permission checks.
  • CAP_SETUID: Allows changing UID (can lead to root escalation).
  • CAP_SYS_ADMIN: Near-root privileges (mount filesystems, debug processes).

5. Hardening Linux Systems

  • Audit capabilities regularly: 
    getcap -r / > /var/log/capabilities_audit.log
  • Restrict unnecessary capabilities in containers: 
    docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE my_image

6. Detecting Malicious Use

Monitor capability changes with auditd:

sudo auditctl -w /usr/bin/setcap -p x -k capabilities

7. Exploit Example (CAP_SETUID Abuse)

If a binary has CAP_SETUID, an attacker can escalate privileges: 

./vulnerable_binary
whoami  Now root?

What Undercode Say:

Linux capabilities are powerful but dangerous if mismanaged. Regularly audit and restrict them, especially in containerized environments. Attackers increasingly target misconfigured capabilities for privilege escalation. Combine capability restrictions with SELinux/AppArmor for defense-in-depth.

Expected Output:

$ getcap /usr/bin/ping 
/usr/bin/ping = cap_net_raw+ep

For further reading, visit the original article: Linux Capabilities Revisited.

Prediction:

As cloud-native environments grow, capability-based attacks will rise. Expect more automated tools for capability auditing and exploitation in red-team toolkits.

References:

Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: