def capabilities(pid): permitted = None capng.capng_setpid(pid) capng.capng_clear(capng.CAPNG_SELECT_BOTH) capng.capng_get_caps_process() caps = capng.capng_have_capabilities(capng.CAPNG_SELECT_CAPS) if caps > capng.CAPNG_NONE: if caps == capng.CAPNG_PARTIAL: permitted = capng.capng_print_caps_text(capng.CAPNG_PRINT_BUFFER, capng.CAPNG_PERMITTED) if capng.capng_have_capabilities( capng.CAPNG_SELECT_BOUNDS) == capng.CAPNG_FULL: permitted += "+" else: permitted = "full" return permitted
import time load_path = '../' if False: sys.path.insert(0, load_path) import capng last = capng.CAP_LAST_CAP try: with open('/proc/sys/kernel/cap_last_cap', 'r') as f: last = int(f.readline()) except IOError as e: print "Error opening /proc/sys/kernel/cap_last_cap: {0}".format(e.strerror) print("Doing basic bit tests...") capng.capng_clear(capng.CAPNG_SELECT_BOTH) if capng.capng_have_capabilities(capng.CAPNG_SELECT_BOTH) != capng.CAPNG_NONE: print("Failed clearing capabilities\n") sys.exit(1) capng.capng_fill(capng.CAPNG_SELECT_BOTH) if capng.capng_have_capabilities(capng.CAPNG_SELECT_BOTH) != capng.CAPNG_FULL: print("Failed filling capabilities") sys.exit(1) text = capng.capng_print_caps_numeric(capng.CAPNG_PRINT_BUFFER, capng.CAPNG_SELECT_CAPS) len = len(text) if len < 80 and last > 30: last = 30
#---------------------------------------------------------------------------# # drop root privileges retaining capability CAP_NET_BIND_SERVICE #---------------------------------------------------------------------------# def getsgroups(gid): grnam = grp.getgrgid(gid).gr_name sgroups = [] groups = grp.getgrall() for group in groups: if grnam in group.gr_mem: sgroups.append(grp.getgrnam(group.gr_name).gr_gid) return sgroups try: capng.capng_clear(capng.CAPNG_SELECT_BOTH) capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE|capng.CAPNG_PERMITTED, capng.CAP_NET_BIND_SERVICE) if config.sgroups: sgroups = getsgroups(config.gid) if sgroups: os.setgroups(sgroups) capng.capng_change_id(config.uid, config.gid, capng.CAPNG_CLEAR_BOUNDING) else: capng.capng_change_id(config.uid, config.gid, capng.CAPNG_CLEAR_BOUNDING|capng.CAPNG_DROP_SUPP_GRP) logger.debug("Changed uid/gid to %d:%d." % (config.uid, config.gid)) except OSError: logger.critical("Cannot change uid/gid to %d:%d. Nonexistent uid/gid or insufficient privileges." % (config.uid, config.gid)) os._exit(1) #---------------------------------------------------------------------------# # signal handler