Making Root Unprivileged

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/capability.h>

int main(int argc, char * argv[])
{
    int   i, ret;
    char  *cmd;
    char  **argvp;
    cap_t cap = cap_get_proc();
    int   v[CAP_LAST_CAP+1];

    if (!cap)
        return -1;

    for (i=0; i<=CAP_LAST_CAP; i++)
        v[i] = i;

    if (cap_set_flag(cap, CAP_INHERITABLE,
                     CAP_LAST_CAP+1, v, CAP_SET))
        return -1;

    if (cap_set_proc(cap))
        return -1;

    cap_free(cap);

    ret = prctl(PR_SET_SECUREBITS, 0xf);
    if (ret) {
        perror("prctl securebits");
        exit(ret);
    }
    argvp = &argv[1];
    cmd   = argvp[0];
    ret   = execv(cmd, argvp);
    perror("execv");
    return ret;
}

The wrapper locks itself into secure_noroot and secure_nosuidfixup mode using the prctl() system call. Then, it executes its first argument (ssh), passing the remaining arguments to the newly executed program, ssh. Compile capwrap, and copy it into /sbin:

# gcc -o capwrap capwrap.c -lcap
# cp capwrap /sbin/

Then, edit /etc/init.d/sshd to execute capwrap. Find the start() function, and place /sbin/capwrap in front of the line that actually executes sshd. That line then becomes:

/sbin/capwrap $SSHD $OPTIONS && success || failure

Of course, sshd will require some privilege to change userid and groupid among other things. Being lazy, for now, just set all capabilities using the command:

hallyn@kvm# setcap all=ei /usr/sbin/sshd

If you try restarting sshd right now, you'll be met with a silent failure. Instead, try this to start it by hand and see debugging output:

hallyn@kvm# /etc/init.d/sshd stop
hallyn@kvm# /sbin/capwrap /usr/sbin/sshd -Dd

Among other things, you'll see:

debug1: permanently_set_uid: 74/74
permanently_set_uid: was able to restore old [e]gid

sshd is complaining that it is able to restore its uid after switching to uid 74 (the ssh userid). This is problematic. Because you locked ssh into nosuid_fixup mode, switching from uid 0 to a non-0 uid does not clear out pE automatically. This means the process keeps CAP_SETUID and CAP_SETGID, so it is able to reset itsuid to 0 at any time.

The right solution is to modify the sshd source to separate the privilege handling from the userid handling. But, for this experiment, let's just stop sshd from complaining! It is wrong, but perhaps not quite as bad as it seems, because when sshd executes the user's login shell, pP and pE will be recalculated anyway.

Download opensshd_caps.patch (see Resources), and use the following steps to apply the above patch:

# yum install audit-libs-devel tcp_wrappers-devel libedit-devel
# yumdownloader --source openssh
# rpm -i openssh-*.rpm
# cd /root/rpmbuild/
# rpmbuild -bc SPECS/openssh*
# cd BUILD/openssh-*/
# patch < /usr/src/opensshd_caps.patch
# make && make install
# setcap all=ei /usr/sbin/sshd
# /etc/init.d/sshd start

Now ssh in as root, and use capsh to print your capability status:

root@kvm# /sbin/capsh --print
Current: =
Bounding set =(full set of capabilities)
Securebits: 057/0x2f
secure-noroot: yes (locked)
secure-no-suid-fixup: yes (locked)
secure-keep-caps: no (unlocked)
uid=0

SSH logins are locked in secure-noroot and secure-nosuid-fixup.

The root userid now carries no privileges, but the system still requires administration. That requires privilege. So, let's define several partially privileged users. At login, each will receive inheritable capabilities sufficient to achieve some task. Working out the most useful combinations of capabilities to assign to select users is an interesting exercise, but for now let's focus on three users: netadmin, which can change network settings; useradmin, which can add and delete users, kill their processes and modify their files; and privadmin, which can change file capabilities and users' inheritable capabilities.

Create the users:

# adduser -m privadmin
# passwd privadmin
# adduser -m useradmin
# passwd useradmin
# chown privadmin /etc/security/capability.conf

The new capability.conf file follows:

cap_net_admin netadmin
cap_chown,cap_dac_overide,cap_fowner,cap_kill useradmin
cap_setfcap privadmin
none *

privadmin may set file capabilities (cap_setfcap), so make him the owner of the capabilities.conf file, so he can set pI for users. useradmin can manipulate other users' files and processes. netadmin remains unchanged. (Note, privadmin can give himself whatever privilege he wants. A good audit policy and a limited tool for editing capability.conf would help mitigate that risk.)

You also need to set some inheritable file capabilities on system administration utilities to grant these users privilege. Listing 2 shows a small list to get started. For brevity, let's just assign all capabilities to the inheritable set. You can apply these using the script in Listing 3 using sh loopcaps.sh admincaplist. Finally, you'll need to let useradmin execute useradd using chmod o+x /usr/sbin/useradd.