Combine unshare and capsh to restrict a user or program


Postby ruffwoof » 2018-06-01 20:26

Imagine where firefox is running and a flaw in the code enables a breakout and remote command execution. Initially the hacker will have dropped to the same authority as the owner of the firefox task, typically a normal userid. From there however they might try and privilege escalate - look for a means to elevate themselves to remote root authority.

What however if they broke out of the browser, dropped into the user's authority and then upon looking around saw that PID 0 was a simple /bin/sh, all other PIDs were apparently hidden away, and also that the authority level of the userid they'd broken into was so restricted it was pretty much useless?

Here's a simple example as a guide to how that might be set up using the unshare and capsh commands (I ran all of this under Debian Stretch) ...

I created a test script called capsh-test containing ...
Code:
#!/bin/sh
unshare -p --mount-proc=/proc -f /sbin/capsh --drop=cap_chown  --keep=1 --user=root -- -c /bin/sh --

Made it executable (chmod +x capsh-test) and ran it ...

# ./capsh-test

... running ps -ef indicates PID 0 is /bin/sh i.e. it can't see other PIDs
Code:
sh-4.4# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 21:19 pts/0    00:00:00 /bin/sh
root         2     1  0 21:19 pts/0    00:00:00 ps -ef
sh-4.4#

Creating a file and then attempting to chown that file isn't permitted, despite being root
Code:
sh-4.4# echo >tst
sh-4.4# ls -l tst
-rw-r--r-- 1 root root 1 Jun  1 21:21 tst
sh-4.4# chown nobody tst
chown: changing ownership of 'tst': Operation not permitted
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root)

Exiting from the script, back to normal root and we can chown the file as usual
Code:
sh-4.4# exit
exit
# ls -l tst
-rw-r--r-- 1 root root 1 Jun  1 21:21 tst
# chown nobody tst
# ls -l tst
-rw-r--r-- 1 nobody root 1 Jun  1 21:21 tst
#

The above snippet of code restricted just PID visibility and the chown command. We can extend that further however to be much more restrictive ... in Debian Stretch when I run firefox-esr I'm capsh'ing (--drop= capsh values of) ...
Code:
--drop=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read

and where I run a script (that sets up the environment I prefer) that in turn runs firefox-esr instead of just running /bin/sh as per the second to last command in the script above.

Of course I also set that to a non-root userid (--user=xxxxx parameter). That way firefox is running with pretty extreme restrictions. If a flaw in the browser enabled a breakout then the hacker drops to the same authority as the parent i.e. non-root userid and into an environment where commands such as chown (and a whole bunch of others) are restricted.

Of course nothing is truly safe, however what with Firefox internally running tasks in sandboxes and where the parent of the running firefox process is in effect decapitated, but where firefox still runs as expected ... then that's additional hurdles/barriers that a potential hacker has to overcome/circumvent.

So far with that setup/script for firefox-esr I've managed to post as per here, watch youtubes, install the usual noscript/ublock-origin/user-agent spoofer ...etc. and all seems to be working fine. No guarantees however as something might still yet pop out unexpectedly. [user agent spoofer?? What's that?? I use one pretty religiously as broadcasting what operating system and browser (along with versions) you are running openly - opens you up to attacks being specifically targeted against that combination of OS and browser/version. A user agent extension enables you to broadcast a different OS/browser, so any specific attacks launched at that combination of OS/browser are most unlikely to be successful. Debian/firefox-esr being used, MacOS/Safari browser apparently being used. Yes that can have some web sites display incorrectly, but it's easy to turn user-agent off and reload the web page for such cases].
ruffwoof
 
Posts: 271
Joined: 2016-08-20 21:00
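
Added example, not part of the post above: a check that decodes the CapBnd mask from /proc/self/status and compares it with a capsh --drop list, so the restriction can be confirmed from inside the restricted shell. The function names and the sample masks are constructed for illustration, and the bit order assumes the kernel's 38 capabilities numbered 0 to 37. Decoding the mask left by the long --drop list above shows that cap_dac_override, cap_dac_read_search and cap_linux_immutable are not in that list and stay in the bounding set.

```shell
#!/bin/sh
# Capability names in kernel bit order (bit 0 = cap_chown, bit 37 = cap_audit_read).
# Capabilities added by newer kernels (bit 38 and up) are not decoded here.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read"

# caps_in_mask HEX: print the names of the capabilities whose bit is set in HEX.
caps_in_mask() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# leaked_caps HEX DROPLIST: print every capability from the comma-separated
# DROPLIST that is still set in HEX (empty output means the drop took effect).
leaked_caps() {
    present=" $(caps_in_mask "$1") "; out=""
    for want in $(echo "$2" | tr ',' ' '); do
        case "$present" in *" $want "*) out="$out $want" ;; esac
    done
    echo "${out# }"
}

# current_capbnd: bounding-set mask of the calling process, as a hex string.
current_capbnd() { awk '/^CapBnd:/ { print $2 }' /proc/self/status; }

# Run as "sh thisfile --check <droplist>" from inside the restricted shell.
if [ "${1:-}" = "--check" ]; then
    bnd=$(current_capbnd)
    echo "still in bounding set: $(caps_in_mask "$bnd")"
    leaked=$(leaked_caps "$bnd" "${2:-}")
    if [ -n "$leaked" ]; then echo "NOT dropped: $leaked"; exit 1; fi
    echo "all listed capabilities are dropped"
fi
```
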

Re: Combine unshare and capsh to restrict a user or program

Postby chaanakya » 2018-06-26 18:59

Why not use firejail? It has quite a bit of fine-grained control :)
chaanakya
 
Posts: 7
Joined: 2011-10-17 15:03

