Removing Linux kernel capabilities


As you may know, Linux has capabilities. Maybe you don’t need all capabilities, if this is your case, you are in luck, since you can remove it using the lcap tool.

To list all Linux capabilities:

~# lcap
Current capabilities: 0xFFFDFCFF
   0) *CAP_CHOWN                     1) *CAP_DAC_OVERRIDE
   2) *CAP_DAC_READ_SEARCH           3) *CAP_FOWNER
   4) *CAP_FSETID                    5) *CAP_KILL
   6) *CAP_SETGID                    7) *CAP_SETUID
   8) *CAP_SETPCAP                   9) *CAP_LINUX_IMMUTABLE
  12) *CAP_NET_ADMIN                13) *CAP_NET_RAW
  14) *CAP_IPC_LOCK                 15) *CAP_IPC_OWNER
  16) *CAP_SYS_MODULE               17)  CAP_SYS_RAWIO
  18) *CAP_SYS_CHROOT               19) *CAP_SYS_PTRACE
  20) *CAP_SYS_PACCT                21) *CAP_SYS_ADMIN
  22) *CAP_SYS_BOOT                 23) *CAP_SYS_NICE
  24) *CAP_SYS_RESOURCE             25) *CAP_SYS_TIME
  26) *CAP_SYS_TTY_CONFIG           27) *CAP_MKNOD
  28) *CAP_LEASE                    29) *CAP_AUDIT_WRITE
    * = Capabilities currently allowed

For example, I want to disable CAP_CHOWN, so I don’t want that any user (including root) has the possibility to change the file owner. So, in this case, the file is UNCHOWNABLE.

Usual way:
# touch file
# chown paul file
Now the file is owned by paul

My preferred way:
First, we remove CHMOD capability
(as root)
# lcap CAP_CHOWN
# touch file
# chown paul file
chown: changing ownership of `file’: Operation not permitted

As you can see, chmod does not work as expected, since we have removed that capability. To restore it, you need to reboot.

You can disable any capability at your own risk ;)

This tool is interesting on servers with a few changes/updates and you want to increase security, for example, to remove the possibility to load/unload a module use CAP_SYS_MODULE,  it helps a bit for rootkits,  for files that you don’t want to be modified in anyway, you can use CAP_LINUX_IMMUTABLE on /bin, /usr/bin, /sbin, /usr/sbin to have expected binaries (checksums). Try to play with any capabilitiy and see if is interesting for you.

For further info: man lcap

See you!


2 thoughts on “Removing Linux kernel capabilities

  1. This strikes me as a very dangerous utility…which is my favorite kind! Thanks very much! I had no idea this existed.

    It doesn’t seem to come by default with Slackware, RHEL/CentOS, or Debian/Ubuntu. Did you have to install it, or did it come with your distro (and which was it?)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s