LinSec userspace tools

Userspace tools

lspasswd

Tool for setting and changing the linsec password. It takes no command line options.

lsenable & lsdisable

lsenable and lsdisable ask for the linsec password.

If the password is correct, lsenable sets all capabilities in the inheritable capability set (pI) of the parent process; lsdisable clears the parent’s pI capset.

In order to use the other tools (capadm and adadm), don’t forget to run ‘lsenable’ first.

capadm

Capability manipulation tool. If you start it without command line options, you will get the general help. capadm usage is divided into five sections:

File capabilities manipulation (switch -F)
User capabilities manipulation (switch -U)
User capability groups manipulation (switch -G)
Process capabilities manipulation (switch -P)
Global bounding capability set manipulation (switch -B)

File capabilities manipulation

You can add or remove capabilities to/from files, set the full capability set on a file, or clear all capabilities from a file. Type capadm -F for help.

It is very important to understand that files have three capability sets: Allowed (fA), Forced (fF) and Effective (fE). It is equally important to understand how those sets are combined into the process capability sets (Permitted, Effective, Inheritable). The best way to understand this is to read the extensive documentation.

File capabilities help

=> capadm -F [-a | -r] filename [fA | fF | fE] caps…
[-f | -l] filename [fA | fF | fE]
[-v] filename

-a Add capability(ies) to file fA/fF/fE capset
-r Remove capability(ies) from file fA/fF/fE capset
-f Set full capability set to file fA/fF/fE capset
-l Clear all capabilities from file fA/fF/fE capset
-v View file capability sets

User capabilities manipulation

First of all, both capadm and adadm (the Access Domain manipulation tool) use the same user structures for storing users’ data (under /etc/linsec). In order to do anything with a user, you first have to create its user structure.

capadm lets you create, delete or view a user structure. A user can be identified either by username or by UID.

Every user has its own permitted set (uP, user permitted) and bounding set (uB, user bounding). Both uP and uB can be manipulated (capabilities added or removed).

There is also the ‘user capability group’, which you may think of as a template.

Every user is by default a member of the default capability group 0. With capadm you may add a user to one or more previously created groups.

User capabilities help

=> capadm -U [-c | -d | -v] username
[-a | -r] username [uP | uB] caps…
[-f | -l] username [uP | uB]
[-g | -t] username cgrp
[-s]

-c Create user structure
-d Delete user structure
-v View user structure
-a Add capability(ies) to user uP/uB capset
-r Remove capability(ies) from user uP/uB capset
-f Set full capability set to user uP/uB capset
-l Clear all capabilities from user uP/uB capset
-g Add capability group (cgrp) to user
-t Remove capability group (cgrp) from user
-s Show all created user capability structures

User capability groups manipulation

As with users, in order to manipulate capability groups you first have to create the group structure.

User capability groups help

=> capadm -G [-c | -d | -v] cgrp
[-a | -r] cgrp caps…
[-f | -l] cgrp
[-s | -h]

-c Create capability group structure
-d Delete capability group structure
-v View capability group structure
-a Add capability(ies) to capability group
-r Remove capability(ies) from capability group
-f Set full capability set to capability group
-l Clear all capabilities from capability group
-s Show all created capability groups
-h This help

Process capability manipulation

Every process has three capability sets: Effective (pE), Permitted (pP) and Inheritable (pI). With capadm you can add or remove capabilities in them, set the full set or clear it, and view them.

Process capabilities help

=> capadm -P [-a | -r] pid [pE | pP | pI] caps…
[-f | -l] pid [pE | pP | pI]
[-v] pid

-a Add capability(ies) to process’ pE/pP/pI capset
-r Remove capability(ies) from process’ pE/pP/pI capset
-f Set full capability set to process’ pE/pP/pI capset
-l Clear all capabilities from process’ pE/pP/pI capset
-v View process capability sets

Global bounding capability set manipulation

Global bounding set capabilities help

=> capadm -B [-a | -r] caps…
[-f | -l]
[-v]

-a Add capability(ies) to global bounding set
-r Remove capability(ies) from global bounding set
-f Set full capability set in global bounding set
-l Clear all capabilities from global bounding set
-v View global bounding set
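A worked sequence of the capadm commands from the file, user and group sections above, added here as an example; it is not part of the LinSec tools. It assumes capabilities are spelled CAP_* (not stated on the page), and the user name, group name and file path are placeholders.

```shell
#!/bin/sh
# Added example, not part of the LinSec tools: provision a user with a
# capability group and give a binary a Forced (fF) capability, using the
# capadm syntax documented above. Assumptions (not from the page): capability
# names are spelled CAP_*; user "alice", group "svc" and /opt/svc/bin/svcd
# are placeholders.
set -eu

# DRY_RUN=1 (the default here) prints each command instead of executing it,
# so the whole sequence can be reviewed before it is applied with DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# lsenable fills the inheritable capset (pI) of its *parent* process, i.e. the
# shell running this script, so it has to be run from the same shell as the
# capadm calls that follow. It prompts for the linsec password.
enable_linsec() {
    run lsenable
}

# Create the user structure (shared with adadm), create a capability group to
# act as a template, fill it with capabilities, attach it to the user, and
# finally view the resulting user structure.
provision_capability_user() {        # args: username cgrp cap...
    user=$1; cgrp=$2; shift 2
    run capadm -U -c "$user"
    run capadm -G -c "$cgrp"
    run capadm -G -a "$cgrp" "$@"
    run capadm -U -g "$user" "$cgrp"
    run capadm -U -v "$user"
}

# Add capabilities to a file's Forced (fF) set and show all three file sets
# (fA, fF, fE) afterwards so the change can be checked.
set_forced_file_caps() {             # args: file cap...
    file=$1; shift
    run capadm -F -a "$file" fF "$@"
    run capadm -F -v "$file"
}

enable_linsec
provision_capability_user alice svc CAP_NET_BIND_SERVICE
set_forced_file_caps /opt/svc/bin/svcd CAP_NET_BIND_SERVICE
```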

adadm

Access Domain manipulation tool. Usage is divided into three sections:

Access Domain Group manipulation (switch -G)
Group Members (files) manipulation (switch -F)
User Access Domain manipulation (switch -U)

Access Domain Group manipulation

Every AD group consists of elements and members. Elements are usually directories, while members are ordinary files. As with user capability groups, you first have to create a group. AD groups 0 and 1 are the defaults (0 is the RW default, 1 the RO default), so you will have to create at least those two.

For further explanation of Access Domain functionality (flags, inheritance, etc.), please read the documentation.

Access Domain Groups help

=> adadm -G [-c | -d | -v | -u] adgrp
[-a] adgrp FLAG file
[-r] adgrp file
[-s | -h]

-c Create access domain group structures
-d Delete access domain group structures
-v View access domain group structures
-u Update access domain group structures
-a Add element (file) to access domain group
-r Remove element (file) from access domain group
-s Show all created access domain groups
-h This help

FLAGS:
NONE – Without flags
EXCL – Exclusion
NINH – No inheritable
BOTH – EXCL & NINH

Group members manipulation

Once you have created all the necessary AD groups, you may start adding members. A file can be a member of a group in one of two ways: read-only (ro) or read/write (rw).

File Access Domain help

=> adadm -F [-a] filename [ro | rw] ADgrp
[-m] filename ADgrp element FLAG
[-r] filename ADgrp
[-v] filename

-a Add file to access domain group
-r Remove file from access domain group
-m Add file to AD group with a modified flag for the given element
-v View file access domain info

FLAGS:
NONE – Without flags
EXCL – Exclusion
NINH – No inheritable
BOTH – EXCL & NINH

User Access Domain manipulation

adadm and capadm use the same files and structures to store users’ data. If you have created a user structure with, for example, capadm, you don’t have to create it again with adadm.

Every user has its own so-called ‘default access domain’, which is usually where you will put the user’s home directory.

A user can also be a member of an Access Domain group.

User Access Domain help

=> adadm -U [-c | -d | -v] username
[-a | -r] username element
[-g | -t] username [ro | rw] adgrp
[-s]

-c Create user structure
-d Delete user structure
-v View user structure
-a Add element to user default access domain
-r Remove element from user default access domain
-g Add AD group to user
-t Remove AD group from user
-s Show all created users
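A worked sequence of the adadm commands from the group, member and user sections above, added here as an example; it is not part of the LinSec tools. The directories, the member file and the user name are placeholders, and the user structure is assumed to exist already (created with capadm or adadm -U -c).

```shell
#!/bin/sh
# Added example, not part of the LinSec tools: create the two default Access
# Domain groups the page says must exist (0 = RW default, 1 = RO default), add
# elements with flags and a member file, and extend a user's default access
# domain, using the adadm syntax documented above. Assumptions (not from the
# page): directories, the user "alice" and the member file are placeholders.
set -eu

# DRY_RUN=1 (the default here) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create an AD group and add directory elements to it. The flag is a required
# positional argument; NONE adds the element without flags, EXCL and NINH are
# the Exclusion and No-inheritable flags listed on the page.
create_ad_group() {                  # args: adgrp [FLAG element]...
    adgrp=$1; shift
    run adadm -G -c "$adgrp"
    while [ $# -ge 2 ]; do
        run adadm -G -a "$adgrp" "$1" "$2"
        shift 2
    done
    run adadm -G -v "$adgrp"
}

# Make a file a read-only or read/write member of an existing AD group.
add_member_file() {                  # args: file ro|rw adgrp
    run adadm -F -a "$1" "$2" "$3"
    run adadm -F -v "$1"
}

# Put an element (typically the home directory) into the user's default
# access domain and make the user a member of an AD group. The user structure
# is shared with capadm; create it with "adadm -U -c" only if capadm did not.
setup_user_access_domain() {         # args: username element ro|rw adgrp
    run adadm -U -a "$1" "$2"
    run adadm -U -g "$1" "$3" "$4"
    run adadm -U -v "$1"
}

run lsenable                          # needed before any adadm call
create_ad_group 0 NONE /var/lib/svc NINH /var/lib/svc/keys
create_ad_group 1 NONE /etc/svc
add_member_file /opt/svc/bin/svcd rw 0
setup_user_access_domain alice /home/alice ro 1
```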