deescalate API

Functions

- lockdown_account(uid=None, gid=None, caps_to_keep=None)

  Deescalate the privileges of the running process.

  lockdown_account will:
  - set the secure bits noroot, keep_caps, no_setuid_fixup and their locked companions
  - perform a setgid and a setuid
  - restrict the 3 cap sets and the bounding set to the list given in caps_to_keep
  - set no_new_privs

  Parameters:
  - uid (int or string, optional) -- switch to this UID
  - gid (int or string, optional) -- switch to this GID
  - caps_to_keep (list of bytes, optional) -- a list of capabilities to keep

  Raises:
  - RuntimeError -- if some capability operation fails
  - OSError -- operation not permitted

  Note: when not on Linux, only setgid and setuid will be performed.

  Examples:
  >>> lockdown_account('www-data', 'www-data', 'net_bind_service')
  >>> lockdown_account('scapy', 'scapy', ['net_admin', 'net_raw'])
- get_securebits()

  Return the currently defined secure bits.

  Returns: 2-tuple (the securebits as an int, a dict of securebits)

- set_noroot(locked=True)

  Set the SECBIT_NOROOT securebit.

  Parameters: locked (bool) -- if True, also set SECBIT_NOROOT_LOCKED
  Raises: RuntimeError -- if operation fails

- set_keep_caps(locked=True)

  Set the SECBIT_KEEP_CAPS securebit.

  Parameters: locked (bool) -- if True, also set SECBIT_KEEP_CAPS_LOCKED
  Raises: RuntimeError -- if operation fails

- set_no_setuid_fixup(locked=True)

  Set the SECBIT_NO_SETUID_FIXUP securebit.

  Parameters: locked (bool) -- if True, also set SECBIT_NO_SETUID_FIXUP_LOCKED
  Raises: RuntimeError -- if operation fails

- set_no_new_privs()

  Set no_new_privs.

  Notes:
  - With no_new_privs set, execve promises not to grant the privilege to do anything that could not have been done without the execve call.
  - See the prctl manual page.
Capability sets

- class CapabilitySet(capset)

  Bases: deescalate._deescalate.C_CapabilitySet

  Represents a set of capabilities.

  Notes:
  Usually a CapabilitySet is used directly through one of its instance objects (effective, permitted, inheritable).

  A CapabilitySet is iterable, so to get the capabilities it contains:
  set(effective)

  To check if a capability is in the set:
  b'net_admin' in effective

  Arithmetic operators can be used to add/remove capabilities:
  effective -= b'net_admin'
  permitted += b'net_raw'
  inheritable += b'setuid, setgid'
  inheritable -= [b'sys_chroot', b'sys_ptrace']

- class BoundingSet

  Bases: deescalate._deescalate.C_BoundingSet

  Represents the bounding capability set.

  Notes:
  BoundingSet is iterable:
  list_of_caps = list(bounding_set)

  To check if a capability is in the bounding set:
  b'net_admin' in bounding_set

  The BoundingSet only supports removing some of the capabilities it contains. Use:
  bounding_set -= b'net_admin,mac_override'
  bounding_set -= [b'syslog', b'wake_alarm']

- permitted = <deescalate.main.CapabilitySet object>
  Permitted capability set

- effective = <deescalate.main.CapabilitySet object>
  Effective capability set

- inheritable = <deescalate.main.CapabilitySet object>
  Inheritable capability set

- bounding_set = <deescalate.main.BoundingSet object>
  Capability bounding set
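The page documents what lockdown_account does (drop to a UID/GID, set all six securebits, restrict the three capability sets and the bounding set to caps_to_keep, set no_new_privs) and the forms in which capability names are given to the capability sets (b'net_admin', b'net_admin,mac_override', a list of bytes), but it does not show how a service would confirm afterwards that the lockdown actually took effect. The following is an added example, not code from the deescalate project: it parses the capability fields and NoNewPrivs from /proc/<pid>/status text, decodes a securebits integer using the SECBIT_* values from the Constants section, and normalises a caps_to_keep spec the same way the page's examples spell it. Assumptions, labelled as such: the capability bit positions are taken from the order of C.HARD_CODED_CAPS (index == Linux capability number), the two /proc status texts are constructed for the example, and on a real Linux system the inputs would be open('/proc/self/status').read() and the integer in get_securebits()[0].

```python
from typing import Dict, Iterable, List, Set, Union

# Same order as C.HARD_CODED_CAPS on this page; the list index is the capability bit
# (assumption: this matches the kernel's CAP_* numbering, which is how the masks in
# /proc/<pid>/status are laid out).
HARD_CODED_CAPS = [
    'chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'kill',
    'setgid', 'setuid', 'setpcap', 'linux_immutable', 'net_bind_service',
    'net_broadcast', 'net_admin', 'net_raw', 'ipc_lock', 'ipc_owner',
    'sys_module', 'sys_rawio', 'sys_chroot', 'sys_ptrace', 'sys_pacct',
    'sys_admin', 'sys_boot', 'sys_nice', 'sys_resource', 'sys_time',
    'sys_tty_config', 'mknod', 'lease', 'audit_write', 'audit_control',
    'setfcap', 'mac_override', 'mac_admin', 'syslog', 'wake_alarm', 'block_suspend',
]
CAP_BIT = {name: bit for bit, name in enumerate(HARD_CODED_CAPS)}

# Securebit values from the Constants section of this page.
SECBITS = {'noroot': 1, 'noroot_locked': 2, 'no_setuid_fixup': 4,
           'no_setuid_fixup_locked': 8, 'keep_caps': 16, 'keep_caps_locked': 32}
ALL_SECBITS = sum(SECBITS.values())  # 63: every bit lockdown_account is documented to set

CapSpec = Union[str, bytes, Iterable[Union[str, bytes]]]


def parse_cap_spec(spec: CapSpec) -> Set[str]:
    """Normalise b'net_admin', 'a, b' or [b'x', b'y'] to a set of capability names.

    Unknown names raise ValueError so that a typo cannot silently widen the policy."""
    items = [spec] if isinstance(spec, (str, bytes)) else list(spec)
    names: Set[str] = set()
    for item in items:
        text = item.decode('ascii') if isinstance(item, bytes) else item
        for name in text.split(','):
            name = name.strip().lower()
            if name and name not in CAP_BIT:
                raise ValueError('unknown capability: %r' % name)
            if name:
                names.add(name)
    return names


def decode_cap_mask(mask: int) -> Set[str]:
    """Turn a CapXxx hex mask into names; bits beyond the known list become cap_<n>."""
    names, bit = set(), 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(HARD_CODED_CAPS[bit] if bit < len(HARD_CODED_CAPS) else 'cap_%d' % bit)
        bit += 1
    return names


def parse_proc_status(status_text: str) -> Dict[str, object]:
    """Extract the four capability masks and NoNewPrivs from /proc/<pid>/status text."""
    out: Dict[str, object] = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(':')
        if key in ('CapInh', 'CapPrm', 'CapEff', 'CapBnd'):
            out[key] = decode_cap_mask(int(value.strip(), 16))
        elif key == 'NoNewPrivs':
            out[key] = value.strip() == '1'
    return out


def decode_securebits(value: int) -> Dict[str, bool]:
    """Same shape as the dict get_securebits() returns: name -> whether the bit is set."""
    return {name: bool(value & bit) for name, bit in SECBITS.items()}


def verify_lockdown(status_text: str, securebits: int, caps_to_keep: CapSpec = ()) -> List[str]:
    """Return every deviation from the state lockdown_account leaves behind (empty == as expected)."""
    expected = parse_cap_spec(caps_to_keep)
    st = parse_proc_status(status_text)
    problems: List[str] = []
    for field in ('CapInh', 'CapPrm', 'CapEff', 'CapBnd'):
        extra = st.get(field, set()) - expected  # type: ignore[operator]
        if extra:
            problems.append('%s has unexpected capabilities: %s' % (field, ', '.join(sorted(extra))))
    if not st.get('NoNewPrivs', False):
        problems.append('NoNewPrivs is not set')
    problems += ['securebit %s is not set' % n for n, on in decode_securebits(securebits).items() if not on]
    return problems


# Constructed sample inputs (not captured from a real host). The first is what a process
# looks like after lockdown_account(..., 'net_bind_service'); the second kept a full
# bounding set and never set no_new_privs, with only the noroot bits on (securebits == 3).
SAMPLE_STATUS_OK = "Name:\tdaemon\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n" \
                   "CapEff:\t0000000000000400\nCapBnd:\t0000000000000400\nNoNewPrivs:\t1\n"
SAMPLE_STATUS_BAD = "Name:\tdaemon\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n" \
                    "CapEff:\t0000000000000400\nCapBnd:\t0000001fffffffff\nNoNewPrivs:\t0\n"

if __name__ == '__main__':
    print('ok sample  :', verify_lockdown(SAMPLE_STATUS_OK, ALL_SECBITS, 'net_bind_service'))
    print('bad sample :', verify_lockdown(SAMPLE_STATUS_BAD, 3, b'net_bind_service'))
```

Running verify_lockdown right after lockdown_account, and refusing to serve if it returns anything, turns the documented post-conditions into a check that fails closed; the parser deliberately treats a bit it does not know (cap_<n>) as a capability that must be justified rather than ignoring it.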
Constants

- class C

  Bases: object

  Gather the various constants used by deescalate.

  - HARD_CODED_CAPS = ['chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'kill', 'setgid', 'setuid', 'setpcap', 'linux_immutable', 'net_bind_service', 'net_broadcast', 'net_admin', 'net_raw', 'ipc_lock', 'ipc_owner', 'sys_module', 'sys_rawio', 'sys_chroot', 'sys_ptrace', 'sys_pacct', 'sys_admin', 'sys_boot', 'sys_nice', 'sys_resource', 'sys_time', 'sys_tty_config', 'mknod', 'lease', 'audit_write', 'audit_control', 'setfcap', 'mac_override', 'mac_admin', 'syslog', 'wake_alarm', 'block_suspend']
    List of usual capabilities on Linux
  - NB_HARD_CODED = 37
    Number of caps in HARD_CODED_CAPS
  - SECBIT_KEEP_CAPS = 16
    SECBIT_KEEP_CAPS securebit
  - SECBIT_KEEP_CAPS_LOCKED = 32
    SECBIT_KEEP_CAPS_LOCKED securebit
  - SECBIT_NOROOT = 1
    NOROOT securebit
  - SECBIT_NOROOT_LOCKED = 2
    NOROOT_LOCKED securebit
  - SECBIT_NO_SETUID_FIXUP = 4
    NO_SETUID_FIXUP securebit
  - SECBIT_NO_SETUID_FIXUP_LOCKED = 8
    NO_SETUID_FIXUP_LOCKED securebit
  - SUPPORTED_CAPS = {}
    Capabilities supported by the running platform
  - UNSUPPORTED_CAPS = ['chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'kill', 'setgid', 'setuid', 'setpcap', 'linux_immutable', 'net_bind_service', 'net_broadcast', 'net_admin', 'net_raw', 'ipc_lock', 'ipc_owner', 'sys_module', 'sys_rawio', 'sys_chroot', 'sys_ptrace', 'sys_pacct', 'sys_admin', 'sys_boot', 'sys_nice', 'sys_resource', 'sys_time', 'sys_tty_config', 'mknod', 'lease', 'audit_write', 'audit_control', 'setfcap', 'mac_override', 'mac_admin', 'syslog', 'wake_alarm', 'block_suspend']
    Capabilities not supported by the running platform

  SUPPORTED_CAPS and UNSUPPORTED_CAPS depend on the platform the module runs on, so the values rendered here are those of the host that built this page, not necessarily those of your system.