LCAP - Linux Kernel Capability Remover
Copyright (C) 1999-2000 spoon@ix.netcom.com

"Capabilities" are a form of kernel-based access control.  Linux kernel
versions 2.2.11 and greater include the idea of a "capability bounding set".
The bounding set is a list of capabilities that can be held by any process
on the system.  If a capability is removed from the bounding set, the
capability may not be used by any process on the system (even processes
owned by root!).

LCAP allows a system administrator to remove specific capabilities
from the kernel in order to make the system more secure.
LCAP modifies the value in the sysctl file "/proc/sys/kernel/cap-bound".

For example, if a system administrator wishes to disallow the loading
of kernel modules, the following command line would be executed:

  lcap CAP_SYS_MODULE

LCAP would then remove the capability from the bounding set.  No more
modules may be loaded into the kernel on this system.

The only process that may add capabilities back to the kernel is
init.  Capabilities that have been removed are added again at the
next system boot.  LCAP would be a handy program to call in 
/etc/rc.d/rc.local in order to set up the desired security of your
system.

LCAP also has the ability to set certain functionality in the Linux
Intrusion Detection System (LIDS) kernel patch
(http://www.turbolinux.com.cn/lids/).

Messing around with LCAP can severely mess up your system, so be very
careful.  You may need to reboot quite often when testing out
the deletion of various capabilities.

Syntax:
  lcap -h
    Shows a help message.
  lcap
    Shows current settings.
  lcap [-v[v]] capability ...
    Remove capabilities (using either name or bit number) from bounding
    set.  The -v[v] option provides verbose and more verbose messages.
  lcap [-v[v]] -z capability ...
    Zero out the bounding set except for the capabilities listed.
    This allows for shorter command lines if more capabilities are to
    be zeroed out than kept.
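The following C program is an added example, not LCAP's own source. It
shows the arithmetic behind both command forms above: the plain form
clears the bit of each named capability from the bounding set, and the
-z form ANDs the current set with a keep-list built from the listed
capabilities. Bit numbers and names come from the table in this README.
It assumes the 2.2/2.4-era sysctl file /proc/sys/kernel/cap-bound
(CAP_BOUND_PATH below), and assumes the kernel presents the 32-bit
kernel_cap_t there as a signed decimal integer, so -1 means every bit
set. The -w flag and the program name are inventions of this example.

```c
/* Added example (not part of LCAP): compute and apply a bounding-set mask
 * the way the README describes. Assumes /proc/sys/kernel/cap-bound holds
 * the 32-bit kernel_cap_t as a signed decimal integer (-1 == all bits). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_BOUND_PATH "/proc/sys/kernel/cap-bound"

/* Bit numbers follow the README's table: bit 0 = CAP_CHOWN ... bit 26. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
};
#define NCAPS ((int)(sizeof cap_names / sizeof cap_names[0]))

/* Resolve a name ("CAP_SYS_MODULE") or a bit number ("16"); -1 if unknown. */
int cap_bit(const char *arg)
{
    char *end;
    long n;
    for (int i = 0; i < NCAPS; i++)
        if (strcmp(arg, cap_names[i]) == 0)
            return i;
    errno = 0;
    n = strtol(arg, &end, 10);
    if (errno == 0 && end != arg && *end == '\0' && n >= 0 && n < NCAPS)
        return (int)n;
    return -1;
}

/* "lcap CAP": clear one capability. An unknown name leaves the mask as is,
 * so a typo can never widen the set. */
uint32_t cap_clear(uint32_t mask, const char *arg)
{
    int b = cap_bit(arg);
    return b < 0 ? mask : (mask & ~(UINT32_C(1) << b));
}

/* Building block for "lcap -z": add one capability to the keep-list mask. */
uint32_t cap_set(uint32_t mask, const char *arg)
{
    int b = cap_bit(arg);
    return b < 0 ? mask : (mask | (UINT32_C(1) << b));
}

/* The sysctl file shows the set as a signed 32-bit decimal; convert to it. */
long long cap_bound_signed(uint32_t mask)
{
    return mask > INT32_MAX ? (long long)mask - 4294967296LL : (long long)mask;
}

/* Parse what the sysctl file shows; returns the 32-bit mask, or -1 on error. */
long long cap_bound_parse(const char *text)
{
    char *end;
    long long v;
    errno = 0;
    v = strtoll(text, &end, 10);
    if (errno != 0 || end == text || v < INT32_MIN || v > INT32_MAX)
        return -1;
    while (*end == ' ' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;
    return (long long)(uint32_t)v;   /* negative values wrap modulo 2^32 */
}

int read_cap_bound(uint32_t *out)
{
    char buf[64];
    long long v;
    FILE *f = fopen(CAP_BOUND_PATH, "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    if ((v = cap_bound_parse(buf)) < 0)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int write_cap_bound(uint32_t mask)
{
    FILE *f = fopen(CAP_BOUND_PATH, "w");
    if (!f)
        return -1;
    if (fprintf(f, "%lld\n", cap_bound_signed(mask)) < 0) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* usage: capbound [-z] [-w] capability ...   (-w actually writes the sysctl) */
int main(int argc, char **argv)
{
    uint32_t cur, next, keep = 0;
    int zero = 0, apply = 0, i = 1;
    for (; i < argc && argv[i][0] == '-'; i++) {
        if (strcmp(argv[i], "-z") == 0) zero = 1;
        else if (strcmp(argv[i], "-w") == 0) apply = 1;
        else i = argc;               /* unknown option: fall through to usage */
    }
    if (i >= argc) {
        fprintf(stderr, "usage: %s [-z] [-w] capability ...\n", argv[0]);
        return 2;
    }
    if (read_cap_bound(&cur) != 0) {   /* e.g. a kernel without cap-bound */
        fprintf(stderr, "note: %s unreadable, computing from the full set\n", CAP_BOUND_PATH);
        cur = UINT32_MAX;
        apply = 0;
    }
    next = cur;
    for (; i < argc; i++) {
        if (cap_bit(argv[i]) < 0) { fprintf(stderr, "unknown capability: %s\n", argv[i]); return 2; }
        if (zero) keep = cap_set(keep, argv[i]);
        else      next = cap_clear(next, argv[i]);
    }
    if (zero)
        next = cur & keep;   /* -z: keep only the listed capabilities */
    printf("current %lld (0x%08lx)\nnew     %lld (0x%08lx)\n",
           cap_bound_signed(cur), (unsigned long)cur,
           cap_bound_signed(next), (unsigned long)next);
    if (apply && write_cap_bound(next) != 0) { perror(CAP_BOUND_PATH); return 1; }
    return 0;
}
```

Running `capbound CAP_SYS_MODULE` prints the mask the README's example
would leave behind (bit 16 cleared, shown as -65537); adding -w performs
the write, which needs root. Note that both modes only ever AND bits out
of the value read from the kernel, matching the README's point that
nothing but init can add capabilities back. On kernels from 2.6.25 on the
cap-bound file no longer exists (the bounding set became per-process),
so the program reports that and only prints the arithmetic.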

bit capability (short description)
----------------------------------
00  CAP_CHOWN (chown(2)/chgrp(2)) ---------------------------------------+
01  CAP_DAC_OVERRIDE (DAC access) --------------------------------------+|
02  CAP_DAC_READ_SEARCH (DAC read) ------------------------------------+||
03  CAP_FOWNER (owner ID not equal to user ID) -----------------------+|||
04  CAP_FSETID (effective user ID not equal to owner ID) ------------+||||
05  CAP_KILL (real/effective ID not equal to process ID) -----------+|||||
06  CAP_SETGID (setgid(2)) ----------------------------------------+||||||
07  CAP_SETUID (set*uid(2)) --------------------------------------+|||||||
08  CAP_SETPCAP (transfer capability) ---------------------------+||||||||
09  CAP_LINUX_IMMUTABLE (immutable and append file attributes) -+|||||||||
10  CAP_NET_BIND_SERVICE (binding to ports below 1024) --------+||||||||||
11  CAP_NET_BROADCAST (broadcast/listening to multicast) -----+|||||||||||
12  CAP_NET_ADMIN (interface/firewall/routing changes) ------+||||||||||||
13  CAP_NET_RAW (raw sockets) ------------------------------+|||||||||||||
14  CAP_IPC_LOCK (locking of shared memory segments) ------+||||||||||||||
15  CAP_IPC_OWNER (IPC ownership checks) -----------------+|||||||||||||||
16  CAP_SYS_MODULE                                         |||||||||||||||
      (insertion and removal of kernel modules) ---------+||||||||||||||||
17  CAP_SYS_RAWIO (ioperm(2)/iopl(2) access) -----------+|||||||||||||||||
18  CAP_SYS_CHROOT (chroot(2)) ------------------------+||||||||||||||||||
19  CAP_SYS_PTRACE (ptrace(2)) -----------------------+|||||||||||||||||||
20  CAP_SYS_PACCT                                     ||||||||||||||||||||
      (configuration of process accounting) ---------+||||||||||||||||||||
21  CAP_SYS_ADMIN (tons of admin stuff) ------------+|||||||||||||||||||||
22  CAP_SYS_BOOT (reboot(2)) ----------------------+||||||||||||||||||||||
23  CAP_SYS_NICE (nice(2)) -----------------------+|||||||||||||||||||||||
24  CAP_SYS_RESOURCE (setting resource limits) --+||||||||||||||||||||||||
25  CAP_SYS_TIME (setting system time) ---------+|||||||||||||||||||||||||
26  CAP_SYS_TTY_CONFIG (tty configuration) ----+||||||||||||||||||||||||||
                                               |||||||||||||||||||||||||||
kernel_cap_t                              00000000000000000000000000000000


LIDS Functionality

functionality (short description)
---------------------------------
LIDS_INIT (protect all children of init)
LIDS_FIREWALL (lock IP firewall rules)
LIDS_MODULE (disallow module loading/unloading)
LIDS_MOUNT (disallow mounting/unmounting)
LIDS_RELOAD (reload configuration file)

Author:
  spoon@ix.netcom.com

Take a look at the following file for more information:
  /usr/include/linux/capability.h

Take a look at the following URLs for more information:
  http://www.netcom.com/~spoon/lcap/
  http://www.lwn.net/1999/1202/kernel.phtml
  http://www.lwn.net/1999/1202/capabilities.phtml


----
$Id: README,v 1.5 2000/01/22 17:02:26 spoon Exp $