Linux Capabilities Bounding Set Support #202

pull jrmithdobbs wants to merge 2 commits into bitcoin:master from jrmithdobbs:master changing 4 files +127 −0
  1. jrmithdobbs commented at 12:33 AM on May 8, 2011: contributor

    This addition adds a build-time option that's linux specific.

    It drops any capabilities assigned to the process at launch time (if it were launched as root, root loses all special meaning). It also removes all capabilities from the binding set and locks all options related to privilege escalation so that they may not be changed.

    For these options to work (if built) the binary must be setuid root (horrible) or setcap cap_setpcap+eip bitcoind (awesome). It only needs this capability so that it can clear the bounding set, which it does as the very first thing in main() of bitcoind. I am not sure where the code needs to go to make it function in the bitcoin GUI client?

    For more details make sure you have libcap2-dev installed and: man 7 capabilities; man 2 prctl

    The relevant sections of prctl(2) are: PR_CAPBSET_DROP and PR_SET_SECUREBITS.

    This patch will make it so that (barring issues in the POSIX.1e implementation in the kernel itself) any code execution vulnerabilities in the future will be unable to gain escalated privileges through the bitcoind process. Even by exec()'ing suid binaries and exploiting known issues with them.

    Forum thread: http://www.bitcoin.org/smf/index.php?topic=7582.0

  2. jrmithdobbs commented at 12:33 AM on May 8, 2011: contributor

    Now with less USE_UPNP removal.

  3. jrmithdobbs commented at 12:35 AM on May 8, 2011: contributor

    FYI, these are syscalls and system lib deps that should be available to any linux distro running 2.6.32+.

  4. sipa commented at 12:06 PM on May 8, 2011: member

    Can you create a forum thread about this?

  5. jrmithdobbs commented at 3:13 PM on May 8, 2011: contributor
  6. Add linux capabilities bounding set support. e10e744b80
  7. Add linux capabilities bounding set support. 20dfcf709f
  8. sgimenez commented at 6:12 PM on July 14, 2011: contributor

    Isn't it possible to use setcap to choose exactly which capabilities shall be kept and which shall be dropped? What's the point of modifying them from bitcoin code?

  9. jgarzik closed this on Jul 15, 2011

  10. jgarzik commented at 3:54 AM on July 15, 2011: contributor

    I just don't see many other security-related/crypto-related programs using this, and guarding against running as root is really tilting at windmills. There is a long list of dumb things you should not do, such as run wallet software as root, and I think it's low on the priority list, as it does not seem to be a prime attack vector.

  11. jrmithdobbs commented at 3:46 AM on July 20, 2011: contributor

    This has nothing to do with guarding against running as root. That is just a side effect?!

    Also, quite a bit of software uses these mechanisms. For instance (off the top of my head): bind uses it. The entirety of the priv escalation code in the kernel (setuid binary processing, etc.) uses it. The bounding set feature that lets you set a mask of capabilities that can be re-enabled is fairly new, but the underlying mechanisms have been in place since 2.4 IIRC.

    And to answer you, sgimenez: this code isn't just removing all capabilities. It's setting the capabilities bounding set so that nothing spawned from the bitcoin process can ever re-enable them. See the referenced documentation in the original pull.
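The sequence described in the opening post and restated in the reply above (clear the bounding set, lock the securebits, drop the process's own capabilities) as an added example. This is not the pull request's code: the PR builds on libcap2-dev, while this example uses raw prctl(2) and capset(2) so that it needs no extra library; libcap wraps the same kernel calls (cap_drop_bound(3), cap_set_secbits(3)). The function names harden_process, drop_bounding_set, lock_securebits and clear_capabilities are this example's own. Steps 1 and 2 need CAP_SETPCAP in the effective set, which is exactly why the post asks for setcap cap_setpcap+eip on the binary; run without it, harden_process returns EPERM instead of silently doing nothing. Capability sets, the bounding set and securebits are per-thread, so this belongs at the very start of main(), before any thread exists.

```c
/* Added example (not the PR's own code): lock a process down the way the
 * pull request describes, using raw prctl(2)/capset(2) instead of libcap.
 * Linux only; build with: cc -Wall -o harden harden.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/securebits.h>

#ifndef SECBIT_NO_CAP_AMBIENT_RAISE          /* headers older than 4.3 lack these */
#define SECBIT_NO_CAP_AMBIENT_RAISE        (1 << 6)
#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED (1 << 7)
#endif

/* Every securebit paired with its _LOCKED twin, so neither this process nor
 * anything it exec()s can ever turn them back off. KEEP_CAPS stays off and locked. */
#define LOCKED_SECUREBITS \
    (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED | \
     SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | \
     SECBIT_KEEP_CAPS_LOCKED | \
     SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED)

/* Step 1: remove every capability from the bounding set. Probing with
 * PR_CAPBSET_READ until EINVAL covers kernels newer than our headers.
 * Returns 0, or the errno of the first failure (EPERM without CAP_SETPCAP). */
int drop_bounding_set(void)
{
    for (unsigned long cap = 0; ; cap++) {
        int present = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (present == -1) {
            if (errno == EINVAL)
                return cap ? 0 : ENOSYS;  /* past the last cap, or no bounding-set support at all */
            return errno;
        }
        if (present == 1 && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1)
            return errno;
    }
}

/* Step 2: set and lock the securebits. NOROOT means a setuid-root binary
 * exec()'d from here gains no capabilities; the *_LOCKED bits make this permanent. */
int lock_securebits(void)
{
    if (prctl(PR_SET_SECUREBITS, (unsigned long)LOCKED_SECUREBITS, 0, 0, 0) == -1)
        return errno;
    return 0;
}

int securebits_locked(void)
{
    int bits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    return bits != -1 && (bits & LOCKED_SECUREBITS) == LOCKED_SECUREBITS;
}

/* Step 3: clear the permitted, effective and inheritable sets. A process may
 * always shrink its own sets, so this works without any privilege at all. */
int clear_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capset, &hdr, data) == -1)
        return errno;
    return 0;
}

int caps_are_empty(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) == -1)
        return 0;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective || data[i].permitted || data[i].inheritable)
            return 0;
    return 1;
}

int bounding_set_is_empty(void)
{
    for (unsigned long cap = 0; ; cap++) {
        int present = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (present == -1)
            return errno == EINVAL;      /* walked off the end without finding one */
        if (present == 1)
            return 0;
    }
}

/* Order matters: steps 1 and 2 consume CAP_SETPCAP, so they must run before
 * step 3 throws it away. Returns 0, or the errno of the first failure. */
int harden_process(void)
{
    int rc;
    if ((rc = drop_bounding_set()) != 0) return rc;
    if ((rc = lock_securebits()) != 0) return rc;
    return clear_capabilities();
}

int main(void)
{
    int rc = harden_process();
    if (rc != 0) {
        fprintf(stderr, "hardening failed: %s (binary lacks cap_setpcap?)\n", strerror(rc));
        return 1;
    }
    printf("bounding set empty: %d, securebits locked: %d, caps empty: %d\n",
           bounding_set_is_empty(), securebits_locked(), caps_are_empty());
    return 0;
}
```

After a successful harden_process, a child that execs a setuid-root helper still runs as uid 0 but receives no capabilities (SECBIT_NOROOT), and the empty bounding set caps whatever file capabilities that helper might carry; this is the property the opening post claims for future code-execution bugs in the daemon. Verify it from outside with getpcaps or by reading CapBnd and CapEff in /proc/PID/status, both of which should read all zeros.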

  12. zathras-crypto referenced this in commit c42e09be3f on Nov 17, 2014
  13. sipa referenced this in commit 9d09322b41 on Mar 27, 2015
  14. TheBlueMatt referenced this in commit 582b2934e6 on Oct 20, 2015
  15. deadalnix referenced this in commit 514dcd3816 on Jan 6, 2017
  16. deadalnix referenced this in commit 2473f17121 on Jan 19, 2017
  17. deadalnix referenced this in commit 7e860e99bd on Jan 19, 2017
  18. classesjack referenced this in commit 1f20fd7d2b on Jan 2, 2018
  19. attilaaf referenced this in commit 25d3301277 on Jan 13, 2020
  20. cryptapus referenced this in commit bdcd5ab484 on May 3, 2021
  21. rajarshimaitra referenced this in commit e7fd91964b on Aug 5, 2021
  22. DrahtBot locked this on Sep 8, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 21:16 UTC
