Linux Capabilities instead of setuid

    This seems like a pretty poor idea for Linux to have implemented:

    The command setcap sets file capabilities on an executable. The cap_setuid capability allows a process to make arbitrary manipulations of user IDs (UIDs), including setting the UID to a value that would otherwise be restricted (i.e. UID 0, the root user). setcap takes a set of parameters, where

    • e: Effective means the capability is activated;
    • p: Permitted means the capability can be used/is allowed.

    Putting this together, we’re adding the cap_setuid capability to the Python binary:

    setcap cap_setuid+ep /usr/bin/python3.12

    And hey presto, "/usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'" now works. Ouch.

    Tags: linux permissions setuid capabilities setcap infosec security root