Bug 218361

Summary: setcap command run without file name argument runs on EVERY available file
Product: Tools Reporter: Martin Stenzel (m.stenzel)
Component: libcapAssignee: Tools/Libcap default virtual assignee (tools_libcap)
Status: RESOLVED INVALID    
Severity: high CC: morgan
Priority: P3    
Hardware: All   
OS: Linux   
Kernel Version: Subsystem:
Regression: No Bisected commit-id:

Description Martin Stenzel 2024-01-10 12:11:05 UTC 
Hi team,
 
if you run "setcap cap_net_raw" without the file name argument this results in running the setcap command on each and every file of the system.
You do not get any warning.
 
I accidently ran this command and forgot to add the file name argument and found out that more than 100.000 files were changed (all in the /opt directory).
 
Fortunately I use bareos.org for backup, and therefore was able to recreate the original files.
 
This is an x86_64 system, libcap-progs version 2.25 (cannot verify if this attitude still exists in latest verstions).
 
Thank you!
Comment 1 Artem S. Tashkinov 2024-01-10 14:05:02 UTC 
Can't confirm:

$ setcap cap_net_raw
fatal error: Invalid argument
usage: setcap [-h] [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
 -r          remove capability from file
 -           read capability text from stdin
 <capsN>     cap_from_text(3) formatted file capability

 -h          this message and exit status 0
 -q          quietly
 -v          validate supplied capability matches file
 -n <rootid> write a user namespace limited capability
 --license   display the license info

libcap-2.48-8.fc38.x86_64
Comment 2 Andrew G. Morgan 2024-01-10 14:51:34 UTC 
That doesn't look plausible with that version of libcap:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/progs/setcap.c?h=libcap-2.25

Indeed:

$ wget https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.25.tar.gz
$ tar zvfx libcap-2.25.tar.gz 
$ cd libcap-2.25/
$ make
$ cd progs
$ sudo -s
# # LD_LIBRARY_PATH=../libcap ./setcap cap_net_raw
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
Comment 3 Martin Stenzel 2024-01-10 15:28:06 UTC 
Thank you for investigating,

yes, this is what I receive, too, but the command run(s) nevertheless.
Did you check that the files did not get changed (e. g. by checking the modification time)?

To me, it is not really plausible. Only (many!) files in /opt were changed.
The files were changed in a time frame of about 5 minutes.
The setcap is not aliased in any way, there is no change of the binaries, no hacker activities, and such.

Martin.

P. S. Any other explanation? Well, the "rpm -Va >/tmp/rpm" resulted in a file 1000 times bigger than usual, due to the fact that the modification time was changed on the files.
Comment 4 Andrew G. Morgan 2024-01-11 02:13:37 UTC 
Yes, I did look to confirm no capabilities were actually added to any file.

The program, setcap, is single threaded. If it exits, it should have no further consequences. If what you observe is happening, it is not coming from the libcap sources.
Comment 5 Martin Stenzel 2024-01-11 15:41:21 UTC 
Thank you again,

I cannot add any useful information here.