218361 – setcap command run without file name argument runs on EVERY available file

Bug 218361 - setcap command run without file name argument runs on EVERY available file

Summary: setcap command run without file name argument runs on EVERY available file

Status:	RESOLVED INVALID

Alias:	None

Product:	Tools
Classification:	Unclassified
Component:	libcap (show other bugs)
Hardware:	All Linux

Importance:	P3 high
Assignee:	Tools/Libcap default virtual assignee

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-01-10 12:11 UTC by Martin Stenzel
Modified:	2024-01-11 15:41 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Martin Stenzel 2024-01-10 12:11:05 UTC

Hi team,
 
if you run "setcap cap_net_raw" without the file name argument this results in running the setcap command on each and every file of the system.
You do not get any warning.
 
I accidently ran this command and forgot to add the file name argument and found out that more than 100.000 files were changed (all in the /opt directory).
 
Fortunately I use bareos.org for backup, and therefore was able to recreate the original files.
 
This is an x86_64 system, libcap-progs version 2.25 (cannot verify if this attitude still exists in latest verstions).
 
Thank you!

Comment 1 Artem S. Tashkinov 2024-01-10 14:05:02 UTC

Can't confirm:

$ setcap cap_net_raw
fatal error: Invalid argument
usage: setcap [-h] [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
 -r          remove capability from file
 -           read capability text from stdin
 <capsN>     cap_from_text(3) formatted file capability

 -h          this message and exit status 0
 -q          quietly
 -v          validate supplied capability matches file
 -n <rootid> write a user namespace limited capability
 --license   display the license info

libcap-2.48-8.fc38.x86_64

Comment 2 Andrew G. Morgan 2024-01-10 14:51:34 UTC

That doesn't look plausible with that version of libcap:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/progs/setcap.c?h=libcap-2.25

Indeed:

$ wget https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.25.tar.gz
$ tar zvfx libcap-2.25.tar.gz 
$ cd libcap-2.25/
$ make
$ cd progs
$ sudo -s
# # LD_LIBRARY_PATH=../libcap ./setcap cap_net_raw
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.

Comment 3 Martin Stenzel 2024-01-10 15:28:06 UTC

Thank you for investigating,

yes, this is what I receive, too, but the command run(s) nevertheless.
Did you check that the files did not get changed (e. g. by checking the modification time)?

To me, it is not really plausible. Only (many!) files in /opt were changed.
The files were changed in a time frame of about 5 minutes.
The setcap is not aliased in any way, there is no change of the binaries, no hacker activities, and such.

Martin.

P. S. Any other explanation? Well, the "rpm -Va >/tmp/rpm" resulted in a file 1000 times bigger than usual, due to the fact that the modification time was changed on the files.

Comment 4 Andrew G. Morgan 2024-01-11 02:13:37 UTC

Yes, I did look to confirm no capabilities were actually added to any file.

The program, setcap, is single threaded. If it exits, it should have no further consequences. If what you observe is happening, it is not coming from the libcap sources.

Comment 5 Martin Stenzel 2024-01-11 15:41:21 UTC

Thank you again,

I cannot add any useful information here.

Note You need to log in before you can comment on or make changes to this bug.