Linux Capabilities and rsync, from presentation to practice

Hazel Smith gave an excellent talk at FLOSSUK’s Unconference in London about Linux Capabilities and using them as part of “least privilege” when running backups of Linux systems.

Hazel explained that by using Capabilities you can allow a single user (in this example backuphelper) when running a single binary (rsync) to read any file on the system. Hazel stressed in the presentation that this isn’t a privilege to give out lightly, however the ability to read any file isn’t a direct path to root. This level of privilege will allow access to for example hashed passwords or contents of any user’s files.

My personal backups use BackupPC which can pull backups with tar, smbclient or as I use rsync over ssh.

The second half of this post documents how I put Hazel’s talk into practice on my Debian based systems. I have also uploaded to GitHub an example Ansible task I used to roll out the changes to my systems.

Target System Setup

First off install the support packages for capabilities.

sudo apt-get install libcap2-bin libpam-cap
sudo pam-auth-update

Run  pam-auth-update and enable “Inheritable Capabilities Management”, if you prefer to manually manage the pam config files then add the line “auth optional pam_cap.so” to /etc/pam.d/common-auth

You will also need to add following line to /etc/security/capability.conf to allow backuphelper to retain cap_dac_read_search. The rules applied in order so make sure it’s above the default deny line “none  *”

cap_dac_read_search backuphelper

This next command sets cap_dac_read_search as Inheritable and Effective for the rsync binary. The net effect is that when the backuphelper user runs rsync that process can read any file on the system.

sudo setcap cap_dac_read_search+ei /usr/bin/rsync

The “belt and braces” setup Hazel recommended both locking down ssh access for the backuphelper user to ssh-keys only and locking the password on the account. To follow this advice add the following lines to /etc/ssh/sshd_config.

Match User backuphelper
 PasswordAuthentication no

And run the following command to lock the backuphelper account’s password

sudo passwd -l backuphelper

BackupPC Server Setup

The change needed here is very simple, you only need to change the user that pulls backups from your other systems. You will need to ensure that you have correctly setup the ssh keys etc for the backuphelper user.

This can be done either via the web UI or by editing the .pl config file directly. You need to change “-l root” to “-l backuphelper” for the RsyncClientCmd. An example from one of my systems is

$Conf{RsyncClientCmd} = '$sshPath -q -x -l backuphelper $host $rsyncPath $argList+';

Debugging

Always be careful working with PAM, you can lock yourself out! It is worth having a root shell open “just in case” until you are familiar with the process.

A simple test is to login via ssh as backuphelper and run “rsync -avn /root” and you shouldn’t get any permission denied errors and should see a list of files.

Something to bear in mind when debugging this is that running sudo from root -> user doesn’t give the user capabilities, you need to login directly to test things.

If you want to see whether pam_cap is working when logged in you can do this:

grep CapInh /proc/$$/status

Use capsh –decode= on the resulting bit string to understand what permissions you’ve got.