I always assumed that /proc/[PID]/status shows the capabilities that PID has in the user namespace of the process that opens /proc/[PID]/status, not in the user namespace of PID, but it seems that I was wrong.
Let’s move one bash shell into a new user namespace and check that it sees itself as root with all capabilities:
$ unshare -rU
# cat /proc/$$/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
# echo $$
965344
Let’s open a second bash shell (in the parent user namespace) and check the capabilities of the first shell:
$ cat /proc/965344/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
It shows the same set of capabilities as seen from inside the user namespace!
We can confirm that the first bash shell doesn’t have real capabilities by trying to kill a process owned by another user.
$ sudo su test
$ whoami
test
$ echo $$
978809
From the first shell:
# kill -s SIGKILL 978809
-bash: kill: (978809) - Operation not permitted
From a real root:
$ sudo kill -s SIGKILL 978809
-> Process got killed.
Am I right in my conclusion that capabilities in /proc/PID/status are always shown in the user namespace of PID? If so, is it possible to see which set of capabilities a process has in the user namespace of the opening process (or at least in the “root” user namespace)? Without that, it’s impossible to determine whether a process really has privileges or not.