How to configure sshd and PAM to make SSH session processes have specified capabilities?

[tickinbuaa]

I want my SSH session process to have the cap_sys_admin capability when SSHing into a remote Ubuntu 22.04 server. However, I encountered issues. I configured the following:

1. Added cap_sys_admin @mygroup to /etc/security/capability.conf.
2. Enabled UsePAM yes in /etc/ssh/sshd_config.

After logging in via SSH key, capsh --print output as follows:

Current: cap_sys_admin=i
Bounding set=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB: cap_sys_admin
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=1001(hulei) euid=1001(hulei)
gid=1001(hulei)
groups=27(sudo),998(docker),1001(hulei),1005(dev)
Guessed mode: UNCERTAIN (0)

The cap_sys_admin capability has been added to the Inheritable set but not to the Effective set. How can I fix this?

------Update----
My primary goal is to add the cap_sys_admin capability to users in a specific group, so that when members of this group SSH into the machine, they will have the cap_sys_admin capability and can use tools like perf. I am aware that configuring the perf_event_paranoid value can allow non-privileged users to use perf, but this is a global modification and should be avoided.

 

[CaffeineAddict]

Add effective capability to sshd:

sudo setcap cap_sys_admin+ep sshd

Verify capability is added:

sudo setcap -v cap_sys_admin+ep sshd

 

[tickinbuaa]

Add effective capability to sshd:

sudo setcap cap_sys_admin+ep sshd

Verify capability is added:

sudo setcap -v cap_sys_admin+ep sshd

I tried your approach, but it didn’t work. I checked the processes related to the current SSH session, as shown below:

The capabilities for each process are as follows:

It looks like both the sshd process and its immediate child processes have the cap_sys_admin capability, but the terminal process does not have this cap_sys_admin capability. Is there a missing configuration?

 

[CaffeineAddict]

It looks like both the sshd process and its immediate child processes have the cap_sys_admin capability, but the terminal process does not have this cap_sys_admin capability. Is there a missing configuration?

From your screenshot, processes 5367 and 7763 are running as root, which means they do not require cap_sys_admin as that's already implied due to being already privileged.

And process 7821 inherited the cap_sys_admin capability from process 7763.

IMO it works as it should.

 

[tickinbuaa]

From your screenshot, processes 5367 and 7763 are running as root, which means they do not require cap_sys_admin as that's already implied due to being already privileged.

And process 7821 inherited the cap_sys_admin capability from process 7763.

IMO it works as it should.

To add the CAP_SYS_ADMIN capability to the effective capability set of my current terminal process, how can I achieve this?

 

[CaffeineAddict]

To add the CAP_SYS_ADMIN capability to the effective capability set of my current terminal process, how can I achieve this?

Which process number is that from your screenshot?

 

[tickinbuaa]

Which process number is that from your screenshot?

I reconnected to the system via remote login. The current shell process ID and its parent process hierarchy should be structured as follows, along with the capabilities of relevant processes:

In addition, I reset the capabilities of sshd.

I want the process 9384 have the capability cap_sys_admin in its effective set.

 

[CaffeineAddict]

I want the process 9384 have the capability cap_sys_admin in its effective set.

This is bash shell not sshd, so probably sudo setcap cap_sys_admin+ep bash
But this doesn't look right to me to do it.

 

[tickinbuaa]

This is bash shell not sshd, so probably sudo setcap cap_sys_admin+ep bash
But this doesn't look right to me to do it.

My primary goal is to allow unprivileged users to execute programs requiring the CAP_SYS_ADMIN capability (e.g., perf) after SSHing into an Ubuntu 22.04 server, while preventing them from using sudo commands.

 

[tickinbuaa]

This is bash shell not sshd, so probably sudo setcap cap_sys_admin+ep bash
But this doesn't look right to me to do it.

I am also using some remote profiling tools such as NVIDIA Compute. I need them to have the CAP_SYS_ADMIN capability after SSHing to the target machine to perform profiling. I assume these tools shouldn't be able to execute the sudo setcap command, right?

 

[CaffeineAddict]

My primary goal is to allow unprivileged users to execute programs requiring the CAP_SYS_ADMIN capability (e.g., perf) after SSHing into an Ubuntu 22.04 server, while preventing them from using sudo commands.

Modifying shell capability is certainly a bad thing because it would apply to everyone, not just remote ssh users.

My approach would be to create a separate group called sshd_users or similar and then configure sshd so that remote users use this group instead of default root.

You can then modify group permissions however you like.
I don't know exact steps but this would be my approach to implement it.