Ok. One way to "audit" a process would be to look at its capabilities. Since kernel-2.2x they're incorporated in the kernel, see the Linux capabilities FAQ.
Touching on security, the Linux kernel handles a "global" capabilities list in /proc/sys/kernel/capbound: bounding capabilities. These global caps can be taken away using "lcap". They are not permanent, but can not be changed or restored unless you shutdown -r or give the box the three-finger salute (ALT+SYSRQ+B), so be careful.
Now a process can have caps too. Caps determine what an app has access to, like CAP_SYS_RAWIO or the ability to write to /dev/kmem. Note this is one of the worst kinds of access and serves as one of the vectors Silvio Cesare describes to break out of a chroot.
A cap of interest in case of Apache would be CAP_NET_BIND_SERVICE or the ability to bind to ports below 1024.
With the extremely lazy and simple script [removed] (and its dependency in place) you can have a quick glance at what effective caps a process has.
Here's example output of running Apache-SSL:
Code:
for i in $(/sbin/pidof httpsd); do showcaps ${i}; done
httpsd 7283
+ CAP_CHOWN chown(2)/chgrp(2)
httpsd 10880
+ CAP_CHOWN chown(2)/chgrp(2)
(etc, etc until finally:)
httpsd 16258
+ CAP_NET_BIND_SERVICE binding to ports below 1024
+ CAP_SYS_PTRACE ptrace(2)
"man lcap" sez :
  0  CAP CHOWN
     Override restrictions on changing file ownership.
     In a system with the [_POSIX_CHOWN_RESTRICTED]
     option defined, this overrides the restriction of
     changing file ownership and group ownership.
  10 CAP NET BIND SERVICE
     Allow binding to sockets below 1024. Allows binding
     to TCP/UDP sockets below 1024. Allows binding
     to ATM VCIs below 32.
  19 CAP SYS PTRACE
     Allow tracing of any process.
Since we're looking at effective capabilities, this means that after dropping all other capabilities these remain, kewl by me.
// Work In Progress, or "this leaves two questions open":
I. why does the main process (still) have those caps? (Your original question) and (parent->child, need to explain from code, rhhaaahhh),
II. can it regain capabilities? (I need to shove some example in like SUID mtr seteuid stylee).
I'll try 'n find an answer to these the coming week. Should make for a good exercise :-]
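Since the showcaps script itself was removed from the post, here is an added stand-in (not the original script, not from lcap) that does the same job on a 2.6+ kernel: it reads the CapEff bitmask from /proc/PID/status and prints one "+ CAP_NAME" line per effective capability. The capability numbers are the ones from linux/capability.h; the PID argument and the httpsd loop are assumed to match the post's usage.

```shell
#!/bin/sh
# Added example: decode a process's effective capability mask (CapEff) into
# capability names, the way the post's showcaps output looks. Assumes a kernel
# that exposes "CapEff:" in /proc/<pid>/status (2.6 and later).

# Capability numbers as defined in linux/capability.h (number:name).
CAPS="0:CAP_CHOWN 1:CAP_DAC_OVERRIDE 2:CAP_DAC_READ_SEARCH 3:CAP_FOWNER \
4:CAP_FSETID 5:CAP_KILL 6:CAP_SETGID 7:CAP_SETUID 8:CAP_SETPCAP \
9:CAP_LINUX_IMMUTABLE 10:CAP_NET_BIND_SERVICE 11:CAP_NET_BROADCAST \
12:CAP_NET_ADMIN 13:CAP_NET_RAW 14:CAP_IPC_LOCK 15:CAP_IPC_OWNER \
16:CAP_SYS_MODULE 17:CAP_SYS_RAWIO 18:CAP_SYS_CHROOT 19:CAP_SYS_PTRACE \
20:CAP_SYS_PACCT 21:CAP_SYS_ADMIN 22:CAP_SYS_BOOT 23:CAP_SYS_NICE \
24:CAP_SYS_RESOURCE 25:CAP_SYS_TIME 26:CAP_SYS_TTY_CONFIG 27:CAP_MKNOD \
28:CAP_LEASE 29:CAP_AUDIT_WRITE 30:CAP_AUDIT_CONTROL 31:CAP_SETFCAP \
32:CAP_MAC_OVERRIDE 33:CAP_MAC_ADMIN 34:CAP_SYSLOG 35:CAP_WAKE_ALARM \
36:CAP_BLOCK_SUSPEND 37:CAP_AUDIT_READ 38:CAP_PERFMON 39:CAP_BPF \
40:CAP_CHECKPOINT_RESTORE"

# decode_caps HEXMASK: print "+ CAP_NAME" for every bit set in the mask,
# in capability-number order (the mask is the hex value from /proc).
decode_caps() {
    mask=$1
    for entry in $CAPS; do
        n=${entry%%:*}
        name=${entry#*:}
        # Shift the 64-bit mask right by the capability number, test bit 0.
        if [ $(( (0x$mask >> n) & 1 )) -eq 1 ]; then
            echo "+ $name"
        fi
    done
}

# showcaps PID: read the effective set of a live process and decode it.
# Returns non-zero if the process does not exist or CapEff is not exposed.
showcaps() {
    pid=$1
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status" 2>/dev/null) || return 1
    [ -n "$mask" ] || return 1
    echo "pid $pid CapEff=$mask"
    decode_caps "$mask"
}

# Same loop as in the post (assumed daemon name):
#   for i in $(/sbin/pidof httpsd); do showcaps "$i"; done
```

A mask of 0000000000080400 (bits 10 and 19) decodes to exactly the two lines shown for PID 16258 above, which is a quick way to confirm the listener kept only CAP_NET_BIND_SERVICE and CAP_SYS_PTRACE.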