1#!/bin/bash
2# vim:expandtab:tabstop=4
3#
4# author:    chris friedhoff - chris@friedhoff.org
5# version:   pcaps4convenience  2  Tue Mar 11 2008
6#
7#
8# changelog:
9# 1 - initial release pcaps4convenience
10# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
11#
12#
13# the user has the necessary POSIX Capabilities in his Inheritance
14# set and the applications are accepting the needed PCaps through
15# their Inheritance set.
# a user who does not have the PCaps in his Inheritance set CAN NOT
17# successfully execute the apps
18# --> SET=ie
# (if SET=pe then you relax the security level of your machine)
20#
21#
22#
23
24
25##HERE WE ADD APPS
26##################
27
## these apps use their POSIX Caps
###################################
# see /usr/include/linux/capability.h for the numeric values
# adjust - if needed and wanted - /etc/security/capability.conf
# One variable per app, named after the app: it holds the capability list
# that p4c_convert hands to p4c_app_convert (and thus to setcap) for it.
# NOTE(review): cap_sys_module (16) and cap_sys_rawio (17) give their holder
# kernel-level reach; grant them in capability.conf only to the users who
# genuinely need modprobe/eject.
eject=2,17      # cap_dac_read_search,cap_sys_rawio
killall=5       # cap_kill
modprobe=16     # cap_sys_module
ntpdate=10,25   # cap_net_bind_service,cap_sys_time
qemu=12         # cap_net_admin
route=12        # cap_net_admin
44
45
# these apps get converted/reverted, in this order
###################################
# Every name listed here must have a matching variable above that holds its
# capability list; p4c_convert reads that variable by indirect expansion.
APPSARRAY=(
    eject
    killall
    modprobe
    ntpdate
    qemu
    route
)
49
50
# we put it into this set
#########################
# setcap set letters: i = Inheritable, e = Effective. Deliberately no 'p':
# the header says "pe" would relax the machine's security level, presumably
# because the caps would then no longer depend on the caller's own
# Inheritable set.
SET="ie"
54
55
56##FROM HERE ONLY LOGIC
57######################
58
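# Pin PATH to the system directories so that 'which -a' and 'setcap' resolve
# to trusted binaries -- this script runs as root.
# Fix: the original list contained 'usr/local/sbin' without its leading
# slash; bash treats that as a directory relative to the current working
# directory, and a root shell searching a relative PATH entry is a classic
# privilege-escalation vector.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin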
61
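p4c_test(){
    # are we sane? Abort unless the tools and privileges we need are present.
    # Globals:  PATH (read)
    # Outputs:  a one-line explanation on stdout when a check fails
    # Returns:  only returns when every check passed; otherwise exits 1
    # Fix: the original tested '[ $WICH == "" ]' unquoted, which is a syntax
    # error when WICH is empty, so the missing-'which' branch never fired;
    # and the tool checks used a bare 'exit', i.e. status 0 on failure.
    local which_bin setcap_bin

    # p4c_app_convert/p4c_app_revert rely on 'which -a', so we need it
    which_bin=$(command -v which 2>/dev/null)
    if [ -z "$which_bin" ]; then
        # thats bad
        echo "Sorry, I haven't found which"
        exit 1
    fi

    # we need this app to write the file capabilities
    setcap_bin=$(command -v setcap 2>/dev/null)
    if [ -z "$setcap_bin" ]; then
        echo "Sorry, I'm missing setcap !"
        exit 1
    fi

    # checking setcap for SET_SETFCAP PCap ?
    # for now we stick to root
    if [ "$( id -u )" != "0" ]; then
        echo "Sorry, you must be root !"
        exit 1
    fi
}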
85
86
87
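p4c_app_convert(){
    # convert a single app: store the given POSIX Caps on its binary
    # $1 is the app name; $2 is the capability list handed to setcap
    #    (numbers or cap_* names, comma-separated)
    # Globals:  SET (read) - the file-capability set letters, e.g. "ie"
    # Outputs:  one status line on stdout; a setcap failure on stderr
    # 'which -a' lists every match on PATH, including symlinks to the same
    # binary, so only the first regular (non-symlink) file is converted.
    # Fix: the original wrote "$FOUND"=="no" as one word, which is never
    # empty, so every regular file in the list was converted, not the first.
    # NOTE(review): the usage text says "from setuid0", but nothing here
    # clears a setuid bit on the binary -- confirm that is intended.
    local app_name=$1 caps=$2
    local candidates found target

    candidates=$(which -a "$app_name" 2>/dev/null)
    if [ -z "$candidates" ]; then
        # 'which' hasn't given anything back
        echo "haven't found $app_name"
        return
    fi

    found=no
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        # ... and we are skipping symlinks
        if [ -f "$target" ] && [ ! -L "$target" ]; then
            echo "converting $target"
            # with SET=ie (no 'p') the caps are only usable by callers whose
            # own Inheritable set already holds them (see header comment)
            setcap "${caps}=${SET}" "$target" \
                || echo "setcap failed on $target" >&2
            found=yes
            break
        fi
    done <<<"$candidates"

    if [ "$found" = no ]; then
        # 'which' found only symlinks
        echo "1 haven't found $app_name"
    fi
}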
112
113
114
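p4c_app_revert(){
    # revert a single app: strip the file capabilities from its binary
    # $1 is the app name
    # Outputs:  one status line on stdout
    # Only the first regular (non-symlink) file 'which -a' lists is touched,
    # mirroring p4c_app_convert.
    # Fix: the original wrote "$FOUND"=="no" as one word, which is never
    # empty, so every regular file in the list was reverted, not the first.
    # NOTE(review): the usage text promises "back to setuid0", but nothing
    # here touches the mode bits -- confirm that is intended.
    local app_name=$1
    local candidates found target

    candidates=$(which -a "$app_name" 2>/dev/null)
    if [ -z "$candidates" ]; then
        # 'which' hasn't given anything back
        echo "haven't found $app_name"
        return
    fi

    found=no
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        if [ -f "$target" ] && [ ! -L "$target" ]; then
            echo "reverting $target"
            # stderr is dropped on purpose: setcap -r complains when the
            # file carried no caps to begin with, which is harmless here
            setcap -r "$target" 2>/dev/null
            found=yes
            break
        fi
    done <<<"$candidates"

    if [ "$found" = no ]; then
        # 'which' found only symlinks
        echo "1 haven't found $app_name"
    fi
}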
135
136
137
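p4c_convert(){
    # we go through APPSARRAY and call p4c_app_convert to do the job
    # Globals:  APPSARRAY (read); one variable per app name (read via ${!app})
    # Fix: the original counted 'until COUNTER == n-1', which skipped the
    # last entry of APPSARRAY entirely and never terminated on an empty array.
    local app
    for app in "${APPSARRAY[@]}"; do
        # "${!app}" is indirect expansion: the value of the variable whose
        # name is the app, i.e. its capability list
        p4c_app_convert "$app" "${!app}"
    done
}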
147
148
149
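p4c_revert(){
    # we go through APPSARRAY and call p4c_app_revert for each app
    # Globals:  APPSARRAY (read)
    # Fix: the original counted 'until COUNTER == n-1', which skipped the
    # last entry of APPSARRAY entirely and never terminated on an empty array.
    local app
    for app in "${APPSARRAY[@]}"; do
        p4c_app_revert "$app"
    done
}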
159
160
161
p4c_usage(){
    # print the help text to stdout; the quoted delimiter keeps every line
    # literal, so no expansion happens inside the block
    cat <<'EOF'

pcaps4convenience

pcaps4convenience stores the needed POSIX Capabilities for binaries to
run successful into their Inheritance and Effective Set.
The user who wants to execute this binaries successful has to have the
necessary POSIX Capabilities in his Inheritable Set. This might be done
through the PAM module pam_cap.so.
A user who has not the needed PCaps in his Inheritance Set CAN NOT execute
these binaries successful.
(well, still per sudo or su -c - but thats not the point here)

You need and I will check fot the utilities which and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4convenience [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setui0
         help        - this help message

EOF
}
187
188
189
main(){
    # dispatch on the single sub-command; anything unknown prints a hint
    # and exits 1. con/rev run the sanity checks first, so a non-root or
    # tool-less invocation never reaches setcap.
    local action=${1-}
    case "$action" in
        con|convert)
            p4c_test
            p4c_convert
            exit 0
            ;;
        rev|revert)
            p4c_test
            p4c_revert
            exit 0
            ;;
        help)
            p4c_usage
            exit 0
            ;;
        *)
            echo "Try 'pcaps4convenience help' for more information"
            exit 1
            ;;
    esac
}
main "$@"
210