1#!/bin/bash 2# vim:expandtab:tabstop=4 3# 4# author: chris friedhoff - chris@friedhoff.org 5# version: pcaps4suid0 3 Tue Mar 11 2008 6# 7# 8# changelog: 9# 1 - initial release suid02pcaps 10# 2 - renamend to pcaps4suid0 11# implement idea of change between permitted/effective set 12# or iherited/effective set (pam_cap.so) 13# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code 14# 15# 16# 17# change different suid-0 binaries away from suid-0 to using 18# POSIX Capabilities through their Permitted and Effective Set 19# --> legacy support 20# --> use SET=pe 21# 22# 23# OR change different suid-0 binaries away from suid-0 to using 24# POSIX Capabilities through their Inherited and Effective Set 25# --> PAM support to set Inheritance set through pam_cap.so 26# --> use SET=ie 27# 28# 29# 30# 31############################################################### 32# for example use this find call: 33# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \; 34############################################################### 35 36 37 38##HERE WE ADD APPS 39################## 40 41## these apps uses their POSIX Caps 42################################### 43# see /usr/include/linux/capability.h 44#ping=cap_net_raw 45ping=13 46#traceroute=cap_net_raw 47traceroute=13 48chsh=0,2,4,7 49chfn=0,2,4,7 50Xorg=1,6,7,17,21,26 51chage=2 52#passwd=0,2,4,7 53#passwd 0,1 54passwd=0,1,3 #PAM 55unix_chkpwd=1 56mount=1,21 57umount=1,21 58 59# this apps were converted/reverted 60################################### 61APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount ) 62 63 64# we put it into this set 65######################### 66#SET=pe 67SET=ie 68 69 70##FROM HERE ONLY LOGIC 71###################### 72 73#save assumption!? 74export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin 75 76p4s_test(){ 77 # are we sane? 78 WICH=`which which 2>/dev/null` 79 if [ $WICH == "" ]; then 80 # thats bad 81 echo "Sorry, I haven't found which" 82 exit 83 fi 84 85 # we needt his apps 86 CHMOD=`which chmod 2>/dev/null` 87 SETCAP=`which setcap 2>/dev/null` 88 if [ "$CHMOD" == "" -o "$SETCAP" == "" ]; then 89 echo "Sorry, I'm missing chmod or setcap !" 90 exit 91 fi 92 93 # checking setcap for SET_SETFCAP PCap ? 94 # for now we stick to root 95 if [ "$( id -u )" != "0" ]; then 96 echo "Sorry, you must be root !" 97 exit 1 98 fi 99} 100 101 102 103p4s_app_convert(){ 104 # convert a single app 105 # $1 is app name; $2 is POSIX Caps 106 # well symlinks to apps, so we use -a ... 107 APP=`which -a $1 2>/dev/null` 108 if [ "$APP" != "" ]; then 109 FOUND=no 110 for i in $APP; do 111 # ... and are looking for symlinks 112 if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then 113 echo "converting $i" 114 chmod u-s $i 115 setcap $2=$SET $i 116 FOUND=yes 117 fi 118 done 119 if [ "$FOUND" == "no" ]; then 120 # 'which' found only symlinks 121 echo "1 haven't found $1" 122 fi 123 else 124 # 'which' hasn't anything given back 125 echo "haven't found $1" 126 fi 127} 128 129 130 131p4s_app_revert(){ 132 # revert a singel app 133 # $1 is app name 134 APP=`which -a $1 2>/dev/null` 135 if [ "$APP" != "" ]; then 136 FOUND=no 137 for i in $APP; do 138 if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then 139 echo "reverting $i" 140 chmod u+s $i 141 setcap -r $i 2>/dev/null 142 FOUND=yes 143 fi 144 done 145 if [ "$FOUND" == "no" ]; then 146 echo "1 haven't found $1" 147 fi 148 else 149 echo "haven't found $1" 150 fi 151} 152 153 154 155p4s_convert(){ 156 # we go throug the APPSARRAY and call s2p_app_convert to do the job 157 COUNTER=0 158 let UPPER=${#APPSARRAY[*]}-1 159 until [ $COUNTER == $UPPER ]; do 160 p4s_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]} 161 let COUNTER+=1 162 done 163} 164 165 166 167p4s_revert(){ 168 COUNTER=0 169 let UPPER=${#APPSARRAY[*]}-1 170 until [ $COUNTER == $UPPER ]; do 171 p4s_app_revert ${APPSARRAY[$COUNTER]} 172 let COUNTER+=1 173 done 174 175} 176 177 178 179p4s_usage(){ 180 echo 181 echo "pcaps4suid0" 182 echo 183 echo "pcaps4suid0 changes the file system entry of binaries from using setuid-0" 184 echo "to using POSIX Capabilities by granting the necessary Privileges" 185 echo "This is done by storing the needed POSIX Capabilities into the extended" 186 echo "attribute capability through setcap." 187 echo "Following the idea of setuid - granting a binary the privilege regardless" 188 echo "of the user, the POSIX Capabilities are stored into the Permitted and" 189 echo "Effective set." 190 echo "If you are using pam_cap.so, you might want to change the set into the" 191 echo "Inherited and Effective set (check for the SET var)." 192 echo 193 echo "You need and I will check fot the utilities which, chmod and setcap." 194 echo 195 echo "Your Filesystem has to support extended attributes and your kernel must have" 196 echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." 197 echo 198 echo "Usage: pcaps4suid0 [con(vert)|rev(ert)|help]" 199 echo 200 echo " con|convert - from setuid0 to POSIX Capabilities" 201 echo " rev|revert - from POSIX Capabilities back to setui0" 202 echo " help - this help message" 203 echo 204} 205 206 207 208case "$1" in 209 con|convert) 210 p4s_test 211 p4s_convert 212 exit 0 213 ;; 214 rev|revert) 215 p4s_test 216 p4s_revert 217 exit 0 218 ;; 219 help) 220 p4s_usage 221 exit 0 222 ;; 223 *) 224 echo "Try 'pcaps4suid0 help' for more information" 225 exit 1 226 ;; 227esac 228