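#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - [email protected]
# version: pcaps4convenience 2 Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
# pcaps4convenience: put the POSIX file capabilities a handful of
# "convenience" binaries need into their file Inheritable+Effective set
# (convert), or remove them again (revert).
#
# Model: the user has the necessary POSIX Capabilities in his process
# Inheritable set (e.g. granted at login by pam_cap.so according to
# /etc/security/capability.conf) and the applications accept exactly the
# needed caps through their file Inheritable set.
# A user who does NOT have the caps in his Inheritable set CAN NOT
# successfully execute the apps.
# --> SET=ie
# (SET=pe would hand the caps to *every* caller regardless of the
# caller's Inheritable set - that relaxes the security level of your
# machine; do not do that.)
#
# NOTE(review): this script only writes/removes the security.capability
# extended attribute. It never touches the setuid bit of the binaries.
# Whether a setuid-root binary that additionally carries file caps still
# obtains full root privileges depends on the running kernel - verify the
# result with 'getcap' and 'ls -l' after converting.
#
#


##HERE WE ADD APPS
##################

## these apps uses their POSIX Caps
###################################
# numeric capability values, see /usr/include/linux/capability.h
# adjust - if needed and wanted - /etc/security/capability.conf so that
# the intended users get exactly these caps in their Inheritable set.
# NOTE(review): cap_sys_module (modprobe) and cap_sys_rawio (eject) are
# widely regarded as root-equivalent; handing them to a user via pam_cap
# is not a real privilege reduction. Remove those entries from APPSARRAY
# if that is not acceptable on your machine.
#eject=cap_dac_read_search,cap_sys_rawio
eject=2,17
#killall=cap_kill
killall=5
#modprobe=cap_sys_module
modprobe=16
#ntpdate=cap_net_bind_service,cap_sys_time
ntpdate=10,25
#qemu=cap_net_admin
qemu=12
#route=cap_net_admin
route=12


# this apps were converted/reverted
# (every name listed here must have a matching scalar above that holds
# its caps, e.g. APPSARRAY entry 'eject' -> variable 'eject')
###################################
APPSARRAY=( eject killall modprobe ntpdate qemu route )


# we put it into this set
# 'ie' = file Inheritable + Effective; see the header for why not 'pe'
#########################
SET=ie


##FROM HERE ONLY LOGIC
######################

# We run as root and resolve 'setcap' and the target binaries by name, so
# every PATH entry must be an absolute, root-controlled directory.
# (Version 2 shipped a relative 'usr/local/sbin' entry, which would have
# searched for setcap relative to the current working directory.)
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

# p4c_err MESSAGE...
# Print an error message on stderr (informational output stays on stdout).
p4c_err(){
    printf '%s\n' "$*" >&2
}

# p4c_test
# Sanity checks before we touch anything; exits non-zero on failure.
p4c_test(){
    # we need this app (libcap); the bash builtin 'type' does all PATH
    # lookups, so the external 'which' is not required any more
    if ! type -P setcap >/dev/null 2>&1; then
        p4c_err "Sorry, I'm missing setcap!"
        exit 1
    fi

    # checking setcap for SET_SETFCAP PCap?
    # setcap needs CAP_SETFCAP to write the xattr; for now we stick to root
    if [ "$( id -u )" != "0" ]; then
        p4c_err "Sorry, you must be root!"
        exit 1
    fi
}

# p4c_find_binary NAME
# Print the first PATH entry that holds NAME as a regular file. Symlinks
# are skipped (a file capability lives on the target inode anyway) and
# only the FIRST real file is reported, so duplicate copies further down
# PATH are never stamped. Returns 1 if nothing suitable was found.
p4c_find_binary(){
    local candidate
    while IFS= read -r candidate; do
        if [[ -f "$candidate" && ! -L "$candidate" ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < <(type -aP "$1" 2>/dev/null)
    return 1
}

# p4c_app_convert NAME CAPS
# Store CAPS (comma separated, see top of file) in set $SET on the
# binary NAME. Returns 1 if the binary was not found or setcap failed.
p4c_app_convert(){
    local binary
    binary=$(p4c_find_binary "$1")
    if [[ -z "$binary" ]]; then
        # PATH holds no such command, or only symlinks
        echo "haven't found $1"
        return 1
    fi
    echo "converting $binary"
    # version 2 had a broken FOUND test ("$FOUND"=="no" is one word and
    # always true) and therefore stamped every non-symlink hit in PATH;
    # p4c_find_binary now returns exactly one file
    if ! setcap "$2=$SET" "$binary"; then
        p4c_err "setcap failed on $binary"
        return 1
    fi
    return 0
}

# p4c_app_revert NAME
# Remove the file capabilities from the binary NAME again. The setuid
# bit is NOT restored (it was never removed either). Returns 1 if the
# binary was not found or nothing could be removed.
p4c_app_revert(){
    local binary
    binary=$(p4c_find_binary "$1")
    if [[ -z "$binary" ]]; then
        echo "haven't found $1"
        return 1
    fi
    echo "reverting $binary"
    # setcap -r complains when the file carries no caps at all; that is
    # a harmless no-op for us, so its stderr is dropped and we only warn
    if ! setcap -r "$binary" 2>/dev/null; then
        p4c_err "no capabilities removed from $binary (none set, or setcap failed)"
        return 1
    fi
    return 0
}

# p4c_convert
# Convert every entry of APPSARRAY. Returns 1 if any entry failed.
# (Version 2 looped 'until COUNTER == len-1' and silently skipped the
# last entry of the array.)
p4c_convert(){
    local app caps rc=0
    for app in "${APPSARRAY[@]}"; do
        # the caps are held in a scalar named like the app (indirection)
        caps=${!app:-}
        if [[ -z "$caps" ]]; then
            p4c_err "no capabilities configured for $app - skipping"
            rc=1
            continue
        fi
        p4c_app_convert "$app" "$caps" || rc=1
    done
    return $rc
}

# p4c_revert
# Revert every entry of APPSARRAY. Returns 1 if any entry failed.
p4c_revert(){
    local app rc=0
    for app in "${APPSARRAY[@]}"; do
        p4c_app_revert "$app" || rc=1
    done
    return $rc
}

# p4c_usage
# Print the help text on stdout.
p4c_usage(){
    echo
    echo "pcaps4convenience"
    echo
    echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to"
    echo "run successful into their Inheritance and Effective Set."
    echo "The user who wants to execute this binaries successful has to have the"
    echo "necessary POSIX Capabilities in his Inheritable Set. This might be done"
    echo "through the PAM module pam_cap.so."
    echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute"
    echo "these binaries successful."
    echo "(well, still per sudo or su -c - but that's not the point here)"
    echo
    echo "You need the setcap utility (libcap); I will check for it."
    echo
    echo "Your Filesystem has to support extended attributes and your kernel must have"
    echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
    echo
    echo "Usage: pcaps4convenience [con(vert)|rev(ert)|help]"
    echo
    echo " con|convert - store the configured POSIX Capabilities on the binaries"
    echo " rev|revert - remove the POSIX Capabilities from the binaries again"
    echo " (the setuid bit of the binaries is never changed in either direction)"
    echo " help - this help message"
    echo
}

# command dispatch; the exit status reflects whether every entry succeeded
case "$1" in
    con|convert)
        p4c_test
        p4c_convert
        exit $?
        ;;
    rev|revert)
        p4c_test
        p4c_revert
        exit $?
        ;;
    help)
        p4c_usage
        exit 0
        ;;
    *)
        echo "Try 'pcaps4convenience help' for more information"
        exit 1
        ;;
esac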