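#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - [email protected]
# version: pcaps4suid0 3 Tue Mar 11 2008
#
#
# changelog:
#   1 - initial release suid02pcaps
#   2 - renamed to pcaps4suid0
#       implement idea of change between permitted/effective set
#       or inherited/effective set (pam_cap.so)
#   3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
# Change setuid-0 binaries away from setuid-0 to using POSIX
# Capabilities stored in the file's capability attribute.
#
#   SET=pe  -- Permitted and Effective set: the binary gets the
#              capabilities regardless of who runs it (legacy support,
#              closest to what setuid did)
#   SET=ie  -- Inheritable and Effective set: the user must already carry
#              the capability in the inheritable set, e.g. granted by
#              pam_cap.so (PAM support)
#
#
###############################################################
# to list candidates, for example use this find call:
# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
###############################################################



##HERE WE ADD APPS
##################

## these apps use their POSIX Caps
###################################
# capability numbers: see /usr/include/linux/capability.h
#ping=cap_net_raw
ping=13
#traceroute=cap_net_raw
traceroute=13
chsh=0,2,4,7
chfn=0,2,4,7
Xorg=1,6,7,17,21,26
chage=2
#passwd=0,2,4,7
#passwd 0,1
passwd=0,1,3 #PAM
unix_chkpwd=1
mount=1,21
umount=1,21

# these apps get converted/reverted; the caps for each one live in the
# shell variable of the same name (see above)
###################################
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )


# we put the caps into this set
###############################
#SET=pe
SET=ie


##FROM HERE ONLY LOGIC
######################

# Safe assumption: resolve 'which', chmod and setcap from system locations
# only. The original PATH contained a relative entry (usr/local/sbin, no
# leading slash), which would have made lookups depend on the current
# working directory of whoever runs this as root.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

#######################################
# Sanity checks: which, chmod and setcap must be available and we must
# be root. Exits with status 1 on any failure (the original exited with
# status 0 for the first two checks, hiding the failure from callers).
# Globals:  CHMOD, SETCAP (written)
# Returns:  only on success
#######################################
p4s_test(){
    local wich
    # are we sane? (the result is quoted: an empty result must not turn
    # the test into a syntax error as the unquoted original did)
    wich=$(which which 2>/dev/null)
    if [ -z "$wich" ]; then
        # that's bad
        echo "Sorry, I haven't found which" >&2
        exit 1
    fi

    # we need these apps
    CHMOD=$(which chmod 2>/dev/null)
    SETCAP=$(which setcap 2>/dev/null)
    if [ -z "$CHMOD" ] || [ -z "$SETCAP" ]; then
        echo "Sorry, I'm missing chmod or setcap!" >&2
        exit 1
    fi

    # checking for CAP_SETFCAP instead of uid 0 would be nicer;
    # for now we stick to root
    if [ "$(id -u)" != "0" ]; then
        echo "Sorry, you must be root!" >&2
        exit 1
    fi
}



#######################################
# Convert a single app from setuid-0 to file capabilities.
# 'which -a' is used because distributions often install symlinks to the
# real binary; the setuid bit and the capability attribute live on the
# target, so symlinks are skipped. Every regular file reported is
# converted: leaving a second real copy setuid-0 would defeat the purpose
# (the original's FOUND guard was written as "$FOUND"=="no" without
# spaces, which is always true, so it converted every copy as well).
# Globals:   SET (read)
# Arguments: $1 - app name; $2 - POSIX Caps as a setcap capability list
# Outputs:   progress on stdout, problems on stderr
# Returns:   0 if at least one file was converted, 1 otherwise
#######################################
p4s_app_convert(){
    local app=$1 caps=$2 candidate seen=no found=no
    if [ -z "$caps" ]; then
        # an app listed in APPSARRAY without a caps variable would otherwise
        # end up with an empty capability set and no setuid bit
        echo "no capabilities configured for $app, skipping" >&2
        return 1
    fi
    # read 'which -a' output line by line so paths with spaces survive
    while IFS= read -r candidate; do
        [ -n "$candidate" ] || continue
        seen=yes
        # ... and skip the symlinks
        if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
            echo "converting $candidate"
            chmod u-s -- "$candidate" || continue
            if setcap "${caps}=${SET}" "$candidate"; then
                found=yes
            else
                # never leave a binary with neither setuid nor caps:
                # it would simply stop working for unprivileged users
                echo "setcap failed on $candidate, restoring setuid bit" >&2
                chmod u+s -- "$candidate"
            fi
        fi
    done < <(which -a "$app" 2>/dev/null)
    if [ "$seen" = no ]; then
        # 'which' hasn't given anything back
        echo "haven't found $app"
        return 1
    fi
    if [ "$found" = no ]; then
        # 'which' found only symlinks (or no conversion succeeded)
        echo "1 haven't found $app"
        return 1
    fi
    return 0
}



#######################################
# Revert a single app from file capabilities back to setuid-0.
# Same candidate selection as p4s_app_convert.
# Arguments: $1 - app name
# Outputs:   progress on stdout
# Returns:   0 if at least one file was reverted, 1 otherwise
#######################################
p4s_app_revert(){
    local app=$1 candidate seen=no found=no
    while IFS= read -r candidate; do
        [ -n "$candidate" ] || continue
        seen=yes
        if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
            echo "reverting $candidate"
            chmod u+s -- "$candidate" || continue
            # setcap -r complains when there is no capability attribute to
            # remove; that is expected for a file that was never converted
            setcap -r "$candidate" 2>/dev/null
            found=yes
        fi
    done < <(which -a "$app" 2>/dev/null)
    if [ "$seen" = no ]; then
        echo "haven't found $app"
        return 1
    fi
    if [ "$found" = no ]; then
        echo "1 haven't found $app"
        return 1
    fi
    return 0
}



#######################################
# Go through APPSARRAY and call p4s_app_convert for each entry.
# The original counted up to ${#APPSARRAY[*]}-1 with 'until ==', which
# skipped the last entry (umount); iterating the array directly fixes that.
# Globals:   APPSARRAY (read), the per-app caps variables (read)
# Returns:   0 if every app converted, 1 if any failed
#######################################
p4s_convert(){
    local app rv=0
    for app in "${APPSARRAY[@]}"; do
        # ${!app} looks up the caps variable named after the app
        p4s_app_convert "$app" "${!app}" || rv=1
    done
    return "$rv"
}



#######################################
# Go through APPSARRAY and call p4s_app_revert for each entry.
# Globals:   APPSARRAY (read)
# Returns:   0 if every app reverted, 1 if any failed
#######################################
p4s_revert(){
    local app rv=0
    for app in "${APPSARRAY[@]}"; do
        p4s_app_revert "$app" || rv=1
    done
    return "$rv"
}



#######################################
# Print the help text.
#######################################
p4s_usage(){
    cat <<'EOF'

pcaps4suid0

pcaps4suid0 changes the file system entry of binaries from using setuid-0
to using POSIX Capabilities by granting the necessary Privileges
This is done by storing the needed POSIX Capabilities into the extended
attribute capability through setcap.
Following the idea of setuid - granting a binary the privilege regardless
of the user, the POSIX Capabilities are stored into the Permitted and
Effective set.
If you are using pam_cap.so, you might want to change the set into the
Inherited and Effective set (check for the SET var).

You need and I will check for the utilities which, chmod and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage: pcaps4suid0 [con(vert)|rev(ert)|help]

 con|convert - from setuid0 to POSIX Capabilities
 rev|revert - from POSIX Capabilities back to setuid0
 help - this help message

EOF
}



#######################################
# Command dispatch.
# Arguments: $1 - con|convert, rev|revert or help
# Returns:   exits 0 on success, 1 on a failed conversion/reversion or
#            an unknown command
#######################################
main(){
    case "$1" in
        con|convert)
            p4s_test
            p4s_convert
            exit $?
            ;;
        rev|revert)
            p4s_test
            p4s_revert
            exit $?
            ;;
        help)
            p4s_usage
            exit 0
            ;;
        *)
            echo "Try 'pcaps4suid0 help' for more information" >&2
            exit 1
            ;;
    esac
}

main "$@"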