OpenGrok

#!/bin/sh
# vim: tabstop=4
#
# author:    chris friedhoff - chris (at] friedhoff.org
# version:   pcaps4server  5  Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 1 - 2007.02.15 - initial release
# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id
# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
# 4 - renamed to pcaps4server
#      removed suid0 and convenience files,
#      they are now in pcaps4suid0 resp. pcaps4convenience
# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
###########################################################################
# change the installation of different server to be able not to run as root
# and have their own unpriviledged user. The binary has the needed POSIX
# Capabilities.
# to ensure that the server is really started as his respective user, we set
# the suid bit (BUT NOT 0)!
# paths are hard coded and derive from a slackware system
# change it to your needs !!
###########################################################################


VERBOSE="-v"
#VERBOSE=""
APPS=""

message(){
	printRedMessage "$1"
}

printRedMessage(){
	# print message red and turn back to white
	echo -e "\n\033[00;31m $1 ...\033[00;00m\n"
}

printGreenMessage(){
	# print message red and turn back to white
	echo -e "\033[00;32m $1 ...\033[00;00m\n"
	sleep 0.5
}

checkReturnCode(){
    if [ "$?" != "0" ]; then
        printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
        exit 1
    else
        printGreenMessage ":-)"
		sleep 0.5
    fi
}


p4r_test(){
	#for now, we work with root
	if [ "$( id -u )" != "0" ]; then
		echo "Sorry, you must be root !"
		exit
	fi
}


# apache 1.3
########
#APPS="$APPS apache1"
apache1_convert(){
	message "converting apache1"
	if [ "$( id -g apache 2>/dev/null )" == "" ]; then
		groupadd -g 60 apache
	fi
	if [ "$( id -u apache 2>/dev/null )" == "" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
	chown $VERBOSE -R apache:apache /var/run/apache/
	chown $VERBOSE -R apache:apache /etc/apache/
	chown $VERBOSE -R apache:apache /var/log/apache/
	chown $VERBOSE apache:apache /usr/sbin/httpd
	chmod $VERBOSE u+s /usr/sbin/httpd
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}
apache1_revert(){
	message "reverting apache1"
	chown $VERBOSE -R root:root /var/run/apache/
	chown $VERBOSE -R root:root /etc/apache/
	chown $VERBOSE -R root:root /var/log/apache/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	setcap -r /usr/sbin/httpd
	checkReturnCode
	sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf
	userdel apache
	groupdel apache
}


# apache 2.x
########
APPS="$APPS apache2"
apache2_convert(){
	message "converting apache2"
	if [ "$( id -g apache 2>/dev/null )" == "" ]; then
		groupadd -g 60 apache
	fi
	if [ "$( id -u apache 2>/dev/null )" == "" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
	chown $VERBOSE -R apache:apache /var/run/httpd/
	chown $VERBOSE -R apache:apache /etc/httpd/
	chown $VERBOSE -R apache:apache /var/log/httpd/
	chown $VERBOSE apache:apache /usr/sbin/httpd
	chmod $VERBOSE u+s /usr/sbin/httpd
	#setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}
apache2_revert(){
	message "reverting apache2"
	chown $VERBOSE -R root:root /var/run/httpd/
	chown $VERBOSE -R root:root /etc/httpd/
	chown $VERBOSE -R root:root /var/log/httpd/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	setcap -r /usr/sbin/httpd
	checkReturnCode
	sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf
	userdel apache
	groupdel apache
}


# samba
#######
APPS="$APPS samba"
samba_convert(){
	message "converting samba"
	if [ "$( id -g samba 2>/dev/null )" == "" ]; then
		groupadd -g 61 samba
	fi
	if [ "$( id -u samba 2>/dev/null )" == "" ]; then
		useradd -g samba -d / -u 610 samba
	fi
	chown $VERBOSE -R samba:samba /var/log/samba
	chown $VERBOSE -R samba:samba /etc/samba
	chown $VERBOSE -R samba:samba /var/run/samba
	chown $VERBOSE -R samba:samba /var/cache/samba
	chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
	setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
	checkReturnCode
	setcap cap_net_bind_service=ep /usr/sbin/nmbd
	checkReturnCode
}

samba_revert(){
	message "reverting samba"
	chown $VERBOSE -R root:root /var/log/samba
	chown $VERBOSE -R root:root /etc/samba
	chown $VERBOSE -R root:root /var/run/samba
	chown $VERBOSE -R root:root /var/cache/samba
	chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
	setcap -r /usr/sbin/smbd
	checkReturnCode
	setcap -r /usr/sbin/nmbd
	checkReturnCode
	userdel samba
	groupdel samba
}


# bind
######
APPS="$APPS bind"
bind_convert(){
	message "converting bind"
	if [ "$( id -g bind 2>/dev/null )" == "" ]; then
		groupadd -g 62 bind
	fi
	if [ "$( id -u bind 2>/dev/null )" == "" ]; then
		useradd -g bind -d / -u 620 bind
	fi
	chown $VERBOSE -R bind:bind /var/run/named
	chown $VERBOSE -R bind:bind /var/named
	chown $VERBOSE bind:bind /etc/rndc.key
	chown $VERBOSE bind:bind /usr/sbin/named
	chmod $VERBOSE u+s /usr/sbin/named
	setcap cap_net_bind_service=ep /usr/sbin/named
	checkReturnCode
}
bind_revert(){
	message "reverting bind"
	chown $VERBOSE -R root:root /var/run/named
	chown $VERBOSE -R root:root /var/named
	chown $VERBOSE root:root /etc/rndc.key
	chown $VERBOSE root:root /usr/sbin/named
	chmod $VERBOSE u-s /usr/sbin/named
	setcap -r /usr/sbin/named
	checkReturnCode
	userdel bind
	groupdel bind
}


# dhcpd
#######
APPS="$APPS dhcpd"
dhcpd_convert(){
	message "converting dhcpd"
	if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then
		groupadd -g 63 dhcpd
	fi
	if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then
		useradd -g dhcpd -d / -u 630 dhcpd
	fi
	chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
	chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
	chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
	chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
	chmod $VERBOSE u+s /usr/sbin/dhcpd
	setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
	checkReturnCode
}
dhcpd_revert(){
	message "reverting dhcpd"
	chown $VERBOSE root:root /var/run/dhcpd
	chown $VERBOSE root:root /etc/dhcpd.conf
	chown $VERBOSE -R root:root /var/state/dhcp/
	chown $VERBOSE root:root /usr/sbin/dhcpd
	chmod $VERBOSE u-s /usr/sbin/dhcpd
	setcap -r /usr/sbin/dhcpd
	checkReturnCode
	userdel dhcpd
	groupdel dhcpd
}


# cupsd
#######
APPS="$APPS cupsd"
cupsd_convert(){
	message "converting cupsd"
	if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then
		groupadd -g 64 cupsd
	fi
	if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then
		useradd -g cupsd -d / -u 640 cupsd
	fi
	sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
	chown $VERBOSE -R cupsd:cupsd /etc/cups
	chown $VERBOSE -R cupsd:cupsd /var/cache/cups
	chown $VERBOSE -R cupsd:cupsd /var/log/cups
	chown $VERBOSE -R cupsd:cupsd /var/spool/cups
	chown $VERBOSE -R cupsd:cupsd /var/run/cups
	chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
	chmod $VERBOSE u+s /usr/sbin/cupsd
	setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
	checkReturnCode
}
cupsd_revert(){
	message "reverting cupsd"
	chown $VERBOSE -R root:root /etc/cups
	chown $VERBOSE -R root:lp /var/cache/cups
	chown $VERBOSE -R root:root /var/log/cups
	chown $VERBOSE -R root:root /var/spool/cups
	chown $VERBOSE root:lp /var/run/cups
	chown $VERBOSE lp:sys /var/run/cups/certs
	chmod $VERBOSE 750 /var/run/cups/certs
	chown $VERBOSE root:root /usr/sbin/cupsd
	chmod $VERBOSE u-s /usr/sbin/cupsd
	setcap -r /usr/sbin/cupsd
	checkReturnCode
	sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
	userdel cupsd
	groupdel cupsd
}


usage_message(){
	echo "Try 'pcaps4server help' for more information"
}


p4r_usage(){
    echo
    echo "pcaps4server"
    echo
    echo "pcaps4server stores the needed POSIX Capabilities for server binaries to"
    echo "run successful into their Permitted and Effective Set."
    echo "The server are now able to run as an unpriviledged user."
	echo "For each server software an unpriviledged user is added the system."
    echo "The ownership of all the respective paths are	changed to this user."
	echo "To ensure that the server is starting as this unpriviledgesd user, the"
    echo "suid bit (NOT 0) is set."
	echo "Effectively this means every user can start this server daemons (for now)."
	echo "All paths are hard coded!"
	echo "You have been warned. Enjoy!"
    echo
    echo "Your Filesystem has to support extended attributes and your kernel must have"
    echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
    echo
    echo "Usage:  pcaps4server [PROG] [con(vert)|rev(ert)|help]"
    echo
    echo "         con|convert - from setuid0 to POSIX Capabilities"
    echo "         rev|revert  - from POSIX Capabilities back to setui0"
    echo "         help        - this help message"
	echo
	echo "  PROG: $APPS"
    echo
}


case "$1" in
	con|convert)
		p4r_test
		for j in $APPS; do
			${j}_convert
		done
		exit
		;;
	rev|renvert)
		p4r_test
		for j in $APPS; do
			${j}_revert
		done
		exit
		;;
	help)
		p4r_usage
		exit
		;;
esac

for i in ${APPS}; do
	if [ "$1" == "$i" ]; then
		case "$2" in
			con|convert)
				p4r_test
				${i}_convert
				exit
				;;
			rev|revert)
				p4r_test
				${i}_revert
				exit
				;;
			*)
				usage_message
				exit 1
				;;
			esac
	fi
done

usage_message