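#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - chris (at] friedhoff.org
# version: pcaps4convenience 2 Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
# pcaps4convenience stores POSIX file capabilities on a fixed list of
# binaries (APPSARRAY below) so they can do their job without setuid-root,
# and removes those capabilities again on 'revert'.
#
# the user has the necessary POSIX Capabilities in his Inheritance
# set and the applications are accepting the needed PCaps through
# their Inheritance set.
# a user who has not the PCaps in his Inheritance set CAN NOT
# successfully execute the apps
# --> SET=ie
# (if SET=pe than you relax the security level of your machine: the file
#  then hands its caps to everybody who executes it, just like setuid)
#
# Requirements: run as root; 'which' and 'setcap' in PATH; a filesystem
# with extended attributes and a kernel with file capability support.
#
# NOTE: file capabilities are kept in the security.capability xattr and
# are cleared whenever the binary is written to or replaced (e.g. by a
# package upgrade) - re-run 'convert' after upgrading a listed app.
#


##HERE WE ADD APPS
##################

## these apps uses their POSIX Caps
###################################
# see /usr/include/linux/capability.h
# adjust - if needed and wanted - /etc/security/capability.conf
# value = capability list handed to setcap (numeric form of the names
# given in the comment above each entry)
# NOTE: cap_sys_module and cap_sys_rawio are effectively root-equivalent,
# and cap_dac_read_search reads any file; every user who gets them in
# his Inheritable set (e.g. via pam_cap.so) can use them through these apps.
#eject=cap_dac_read_search,cap_sys_rawio
eject=2,17
#killall=cap_kill
killall=5
#modprobe=cap_sys_module
modprobe=16
#ntpdate=cap_net_bind_service,cap_sys_time
ntpdate=10,25
#qemu=cap_net_admin
qemu=12
#route=cap_net_admin
route=12


# this apps were converted/reverted
###################################
APPSARRAY=( eject killall modprobe ntpdate qemu route )


# we put it into this set
#########################
SET=ie


##FROM HERE ONLY LOGIC
######################

# unset variables are errors from here on (optional ones use ${x-} below)
set -u

# safe assumption: the old PATH carried a relative entry ('usr/local/sbin'),
# and a relative PATH element is searched below the current directory -
# not acceptable for a script that runs as root, so all entries are absolute
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message words
#######################################
p4c_die(){
    printf '%s\n' "$*" >&2
    exit 1
}

#######################################
# Sanity checks: 'which', 'setcap' and root privileges.
# Exits with status 1 and a message when one of them is missing
# (the old version exited 0 for a missing tool, which hid the failure).
#######################################
p4c_test(){
    # are we sane? the lookups below rely on 'which -a'
    if ! command -v which >/dev/null 2>&1; then
        # thats bad
        p4c_die "Sorry, I haven't found which"
    fi

    # we need this app to write the file capabilities
    if ! command -v setcap >/dev/null 2>&1; then
        p4c_die "Sorry, I'm missing setcap !"
    fi

    # setcap needs the SET_SETFCAP PCap; checking for exactly that is left
    # for later - for now we stick to root
    if [[ "$(id -u)" != "0" ]]; then
        p4c_die "Sorry, you must be root !"
    fi
}

#######################################
# Resolve an app name to the file that carries the capability.
# 'which -a' also lists symlinks to the app, and the capability has to
# go onto the real file, so the first regular non-symlink hit wins.
# Arguments: $1 - app name
# Outputs:   the chosen path on stdout (when one is found)
# Returns:   0 found, 1 'which' knows nothing, 2 only symlinks found
#######################################
p4c_app_target(){
    local name=$1 candidate seen=no
    # read line by line: a path with spaces must stay one candidate
    while IFS= read -r candidate; do
        seen=yes
        if [[ -f "$candidate" && ! -L "$candidate" ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < <(which -a "$name" 2>/dev/null)
    [[ "$seen" == yes ]] || return 1
    return 2
}

#######################################
# Convert a single app: store its POSIX Caps in the file's SET.
# Arguments: $1 - app name; $2 - POSIX Caps (setcap text, e.g. "2,17")
# Globals:   SET (read)
# Returns:   0 on success or when the app is simply not installed,
#            1 when setcap itself failed
#######################################
p4c_app_convert(){
    local name=$1 caps=$2 target rv=0
    target=$(p4c_app_target "$name") || rv=$?
    case $rv in
        0)
            echo "converting $target"
            if ! setcap "${caps}=${SET}" "$target"; then
                printf 'setcap failed on %s\n' "$target" >&2
                return 1
            fi
            ;;
        1)
            # 'which' hasn't anything given back
            echo "haven't found $name"
            ;;
        *)
            # 'which' found only symlinks
            echo "1 haven't found $name"
            ;;
    esac
    return 0
}

#######################################
# Revert a single app: remove the file capability again.
# Only the capability is removed - a setuid bit is NOT put back.
# Arguments: $1 - app name
# Returns:   0 (best effort, see below)
#######################################
p4c_app_revert(){
    local name=$1 target rv=0
    target=$(p4c_app_target "$name") || rv=$?
    case $rv in
        0)
            echo "reverting $target"
            # stderr is silenced on purpose: 'setcap -r' complains about a
            # file that carries no capability, and revert must be repeatable
            setcap -r "$target" 2>/dev/null
            ;;
        1)
            echo "haven't found $name"
            ;;
        *)
            echo "1 haven't found $name"
            ;;
    esac
    return 0
}

#######################################
# Convert every app in APPSARRAY (the old 'until COUNTER == UPPER'
# loop stopped one short and never touched the last entry).
# Globals:   APPSARRAY (read), one variable per app name (read)
# Returns:   0 when every app was handled, 1 when any step failed
#######################################
p4c_convert(){
    local app caps rv=0
    for app in "${APPSARRAY[@]}"; do
        # the caps live in a variable named after the app
        caps=${!app-}
        if [[ -z "$caps" ]]; then
            printf 'no POSIX Caps configured for %s, skipping\n' "$app" >&2
            rv=1
            continue
        fi
        p4c_app_convert "$app" "$caps" || rv=1
    done
    return "$rv"
}

#######################################
# Revert every app in APPSARRAY.
# Globals:   APPSARRAY (read)
# Returns:   0
#######################################
p4c_revert(){
    local app
    for app in "${APPSARRAY[@]}"; do
        p4c_app_revert "$app"
    done
    return 0
}

#######################################
# Print the help text to stdout.
#######################################
p4c_usage(){
    cat <<'EOF'

pcaps4convenience

pcaps4convenience stores the needed POSIX Capabilities for binaries to
run successful into their Inheritance and Effective Set.
The user who wants to execute this binaries successful has to have the
necessary POSIX Capabilities in his Inheritable Set. This might be done
through the PAM module pam_cap.so.
A user who has not the needed PCaps in his Inheritance Set CAN NOT execute
these binaries successful.
(well, still per sudo or su -c - but thats not the point here)

You need and I will check fot the utilities which and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage: pcaps4convenience [con(vert)|rev(ert)|help]

 con|convert - from setuid0 to POSIX Capabilities
 rev|revert - from POSIX Capabilities back to setui0
 help - this help message

EOF
}

#######################################
# Command dispatcher.
# Arguments: $1 - con|convert|rev|revert|help
# Returns:   0 on success, 1 on an unknown command or a failed convert
#######################################
p4c_main(){
    case "${1-}" in
        con|convert)
            p4c_test
            p4c_convert
            ;;
        rev|revert)
            p4c_test
            p4c_revert
            ;;
        help)
            p4c_usage
            ;;
        *)
            echo "Try 'pcaps4convenience help' for more information"
            return 1
            ;;
    esac
}

p4c_main "$@"
exit $?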