diff options
| author | Anas Nashif <anas.nashif@intel.com> | 2012-11-03 20:31:18 -0700 |
|---|---|---|
| committer | Anas Nashif <anas.nashif@intel.com> | 2012-11-03 20:31:18 -0700 |
| commit | b138da4a4b9d57b850ca4d0061969f5e3299861d (patch) | |
| tree | 3e20a6f4a29bfe91b2b51f416673d9fad1e0b7c7 /contrib | |
| download | libcap-b138da4a4b9d57b850ca4d0061969f5e3299861d.tar.gz libcap-b138da4a4b9d57b850ca4d0061969f5e3299861d.tar.bz2 libcap-b138da4a4b9d57b850ca4d0061969f5e3299861d.zip | |
Imported Upstream version 2.22upstream/2.22
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/Makefile | 3 | ||||
| -rw-r--r-- | contrib/bug400591/Makefile | 9 | ||||
| -rw-r--r-- | contrib/bug400591/bug.c | 43 | ||||
| -rw-r--r-- | contrib/pcaps4convenience | 209 | ||||
| -rw-r--r-- | contrib/pcaps4server | 369 | ||||
| -rw-r--r-- | contrib/pcaps4suid0 | 227 |
6 files changed, 860 insertions, 0 deletions
diff --git a/contrib/Makefile b/contrib/Makefile new file mode 100644 index 0000000..4749630 --- /dev/null +++ b/contrib/Makefile @@ -0,0 +1,3 @@ +.PHONY: all clean +all clean: + for x in bug* ; do make -C $$x $@ || exit 1 ; done diff --git a/contrib/bug400591/Makefile b/contrib/bug400591/Makefile new file mode 100644 index 0000000..320610c --- /dev/null +++ b/contrib/bug400591/Makefile @@ -0,0 +1,9 @@ +all: bug + +bug: bug.c ../../libcap Makefile + make -C ../../libcap + cc -g -I../../libcap/include --static -o $@ $< -L../../libcap -lcap + ./bug + +clean: + rm -f bug.o bug diff --git a/contrib/bug400591/bug.c b/contrib/bug400591/bug.c new file mode 100644 index 0000000..2ff2355 --- /dev/null +++ b/contrib/bug400591/bug.c @@ -0,0 +1,43 @@ +#include <assert.h> +#include <stdlib.h> +#include <sys/capability.h> + +/* + * Original from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400591 + * + * Modified to test more functions.. AGM - 2008/07/06. + */ + +int main (int argc, char *argv[]) +{ + cap_t caps, caps2; + ssize_t size, copy_size; + void *buffer; + char *text1, *text2; + + assert((caps = cap_get_pid(1))); + + text1 = cap_to_text(caps, NULL); + assert(text1); + + size = cap_size (caps); + assert (size>0 && size<1024); + + buffer = malloc (size); + assert (buffer); + + copy_size = cap_copy_ext (buffer, caps, size); + assert (copy_size == size); + + caps2 = cap_copy_int(buffer); + assert (caps2); + + text2 = cap_to_text(caps2, NULL); + assert(text2); + + assert(strcmp(text1, text2) == 0); + + assert(cap_compare(caps, caps2) == 0); + + return 0; +} diff --git a/contrib/pcaps4convenience b/contrib/pcaps4convenience new file mode 100644 index 0000000..c46735d --- /dev/null +++ b/contrib/pcaps4convenience @@ -0,0 +1,209 @@ +#!/bin/bash +# vim:expandtab:tabstop=4 +# +# author: chris friedhoff - chris@friedhoff.org +# version: pcaps4convenience 2 Tue Mar 11 2008 +# +# +# changelog: +# 1 - initial release pcaps4convenience +# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code +# +# +# the user has the necessary POSIX Capabilities in his Inheritance +# set and the applications are accepting the needed PCaps through +# their Inheritance set. +# a user who has not the PCaps in his Inheritance set CAN NOT +# successfully execute the apps +# --> SET=ie +# (if SET=pe than you relax the security level of your machine) +# +# +# + + +##HERE WE ADD APPS +################## + +## these apps uses their POSIX Caps +################################### +# see /usr/include/linux/capability.h +# adjust - if needed and wanted - /etc/security/capability.conf +#eject=cap_dac_read_search,cap_sys_rawio +eject=2,17 +#killall=cap_kill +killall=5 +#modprobe=cap_sys_module +modprobe=16 +#ntpdate=cap_net_bind_service,cap_sys_time +ntpdate=10,25 +#qemu=cap_net_admin +qemu=12 +#route=cap_net_admin +route=12 + + +# this apps were converted/reverted +################################### +APPSARRAY=( eject killall modprobe ntpdate qemu route ) + + +# we put it into this set +######################### +SET=ie + + +##FROM HERE ONLY LOGIC +###################### + +#save assumption!? +export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin + +p4c_test(){ + # are we sane? + WICH=`which which 2>/dev/null` + if [ $WICH == "" ]; then + # thats bad + echo "Sorry, I haven't found which" + exit + fi + + # we needt his apps + SETCAP=`which setcap 2>/dev/null` + if [ "$SETCAP" == "" ]; then + echo "Sorry, I'm missing setcap !" + exit + fi + + # checking setcap for SET_SETFCAP PCap ? + # for now we stick to root + if [ "$( id -u )" != "0" ]; then + echo "Sorry, you must be root !" + exit 1 + fi +} + + + +p4c_app_convert(){ + # convert a single app + # $1 is app name; $2 is POSIX Caps + # well symlinks to apps, so we use -a ... + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + # ... and are looking for symlinks + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "converting $i" + setcap $2=$SET $i + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + # 'which' found only symlinks + echo "1 haven't found $1" + fi + else + # 'which' hasn't anything given back + echo "haven't found $1" + fi +} + + + +p4c_app_revert(){ + # revert a singel app + # $1 is app name + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "reverting $i" + setcap -r $i 2>/dev/null + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + echo "1 haven't found $1" + fi + else + echo "haven't found $1" + fi +} + + + +p4c_convert(){ + # we go throug the APPSARRAY and call s2p_app_convert to do the job + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4c_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]} + let COUNTER+=1 + done +} + + + +p4c_revert(){ + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4c_app_revert ${APPSARRAY[$COUNTER]} + let COUNTER+=1 + done + +} + + + +p4c_usage(){ + echo + echo "pcaps4convenience" + echo + echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to" + echo "run successful into their Inheritance and Effective Set." + echo "The user who wants to execute this binaries successful has to have the" + echo "necessary POSIX Capabilities in his Inheritable Set. This might be done" + echo "through the PAM module pam_cap.so." + echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute" + echo "these binaries successful." + echo "(well, still per sudo or su -c - but thats not the point here)" + echo + echo "You need and I will check fot the utilities which and setcap." + echo + echo "Your Filesystem has to support extended attributes and your kernel must have" + echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." + echo + echo "Usage: pcaps4convenience [con(vert)|rev(ert)|help]" + echo + echo " con|convert - from setuid0 to POSIX Capabilities" + echo " rev|revert - from POSIX Capabilities back to setui0" + echo " help - this help message" + echo +} + + + +case "$1" in + con|convert) + p4c_test + p4c_convert + exit 0 + ;; + rev|revert) + p4c_test + p4c_revert + exit 0 + ;; + help) + p4c_usage + exit 0 + ;; + *) + echo "Try 'pcaps4convenience help' for more information" + exit 1 + ;; +esac diff --git a/contrib/pcaps4server b/contrib/pcaps4server new file mode 100644 index 0000000..af6f9ca --- /dev/null +++ b/contrib/pcaps4server @@ -0,0 +1,369 @@ +#!/bin/sh +# vim: tabstop=4 +# +# author: chris friedhoff - chris@friedhoff.org +# version: pcaps4server 5 Tue Mar 11 2008 +# +# +# changelog: +# 1 - initial release pcaps4convenience +# 1 - 2007.02.15 - initial release +# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id +# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap +# 4 - renamed to pcaps4server +# removed suid0 and convenience files, +# they are now in pcaps4suid0 resp. pcaps4convenience +# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code +# +# +########################################################################### +# change the installation of different server to be able not to run as root +# and have their own unpriviledged user. The binary has the needed POSIX +# Capabilities. +# to ensure that the server is really started as his respective user, we set +# the suid bit (BUT NOT 0)! +# paths are hard coded and derive from a slackware system +# change it to your needs !! +########################################################################### + + + +VERBOSE="-v" +#VERBOSE="" +APPS="" + +message(){ + printRedMessage "$1" +} + +printRedMessage(){ + # print message red and turn back to white + echo -e "\n\033[00;31m $1 ...\033[00;00m\n" +} + +printGreenMessage(){ + # print message red and turn back to white + echo -e "\033[00;32m $1 ...\033[00;00m\n" + sleep 0.5 +} + +checkReturnCode(){ + if [ "$?" != "0" ]; then + printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!" + exit 1 + else + printGreenMessage ":-)" + sleep 0.5 + fi +} + + + +p4r_test(){ + #for now, we work with root + if [ "$( id -u )" != "0" ]; then + echo "Sorry, you must be root !" + exit + fi +} + + + + +# apache 1.3 +######## +#APPS="$APPS apache1" +apache1_convert(){ + message "converting apache1" + if [ "$( id -g apache 2>/dev/null )" == "" ]; then + groupadd -g 60 apache + fi + if [ "$( id -u apache 2>/dev/null )" == "" ]; then + useradd -g apache -d / -u 600 apache + fi + sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf + chown $VERBOSE -R apache:apache /var/run/apache/ + chown $VERBOSE -R apache:apache /etc/apache/ + chown $VERBOSE -R apache:apache /var/log/apache/ + chown $VERBOSE apache:apache /usr/sbin/httpd + chmod $VERBOSE u+s /usr/sbin/httpd + setcap cap_net_bind_service=ep /usr/sbin/httpd + checkReturnCode +} +apache1_revert(){ + message "reverting apache1" + chown $VERBOSE -R root:root /var/run/apache/ + chown $VERBOSE -R root:root /etc/apache/ + chown $VERBOSE -R root:root /var/log/apache/ + chown $VERBOSE root:root /usr/sbin/httpd + chmod $VERBOSE u-s /usr/sbin/httpd + setcap -r /usr/sbin/httpd + checkReturnCode + sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf + userdel apache + groupdel apache +} + + +# apache 2.x +######## +APPS="$APPS apache2" +apache2_convert(){ + message "converting apache2" + if [ "$( id -g apache 2>/dev/null )" == "" ]; then + groupadd -g 60 apache + fi + if [ "$( id -u apache 2>/dev/null )" == "" ]; then + useradd -g apache -d / -u 600 apache + fi + sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf + chown $VERBOSE -R apache:apache /var/run/httpd/ + chown $VERBOSE -R apache:apache /etc/httpd/ + chown $VERBOSE -R apache:apache /var/log/httpd/ + chown $VERBOSE apache:apache /usr/sbin/httpd + chmod $VERBOSE u+s /usr/sbin/httpd + #setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd + setcap cap_net_bind_service=ep /usr/sbin/httpd + checkReturnCode +} +apache2_revert(){ + message "reverting apache2" + chown $VERBOSE -R root:root /var/run/httpd/ + chown $VERBOSE -R root:root /etc/httpd/ + chown $VERBOSE -R root:root /var/log/httpd/ + chown $VERBOSE root:root /usr/sbin/httpd + chmod $VERBOSE u-s /usr/sbin/httpd + setcap -r /usr/sbin/httpd + checkReturnCode + sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf + userdel apache + groupdel apache +} + + +# samba +####### +APPS="$APPS samba" +samba_convert(){ + message "converting samba" + if [ "$( id -g samba 2>/dev/null )" == "" ]; then + groupadd -g 61 samba + fi + if [ "$( id -u samba 2>/dev/null )" == "" ]; then + useradd -g samba -d / -u 610 samba + fi + chown $VERBOSE -R samba:samba /var/log/samba + chown $VERBOSE -R samba:samba /etc/samba + chown $VERBOSE -R samba:samba /var/run/samba + chown $VERBOSE -R samba:samba /var/cache/samba + chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd + chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd + setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd + checkReturnCode + setcap cap_net_bind_service=ep /usr/sbin/nmbd + checkReturnCode +} + +samba_revert(){ + message "reverting samba" + chown $VERBOSE -R root:root /var/log/samba + chown $VERBOSE -R root:root /etc/samba + chown $VERBOSE -R root:root /var/run/samba + chown $VERBOSE -R root:root /var/cache/samba + chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd + chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd + setcap -r /usr/sbin/smbd + checkReturnCode + setcap -r /usr/sbin/nmbd + checkReturnCode + userdel samba + groupdel samba +} + + +# bind +###### +APPS="$APPS bind" +bind_convert(){ + message "converting bind" + if [ "$( id -g bind 2>/dev/null )" == "" ]; then + groupadd -g 62 bind + fi + if [ "$( id -u bind 2>/dev/null )" == "" ]; then + useradd -g bind -d / -u 620 bind + fi + chown $VERBOSE -R bind:bind /var/run/named + chown $VERBOSE -R bind:bind /var/named + chown $VERBOSE bind:bind /etc/rndc.key + chown $VERBOSE bind:bind /usr/sbin/named + chmod $VERBOSE u+s /usr/sbin/named + setcap cap_net_bind_service=ep /usr/sbin/named + checkReturnCode +} +bind_revert(){ + message "reverting bind" + chown $VERBOSE -R root:root /var/run/named + chown $VERBOSE -R root:root /var/named + chown $VERBOSE root:root /etc/rndc.key + chown $VERBOSE root:root /usr/sbin/named + chmod $VERBOSE u-s /usr/sbin/named + setcap -r /usr/sbin/named + checkReturnCode + userdel bind + groupdel bind +} + + +# dhcpd +####### +APPS="$APPS dhcpd" +dhcpd_convert(){ + message "converting dhcpd" + if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then + groupadd -g 63 dhcpd + fi + if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then + useradd -g dhcpd -d / -u 630 dhcpd + fi + chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd + chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf + chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/ + chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd + chmod $VERBOSE u+s /usr/sbin/dhcpd + setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd + checkReturnCode +} +dhcpd_revert(){ + message "reverting dhcpd" + chown $VERBOSE root:root /var/run/dhcpd + chown $VERBOSE root:root /etc/dhcpd.conf + chown $VERBOSE -R root:root /var/state/dhcp/ + chown $VERBOSE root:root /usr/sbin/dhcpd + chmod $VERBOSE u-s /usr/sbin/dhcpd + setcap -r /usr/sbin/dhcpd + checkReturnCode + userdel dhcpd + groupdel dhcpd +} + + +# cupsd +####### +APPS="$APPS cupsd" +cupsd_convert(){ + message "converting cupsd" + if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then + groupadd -g 64 cupsd + fi + if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then + useradd -g cupsd -d / -u 640 cupsd + fi + sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf + chown $VERBOSE -R cupsd:cupsd /etc/cups + chown $VERBOSE -R cupsd:cupsd /var/cache/cups + chown $VERBOSE -R cupsd:cupsd /var/log/cups + chown $VERBOSE -R cupsd:cupsd /var/spool/cups + chown $VERBOSE -R cupsd:cupsd /var/run/cups + chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd + chmod $VERBOSE u+s /usr/sbin/cupsd + setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd + checkReturnCode +} +cupsd_revert(){ + message "reverting cupsd" + chown $VERBOSE -R root:root /etc/cups + chown $VERBOSE -R root:lp /var/cache/cups + chown $VERBOSE -R root:root /var/log/cups + chown $VERBOSE -R root:root /var/spool/cups + chown $VERBOSE root:lp /var/run/cups + chown $VERBOSE lp:sys /var/run/cups/certs + chmod $VERBOSE 750 /var/run/cups/certs + chown $VERBOSE root:root /usr/sbin/cupsd + chmod $VERBOSE u-s /usr/sbin/cupsd + setcap -r /usr/sbin/cupsd + checkReturnCode + sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf + userdel cupsd + groupdel cupsd +} + + +usage_message(){ + echo "Try 'pcaps4server help' for more information" +} + + +p4r_usage(){ + echo + echo "pcaps4server" + echo + echo "pcaps4server stores the needed POSIX Capabilities for server binaries to" + echo "run successful into their Permitted and Effective Set." + echo "The server are now able to run as an unpriviledged user." + echo "For each server software an unpriviledged user is added the system." + echo "The ownership of all the respective paths are changed to this user." + echo "To ensure that the server is starting as this unpriviledgesd user, the" + echo "suid bit (NOT 0) is set." + echo "Effectively this means every user can start this server daemons (for now)." + echo "All paths are hard coded!" + echo "You have been warned. Enjoy!" + echo + echo "Your Filesystem has to support extended attributes and your kernel must have" + echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." + echo + echo "Usage: pcaps4server [PROG] [con(vert)|rev(ert)|help]" + echo + echo " con|convert - from setuid0 to POSIX Capabilities" + echo " rev|revert - from POSIX Capabilities back to setui0" + echo " help - this help message" + echo + echo " PROG: $APPS" + echo +} + + + + +case "$1" in + con|convert) + p4r_test + for j in $APPS; do + ${j}_convert + done + exit + ;; + rev|renvert) + p4r_test + for j in $APPS; do + ${j}_revert + done + exit + ;; + help) + p4r_usage + exit + ;; +esac + +for i in ${APPS}; do + if [ "$1" == "$i" ]; then + case "$2" in + con|convert) + p4r_test + ${i}_convert + exit + ;; + rev|revert) + p4r_test + ${i}_revert + exit + ;; + *) + usage_message + exit 1 + ;; + esac + fi +done + +usage_message diff --git a/contrib/pcaps4suid0 b/contrib/pcaps4suid0 new file mode 100644 index 0000000..799df28 --- /dev/null +++ b/contrib/pcaps4suid0 @@ -0,0 +1,227 @@ +#!/bin/bash +# vim:expandtab:tabstop=4 +# +# author: chris friedhoff - chris@friedhoff.org +# version: pcaps4suid0 3 Tue Mar 11 2008 +# +# +# changelog: +# 1 - initial release suid02pcaps +# 2 - renamend to pcaps4suid0 +# implement idea of change between permitted/effective set +# or iherited/effective set (pam_cap.so) +# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code +# +# +# +# change different suid-0 binaries away from suid-0 to using +# POSIX Capabilities through their Permitted and Effective Set +# --> legacy support +# --> use SET=pe +# +# +# OR change different suid-0 binaries away from suid-0 to using +# POSIX Capabilities through their Inherited and Effective Set +# --> PAM support to set Inheritance set through pam_cap.so +# --> use SET=ie +# +# +# +# +############################################################### +# for example use this find call: +# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \; +############################################################### + + + +##HERE WE ADD APPS +################## + +## these apps uses their POSIX Caps +################################### +# see /usr/include/linux/capability.h +#ping=cap_net_raw +ping=13 +#traceroute=cap_net_raw +traceroute=13 +chsh=0,2,4,7 +chfn=0,2,4,7 +Xorg=1,6,7,17,21,26 +chage=2 +#passwd=0,2,4,7 +#passwd 0,1 +passwd=0,1,3 #PAM +unix_chkpwd=1 +mount=1,21 +umount=1,21 + +# this apps were converted/reverted +################################### +APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount ) + + +# we put it into this set +######################### +#SET=pe +SET=ie + + +##FROM HERE ONLY LOGIC +###################### + +#save assumption!? +export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin + +p4s_test(){ + # are we sane? + WICH=`which which 2>/dev/null` + if [ $WICH == "" ]; then + # thats bad + echo "Sorry, I haven't found which" + exit + fi + + # we needt his apps + CHMOD=`which chmod 2>/dev/null` + SETCAP=`which setcap 2>/dev/null` + if [ "$CHMOD" == "" -o "$SETCAP" == "" ]; then + echo "Sorry, I'm missing chmod or setcap !" + exit + fi + + # checking setcap for SET_SETFCAP PCap ? + # for now we stick to root + if [ "$( id -u )" != "0" ]; then + echo "Sorry, you must be root !" + exit 1 + fi +} + + + +p4s_app_convert(){ + # convert a single app + # $1 is app name; $2 is POSIX Caps + # well symlinks to apps, so we use -a ... + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + # ... and are looking for symlinks + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "converting $i" + chmod u-s $i + setcap $2=$SET $i + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + # 'which' found only symlinks + echo "1 haven't found $1" + fi + else + # 'which' hasn't anything given back + echo "haven't found $1" + fi +} + + + +p4s_app_revert(){ + # revert a singel app + # $1 is app name + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "reverting $i" + chmod u+s $i + setcap -r $i 2>/dev/null + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + echo "1 haven't found $1" + fi + else + echo "haven't found $1" + fi +} + + + +p4s_convert(){ + # we go throug the APPSARRAY and call s2p_app_convert to do the job + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4s_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]} + let COUNTER+=1 + done +} + + + +p4s_revert(){ + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4s_app_revert ${APPSARRAY[$COUNTER]} + let COUNTER+=1 + done + +} + + + +p4s_usage(){ + echo + echo "pcaps4suid0" + echo + echo "pcaps4suid0 changes the file system entry of binaries from using setuid-0" + echo "to using POSIX Capabilities by granting the necessary Privileges" + echo "This is done by storing the needed POSIX Capabilities into the extended" + echo "attribute capability through setcap." + echo "Following the idea of setuid - granting a binary the privilege regardless" + echo "of the user, the POSIX Capabilities are stored into the Permitted and" + echo "Effective set." + echo "If you are using pam_cap.so, you might want to change the set into the" + echo "Inherited and Effective set (check for the SET var)." + echo + echo "You need and I will check fot the utilities which, chmod and setcap." + echo + echo "Your Filesystem has to support extended attributes and your kernel must have" + echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." + echo + echo "Usage: pcaps4suid0 [con(vert)|rev(ert)|help]" + echo + echo " con|convert - from setuid0 to POSIX Capabilities" + echo " rev|revert - from POSIX Capabilities back to setui0" + echo " help - this help message" + echo +} + + + +case "$1" in + con|convert) + p4s_test + p4s_convert + exit 0 + ;; + rev|revert) + p4s_test + p4s_revert + exit 0 + ;; + help) + p4s_usage + exit 0 + ;; + *) + echo "Try 'pcaps4suid0 help' for more information" + exit 1 + ;; +esac |