Diffstat (limited to 'contrib/pcaps4convenience')
-rw-r--r-- | contrib/pcaps4convenience | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/contrib/pcaps4convenience b/contrib/pcaps4convenience
new file mode 100644
index 0000000..c46735d
--- /dev/null
+++ b/contrib/pcaps4convenience
@@ -0,0 +1,209 @@
+#!/bin/bash
+# vim:expandtab:tabstop=4
+#
+# author: chris friedhoff - chris@friedhoff.org
+# version: pcaps4convenience 2 Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release pcaps4convenience
+# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+# the user has the necessary POSIX Capabilities in his Inheritance
+# set and the applications are accepting the needed PCaps through
+# their Inheritance set.
+# a user who has not the PCaps in his Inheritance set CAN NOT
+# successfully execute the apps
+# --> SET=ie
+# (if SET=pe than you relax the security level of your machine)
+#
+#
+#
+
+
+##HERE WE ADD APPS
+##################
+
+## these apps uses their POSIX Caps
+###################################
+# see /usr/include/linux/capability.h
+# adjust - if needed and wanted - /etc/security/capability.conf
+#eject=cap_dac_read_search,cap_sys_rawio
+eject=2,17
+#killall=cap_kill
+killall=5
+#modprobe=cap_sys_module
+modprobe=16
+#ntpdate=cap_net_bind_service,cap_sys_time
+ntpdate=10,25
+#qemu=cap_net_admin
+qemu=12
+#route=cap_net_admin
+route=12
+
+
+# this apps were converted/reverted
+###################################
+APPSARRAY=( eject killall modprobe ntpdate qemu route )
+
+
+# we put it into this set
+#########################
+SET=ie
+
+
+##FROM HERE ONLY LOGIC
+######################
+
+#save assumption!?
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin
+
+p4c_test(){
+ # are we sane?
+ WICH=`which which 2>/dev/null`
+ if [ $WICH == "" ]; then
+ # thats bad
+ echo "Sorry, I haven't found which"
+ exit
+ fi
+
+ # we needt his apps
+ SETCAP=`which setcap 2>/dev/null`
+ if [ "$SETCAP" == "" ]; then
+ echo "Sorry, I'm missing setcap !"
+ exit
+ fi
+
+ # checking setcap for SET_SETFCAP PCap ?
+ # for now we stick to root
+ if [ "$( id -u )" != "0" ]; then
+ echo "Sorry, you must be root !"
+ exit 1
+ fi
+}
+
+
+
+p4c_app_convert(){
+ # convert a single app
+ # $1 is app name; $2 is POSIX Caps
+ # well symlinks to apps, so we use -a ...
+ APP=`which -a $1 2>/dev/null`
+ if [ "$APP" != "" ]; then
+ FOUND=no
+ for i in $APP; do
+ # ... and are looking for symlinks
+ if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+ echo "converting $i"
+ setcap $2=$SET $i
+ FOUND=yes
+ fi
+ done
+ if [ "$FOUND" == "no" ]; then
+ # 'which' found only symlinks
+ echo "1 haven't found $1"
+ fi
+ else
+ # 'which' hasn't anything given back
+ echo "haven't found $1"
+ fi
+}
+
+
+
+p4c_app_revert(){
+ # revert a singel app
+ # $1 is app name
+ APP=`which -a $1 2>/dev/null`
+ if [ "$APP" != "" ]; then
+ FOUND=no
+ for i in $APP; do
+ if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+ echo "reverting $i"
+ setcap -r $i 2>/dev/null
+ FOUND=yes
+ fi
+ done
+ if [ "$FOUND" == "no" ]; then
+ echo "1 haven't found $1"
+ fi
+ else
+ echo "haven't found $1"
+ fi
+}
+
+
+
+p4c_convert(){
+ # we go throug the APPSARRAY and call s2p_app_convert to do the job
+ COUNTER=0
+ let UPPER=${#APPSARRAY[*]}-1
+ until [ $COUNTER == $UPPER ]; do
+ p4c_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]}
+ let COUNTER+=1
+ done
+}
+
+
+
+p4c_revert(){
+ COUNTER=0
+ let UPPER=${#APPSARRAY[*]}-1
+ until [ $COUNTER == $UPPER ]; do
+ p4c_app_revert ${APPSARRAY[$COUNTER]}
+ let COUNTER+=1
+ done
+
+}
+
+
+
+p4c_usage(){
+ echo
+ echo "pcaps4convenience"
+ echo
+ echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to"
+ echo "run successful into their Inheritance and Effective Set."
+ echo "The user who wants to execute this binaries successful has to have the"
+ echo "necessary POSIX Capabilities in his Inheritable Set. This might be done"
+ echo "through the PAM module pam_cap.so."
+ echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute"
+ echo "these binaries successful."
+ echo "(well, still per sudo or su -c - but thats not the point here)"
+ echo
+ echo "You need and I will check fot the utilities which and setcap."
+ echo
+ echo "Your Filesystem has to support extended attributes and your kernel must have"
+ echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+ echo
+ echo "Usage: pcaps4convenience [con(vert)|rev(ert)|help]"
+ echo
+ echo " con|convert - from setuid0 to POSIX Capabilities"
+ echo " rev|revert - from POSIX Capabilities back to setui0"
+ echo " help - this help message"
+ echo
+}
+
+
+
+case "$1" in
+ con|convert)
+ p4c_test
+ p4c_convert
+ exit 0
+ ;;
+ rev|revert)
+ p4c_test
+ p4c_revert
+ exit 0
+ ;;
+ help)
+ p4c_usage
+ exit 0
+ ;;
+ *)
+ echo "Try 'pcaps4convenience help' for more information"
+ exit 1
+ ;;
+esac |
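Review bot: The PATH exported at the top of the logic section contains a relative entry, `usr/local/sbin` (the leading slash is missing after `/usr/bin/:`), so once p4c_test has confirmed the script runs as root, the `which -a` lookups and the `setcap` calls in p4c_app_convert/p4c_app_revert can resolve a binary out of the current working directory; the line should read `export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin`. In p4c_convert and p4c_revert the loop `until [ $COUNTER == $UPPER ]` stops when COUNTER reaches the last index without processing it, so the final APPSARRAY entry (route) is never converted or reverted; `for app in "${APPSARRAY[@]}"; do p4c_app_convert "$app" "${!app}"; done` removes the counter arithmetic and the off-by-one together. In p4c_app_convert and p4c_app_revert the operand `"$FOUND"=="no"` has no spaces around `==`, so it is a single non-empty word that `[` always treats as true, and setcap is applied to every regular-file match instead of only the first. In p4c_test the unquoted `[ $WICH == "" ]` degenerates to `[ == "" ]` exactly when which is absent, which `[` rejects as a bad unary operator, so that branch never fires; the same function then leaves with status 0 on its two "Sorry" paths via a bare `exit`, which should be `exit 1` as in the root check. Quoting `$i` in `-L $i` and in the `setcap` arguments would complete the fix.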