Diffstat (limited to 'contrib/pcaps4convenience')
-rw-r--r--contrib/pcaps4convenience209
1 files changed, 209 insertions, 0 deletions
diff --git a/contrib/pcaps4convenience b/contrib/pcaps4convenience
new file mode 100644
index 0000000..c46735d
--- /dev/null
+++ b/contrib/pcaps4convenience
@@ -0,0 +1,209 @@
+#!/bin/bash
+# vim:expandtab:tabstop=4
+#
+# author: chris friedhoff - chris@friedhoff.org
+# version: pcaps4convenience 2 Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release pcaps4convenience
+# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+# the user has the necessary POSIX Capabilities in his Inheritance
+# set and the applications are accepting the needed PCaps through
+# their Inheritance set.
+# a user who has not the PCaps in his Inheritance set CAN NOT
+# successfully execute the apps
+# --> SET=ie
+# (if SET=pe than you relax the security level of your machine)
+#
+#
+#
+
+
+##HERE WE ADD APPS
+##################
+
+## these apps uses their POSIX Caps
+###################################
+# see /usr/include/linux/capability.h
+# adjust - if needed and wanted - /etc/security/capability.conf
+#eject=cap_dac_read_search,cap_sys_rawio
+eject=2,17
+#killall=cap_kill
+killall=5
+#modprobe=cap_sys_module
+modprobe=16
+#ntpdate=cap_net_bind_service,cap_sys_time
+ntpdate=10,25
+#qemu=cap_net_admin
+qemu=12
+#route=cap_net_admin
+route=12
+
+
+# this apps were converted/reverted
+###################################
+APPSARRAY=( eject killall modprobe ntpdate qemu route )
+
+
+# we put it into this set
+#########################
+SET=ie
+
+
+##FROM HERE ONLY LOGIC
+######################
+
+#save assumption!?
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin
+
+p4c_test(){
+ # are we sane?
+ WICH=`which which 2>/dev/null`
+ if [ $WICH == "" ]; then
+ # thats bad
+ echo "Sorry, I haven't found which"
+ exit
+ fi
+
+ # we needt his apps
+ SETCAP=`which setcap 2>/dev/null`
+ if [ "$SETCAP" == "" ]; then
+ echo "Sorry, I'm missing setcap !"
+ exit
+ fi
+
+ # checking setcap for SET_SETFCAP PCap ?
+ # for now we stick to root
+ if [ "$( id -u )" != "0" ]; then
+ echo "Sorry, you must be root !"
+ exit 1
+ fi
+}
+
+
+
+p4c_app_convert(){
+ # convert a single app
+ # $1 is app name; $2 is POSIX Caps
+ # well symlinks to apps, so we use -a ...
+ APP=`which -a $1 2>/dev/null`
+ if [ "$APP" != "" ]; then
+ FOUND=no
+ for i in $APP; do
+ # ... and are looking for symlinks
+ if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+ echo "converting $i"
+ setcap $2=$SET $i
+ FOUND=yes
+ fi
+ done
+ if [ "$FOUND" == "no" ]; then
+ # 'which' found only symlinks
+ echo "1 haven't found $1"
+ fi
+ else
+ # 'which' hasn't anything given back
+ echo "haven't found $1"
+ fi
+}
+
+
+
+p4c_app_revert(){
+ # revert a singel app
+ # $1 is app name
+ APP=`which -a $1 2>/dev/null`
+ if [ "$APP" != "" ]; then
+ FOUND=no
+ for i in $APP; do
+ if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+ echo "reverting $i"
+ setcap -r $i 2>/dev/null
+ FOUND=yes
+ fi
+ done
+ if [ "$FOUND" == "no" ]; then
+ echo "1 haven't found $1"
+ fi
+ else
+ echo "haven't found $1"
+ fi
+}
+
+
+
+p4c_convert(){
+ # we go throug the APPSARRAY and call s2p_app_convert to do the job
+ COUNTER=0
+ let UPPER=${#APPSARRAY[*]}-1
+ until [ $COUNTER == $UPPER ]; do
+ p4c_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]}
+ let COUNTER+=1
+ done
+}
+
+
+
+p4c_revert(){
+ COUNTER=0
+ let UPPER=${#APPSARRAY[*]}-1
+ until [ $COUNTER == $UPPER ]; do
+ p4c_app_revert ${APPSARRAY[$COUNTER]}
+ let COUNTER+=1
+ done
+
+}
+
+
+
+p4c_usage(){
+ echo
+ echo "pcaps4convenience"
+ echo
+ echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to"
+ echo "run successful into their Inheritance and Effective Set."
+ echo "The user who wants to execute this binaries successful has to have the"
+ echo "necessary POSIX Capabilities in his Inheritable Set. This might be done"
+ echo "through the PAM module pam_cap.so."
+ echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute"
+ echo "these binaries successful."
+ echo "(well, still per sudo or su -c - but thats not the point here)"
+ echo
+ echo "You need and I will check fot the utilities which and setcap."
+ echo
+ echo "Your Filesystem has to support extended attributes and your kernel must have"
+ echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+ echo
+ echo "Usage: pcaps4convenience [con(vert)|rev(ert)|help]"
+ echo
+ echo " con|convert - from setuid0 to POSIX Capabilities"
+ echo " rev|revert - from POSIX Capabilities back to setui0"
+ echo " help - this help message"
+ echo
+}
+
+
+
+case "$1" in
+ con|convert)
+ p4c_test
+ p4c_convert
+ exit 0
+ ;;
+ rev|revert)
+ p4c_test
+ p4c_revert
+ exit 0
+ ;;
+ help)
+ p4c_usage
+ exit 0
+ ;;
+ *)
+ echo "Try 'pcaps4convenience help' for more information"
+ exit 1
+ ;;
+esac
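Review bot: The `export PATH=` line contains the relative entry `usr/local/sbin` (missing leading slash), so a root run of this script also resolves `which`, `setcap` and every target app through `$CWD/usr/local/sbin` — anyone who can create that directory under the invoking user's working directory can have root grant file capabilities to, or execute, a binary of their choosing; it should read `export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin`. Compounding this, the test `"$FOUND"=="no"` in p4c_app_convert and p4c_app_revert has no spaces around `==`, so it is a single non-empty word that is always true and every non-symlink hit returned by `which -a` gets capabilities, not only the first as the FOUND flag intends; write `[ -f "$i" -a ! -L "$i" -a "$FOUND" == "no" ]` in both places. Separately, the `until [ $COUNTER == $UPPER ]` loops with `UPPER=len-1` stop before the last array element, so `route` is never converted or reverted; `for app in "${APPSARRAY[@]}"` avoids the off-by-one, and the `setcap` calls should have their exit status checked rather than being silenced with `2>/dev/null`.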