Diffstat (limited to 'contrib/pcaps4server')
-rw-r--r--contrib/pcaps4server369
1 files changed, 369 insertions, 0 deletions
diff --git a/contrib/pcaps4server b/contrib/pcaps4server
new file mode 100644
index 0000000..af6f9ca
--- /dev/null
+++ b/contrib/pcaps4server
@@ -0,0 +1,369 @@
+#!/bin/sh
+# vim: tabstop=4
+#
+# author: chris friedhoff - chris@friedhoff.org
+# version: pcaps4server 5 Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release pcaps4convenience
+# 1 - 2007.02.15 - initial release
+# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id
+# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
+# 4 - renamed to pcaps4server
+# removed suid0 and convenience files,
+# they are now in pcaps4suid0 resp. pcaps4convenience
+# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+###########################################################################
+# change the installation of different server to be able not to run as root
+# and have their own unpriviledged user. The binary has the needed POSIX
+# Capabilities.
+# to ensure that the server is really started as his respective user, we set
+# the suid bit (BUT NOT 0)!
+# paths are hard coded and derive from a slackware system
+# change it to your needs !!
+###########################################################################
+
+
+
+VERBOSE="-v"
+#VERBOSE=""
+APPS=""
+
+message(){
+ printRedMessage "$1"
+}
+
+printRedMessage(){
+ # print message red and turn back to white
+ echo -e "\n\033[00;31m $1 ...\033[00;00m\n"
+}
+
+printGreenMessage(){
+ # print message red and turn back to white
+ echo -e "\033[00;32m $1 ...\033[00;00m\n"
+ sleep 0.5
+}
+
+checkReturnCode(){
+ if [ "$?" != "0" ]; then
+ printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
+ exit 1
+ else
+ printGreenMessage ":-)"
+ sleep 0.5
+ fi
+}
+
+
+
+p4r_test(){
+ #for now, we work with root
+ if [ "$( id -u )" != "0" ]; then
+ echo "Sorry, you must be root !"
+ exit
+ fi
+}
+
+
+
+
+# apache 1.3
+########
+#APPS="$APPS apache1"
+apache1_convert(){
+ message "converting apache1"
+ if [ "$( id -g apache 2>/dev/null )" == "" ]; then
+ groupadd -g 60 apache
+ fi
+ if [ "$( id -u apache 2>/dev/null )" == "" ]; then
+ useradd -g apache -d / -u 600 apache
+ fi
+ sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
+ chown $VERBOSE -R apache:apache /var/run/apache/
+ chown $VERBOSE -R apache:apache /etc/apache/
+ chown $VERBOSE -R apache:apache /var/log/apache/
+ chown $VERBOSE apache:apache /usr/sbin/httpd
+ chmod $VERBOSE u+s /usr/sbin/httpd
+ setcap cap_net_bind_service=ep /usr/sbin/httpd
+ checkReturnCode
+}
+apache1_revert(){
+ message "reverting apache1"
+ chown $VERBOSE -R root:root /var/run/apache/
+ chown $VERBOSE -R root:root /etc/apache/
+ chown $VERBOSE -R root:root /var/log/apache/
+ chown $VERBOSE root:root /usr/sbin/httpd
+ chmod $VERBOSE u-s /usr/sbin/httpd
+ setcap -r /usr/sbin/httpd
+ checkReturnCode
+ sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf
+ userdel apache
+ groupdel apache
+}
+
+
+# apache 2.x
+########
+APPS="$APPS apache2"
+apache2_convert(){
+ message "converting apache2"
+ if [ "$( id -g apache 2>/dev/null )" == "" ]; then
+ groupadd -g 60 apache
+ fi
+ if [ "$( id -u apache 2>/dev/null )" == "" ]; then
+ useradd -g apache -d / -u 600 apache
+ fi
+ sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
+ chown $VERBOSE -R apache:apache /var/run/httpd/
+ chown $VERBOSE -R apache:apache /etc/httpd/
+ chown $VERBOSE -R apache:apache /var/log/httpd/
+ chown $VERBOSE apache:apache /usr/sbin/httpd
+ chmod $VERBOSE u+s /usr/sbin/httpd
+ #setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
+ setcap cap_net_bind_service=ep /usr/sbin/httpd
+ checkReturnCode
+}
+apache2_revert(){
+ message "reverting apache2"
+ chown $VERBOSE -R root:root /var/run/httpd/
+ chown $VERBOSE -R root:root /etc/httpd/
+ chown $VERBOSE -R root:root /var/log/httpd/
+ chown $VERBOSE root:root /usr/sbin/httpd
+ chmod $VERBOSE u-s /usr/sbin/httpd
+ setcap -r /usr/sbin/httpd
+ checkReturnCode
+ sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf
+ userdel apache
+ groupdel apache
+}
+
+
+# samba
+#######
+APPS="$APPS samba"
+samba_convert(){
+ message "converting samba"
+ if [ "$( id -g samba 2>/dev/null )" == "" ]; then
+ groupadd -g 61 samba
+ fi
+ if [ "$( id -u samba 2>/dev/null )" == "" ]; then
+ useradd -g samba -d / -u 610 samba
+ fi
+ chown $VERBOSE -R samba:samba /var/log/samba
+ chown $VERBOSE -R samba:samba /etc/samba
+ chown $VERBOSE -R samba:samba /var/run/samba
+ chown $VERBOSE -R samba:samba /var/cache/samba
+ chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
+ chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
+ setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
+ checkReturnCode
+ setcap cap_net_bind_service=ep /usr/sbin/nmbd
+ checkReturnCode
+}
+
+samba_revert(){
+ message "reverting samba"
+ chown $VERBOSE -R root:root /var/log/samba
+ chown $VERBOSE -R root:root /etc/samba
+ chown $VERBOSE -R root:root /var/run/samba
+ chown $VERBOSE -R root:root /var/cache/samba
+ chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
+ chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
+ setcap -r /usr/sbin/smbd
+ checkReturnCode
+ setcap -r /usr/sbin/nmbd
+ checkReturnCode
+ userdel samba
+ groupdel samba
+}
+
+
+# bind
+######
+APPS="$APPS bind"
+bind_convert(){
+ message "converting bind"
+ if [ "$( id -g bind 2>/dev/null )" == "" ]; then
+ groupadd -g 62 bind
+ fi
+ if [ "$( id -u bind 2>/dev/null )" == "" ]; then
+ useradd -g bind -d / -u 620 bind
+ fi
+ chown $VERBOSE -R bind:bind /var/run/named
+ chown $VERBOSE -R bind:bind /var/named
+ chown $VERBOSE bind:bind /etc/rndc.key
+ chown $VERBOSE bind:bind /usr/sbin/named
+ chmod $VERBOSE u+s /usr/sbin/named
+ setcap cap_net_bind_service=ep /usr/sbin/named
+ checkReturnCode
+}
+bind_revert(){
+ message "reverting bind"
+ chown $VERBOSE -R root:root /var/run/named
+ chown $VERBOSE -R root:root /var/named
+ chown $VERBOSE root:root /etc/rndc.key
+ chown $VERBOSE root:root /usr/sbin/named
+ chmod $VERBOSE u-s /usr/sbin/named
+ setcap -r /usr/sbin/named
+ checkReturnCode
+ userdel bind
+ groupdel bind
+}
+
+
+# dhcpd
+#######
+APPS="$APPS dhcpd"
+dhcpd_convert(){
+ message "converting dhcpd"
+ if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then
+ groupadd -g 63 dhcpd
+ fi
+ if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then
+ useradd -g dhcpd -d / -u 630 dhcpd
+ fi
+ chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
+ chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
+ chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
+ chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
+ chmod $VERBOSE u+s /usr/sbin/dhcpd
+ setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
+ checkReturnCode
+}
+dhcpd_revert(){
+ message "reverting dhcpd"
+ chown $VERBOSE root:root /var/run/dhcpd
+ chown $VERBOSE root:root /etc/dhcpd.conf
+ chown $VERBOSE -R root:root /var/state/dhcp/
+ chown $VERBOSE root:root /usr/sbin/dhcpd
+ chmod $VERBOSE u-s /usr/sbin/dhcpd
+ setcap -r /usr/sbin/dhcpd
+ checkReturnCode
+ userdel dhcpd
+ groupdel dhcpd
+}
+
+
+# cupsd
+#######
+APPS="$APPS cupsd"
+cupsd_convert(){
+ message "converting cupsd"
+ if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then
+ groupadd -g 64 cupsd
+ fi
+ if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then
+ useradd -g cupsd -d / -u 640 cupsd
+ fi
+ sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
+ chown $VERBOSE -R cupsd:cupsd /etc/cups
+ chown $VERBOSE -R cupsd:cupsd /var/cache/cups
+ chown $VERBOSE -R cupsd:cupsd /var/log/cups
+ chown $VERBOSE -R cupsd:cupsd /var/spool/cups
+ chown $VERBOSE -R cupsd:cupsd /var/run/cups
+ chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
+ chmod $VERBOSE u+s /usr/sbin/cupsd
+ setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
+ checkReturnCode
+}
+cupsd_revert(){
+ message "reverting cupsd"
+ chown $VERBOSE -R root:root /etc/cups
+ chown $VERBOSE -R root:lp /var/cache/cups
+ chown $VERBOSE -R root:root /var/log/cups
+ chown $VERBOSE -R root:root /var/spool/cups
+ chown $VERBOSE root:lp /var/run/cups
+ chown $VERBOSE lp:sys /var/run/cups/certs
+ chmod $VERBOSE 750 /var/run/cups/certs
+ chown $VERBOSE root:root /usr/sbin/cupsd
+ chmod $VERBOSE u-s /usr/sbin/cupsd
+ setcap -r /usr/sbin/cupsd
+ checkReturnCode
+ sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
+ userdel cupsd
+ groupdel cupsd
+}
+
+
+usage_message(){
+ echo "Try 'pcaps4server help' for more information"
+}
+
+
+p4r_usage(){
+ echo
+ echo "pcaps4server"
+ echo
+ echo "pcaps4server stores the needed POSIX Capabilities for server binaries to"
+ echo "run successful into their Permitted and Effective Set."
+ echo "The server are now able to run as an unpriviledged user."
+ echo "For each server software an unpriviledged user is added the system."
+ echo "The ownership of all the respective paths are changed to this user."
+ echo "To ensure that the server is starting as this unpriviledgesd user, the"
+ echo "suid bit (NOT 0) is set."
+ echo "Effectively this means every user can start this server daemons (for now)."
+ echo "All paths are hard coded!"
+ echo "You have been warned. Enjoy!"
+ echo
+ echo "Your Filesystem has to support extended attributes and your kernel must have"
+ echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+ echo
+ echo "Usage: pcaps4server [PROG] [con(vert)|rev(ert)|help]"
+ echo
+ echo " con|convert - from setuid0 to POSIX Capabilities"
+ echo " rev|revert - from POSIX Capabilities back to setui0"
+ echo " help - this help message"
+ echo
+ echo " PROG: $APPS"
+ echo
+}
+
+
+
+
+case "$1" in
+ con|convert)
+ p4r_test
+ for j in $APPS; do
+ ${j}_convert
+ done
+ exit
+ ;;
+ rev|renvert)
+ p4r_test
+ for j in $APPS; do
+ ${j}_revert
+ done
+ exit
+ ;;
+ help)
+ p4r_usage
+ exit
+ ;;
+esac
+
+for i in ${APPS}; do
+ if [ "$1" == "$i" ]; then
+ case "$2" in
+ con|convert)
+ p4r_test
+ ${i}_convert
+ exit
+ ;;
+ rev|revert)
+ p4r_test
+ ${i}_revert
+ exit
+ ;;
+ *)
+ usage_message
+ exit 1
+ ;;
+ esac
+ fi
+done
+
+usage_message
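Review bot: The top-level dispatch has a typo in its second arm, `rev|renvert)`, so `pcaps4server revert` never matches, falls through to the per-app loop (where `revert` is not an app name) and ends in `usage_message` with exit status 0 — the all-apps revert path is unreachable; it should read `rev|revert)` like the per-app case below it. The script is declared `#!/bin/sh` but relies on `==` inside `[ ]` (every `id -g`/`id -u` test and the `"$1" == "$i"` loop) and on `echo -e`, which are not POSIX and fail or print literal `-e` under dash, so either the shebang should become `#!/bin/bash` or the tests should use `=` and the messages `printf`. `p4r_test` exits with status 0 when the caller is not root, so a wrapper cannot tell a refused run from a completed one; `exit 1` is the intended behaviour. In the `*_convert` functions `checkReturnCode` only sees the status of the immediately preceding `setcap`; the `chown` of the binary to the service user is unchecked, and if it fails the following `chmod u+s` re-creates a setuid-root binary that then also receives file capabilities — ordering `setcap` before `chmod u+s` and checking the `chown` explicitly avoids that state.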