Diffstat (limited to 'contrib/pcaps4server')
-rw-r--r-- | contrib/pcaps4server | 369 |
1 files changed, 369 insertions, 0 deletions
diff --git a/contrib/pcaps4server b/contrib/pcaps4server
new file mode 100644
index 0000000..af6f9ca
--- /dev/null
+++ b/contrib/pcaps4server
@@ -0,0 +1,369 @@
+#!/bin/sh
+# vim: tabstop=4
+#
+# author: chris friedhoff - chris@friedhoff.org
+# version: pcaps4server 5 Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release pcaps4convenience
+# 1 - 2007.02.15 - initial release
+# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id
+# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
+# 4 - renamed to pcaps4server
+# removed suid0 and convenience files,
+# they are now in pcaps4suid0 resp. pcaps4convenience
+# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+###########################################################################
+# change the installation of different server to be able not to run as root
+# and have their own unpriviledged user. The binary has the needed POSIX
+# Capabilities.
+# to ensure that the server is really started as his respective user, we set
+# the suid bit (BUT NOT 0)!
+# paths are hard coded and derive from a slackware system
+# change it to your needs !!
+###########################################################################
+
+
+
+VERBOSE="-v"
+#VERBOSE=""
+APPS=""
+
+message(){
+ printRedMessage "$1"
+}
+
+printRedMessage(){
+ # print message red and turn back to white
+ echo -e "\n\033[00;31m $1 ...\033[00;00m\n"
+}
+
+printGreenMessage(){
+ # print message red and turn back to white
+ echo -e "\033[00;32m $1 ...\033[00;00m\n"
+ sleep 0.5
+}
+
+checkReturnCode(){
+ if [ "$?" != "0" ]; then
+ printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
+ exit 1
+ else
+ printGreenMessage ":-)"
+ sleep 0.5
+ fi
+}
+
+
+
+p4r_test(){
+ #for now, we work with root
+ if [ "$( id -u )" != "0" ]; then
+ echo "Sorry, you must be root !"
+ exit
+ fi
+}
+
+
+
+
+# apache 1.3
+########
+#APPS="$APPS apache1"
+apache1_convert(){
+ message "converting apache1"
+ if [ "$( id -g apache 2>/dev/null )" == "" ]; then
+ groupadd -g 60 apache
+ fi
+ if [ "$( id -u apache 2>/dev/null )" == "" ]; then
+ useradd -g apache -d / -u 600 apache
+ fi
+ sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
+ chown $VERBOSE -R apache:apache /var/run/apache/
+ chown $VERBOSE -R apache:apache /etc/apache/
+ chown $VERBOSE -R apache:apache /var/log/apache/
+ chown $VERBOSE apache:apache /usr/sbin/httpd
+ chmod $VERBOSE u+s /usr/sbin/httpd
+ setcap cap_net_bind_service=ep /usr/sbin/httpd
+ checkReturnCode
+}
+apache1_revert(){
+ message "reverting apache1"
+ chown $VERBOSE -R root:root /var/run/apache/
+ chown $VERBOSE -R root:root /etc/apache/
+ chown $VERBOSE -R root:root /var/log/apache/
+ chown $VERBOSE root:root /usr/sbin/httpd
+ chmod $VERBOSE u-s /usr/sbin/httpd
+ setcap -r /usr/sbin/httpd
+ checkReturnCode
+ sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf
+ userdel apache
+ groupdel apache
+}
+
+
+# apache 2.x
+########
+APPS="$APPS apache2"
+apache2_convert(){
+ message "converting apache2"
+ if [ "$( id -g apache 2>/dev/null )" == "" ]; then
+ groupadd -g 60 apache
+ fi
+ if [ "$( id -u apache 2>/dev/null )" == "" ]; then
+ useradd -g apache -d / -u 600 apache
+ fi
+ sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
+ chown $VERBOSE -R apache:apache /var/run/httpd/
+ chown $VERBOSE -R apache:apache /etc/httpd/
+ chown $VERBOSE -R apache:apache /var/log/httpd/
+ chown $VERBOSE apache:apache /usr/sbin/httpd
+ chmod $VERBOSE u+s /usr/sbin/httpd
+ #setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
+ setcap cap_net_bind_service=ep /usr/sbin/httpd
+ checkReturnCode
+}
+apache2_revert(){
+ message "reverting apache2"
+ chown $VERBOSE -R root:root /var/run/httpd/
+ chown $VERBOSE -R root:root /etc/httpd/
+ chown $VERBOSE -R root:root /var/log/httpd/
+ chown $VERBOSE root:root /usr/sbin/httpd
+ chmod $VERBOSE u-s /usr/sbin/httpd
+ setcap -r /usr/sbin/httpd
+ checkReturnCode
+ sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf
+ userdel apache
+ groupdel apache
+}
+
+
+# samba
+#######
+APPS="$APPS samba"
+samba_convert(){
+ message "converting samba"
+ if [ "$( id -g samba 2>/dev/null )" == "" ]; then
+ groupadd -g 61 samba
+ fi
+ if [ "$( id -u samba 2>/dev/null )" == "" ]; then
+ useradd -g samba -d / -u 610 samba
+ fi
+ chown $VERBOSE -R samba:samba /var/log/samba
+ chown $VERBOSE -R samba:samba /etc/samba
+ chown $VERBOSE -R samba:samba /var/run/samba
+ chown $VERBOSE -R samba:samba /var/cache/samba
+ chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
+ chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
+ setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
+ checkReturnCode
+ setcap cap_net_bind_service=ep /usr/sbin/nmbd
+ checkReturnCode
+}
+
+samba_revert(){
+ message "reverting samba"
+ chown $VERBOSE -R root:root /var/log/samba
+ chown $VERBOSE -R root:root /etc/samba
+ chown $VERBOSE -R root:root /var/run/samba
+ chown $VERBOSE -R root:root /var/cache/samba
+ chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
+ chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
+ setcap -r /usr/sbin/smbd
+ checkReturnCode
+ setcap -r /usr/sbin/nmbd
+ checkReturnCode
+ userdel samba
+ groupdel samba
+}
+
+
+# bind
+######
+APPS="$APPS bind"
+bind_convert(){
+ message "converting bind"
+ if [ "$( id -g bind 2>/dev/null )" == "" ]; then
+ groupadd -g 62 bind
+ fi
+ if [ "$( id -u bind 2>/dev/null )" == "" ]; then
+ useradd -g bind -d / -u 620 bind
+ fi
+ chown $VERBOSE -R bind:bind /var/run/named
+ chown $VERBOSE -R bind:bind /var/named
+ chown $VERBOSE bind:bind /etc/rndc.key
+ chown $VERBOSE bind:bind /usr/sbin/named
+ chmod $VERBOSE u+s /usr/sbin/named
+ setcap cap_net_bind_service=ep /usr/sbin/named
+ checkReturnCode
+}
+bind_revert(){
+ message "reverting bind"
+ chown $VERBOSE -R root:root /var/run/named
+ chown $VERBOSE -R root:root /var/named
+ chown $VERBOSE root:root /etc/rndc.key
+ chown $VERBOSE root:root /usr/sbin/named
+ chmod $VERBOSE u-s /usr/sbin/named
+ setcap -r /usr/sbin/named
+ checkReturnCode
+ userdel bind
+ groupdel bind
+}
+
+
+# dhcpd
+#######
+APPS="$APPS dhcpd"
+dhcpd_convert(){
+ message "converting dhcpd"
+ if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then
+ groupadd -g 63 dhcpd
+ fi
+ if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then
+ useradd -g dhcpd -d / -u 630 dhcpd
+ fi
+ chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
+ chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
+ chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
+ chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
+ chmod $VERBOSE u+s /usr/sbin/dhcpd
+ setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
+ checkReturnCode
+}
+dhcpd_revert(){
+ message "reverting dhcpd"
+ chown $VERBOSE root:root /var/run/dhcpd
+ chown $VERBOSE root:root /etc/dhcpd.conf
+ chown $VERBOSE -R root:root /var/state/dhcp/
+ chown $VERBOSE root:root /usr/sbin/dhcpd
+ chmod $VERBOSE u-s /usr/sbin/dhcpd
+ setcap -r /usr/sbin/dhcpd
+ checkReturnCode
+ userdel dhcpd
+ groupdel dhcpd
+}
+
+
+# cupsd
+#######
+APPS="$APPS cupsd"
+cupsd_convert(){
+ message "converting cupsd"
+ if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then
+ groupadd -g 64 cupsd
+ fi
+ if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then
+ useradd -g cupsd -d / -u 640 cupsd
+ fi
+ sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
+ chown $VERBOSE -R cupsd:cupsd /etc/cups
+ chown $VERBOSE -R cupsd:cupsd /var/cache/cups
+ chown $VERBOSE -R cupsd:cupsd /var/log/cups
+ chown $VERBOSE -R cupsd:cupsd /var/spool/cups
+ chown $VERBOSE -R cupsd:cupsd /var/run/cups
+ chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
+ chmod $VERBOSE u+s /usr/sbin/cupsd
+ setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
+ checkReturnCode
+}
+cupsd_revert(){
+ message "reverting cupsd"
+ chown $VERBOSE -R root:root /etc/cups
+ chown $VERBOSE -R root:lp /var/cache/cups
+ chown $VERBOSE -R root:root /var/log/cups
+ chown $VERBOSE -R root:root /var/spool/cups
+ chown $VERBOSE root:lp /var/run/cups
+ chown $VERBOSE lp:sys /var/run/cups/certs
+ chmod $VERBOSE 750 /var/run/cups/certs
+ chown $VERBOSE root:root /usr/sbin/cupsd
+ chmod $VERBOSE u-s /usr/sbin/cupsd
+ setcap -r /usr/sbin/cupsd
+ checkReturnCode
+ sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
+ userdel cupsd
+ groupdel cupsd
+}
+
+
+usage_message(){
+ echo "Try 'pcaps4server help' for more information"
+}
+
+
+p4r_usage(){
+ echo
+ echo "pcaps4server"
+ echo
+ echo "pcaps4server stores the needed POSIX Capabilities for server binaries to"
+ echo "run successful into their Permitted and Effective Set."
+ echo "The server are now able to run as an unpriviledged user."
+ echo "For each server software an unpriviledged user is added the system."
+ echo "The ownership of all the respective paths are changed to this user."
+ echo "To ensure that the server is starting as this unpriviledgesd user, the"
+ echo "suid bit (NOT 0) is set."
+ echo "Effectively this means every user can start this server daemons (for now)."
+ echo "All paths are hard coded!"
+ echo "You have been warned. Enjoy!"
+ echo
+ echo "Your Filesystem has to support extended attributes and your kernel must have"
+ echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+ echo
+ echo "Usage: pcaps4server [PROG] [con(vert)|rev(ert)|help]"
+ echo
+ echo " con|convert - from setuid0 to POSIX Capabilities"
+ echo " rev|revert - from POSIX Capabilities back to setui0"
+ echo " help - this help message"
+ echo
+ echo " PROG: $APPS"
+ echo
+}
+
+
+
+
+case "$1" in
+ con|convert)
+ p4r_test
+ for j in $APPS; do
+ ${j}_convert
+ done
+ exit
+ ;;
+ rev|renvert)
+ p4r_test
+ for j in $APPS; do
+ ${j}_revert
+ done
+ exit
+ ;;
+ help)
+ p4r_usage
+ exit
+ ;;
+esac
+
+for i in ${APPS}; do
+ if [ "$1" == "$i" ]; then
+ case "$2" in
+ con|convert)
+ p4r_test
+ ${i}_convert
+ exit
+ ;;
+ rev|revert)
+ p4r_test
+ ${i}_revert
+ exit
+ ;;
+ *)
+ usage_message
+ exit 1
+ ;;
+ esac
+ fi
+done
+
+usage_message |
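Review bot: The whole-set revert is unreachable because the first `case "$1"` arm is spelled `rev|renvert)`, so `pcaps4server revert` falls through to the per-app loop and ends in `usage_message` without reverting anything; it should read `rev|revert)` like the per-app arm further down. `p4r_test` uses a bare `exit` when the caller is not root, which reports status 0 for a run that changed nothing, so a wrapper cannot tell that refusal apart from success; `exit 1` there would match the `exit 1` already used in `checkReturnCode`. The file is declared `#!/bin/sh` yet relies on `==` inside `[ ]` and on `echo -e`, which a POSIX sh such as dash rejects or prints literally, so either the shebang should become `#!/bin/bash` or the tests should use `=` and the coloured messages `printf`. Handing the service account ownership of its whole configuration tree (`chown $VERBOSE -R apache:apache /etc/httpd/` and the samba, bind, dhcpd and cupsd equivalents) lets a compromised daemon rewrite its own configuration; root-owned config readable by the service group would keep the least-privilege goal the header comment describes.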