diff options
Diffstat (limited to 'progs/old/execcap.c')
-rw-r--r-- | progs/old/execcap.c | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/progs/old/execcap.c b/progs/old/execcap.c new file mode 100644 index 0000000..330cc93 --- /dev/null +++ b/progs/old/execcap.c @@ -0,0 +1,68 @@ +/* + * This was written by Andrew G. Morgan <morgan@kernel.org> + * + * This is a program that is intended to exec a subsequent program. + * The purpose of this 'execcap' wrapper is to limit the inheritable + * capabilities of the exec()'d program. All environment variables + * are inherited. + */ + +#include <sys/types.h> +#include <errno.h> +#include <stdio.h> +#include <sys/capability.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> + +static void usage(void) +{ + fprintf(stderr, +"usage: execcap <caps> <command-path> [command-args...]\n\n" +" This program is a wrapper that can be used to limit the Inheritable\n" +" capabilities of a program to be executed. Note, this wrapper is\n" +" intended to assist in overcoming a lack of support for filesystem\n" +" capability attributes and should be used to launch other files.\n" +" This program should _NOT_ be made setuid-0.\n\n" +"[Copyright (c) 1998 Andrew G. Morgan <morgan@kernel.org>]\n"); + + exit(1); +} + +int main(int argc, char **argv) +{ + cap_t new_caps; + + /* this program should not be made setuid-0 */ + if (getuid() && !geteuid()) { + usage(); + } + + /* check that we have at least 2 arguments */ + if (argc < 3) { + usage(); + } + + /* parse the first argument to obtain a set of capabilities */ + new_caps = cap_from_text(argv[1]); + if (new_caps == NULL) { + fprintf(stderr, "requested capabilities were not recognized\n"); + usage(); + } + + /* set these capabilities for the current process */ + if (cap_set_proc(new_caps) != 0) { + fprintf(stderr, "unable to set capabilities: %s\n", strerror(errno)); + usage(); + } + + /* exec the program indicated by args 2 ... */ + execvp(argv[2], argv+2); + + /* if we fall through to here, our exec failed -- announce the fact */ + fprintf(stderr, "Unable to execute command: %s\n", strerror(errno)); + + usage(); + + return 0; +} |