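#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - chris@friedhoff.org
# version: pcaps4convenience 2 Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
# The user has the necessary POSIX Capabilities in his Inheritable
# set and the applications accept the needed PCaps through
# their Inheritable set.
# A user who does not have the PCaps in his Inheritable set CAN NOT
# successfully execute the apps
# --> SET=ie
# (if SET=pe then you relax the security level of your machine)
#
# Usage: pcaps4convenience [con(vert)|rev(ert)|help]
#   con|convert - apply the capability list of every app in APPSARRAY
#   rev|revert  - remove the file capabilities again
#   help        - print the usage text
#

##HERE WE ADD APPS ##################
## these apps use their POSIX Caps
###################################
# see /usr/include/linux/capability.h
# adjust - if needed and wanted - /etc/security/capability.conf
#
# One variable per app, "<app name>=<capability list>"; the value is
# passed verbatim to setcap as "<list>=$SET", so it must be something
# setcap understands (numeric capability values from capability.h here).
#eject=cap_dac_read_search,cap_sys_rawio
eject=2,17
#killall=cap_kill
killall=5
#modprobe=cap_sys_module
modprobe=16
#ntpdate=cap_net_bind_service,cap_sys_time
ntpdate=10,25
#qemu=cap_net_admin
qemu=12
#route=cap_net_admin
route=12

# these apps are converted/reverted
###################################
APPSARRAY=( eject killall modprobe ntpdate qemu route )

# we put it into this set
#########################
SET=ie

##FROM HERE ONLY LOGIC
######################

# Every expansion below is deliberate; an unset name is a bug, not data.
set -u

# Fixed search path, absolute entries only: this script runs as root and
# applies file capabilities to whatever 'which' finds, so a relative PATH
# entry (the original had "usr/local/sbin" without the leading slash)
# would make the result depend on the current working directory.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

#######################################
# Sanity checks: required tools present and running as root.
# Globals:   PATH (read)
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 on success; exits with status 1 otherwise
#######################################
p4c_test(){
    # are we sane?
    if ! command -v which >/dev/null 2>&1; then
        # that's bad
        echo "Sorry, I haven't found which" >&2
        exit 1
    fi
    # we need this app
    if ! command -v setcap >/dev/null 2>&1; then
        echo "Sorry, I'm missing setcap !" >&2
        exit 1
    fi
    # checking setcap for SET_SETFCAP PCap ?
    # for now we stick to root
    if [ "$(id -u)" != "0" ]; then
        echo "Sorry, you must be root !" >&2
        exit 1
    fi
}

#######################################
# Resolve an app name to the first regular file (not a symlink) that
# 'which -a' reports on PATH. Shared by convert and revert so both pick
# the same target.
# Globals:   PATH (read)
# Arguments: $1 - app name
# Outputs:   the chosen absolute path on stdout
# Returns:   0 if found, 1 if 'which' gave nothing back,
#            2 if 'which' found candidates but none were usable
#######################################
p4c_app_find(){
    local name=$1
    local candidate
    local seen_any=no
    # 'which -a' lists every match, one per line; read line-wise so a
    # path containing whitespace is not split into pieces.
    while IFS= read -r candidate; do
        [ -n "$candidate" ] || continue
        seen_any=yes
        # Only act on absolute paths: we are about to setcap the file as root.
        case "$candidate" in
            /*) ;;
            *) continue ;;
        esac
        # ... and we skip symlinks: file capabilities belong on the real binary.
        if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < <(which -a "$name" 2>/dev/null)
    if [ "$seen_any" = "yes" ]; then
        return 2
    fi
    return 1
}

#######################################
# Convert a single app: store its capability list in the SET sets.
# Globals:   SET (read)
# Arguments: $1 - app name; $2 - capability list for setcap
# Outputs:   progress on stdout, setcap failures on stderr
# Returns:   0 unless setcap itself failed
#######################################
p4c_app_convert(){
    local name=$1
    local caps=$2
    local target
    target=$(p4c_app_find "$name")
    case $? in
        0)
            echo "converting $target"
            if ! setcap "${caps}=${SET}" "$target"; then
                echo "setcap failed on $target" >&2
                return 1
            fi
            ;;
        2)
            # 'which' found only symlinks (or non-absolute entries)
            echo "1 haven't found $name"
            ;;
        *)
            # 'which' hasn't given anything back
            echo "haven't found $name"
            ;;
    esac
    return 0
}

#######################################
# Revert a single app: remove its file capabilities.
# Arguments: $1 - app name
# Outputs:   progress on stdout, setcap failures on stderr
# Returns:   0 unless setcap itself failed
#######################################
p4c_app_revert(){
    local name=$1
    local target
    target=$(p4c_app_find "$name")
    case $? in
        0)
            echo "reverting $target"
            # Report a failed removal instead of hiding it; a binary that
            # keeps its capabilities after "revert" is worth knowing about.
            if ! setcap -r "$target"; then
                echo "setcap -r failed on $target" >&2
                return 1
            fi
            ;;
        2)
            echo "1 haven't found $name"
            ;;
        *)
            echo "haven't found $name"
            ;;
    esac
    return 0
}

#######################################
# Walk APPSARRAY and convert every entry (the original loop stopped one
# element short and never touched the last app).
# Globals:   APPSARRAY (read), plus one variable per app name (read)
# Arguments: none
# Returns:   0 if every app converted, 1 if any setcap failed
#######################################
p4c_convert(){
    local app
    local rc=0
    for app in "${APPSARRAY[@]}"; do
        # ${!app} reads the capability list stored under the app's own name
        p4c_app_convert "$app" "${!app}" || rc=1
    done
    return "$rc"
}

#######################################
# Walk APPSARRAY and revert every entry.
# Globals:   APPSARRAY (read)
# Arguments: none
# Returns:   0 if every app reverted, 1 if any setcap failed
#######################################
p4c_revert(){
    local app
    local rc=0
    for app in "${APPSARRAY[@]}"; do
        p4c_app_revert "$app" || rc=1
    done
    return "$rc"
}

#######################################
# Print the help text.
# Arguments: none
# Outputs:   usage on stdout
#######################################
p4c_usage(){
    echo
    echo "pcaps4convenience"
    echo
    echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to"
    echo "run successful into their Inheritance and Effective Set."
    echo "The user who wants to execute this binaries successful has to have the"
    echo "necessary POSIX Capabilities in his Inheritable Set. This might be done"
    echo "through the PAM module pam_cap.so."
    echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute"
    echo "these binaries successful."
    echo "(well, still per sudo or su -c - but thats not the point here)"
    echo
    echo "You need and I will check fot the utilities which and setcap."
    echo
    echo "Your Filesystem has to support extended attributes and your kernel must have"
    echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
    echo
    echo "Usage: pcaps4convenience [con(vert)|rev(ert)|help]"
    echo
    echo " con|convert - from setuid0 to POSIX Capabilities"
    echo " rev|revert - from POSIX Capabilities back to setui0"
    echo " help - this help message"
    echo
}

# Command dispatch; "${1:-}" keeps 'set -u' quiet when no argument is given.
case "${1:-}" in
    con|convert)
        p4c_test
        p4c_convert
        exit $?
        ;;
    rev|revert)
        p4c_test
        p4c_revert
        exit $?
        ;;
    help)
        p4c_usage
        exit 0
        ;;
    *)
        echo "Try 'pcaps4convenience help' for more information"
        exit 1
        ;;
esac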