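#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - chris@friedhoff.org
# version: pcaps4suid0 3 Tue Mar 11 2008
#
# changelog:
#   1 - initial release suid02pcaps
#   2 - renamed to pcaps4suid0
#       implement idea of change between permitted/effective set
#       or inherited/effective set (pam_cap.so)
#   3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
# Change different suid-0 binaries away from suid-0 to using POSIX
# Capabilities.  The setuid bit is dropped and the capabilities each
# binary needs are stored in its extended attribute through setcap.
# Two target sets are supported (see SET below):
#
#   SET=pe  Permitted and Effective set
#           --> legacy support: the binary gets its privileges
#               regardless of the calling user, like setuid did
#   SET=ie  Inherited and Effective set
#           --> PAM support: the Inheritance set is handed out
#               through pam_cap.so
#
# Usage: pcaps4suid0 [con(vert)|rev(ert)|help]
#
# Requirements: root, the utilities which/chmod/setcap, a filesystem with
# extended attributes and a kernel with POSIX File Capabilities
# (CONFIG_SECURITY_FILE_CAPABILITIES).
#
###############################################################
# to find candidate binaries use for example this find call:
#   find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
###############################################################

# abort on unset variables (typos in the cap variables below would
# otherwise silently turn into an empty capability list)
set -u

## HERE WE ADD APPS ##################
## these apps use their POSIX Caps: one variable per app, named like
## the app, holding the capability numbers it needs
## see /usr/include/linux/capability.h
###################################
#ping=cap_net_raw
ping=13
#traceroute=cap_net_raw
traceroute=13
chsh=0,2,4,7
chfn=0,2,4,7
Xorg=1,6,7,17,21,26
chage=2
#passwd=0,2,4,7
#passwd 0,1
passwd=0,1,3
#PAM
unix_chkpwd=1
mount=1,21
umount=1,21

# these apps are converted/reverted (each name must have a matching
# capability variable above)
###################################
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )

# we put the caps into this set (pe or ie, see header)
#########################################################
#SET=pe
SET=ie

## FROM HERE ONLY LOGIC ######################

# every tool is looked up through this fixed PATH so the caller's
# environment cannot redirect which/chmod/setcap; all entries must be
# absolute - a relative entry would be searched below the current
# directory
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

#######################################
# Print a diagnostic line to stderr.
# Arguments: message words
#######################################
p4s_err() {
  printf '%s\n' "$*" >&2
}

#######################################
# Are we sane?  Checks the required tools, the SET value and that we
# are root before anything is touched.
# Globals:   SET (read), PATH (read)
# Returns:   0 when sane; exits with status 1 otherwise
#######################################
p4s_test() {
  if ! command -v which >/dev/null 2>&1; then
    # that's bad
    p4s_err "Sorry, I haven't found which"
    exit 1
  fi
  # we need these apps
  if ! command -v chmod >/dev/null 2>&1 \
    || ! command -v setcap >/dev/null 2>&1; then
    p4s_err "Sorry, I'm missing chmod or setcap !"
    exit 1
  fi
  # only the two documented sets are accepted; anything else would store
  # the caps in a set this script does not describe
  case "$SET" in
    pe|ie) ;;
    *)
      p4s_err "Sorry, SET must be 'pe' or 'ie' (found '$SET')"
      exit 1
      ;;
  esac
  # checking setcap for SET_SETFCAP PCap ?
  # for now we stick to root
  if [[ "$(id -u)" != "0" ]]; then
    p4s_err "Sorry, you must be root !"
    exit 1
  fi
}

#######################################
# Locate the real file behind an app name: the first entry of 'which -a'
# that is a regular file and not a symlink (the first hit is often a
# symlink, which is why -a is used).  Further copies later in PATH are
# left alone.
# Arguments: $1 - app name
# Outputs:   the path on stdout when found
# Returns:   0 found; 1 'which' found nothing; 2 'which' found only symlinks
#######################################
p4s_app_file() {
  local app=$1
  local path seen=0
  # read line by line so paths containing spaces survive
  while IFS= read -r path; do
    seen=1
    if [[ -f "$path" && ! -L "$path" ]]; then
      printf '%s\n' "$path"
      return 0
    fi
  done < <(which -a "$app" 2>/dev/null)
  (( seen )) && return 2
  return 1
}

#######################################
# Convert a single app from setuid-0 to file capabilities.
# Arguments: $1 - app name; $2 - POSIX Caps (numbers or names) for setcap
# Globals:   SET (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success, 1 when the app was not found or setcap failed
#######################################
p4s_app_convert() {
  local app=$1 caps=$2
  local path rv
  path=$(p4s_app_file "$app")
  rv=$?
  case "$rv" in
    0) ;;
    1)
      # 'which' hasn't given anything back
      echo "haven't found $app"
      return 1
      ;;
    *)
      # 'which' found only symlinks
      echo "1 haven't found $app"
      return 1
      ;;
  esac
  echo "converting $path"
  # setcap first: if it fails the setuid bit is still in place and the
  # binary is left as it was; only then drop the bit
  if ! setcap "${caps}=${SET}" "$path"; then
    p4s_err "setcap failed on $path, setuid bit left in place"
    return 1
  fi
  chmod u-s "$path"
}

#######################################
# Revert a single app from file capabilities back to setuid-0.
# Arguments: $1 - app name
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success, 1 when the app was not found or chmod failed
#######################################
p4s_app_revert() {
  local app=$1
  local path rv
  path=$(p4s_app_file "$app")
  rv=$?
  case "$rv" in
    0) ;;
    1)
      echo "haven't found $app"
      return 1
      ;;
    *)
      echo "1 haven't found $app"
      return 1
      ;;
  esac
  echo "reverting $path"
  # restore the setuid bit before removing the caps, so the binary keeps
  # its privileges on every path through here
  if ! chmod u+s "$path"; then
    p4s_err "chmod u+s failed on $path, capabilities left in place"
    return 1
  fi
  # best effort, as in the original: stderr is hidden because setcap -r
  # presumably complains when no capability attribute is present
  setcap -r "$path" 2>/dev/null || true
}

#######################################
# Go through APPSARRAY and call p4s_app_convert for every app, with the
# caps taken from the variable of the same name.
# Globals:   APPSARRAY (read), the per-app cap variables (read)
#######################################
p4s_convert() {
  local app caps
  for app in "${APPSARRAY[@]}"; do
    # indirect expansion: the app name is the name of its cap variable
    caps=${!app-}
    if [[ -z "$caps" ]]; then
      p4s_err "no capabilities defined for $app, skipping"
      continue
    fi
    p4s_app_convert "$app" "$caps"
  done
}

#######################################
# Go through APPSARRAY and call p4s_app_revert for every app.
# Globals:   APPSARRAY (read)
#######################################
p4s_revert() {
  local app
  for app in "${APPSARRAY[@]}"; do
    p4s_app_revert "$app"
  done
}

#######################################
# Print the help text to stdout.
#######################################
p4s_usage() {
  cat <<'EOF'

pcaps4suid0

pcaps4suid0 changes the file system entry of binaries from using setuid-0
to using POSIX Capabilities by granting the necessary Privileges
This is done by storing the needed POSIX Capabilities into the extended
attribute capability through setcap.
Following the idea of setuid - granting a binary the privilege regardless
of the user, the POSIX Capabilities are stored into the Permitted and
Effective set.
If you are using pam_cap.so, you might want to change the set into the
Inherited and Effective set (check for the SET var).

You need and I will check fot the utilities which, chmod and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage: pcaps4suid0 [con(vert)|rev(ert)|help]

 con|convert - from setuid0 to POSIX Capabilities
 rev|revert - from POSIX Capabilities back to setui0
 help - this help message

EOF
}

#######################################
# Entry point: dispatch on the first argument.
# Arguments: $1 - con|convert, rev|revert or help
# Returns:   exits 0 on success, 1 on an unknown command
#######################################
main() {
  case "${1-}" in
    con|convert)
      p4s_test
      p4s_convert
      exit 0
      ;;
    rev|revert)
      p4s_test
      p4s_revert
      exit 0
      ;;
    help)
      p4s_usage
      exit 0
      ;;
    *)
      p4s_err "Try 'pcaps4suid0 help' for more information"
      exit 1
      ;;
  esac
}

main "$@"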