#!/bin/sh
# vim: tabstop=4
#
# author:    chris friedhoff - chris@friedhoff.org
# version:   pcaps4server  5  Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 1 - 2007.02.15 - initial release
# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id
# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
# 4 - renamed to pcaps4server
#      removed suid0 and convenience files,
#      they are now in pcaps4suid0 resp. pcaps4convenience
# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
###########################################################################
# Change the installation of several servers so that they no longer have to
# run as root and each has its own unprivileged user. The binary carries the
# POSIX Capabilities it needs.
# To ensure that the server is really started as its respective user, we set
# the suid bit on the binary (owned by that user, BUT NOT by uid 0)!
# Paths are hard-coded and derive from a Slackware system;
# change them to your needs !!
###########################################################################



# Extra flag handed to every chown/chmod call below; switch to the empty
# variant for quiet operation.
VERBOSE=-v
#VERBOSE=""
# Space-separated list of services that the bulk convert/revert commands
# act on.
APPS=

# Print a progress headline for the step that is about to run.
# Arguments: $1 - headline text
# The text is forwarded unchanged to printRedMessage.
message(){
	printRedMessage "${1}"
}

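# Print a message in red, framed by blank lines, then reset the colour.
# Arguments: $1 - message text (printed literally)
# Outputs:   the coloured message on stdout
printRedMessage(){
	# printf instead of `echo -e`: this script runs under #!/bin/sh, where
	# `echo -e` is not portable (some shells print the "-e" itself), and
	# %s keeps backslashes in the message from being read as escapes.
	printf '\n\033[00;31m %s ...\033[00;00m\n\n' "$1"
}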

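# Print a message in green followed by a blank line, reset the colour and
# pause for half a second so the operator can read it.
# Arguments: $1 - message text (printed literally)
# Outputs:   the coloured message on stdout
printGreenMessage(){
	# printf instead of `echo -e`: this script runs under #!/bin/sh, where
	# `echo -e` is not portable, and %s keeps backslashes in the message
	# from being read as escapes.
	printf '\033[00;32m %s ...\033[00;00m\n\n' "$1"
	sleep 0.5
}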

# Stop the whole script when the command that ran immediately before this
# call failed; otherwise print a green smiley and pause briefly.
# Only that single preceding command is examined: $? is read on entry,
# so earlier commands in the caller are not covered by this check.
checkReturnCode(){
    case "$?" in
        0)
            printGreenMessage ":-)"
            sleep 0.5
            ;;
        *)
            printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
            exit 1
            ;;
    esac
}



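# Abort unless the script runs with uid 0.
# Outputs: an error message on stderr when not root
# Exits:   with status 1 when not root (a bare `exit` would have passed on
#          the status of the preceding echo, i.e. 0, and so reported
#          success to the caller)
p4r_test(){
	# for now, we work with root
	if [ "$( id -u )" != "0" ]; then
		echo "Sorry, you must be root !" >&2
		exit 1
	fi
}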




# apache 1.3
########
#APPS="$APPS apache1"
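# Convert Apache 1.3 so that it runs as the unprivileged user "apache"
# with cap_net_bind_service on the binary.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Effects: creates group/user apache (gid 60, uid 600) when missing,
#          rewrites the User/Group lines of /etc/apache/httpd.conf, hands
#          the Apache directories and binary to apache, sets the suid bit
#          and the file capability.
# Exits:   via checkReturnCode when the ownership/suid step or setcap fails
apache1_convert(){
	message "converting apache1"
	# -z instead of `== ""`: "==" inside [ ] is a bashism and this script
	# is #!/bin/sh. Both id calls look up the *user* apache.
	if [ -z "$( id -g apache 2>/dev/null )" ]; then
		groupadd -g 60 apache
	fi
	if [ -z "$( id -u apache 2>/dev/null )" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	# Require whitespace after the directive name so that only "User ..."
	# and "Group ..." lines are rewritten, not e.g. "UserDir ...".
	sed -i -e '{s|^\(User\)[[:space:]].*|\1 apache|; s|^\(Group\)[[:space:]].*|\1 apache|}' /etc/apache/httpd.conf
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R apache:apache /var/run/apache/
	# NOTE(review): this makes the service account the owner of its own
	# configuration tree, so the running server can modify it - confirm
	# that this is intended.
	chown $VERBOSE -R apache:apache /etc/apache/
	chown $VERBOSE -R apache:apache /var/log/apache/
	# Set the suid bit only after the binary really belongs to apache. If
	# the chown fails the file is still owned by its previous owner and
	# u+s would make it setuid to that owner, so stop instead.
	chown $VERBOSE apache:apache /usr/sbin/httpd \
		&& chmod $VERBOSE u+s /usr/sbin/httpd
	checkReturnCode
	# NOTE(review): "=ep" puts the capability into the effective set of
	# whoever executes the binary; review who has execute permission.
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}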
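# Undo apache1_convert: give the Apache directories and binary back to
# root, drop the suid bit and the file capability, restore User/Group in
# /etc/apache/httpd.conf to nobody/nogroup and delete the apache account.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Exits:   via checkReturnCode when `setcap -r` fails; the config file and
#          the account are then left as they were
apache1_revert(){
	message "reverting apache1"
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R root:root /var/run/apache/
	chown $VERBOSE -R root:root /etc/apache/
	chown $VERBOSE -R root:root /var/log/apache/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	setcap -r /usr/sbin/httpd
	checkReturnCode
	# Require whitespace after the directive name so that only "User ..."
	# and "Group ..." lines are rewritten, not e.g. "UserDir ...".
	sed -i -e '{s|^\(User\)[[:space:]].*|\1 nobody|; s|^\(Group\)[[:space:]].*|\1 nogroup|}' /etc/apache/httpd.conf
	userdel apache
	groupdel apache
}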


# apache 2.x
########
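# Register apache2 for the bulk convert/revert commands.
APPS="$APPS apache2"
# Convert Apache 2.x so that it runs as the unprivileged user "apache"
# with cap_net_bind_service on the binary.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Effects: creates group/user apache (gid 60, uid 600) when missing,
#          rewrites the User/Group lines of /etc/httpd/httpd.conf, hands
#          the httpd directories and binary to apache, sets the suid bit
#          and the file capability.
# Exits:   via checkReturnCode when the ownership/suid step or setcap fails
apache2_convert(){
	message "converting apache2"
	# -z instead of `== ""`: "==" inside [ ] is a bashism and this script
	# is #!/bin/sh. Both id calls look up the *user* apache.
	if [ -z "$( id -g apache 2>/dev/null )" ]; then
		groupadd -g 60 apache
	fi
	if [ -z "$( id -u apache 2>/dev/null )" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	# Require whitespace after the directive name so that only "User ..."
	# and "Group ..." lines are rewritten, not e.g. "UserDir ...".
	sed -i -e '{s|^\(User\)[[:space:]].*|\1 apache|; s|^\(Group\)[[:space:]].*|\1 apache|}' /etc/httpd/httpd.conf
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R apache:apache /var/run/httpd/
	# NOTE(review): this makes the service account the owner of its own
	# configuration tree, so the running server can modify it - confirm
	# that this is intended.
	chown $VERBOSE -R apache:apache /etc/httpd/
	chown $VERBOSE -R apache:apache /var/log/httpd/
	# Set the suid bit only after the binary really belongs to apache. If
	# the chown fails the file is still owned by its previous owner and
	# u+s would make it setuid to that owner, so stop instead.
	chown $VERBOSE apache:apache /usr/sbin/httpd \
		&& chmod $VERBOSE u+s /usr/sbin/httpd
	checkReturnCode
	# old setfcaps API: setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
	# NOTE(review): "=ep" puts the capability into the effective set of
	# whoever executes the binary; review who has execute permission.
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}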
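# Undo apache2_convert: give the httpd directories and binary back to
# root, drop the suid bit and the file capability, restore User/Group in
# /etc/httpd/httpd.conf to nobody/nogroup and delete the apache account.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Exits:   via checkReturnCode when `setcap -r` fails; the config file and
#          the account are then left as they were
apache2_revert(){
	message "reverting apache2"
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R root:root /var/run/httpd/
	chown $VERBOSE -R root:root /etc/httpd/
	chown $VERBOSE -R root:root /var/log/httpd/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	setcap -r /usr/sbin/httpd
	checkReturnCode
	# Require whitespace after the directive name so that only "User ..."
	# and "Group ..." lines are rewritten, not e.g. "UserDir ...".
	sed -i -e '{s|^\(User\)[[:space:]].*|\1 nobody|; s|^\(Group\)[[:space:]].*|\1 nogroup|}' /etc/httpd/httpd.conf
	userdel apache
	groupdel apache
}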


# samba
#######
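# Register samba for the bulk convert/revert commands.
APPS="$APPS samba"
# Convert Samba so that smbd and nmbd run as the unprivileged user "samba"
# with file capabilities on the binaries.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Effects: creates group/user samba (gid 61, uid 610) when missing, hands
#          the Samba directories and both binaries to samba, sets the suid
#          bit and the file capabilities.
# Exits:   via checkReturnCode when the ownership/suid step or a setcap fails
samba_convert(){
	message "converting samba"
	# -z instead of `== ""`: "==" inside [ ] is a bashism and this script
	# is #!/bin/sh. Both id calls look up the *user* samba.
	if [ -z "$( id -g samba 2>/dev/null )" ]; then
		groupadd -g 61 samba
	fi
	if [ -z "$( id -u samba 2>/dev/null )" ]; then
		useradd -g samba -d / -u 610 samba
	fi
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R samba:samba /var/log/samba
	# NOTE(review): this makes the service account the owner of its own
	# configuration tree, so the running server can modify it - confirm
	# that this is intended.
	chown $VERBOSE -R samba:samba /etc/samba
	chown $VERBOSE -R samba:samba /var/run/samba
	chown $VERBOSE -R samba:samba /var/cache/samba
	# Set the suid bit only after both binaries really belong to samba. If
	# the chown fails they keep their previous owner and u+s would make
	# them setuid to that owner, so stop instead.
	chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd \
		&& chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
	checkReturnCode
	# NOTE(review): cap_dac_override bypasses file permission checks, and
	# "=ep" grants the set to whoever executes smbd; review who has
	# execute permission on the binary.
	setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
	checkReturnCode
	setcap cap_net_bind_service=ep /usr/sbin/nmbd
	checkReturnCode
}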

# Undo samba_convert: return the Samba directories and both binaries to
# root, drop the suid bit and the file capabilities, delete the samba
# account.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Exits:   via checkReturnCode when a `setcap -r` fails
samba_revert(){
	message "reverting samba"
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	for dir in /var/log/samba /etc/samba /var/run/samba /var/cache/samba; do
		chown $VERBOSE -R root:root "$dir"
	done
	chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
	# Each removal is checked on its own; a failure on smbd stops the
	# script before nmbd is touched.
	for bin in /usr/sbin/smbd /usr/sbin/nmbd; do
		setcap -r "$bin"
		checkReturnCode
	done
	userdel samba
	groupdel samba
}


# bind
######
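# Register bind for the bulk convert/revert commands.
APPS="$APPS bind"
# Convert BIND so that named runs as the unprivileged user "bind" with
# cap_net_bind_service on the binary.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Effects: creates group/user bind (gid 62, uid 620) when missing, hands
#          /var/run/named, /var/named, /etc/rndc.key and the binary to
#          bind, sets the suid bit and the file capability.
# Exits:   via checkReturnCode when the ownership/suid step or setcap fails
bind_convert(){
	message "converting bind"
	# -z instead of `== ""`: "==" inside [ ] is a bashism and this script
	# is #!/bin/sh. Both id calls look up the *user* bind.
	if [ -z "$( id -g bind 2>/dev/null )" ]; then
		groupadd -g 62 bind
	fi
	if [ -z "$( id -u bind 2>/dev/null )" ]; then
		useradd -g bind -d / -u 620 bind
	fi
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R bind:bind /var/run/named
	chown $VERBOSE -R bind:bind /var/named
	chown $VERBOSE bind:bind /etc/rndc.key
	# Set the suid bit only after the binary really belongs to bind. If
	# the chown fails the file is still owned by its previous owner and
	# u+s would make it setuid to that owner, so stop instead.
	chown $VERBOSE bind:bind /usr/sbin/named \
		&& chmod $VERBOSE u+s /usr/sbin/named
	checkReturnCode
	# NOTE(review): "=ep" puts the capability into the effective set of
	# whoever executes the binary; review who has execute permission.
	setcap cap_net_bind_service=ep /usr/sbin/named
	checkReturnCode
}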
# Undo bind_convert: return the named directories, /etc/rndc.key and the
# binary to root, drop the suid bit and the file capability, delete the
# bind account.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Exits:   via checkReturnCode when `setcap -r` fails
bind_revert(){
	message "reverting bind"
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	for dir in /var/run/named /var/named; do
		chown $VERBOSE -R root:root "$dir"
	done
	for path in /etc/rndc.key /usr/sbin/named; do
		chown $VERBOSE root:root "$path"
	done
	chmod $VERBOSE u-s /usr/sbin/named
	setcap -r /usr/sbin/named
	checkReturnCode
	userdel bind
	groupdel bind
}


# dhcpd
#######
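# Register dhcpd for the bulk convert/revert commands.
APPS="$APPS dhcpd"
# Convert dhcpd so that it runs as the unprivileged user "dhcpd" with
# cap_net_bind_service and cap_net_raw on the binary.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Effects: creates group/user dhcpd (gid 63, uid 630) when missing, hands
#          /var/run/dhcpd, /etc/dhcpd.conf, /var/state/dhcp/ and the
#          binary to dhcpd, sets the suid bit and the file capabilities.
# Exits:   via checkReturnCode when the ownership/suid step or setcap fails
dhcpd_convert(){
	message "converting dhcpd"
	# -z instead of `== ""`: "==" inside [ ] is a bashism and this script
	# is #!/bin/sh. Both id calls look up the *user* dhcpd.
	if [ -z "$( id -g dhcpd 2>/dev/null )" ]; then
		groupadd -g 63 dhcpd
	fi
	if [ -z "$( id -u dhcpd 2>/dev/null )" ]; then
		useradd -g dhcpd -d / -u 630 dhcpd
	fi
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
	# NOTE(review): the service account becomes owner of its own config
	# file, so the running server can modify it - confirm that this is
	# intended.
	chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
	chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
	# Set the suid bit only after the binary really belongs to dhcpd. If
	# the chown fails the file is still owned by its previous owner and
	# u+s would make it setuid to that owner, so stop instead.
	chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd \
		&& chmod $VERBOSE u+s /usr/sbin/dhcpd
	checkReturnCode
	# NOTE(review): "=ep" grants cap_net_raw to whoever executes the
	# binary; review who has execute permission.
	setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
	checkReturnCode
}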
# Undo dhcpd_convert: return /var/run/dhcpd, /etc/dhcpd.conf,
# /var/state/dhcp/ and the binary to root, drop the suid bit and the file
# capabilities, delete the dhcpd account.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Exits:   via checkReturnCode when `setcap -r` fails
dhcpd_revert(){
	message "reverting dhcpd"
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	for path in /var/run/dhcpd /etc/dhcpd.conf; do
		chown $VERBOSE root:root "$path"
	done
	chown $VERBOSE -R root:root /var/state/dhcp/
	chown $VERBOSE root:root /usr/sbin/dhcpd
	chmod $VERBOSE u-s /usr/sbin/dhcpd
	setcap -r /usr/sbin/dhcpd
	checkReturnCode
	userdel dhcpd
	groupdel dhcpd
}


# cupsd
#######
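# Register cupsd for the bulk convert/revert commands.
APPS="$APPS cupsd"
# Convert CUPS so that cupsd runs as the unprivileged user "cupsd" with
# cap_net_bind_service and cap_dac_read_search on the binary.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Effects: creates group/user cupsd (gid 64, uid 640) when missing,
#          rewrites the User/Group lines of /etc/cups/cupsd.conf, hands
#          the CUPS directories and binary to cupsd, sets the suid bit and
#          the file capabilities.
# Exits:   via checkReturnCode when the ownership/suid step or setcap fails
cupsd_convert(){
	message "converting cupsd"
	# -z instead of `== ""`: "==" inside [ ] is a bashism and this script
	# is #!/bin/sh. Both id calls look up the *user* cupsd.
	if [ -z "$( id -g cupsd 2>/dev/null )" ]; then
		groupadd -g 64 cupsd
	fi
	if [ -z "$( id -u cupsd 2>/dev/null )" ]; then
		useradd -g cupsd -d / -u 640 cupsd
	fi
	# Require whitespace after the directive name so that only "User ..."
	# and "Group ..." lines are rewritten, not longer directive names that
	# merely start with "User".
	sed -i -e '{s|^\(User\)[[:space:]].*|\1 cupsd|; s|^\(Group\)[[:space:]].*|\1 cupsd|}' /etc/cups/cupsd.conf
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	# NOTE(review): this makes the service account the owner of its own
	# configuration tree, so the running server can modify it - confirm
	# that this is intended.
	chown $VERBOSE -R cupsd:cupsd /etc/cups
	chown $VERBOSE -R cupsd:cupsd /var/cache/cups
	chown $VERBOSE -R cupsd:cupsd /var/log/cups
	chown $VERBOSE -R cupsd:cupsd /var/spool/cups
	chown $VERBOSE -R cupsd:cupsd /var/run/cups
	# Set the suid bit only after the binary really belongs to cupsd. If
	# the chown fails the file is still owned by its previous owner and
	# u+s would make it setuid to that owner, so stop instead.
	chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd \
		&& chmod $VERBOSE u+s /usr/sbin/cupsd
	checkReturnCode
	# NOTE(review): cap_dac_read_search bypasses read permission checks,
	# and "=ep" grants it to whoever executes cupsd; review who has
	# execute permission on the binary.
	setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
	checkReturnCode
}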
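# Undo cupsd_convert: restore the ownership of the CUPS directories and
# binary (root, with lp/sys on the cache, run and certs paths), drop the
# suid bit and the file capabilities, restore User/Group in
# /etc/cups/cupsd.conf to lp/sys and delete the cupsd account.
# Globals: VERBOSE (read) - extra flag for chown/chmod, may be empty
# Exits:   via checkReturnCode when `setcap -r` fails; the config file and
#          the account are then left as they were
cupsd_revert(){
	message "reverting cupsd"
	# $VERBOSE stays unquoted on purpose: when empty it must vanish.
	chown $VERBOSE -R root:root /etc/cups
	chown $VERBOSE -R root:lp /var/cache/cups
	chown $VERBOSE -R root:root /var/log/cups
	chown $VERBOSE -R root:root /var/spool/cups
	chown $VERBOSE root:lp /var/run/cups
	chown $VERBOSE lp:sys /var/run/cups/certs
	chmod $VERBOSE 750 /var/run/cups/certs
	chown $VERBOSE root:root /usr/sbin/cupsd
	chmod $VERBOSE u-s /usr/sbin/cupsd
	setcap -r /usr/sbin/cupsd
	checkReturnCode
	# Require whitespace after the directive name so that only "User ..."
	# and "Group ..." lines are rewritten, not longer directive names that
	# merely start with "User".
	sed -i -e '{s|^\(User\)[[:space:]].*|\1 lp|; s|^\(Group\)[[:space:]].*|\1 sys|}' /etc/cups/cupsd.conf
	userdel cupsd
	groupdel cupsd
}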


# Print the one-line hint that points the user at the help command.
usage_message(){
	printf '%s\n' "Try 'pcaps4server help' for more information"
}


# Print the full help text, ending with the list of supported programs.
# Globals: APPS (read) - expanded into the "PROG:" line
# The text is emitted from a single here-document; the delimiter is left
# unquoted so that $APPS is expanded.
p4r_usage(){
	cat <<EOF

pcaps4server

pcaps4server stores the needed POSIX Capabilities for server binaries to
run successful into their Permitted and Effective Set.
The server are now able to run as an unpriviledged user.
For each server software an unpriviledged user is added the system.
The ownership of all the respective paths are	changed to this user.
To ensure that the server is starting as this unpriviledgesd user, the
suid bit (NOT 0) is set.
Effectively this means every user can start this server daemons (for now).
All paths are hard coded!
You have been warned. Enjoy!

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4server [PROG] [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setui0
         help        - this help message

  PROG: $APPS

EOF
}




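# Command dispatch.
#   pcaps4server con|convert        - convert every program in $APPS
#   pcaps4server rev|revert         - revert every program in $APPS
#   pcaps4server help               - print the help text
#   pcaps4server PROG con|convert   - convert one program
#   pcaps4server PROG rev|revert    - revert one program
# Function names are built as "<prog>_convert" / "<prog>_revert" only from
# entries of $APPS; $1 is compared against that list and is never expanded
# into a command itself.
case "$1" in
	con|convert)
		p4r_test
		# $APPS is unquoted on purpose: it is a space-separated list
		for j in $APPS; do
			"${j}_convert"
		done
		exit
		;;
	# The documented spelling is "revert"; "renvert" is what this branch
	# matched before and is kept as an alias.
	rev|revert|renvert)
		p4r_test
		for j in $APPS; do
			"${j}_revert"
		done
		exit
		;;
	help)
		p4r_usage
		exit
		;;
esac

for i in ${APPS}; do
	# "=" instead of "==": the latter is a bashism and this is #!/bin/sh
	if [ "$1" = "$i" ]; then
		case "$2" in
			con|convert)
				p4r_test
				"${i}_convert"
				exit
				;;
			rev|revert)
				p4r_test
				"${i}_revert"
				exit
				;;
			*)
				usage_message
				exit 1
				;;
		esac
	fi
done

# Nothing matched: report a usage error with a non-zero status, as the
# per-program branch above already does.
usage_message
exit 1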