1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - chris@friedhoff.org
# version: pcaps4suid0 3 Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release suid02pcaps
# 2 - renamend to pcaps4suid0
# implement idea of change between permitted/effective set
# or iherited/effective set (pam_cap.so)
# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
#
# change different suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Permitted and Effective Set
# --> legacy support
# --> use SET=pe
#
#
# OR change different suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Inherited and Effective Set
# --> PAM support to set Inheritance set through pam_cap.so
# --> use SET=ie
#
#
#
#
###############################################################
# for example use this find call:
# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
###############################################################
##HERE WE ADD APPS
##################
## these apps uses their POSIX Caps
###################################
# see /usr/include/linux/capability.h
#ping=cap_net_raw
ping=13
#traceroute=cap_net_raw
traceroute=13
chsh=0,2,4,7
chfn=0,2,4,7
Xorg=1,6,7,17,21,26
chage=2
#passwd=0,2,4,7
#passwd 0,1
passwd=0,1,3 #PAM
unix_chkpwd=1
mount=1,21
umount=1,21
# this apps were converted/reverted
###################################
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )
# we put it into this set
#########################
#SET=pe
SET=ie
##FROM HERE ONLY LOGIC
######################
#save assumption!?
export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin
p4s_test(){
# are we sane?
WICH=`which which 2>/dev/null`
if [ $WICH == "" ]; then
# thats bad
echo "Sorry, I haven't found which"
exit
fi
# we needt his apps
CHMOD=`which chmod 2>/dev/null`
SETCAP=`which setcap 2>/dev/null`
if [ "$CHMOD" == "" -o "$SETCAP" == "" ]; then
echo "Sorry, I'm missing chmod or setcap !"
exit
fi
# checking setcap for SET_SETFCAP PCap ?
# for now we stick to root
if [ "$( id -u )" != "0" ]; then
echo "Sorry, you must be root !"
exit 1
fi
}
p4s_app_convert(){
# convert a single app
# $1 is app name; $2 is POSIX Caps
# well symlinks to apps, so we use -a ...
APP=`which -a $1 2>/dev/null`
if [ "$APP" != "" ]; then
FOUND=no
for i in $APP; do
# ... and are looking for symlinks
if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
echo "converting $i"
chmod u-s $i
setcap $2=$SET $i
FOUND=yes
fi
done
if [ "$FOUND" == "no" ]; then
# 'which' found only symlinks
echo "1 haven't found $1"
fi
else
# 'which' hasn't anything given back
echo "haven't found $1"
fi
}
p4s_app_revert(){
# revert a singel app
# $1 is app name
APP=`which -a $1 2>/dev/null`
if [ "$APP" != "" ]; then
FOUND=no
for i in $APP; do
if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
echo "reverting $i"
chmod u+s $i
setcap -r $i 2>/dev/null
FOUND=yes
fi
done
if [ "$FOUND" == "no" ]; then
echo "1 haven't found $1"
fi
else
echo "haven't found $1"
fi
}
p4s_convert(){
# we go throug the APPSARRAY and call s2p_app_convert to do the job
COUNTER=0
let UPPER=${#APPSARRAY[*]}-1
until [ $COUNTER == $UPPER ]; do
p4s_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]}
let COUNTER+=1
done
}
p4s_revert(){
COUNTER=0
let UPPER=${#APPSARRAY[*]}-1
until [ $COUNTER == $UPPER ]; do
p4s_app_revert ${APPSARRAY[$COUNTER]}
let COUNTER+=1
done
}
p4s_usage(){
echo
echo "pcaps4suid0"
echo
echo "pcaps4suid0 changes the file system entry of binaries from using setuid-0"
echo "to using POSIX Capabilities by granting the necessary Privileges"
echo "This is done by storing the needed POSIX Capabilities into the extended"
echo "attribute capability through setcap."
echo "Following the idea of setuid - granting a binary the privilege regardless"
echo "of the user, the POSIX Capabilities are stored into the Permitted and"
echo "Effective set."
echo "If you are using pam_cap.so, you might want to change the set into the"
echo "Inherited and Effective set (check for the SET var)."
echo
echo "You need and I will check fot the utilities which, chmod and setcap."
echo
echo "Your Filesystem has to support extended attributes and your kernel must have"
echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
echo
echo "Usage: pcaps4suid0 [con(vert)|rev(ert)|help]"
echo
echo " con|convert - from setuid0 to POSIX Capabilities"
echo " rev|revert - from POSIX Capabilities back to setui0"
echo " help - this help message"
echo
}
case "$1" in
con|convert)
p4s_test
p4s_convert
exit 0
;;
rev|revert)
p4s_test
p4s_revert
exit 0
;;
help)
p4s_usage
exit 0
;;
*)
echo "Try 'pcaps4suid0 help' for more information"
exit 1
;;
esac
|