#!/bin/bash
# vim:expandtab:tabstop=4
#
# author:    chris friedhoff - chris@friedhoff.org
# version:   pcaps4suid0  3  Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release suid02pcaps
# 2 - renamed to pcaps4suid0
#      implemented the choice between the permitted/effective set
#      and the inherited/effective set (pam_cap.so)
# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
#
# change different suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Permitted and Effective Set
# --> legacy support
# --> use SET=pe
#
# 
# OR change different suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Inherited and Effective Set
# --> PAM support to set Inheritance set through pam_cap.so
# --> use SET=ie
#
# 
#
#
###############################################################
# for example use this find call:
# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
###############################################################



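##HERE WE ADD APPS
##################

## these apps use their POSIX Caps
###################################
# one variable per app: a comma separated list of capability numbers as
# defined in /usr/include/linux/capability.h. The variable name must be the
# app name listed in APPSARRAY below, because p4s_convert looks the list up
# by that name (indirect expansion).
#ping=cap_net_raw
ping=13
#traceroute=cap_net_raw
traceroute=13
chsh=0,2,4,7
chfn=0,2,4,7
Xorg=1,6,7,17,21,26
chage=2
#passwd=0,2,4,7
#passwd 0,1
passwd=0,1,3 #PAM
unix_chkpwd=1
mount=1,21
umount=1,21

# these apps are converted/reverted
###################################
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )


# we put it into this set
#########################
# pe = Permitted+Effective: legacy behaviour, no PAM needed
# ie = Inheritable+Effective: caps are only gained through pam_cap.so
#SET=pe
SET=ie


##FROM HERE ONLY LOGIC
######################

# Safe assumption: a fixed PATH of absolute directories only, so 'which',
# chmod and setcap are never resolved through the caller's environment or
# relative to the current working directory. (The old value contained the
# relative entry 'usr/local/sbin', which was searched below the cwd.)
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin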

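p4s_test(){
    # Sanity checks before anything is modified: the helper tools must be
    # present and we must be root. Diagnostics go to stderr and every
    # failure exits with status 1 (the old code exited 0 on a missing tool,
    # so a caller could not tell the difference).
    # are we sane?
    if ! command -v which >/dev/null 2>&1; then
        # thats bad: p4s_app_convert/p4s_app_revert rely on 'which -a'
        echo "Sorry, I haven't found which" >&2
        exit 1
    fi

    # we need these apps
    if ! command -v chmod >/dev/null 2>&1 || ! command -v setcap >/dev/null 2>&1; then
        echo "Sorry, I'm missing chmod or setcap !" >&2
        exit 1
    fi

    # checking setcap for CAP_SETFCAP would be the precise test;
    # for now we stick to root
    if [ "$( id -u )" != "0" ]; then
        echo "Sorry, you must be root !" >&2
        exit 1
    fi
}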



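p4s_app_convert(){
    # Convert a single app from setuid-0 to file capabilities.
    # $1 is app name; $2 is its POSIX Caps list (see capability.h)
    # Reads the global SET (pe or ie) for the capability flags.
    # 'which -a' lists every PATH match, symlinks included; only the first
    # match that is a regular file and not a symlink is converted, so the
    # capability xattr lands on the real binary.
    # Prints what it does on stdout, errors on stderr.
    # Returns 0 if a binary was converted, 1 otherwise.
    local app="$1" caps="$2" matches found=no i
    matches=$(which -a "$app" 2>/dev/null)
    if [ -z "$matches" ]; then
        # 'which' hasn't anything given back
        echo "haven't found $app"
        return 1
    fi
    # one path per line from 'which -a'; read line-wise so paths with
    # spaces survive
    while IFS= read -r i; do
        [ -n "$i" ] || continue
        if [[ -f "$i" && ! -L "$i" ]]; then
            echo "converting $i"
            # strip setuid first, then grant the caps; if setcap fails the
            # setuid bit is put back so the binary is never left without
            # any privilege (the old code ignored both exit codes)
            if ! chmod u-s "$i"; then
                echo "chmod u-s failed on $i" >&2
                return 1
            fi
            if ! setcap "$caps=$SET" "$i"; then
                echo "setcap failed on $i, restoring setuid bit" >&2
                chmod u+s "$i"
                return 1
            fi
            found=yes
            break
        fi
    done <<<"$matches"
    if [ "$found" = "no" ]; then
        # 'which' found only symlinks
        echo "1 haven't found $app"
        return 1
    fi
    return 0
}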



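p4s_app_revert(){
    # Revert a single app from file capabilities back to setuid-0.
    # $1 is app name
    # As in p4s_app_convert, only the first 'which -a' match that is a
    # regular file (not a symlink) is touched.
    # Prints what it does on stdout, errors on stderr.
    # Returns 0 if a binary was reverted, 1 otherwise.
    local app="$1" matches found=no i
    matches=$(which -a "$app" 2>/dev/null)
    if [ -z "$matches" ]; then
        echo "haven't found $app"
        return 1
    fi
    while IFS= read -r i; do
        [ -n "$i" ] || continue
        if [[ -f "$i" && ! -L "$i" ]]; then
            echo "reverting $i"
            if ! chmod u+s "$i"; then
                echo "chmod u+s failed on $i" >&2
                return 1
            fi
            # the file may carry no capability xattr at all (never converted),
            # so a failing 'setcap -r' is expected here and stays silent
            setcap -r "$i" 2>/dev/null
            found=yes
            break
        fi
    done <<<"$matches"
    if [ "$found" = "no" ]; then
        echo "1 haven't found $app"
        return 1
    fi
    return 0
}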



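p4s_convert(){
    # we go through the APPSARRAY and call p4s_app_convert to do the job
    # Each app name doubles as the name of the variable holding its caps
    # (e.g. ping=13), fetched by indirect expansion.
    # The old counter loop stopped one short and never processed the last
    # entry of APPSARRAY.
    local app caps
    for app in "${APPSARRAY[@]}"; do
        caps="${!app}"
        if [ -z "$caps" ]; then
            # never run 'setcap =$SET' on a binary: it would lose setuid
            # without gaining any capability
            echo "no capabilities defined for $app, skipping" >&2
            continue
        fi
        p4s_app_convert "$app" "$caps"
    done
}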



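p4s_revert(){
    # we go through the APPSARRAY and call p4s_app_revert for every entry
    # The old counter loop stopped one short and never processed the last
    # entry of APPSARRAY.
    local app
    for app in "${APPSARRAY[@]}"; do
        p4s_app_revert "$app"
    done
}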



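p4s_usage(){
    # print the help text on stdout (quoted heredoc: nothing is expanded)
    # typos fixed: "fot" -> "for", "setui0" -> "setuid0"
    cat <<'EOF'

pcaps4suid0

pcaps4suid0 changes the file system entry of binaries from using setuid-0
to using POSIX Capabilities by granting the necessary Privileges
This is done by storing the needed POSIX Capabilities into the extended
attribute capability through setcap.
Following the idea of setuid - granting a binary the privilege regardless
of the user, the POSIX Capabilities are stored into the Permitted and
Effective set.
If you are using pam_cap.so, you might want to change the set into the
Inherited and Effective set (check for the SET var).

You need and I will check for the utilities which, chmod and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4suid0 [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setuid0
         help        - this help message

EOF
}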



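# dispatch on the first argument; every arm exits explicitly.
# The hint for an unknown argument goes to stderr so it is not mistaken
# for program output.
case "$1" in
    con|convert)
        p4s_test
        p4s_convert
        exit 0
        ;;
    rev|revert)
        p4s_test
        p4s_revert
        exit 0
        ;;
    help|-h|--help)
        p4s_usage
        exit 0
        ;;
    *)
        echo "Try 'pcaps4suid0 help' for more information" >&2
        exit 1
        ;;
esac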