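#!/bin/bash
# vim:expandtab:tabstop=4
#
# author:    chris friedhoff - chris@friedhoff.org
# version:   pcaps4convenience  2  Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
# The user has the necessary POSIX Capabilities in his Inheritable
# set and the applications accept the needed PCaps through their
# Inheritable set.
# A user who does not have the PCaps in his Inheritable set CAN NOT
# successfully execute the apps.
# --> SET=ie
# (if SET=pe then you relax the security level of your machine: the
#  binary would carry the capabilities for every user who runs it,
#  not only for users whose Inheritable set grants them)
#
#
#


##HERE WE ADD APPS
##################

## these apps use their POSIX Caps
###################################
# see /usr/include/linux/capability.h
# adjust - if needed and wanted - /etc/security/capability.conf
#
# Each entry is a capability list in the numeric form setcap accepts;
# the comment above each entry gives the symbolic names. The variable
# name MUST equal the app name, because p4c_convert reads the list via
# indirect expansion (${!name}).
#eject=cap_dac_read_search,cap_sys_rawio
eject=2,17
#killall=cap_kill
killall=5
#modprobe=cap_sys_module
modprobe=16
#ntpdate=cap_net_bind_service,cap_sys_time
ntpdate=10,25
#qemu=cap_net_admin
qemu=12
#route=cap_net_admin
route=12


# these apps are converted/reverted
###################################
# every name listed here needs a capability variable of the same name above
APPSARRAY=( eject killall modprobe ntpdate qemu route )


# we put it into this set
#########################
SET=ie


##FROM HERE ONLY LOGIC
######################

# Safe assumption: a fixed PATH of absolute, system-owned directories so
# that the tools this script calls (which, setcap, id) cannot be shadowed
# by a user-controlled directory. Every entry must be absolute: the
# previous value had "usr/local/sbin" without the leading slash, which is
# a *relative* PATH entry and is resolved against the current directory.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin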
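p4c_test(){
    # Sanity checks before any file capability is touched:
    #   1. 'which' is available (p4c_app_convert/p4c_app_revert locate the
    #      binaries with 'which -a')
    #   2. 'setcap' is available
    #   3. we run as root (setcap needs CAP_SETFCAP; for now we stick to
    #      root instead of checking for that capability itself)
    # Every failure prints its message on stderr and exits with status 1,
    # so the exit code is usable by a caller. (The previous version tested
    # an unquoted, possibly empty variable and exited with status 0 when
    # 'which' or 'setcap' were missing.)
    if ! command -v which >/dev/null 2>&1; then
        # thats bad
        echo "Sorry, I haven't found which" >&2
        exit 1
    fi

    # we need this app
    if ! command -v setcap >/dev/null 2>&1; then
        echo "Sorry, I'm missing setcap !" >&2
        exit 1
    fi

    if [ "$( id -u )" != "0" ]; then
        echo "Sorry, you must be root !" >&2
        exit 1
    fi
}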
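p4c_app_convert(){
    # Convert a single app: store file capabilities on the first regular
    # (non-symlink) binary named $1 that is found in PATH.
    #   $1 - app name
    #   $2 - capability list as accepted by setcap, e.g. "2,17"
    # Reads the global SET (the capability sets to store, e.g. "ie").
    # Prints what it does on stdout; returns 0 when a binary was converted,
    # 1 when nothing was found or setcap failed.
    local app="$1" caps="$2"
    local candidates path

    if [ -z "$caps" ]; then
        # 'setcap =ie' would be rejected anyway; say why instead
        echo "no capability list given for $app" >&2
        return 1
    fi

    # 'which -a' lists every match in PATH (one per line): the first hit is
    # frequently a symlink, and we want to label the real file behind it.
    candidates=$(which -a "$app" 2>/dev/null)
    if [ -z "$candidates" ]; then
        # 'which' hasn't given anything back
        echo "haven't found $app"
        return 1
    fi

    while IFS= read -r path; do
        # ... and we skip the symlinks
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            echo "converting $path"
            # A failing setcap (no xattr support, no file-cap support in the
            # kernel, ...) must not be silent: the binary would stay without
            # capabilities while the output claims it was converted.
            if ! setcap "${caps}=${SET}" "$path"; then
                echo "setcap failed for $path" >&2
                return 1
            fi
            # Only the first regular file is converted. The old FOUND flag
            # was compared as '"$FOUND"=="no"' (no spaces), which is always
            # true, so every match in PATH used to be converted.
            return 0
        fi
    done <<<"$candidates"

    # 'which' found only symlinks
    echo "1 haven't found $app"
    return 1
}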
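p4c_app_revert(){
    # Revert a single app: remove the file capabilities from the first
    # regular (non-symlink) binary named $1 that is found in PATH.
    #   $1 - app name
    # Prints what it does on stdout; returns 0 when a binary was handled,
    # 1 when nothing was found.
    local app="$1"
    local candidates path

    # 'which -a' lists every match in PATH, one per line
    candidates=$(which -a "$app" 2>/dev/null)
    if [ -z "$candidates" ]; then
        echo "haven't found $app"
        return 1
    fi

    while IFS= read -r path; do
        # skip symlinks, we want the real file
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            echo "reverting $path"
            # stderr of setcap is deliberately dropped: a file that carries
            # no capabilities makes 'setcap -r' complain, and that is not an
            # error for a revert
            setcap -r "$path" 2>/dev/null
            # Only the first regular file is reverted. The old FOUND flag was
            # compared as '"$FOUND"=="no"' (no spaces) and never took effect.
            return 0
        fi
    done <<<"$candidates"

    # 'which' found only symlinks
    echo "1 haven't found $app"
    return 1
}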
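p4c_convert(){
    # Go through APPSARRAY and call p4c_app_convert for every entry.
    # The capability list of an app is taken from the variable of the same
    # name (indirect expansion), e.g. eject -> $eject.
    # The previous counter loop stopped at ${#APPSARRAY[*]}-1 and therefore
    # never handled the last entry (and spun forever on an empty array).
    local app caps
    for app in "${APPSARRAY[@]}"; do
        caps="${!app}"
        if [ -z "$caps" ]; then
            # skip instead of calling setcap with an empty capability list
            echo "no capabilities configured for $app, skipping" >&2
            continue
        fi
        p4c_app_convert "$app" "$caps"
    done
}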
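p4c_revert(){
    # Go through APPSARRAY and call p4c_app_revert for every entry.
    # The previous counter loop stopped at ${#APPSARRAY[*]}-1 and therefore
    # never reverted the last entry (and spun forever on an empty array).
    local app
    for app in "${APPSARRAY[@]}"; do
        p4c_app_revert "$app"
    done
}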
p4c_usage(){
    # Print the help text on stdout in one go instead of one echo per
    # line; the quoted delimiter keeps every line literal.
    cat <<'EOF'

pcaps4convenience

pcaps4convenience stores the needed POSIX Capabilities for binaries to
run successful into their Inheritance and Effective Set.
The user who wants to execute this binaries successful has to have the
necessary POSIX Capabilities in his Inheritable Set. This might be done
through the PAM module pam_cap.so.
A user who has not the needed PCaps in his Inheritance Set CAN NOT execute
these binaries successful.
(well, still per sudo or su -c - but thats not the point here)

You need and I will check fot the utilities which and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4convenience [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setui0
         help        - this help message

EOF
}
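#######################################
# Entry point: dispatch on the first argument.
# Arguments: $1 - con|convert, rev|revert or help
# Returns:   exits 0 on success, 1 on a missing or unknown argument
#######################################
main(){
    # ${1:-} keeps this well-defined when no argument is given at all
    case "${1:-}" in
        con|convert)
            p4c_test
            p4c_convert
            exit 0
            ;;
        rev|revert)
            p4c_test
            p4c_revert
            exit 0
            ;;
        help)
            p4c_usage
            exit 0
            ;;
        *)
            # a diagnostic, so it goes to stderr and does not mix with the
            # "converting ..." / "reverting ..." progress lines on stdout
            echo "Try 'pcaps4convenience help' for more information" >&2
            exit 1
            ;;
    esac
}

main "$@"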