#!/bin/sh
# vim: tabstop=4
#
# author:    chris friedhoff - chris@friedhoff.org
# version:   pcaps4server  5  Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 1 - 2007.02.15 - initial release
# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; suppressed error of id
# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
# 4 - renamed to pcaps4server
#      removed suid0 and convenience files,
#      they are now in pcaps4suid0 resp. pcaps4convenience
# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
###########################################################################
# change the installation of different servers so that they need not run as
# root and instead have their own unprivileged user. The binary carries the
# needed POSIX Capabilities.
# to ensure that the server is really started as its respective user, we set
# the suid bit (BUT NOT 0)!
# paths are hard coded and derived from a slackware system
# change them to your needs !!
###########################################################################
# Extra flag handed to every chown/chmod call; set it to the empty string
# for a quiet run. It is deliberately expanded unquoted below so that an
# empty value contributes no argument at all.
VERBOSE='-v'
# Space-separated list of registered server names. Each NAME registered
# here has a NAME_convert and a NAME_revert function; the per-server
# sections append to this list.
APPS=''
message(){
	# Status line announced before each convert/revert step; every such
	# line is routed through the red printer so progress output looks alike.
	printRedMessage "${1-}"
}
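printRedMessage(){
	# Print $1 in red (SGR 31) surrounded by blank lines, then reset the
	# terminal attributes. printf replaces 'echo -e': the script runs under
	# #!/bin/sh, and dash's echo has no -e flag (it would print "-e"
	# literally). Passing the text through %s also keeps backslashes in the
	# message from being interpreted as escape sequences.
	printf '\n\033[00;31m %s ...\033[00;00m\n\n' "$1"
}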
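printGreenMessage(){
	# Print $1 in green (SGR 32), reset the terminal attributes, then pause
	# briefly so the success marker stays readable while output scrolls.
	# printf replaces 'echo -e': under #!/bin/sh dash's echo prints "-e"
	# literally, and %s keeps backslashes in the message uninterpreted.
	printf '\033[00;32m %s ...\033[00;00m\n\n' "$1"
	sleep 0.5
}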
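checkReturnCode(){
	# Abort the whole run when the preceding command failed, otherwise show
	# a green marker. The status is taken from $? of the caller's last
	# command, so this must be the statement immediately after the command
	# it checks; alternatively the status can be passed explicitly as $1
	# (checkReturnCode "$?"), which is robust against later edits.
	# The capture has to be the very first thing executed in here.
	_rc=$?
	[ $# -gt 0 ] && _rc=$1
	if [ "$_rc" != "0" ]; then
		printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
		exit 1
	fi
	# printGreenMessage already pauses for half a second; the extra sleep
	# that used to follow it only doubled the delay on every step.
	printGreenMessage ":-)"
}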
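p4r_test(){
	# The conversions chown system paths, add accounts and write file
	# capabilities, so refuse to continue unless running as uid 0. The
	# refusal goes to stderr and exits non-zero; the plain 'exit' used
	# before returned 0 and hid the failure from wrappers and init scripts.
	if [ "$(id -u)" != "0" ]; then
		printf '%s\n' "Sorry, you must be root !" >&2
		exit 1
	fi
}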
# apache 1.3
########
#APPS="$APPS apache1"
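apache1_convert(){
	message "converting apache1"
	# POSIX tests instead of '==', a bashism that dash rejects under the
	# #!/bin/sh shebang (the failed test silently skipped account creation).
	# The group is probed with getent because 'id -g NAME' reports a user's
	# primary group and fails when only the group exists.
	if ! getent group apache >/dev/null 2>&1; then
		groupadd -g 60 apache
	fi
	if [ -z "$(id -u apache 2>/dev/null)" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
	# $VERBOSE is intentionally unquoted: an empty value means "no flag".
	# NOTE(review): giving the daemon account ownership of /etc/apache lets
	# a compromised httpd rewrite its own configuration; root:apache with
	# group read-only access would be the tighter setting.
	chown $VERBOSE -R apache:apache /var/run/apache/
	chown $VERBOSE -R apache:apache /etc/apache/
	chown $VERBOSE -R apache:apache /var/log/apache/
	chown $VERBOSE apache:apache /usr/sbin/httpd
	# setuid to 'apache' (not root) makes the daemon start as that user;
	# only the port-binding capability goes into the permitted+effective set.
	chmod $VERBOSE u+s /usr/sbin/httpd
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}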
apache1_revert(){
	message "reverting apache1"
	# Hand the runtime, config and log trees back to root in one call;
	# $VERBOSE is intentionally unquoted so an empty value adds no flag.
	chown $VERBOSE -R root:root /var/run/apache/ /etc/apache/ /var/log/apache/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	# Strip the file capabilities and stop if that fails, since a leftover
	# capability set would keep the binary privileged after the revert.
	setcap -r /usr/sbin/httpd
	checkReturnCode
	sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf
	userdel apache
	groupdel apache
}
# apache 2.x
########
# Register the server so the generic con/rev arms and the PROG lookup
# find the apache2_convert / apache2_revert functions that follow.
APPS="${APPS} apache2"
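apache2_convert(){
	message "converting apache2"
	# POSIX tests instead of '==', a bashism that dash rejects under the
	# #!/bin/sh shebang (the failed test silently skipped account creation).
	# The group is probed with getent because 'id -g NAME' reports a user's
	# primary group and fails when only the group exists.
	if ! getent group apache >/dev/null 2>&1; then
		groupadd -g 60 apache
	fi
	if [ -z "$(id -u apache 2>/dev/null)" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
	# $VERBOSE is intentionally unquoted: an empty value means "no flag".
	# NOTE(review): giving the daemon account ownership of /etc/httpd lets
	# a compromised httpd rewrite its own configuration; root:apache with
	# group read-only access would be the tighter setting.
	chown $VERBOSE -R apache:apache /var/run/httpd/
	chown $VERBOSE -R apache:apache /etc/httpd/
	chown $VERBOSE -R apache:apache /var/log/httpd/
	chown $VERBOSE apache:apache /usr/sbin/httpd
	# setuid to 'apache' (not root) makes the daemon start as that user;
	# only the port-binding capability goes into the permitted+effective set.
	chmod $VERBOSE u+s /usr/sbin/httpd
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}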
apache2_revert(){
	message "reverting apache2"
	# Hand the runtime, config and log trees back to root in one call;
	# $VERBOSE is intentionally unquoted so an empty value adds no flag.
	chown $VERBOSE -R root:root /var/run/httpd/ /etc/httpd/ /var/log/httpd/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	# Strip the file capabilities and stop if that fails, since a leftover
	# capability set would keep the binary privileged after the revert.
	setcap -r /usr/sbin/httpd
	checkReturnCode
	sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf
	userdel apache
	groupdel apache
}
# samba
#######
# Register the server so the generic con/rev arms and the PROG lookup
# find the samba_convert / samba_revert functions that follow.
APPS="${APPS} samba"
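samba_convert(){
	message "converting samba"
	# POSIX tests instead of '==', a bashism that dash rejects under the
	# #!/bin/sh shebang (the failed test silently skipped account creation).
	# The group is probed with getent because 'id -g NAME' reports a user's
	# primary group and fails when only the group exists.
	if ! getent group samba >/dev/null 2>&1; then
		groupadd -g 61 samba
	fi
	if [ -z "$(id -u samba 2>/dev/null)" ]; then
		useradd -g samba -d / -u 610 samba
	fi
	# $VERBOSE is intentionally unquoted: an empty value means "no flag".
	chown $VERBOSE -R samba:samba /var/log/samba
	chown $VERBOSE -R samba:samba /etc/samba
	chown $VERBOSE -R samba:samba /var/run/samba
	chown $VERBOSE -R samba:samba /var/cache/samba
	chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
	# NOTE(review): cap_dac_override lets smbd bypass file permission
	# checks altogether, which is close to root over the filesystem;
	# confirm it is really needed for the shares in use before deploying.
	setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
	checkReturnCode
	setcap cap_net_bind_service=ep /usr/sbin/nmbd
	checkReturnCode
}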
samba_revert(){
	message "reverting samba"
	# Hand the log, config, runtime and cache trees back to root in one
	# call; $VERBOSE is intentionally unquoted so an empty value adds no flag.
	chown $VERBOSE -R root:root /var/log/samba /etc/samba /var/run/samba /var/cache/samba
	chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
	# Strip the file capabilities of both daemons; each removal is checked
	# because a leftover capability set would keep the binary privileged.
	setcap -r /usr/sbin/smbd
	checkReturnCode
	setcap -r /usr/sbin/nmbd
	checkReturnCode
	userdel samba
	groupdel samba
}
# bind
######
# Register the server so the generic con/rev arms and the PROG lookup
# find the bind_convert / bind_revert functions that follow.
APPS="${APPS} bind"
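bind_convert(){
	message "converting bind"
	# POSIX tests instead of '==', a bashism that dash rejects under the
	# #!/bin/sh shebang (the failed test silently skipped account creation).
	# The group is probed with getent because 'id -g NAME' reports a user's
	# primary group and fails when only the group exists.
	if ! getent group bind >/dev/null 2>&1; then
		groupadd -g 62 bind
	fi
	if [ -z "$(id -u bind 2>/dev/null)" ]; then
		useradd -g bind -d / -u 620 bind
	fi
	# $VERBOSE is intentionally unquoted: an empty value means "no flag".
	chown $VERBOSE -R bind:bind /var/run/named
	chown $VERBOSE -R bind:bind /var/named
	# rndc.key is the control-channel secret; the daemon must read it, so
	# its mode should stay owner-only after the ownership change.
	chown $VERBOSE bind:bind /etc/rndc.key
	chown $VERBOSE bind:bind /usr/sbin/named
	# setuid to 'bind' (not root) makes the daemon start as that user;
	# only the port-binding capability goes into the permitted+effective set.
	chmod $VERBOSE u+s /usr/sbin/named
	setcap cap_net_bind_service=ep /usr/sbin/named
	checkReturnCode
}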
bind_revert(){
	message "reverting bind"
	# Hand the runtime and zone trees, the control key and the binary back
	# to root; $VERBOSE is intentionally unquoted so an empty value adds no flag.
	chown $VERBOSE -R root:root /var/run/named /var/named
	chown $VERBOSE root:root /etc/rndc.key /usr/sbin/named
	chmod $VERBOSE u-s /usr/sbin/named
	# Strip the file capabilities and stop if that fails, since a leftover
	# capability set would keep the binary privileged after the revert.
	setcap -r /usr/sbin/named
	checkReturnCode
	userdel bind
	groupdel bind
}
# dhcpd
#######
# Register the server so the generic con/rev arms and the PROG lookup
# find the dhcpd_convert / dhcpd_revert functions that follow.
APPS="${APPS} dhcpd"
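dhcpd_convert(){
	message "converting dhcpd"
	# POSIX tests instead of '==', a bashism that dash rejects under the
	# #!/bin/sh shebang (the failed test silently skipped account creation).
	# The group is probed with getent because 'id -g NAME' reports a user's
	# primary group and fails when only the group exists.
	if ! getent group dhcpd >/dev/null 2>&1; then
		groupadd -g 63 dhcpd
	fi
	if [ -z "$(id -u dhcpd 2>/dev/null)" ]; then
		useradd -g dhcpd -d / -u 630 dhcpd
	fi
	# $VERBOSE is intentionally unquoted: an empty value means "no flag".
	chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
	chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
	chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
	chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
	# setuid to 'dhcpd' (not root) makes the daemon start as that user.
	# cap_net_raw is granted in addition to the port-binding capability;
	# NOTE(review): it allows arbitrary raw-socket use, so keep the set
	# under review if the daemon build no longer needs raw sockets.
	chmod $VERBOSE u+s /usr/sbin/dhcpd
	setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
	checkReturnCode
}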
dhcpd_revert(){
	message "reverting dhcpd"
	# Hand the runtime dir, config, lease state and binary back to root;
	# $VERBOSE is intentionally unquoted so an empty value adds no flag.
	chown $VERBOSE root:root /var/run/dhcpd /etc/dhcpd.conf
	chown $VERBOSE -R root:root /var/state/dhcp/
	chown $VERBOSE root:root /usr/sbin/dhcpd
	chmod $VERBOSE u-s /usr/sbin/dhcpd
	# Strip the file capabilities and stop if that fails, since a leftover
	# capability set would keep the binary privileged after the revert.
	setcap -r /usr/sbin/dhcpd
	checkReturnCode
	userdel dhcpd
	groupdel dhcpd
}
# cupsd
#######
# Register the server so the generic con/rev arms and the PROG lookup
# find the cupsd_convert / cupsd_revert functions that follow.
APPS="${APPS} cupsd"
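cupsd_convert(){
	message "converting cupsd"
	# POSIX tests instead of '==', a bashism that dash rejects under the
	# #!/bin/sh shebang (the failed test silently skipped account creation).
	# The group is probed with getent because 'id -g NAME' reports a user's
	# primary group and fails when only the group exists.
	if ! getent group cupsd >/dev/null 2>&1; then
		groupadd -g 64 cupsd
	fi
	if [ -z "$(id -u cupsd 2>/dev/null)" ]; then
		useradd -g cupsd -d / -u 640 cupsd
	fi
	sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
	# $VERBOSE is intentionally unquoted: an empty value means "no flag".
	# NOTE(review): giving the daemon account ownership of /etc/cups lets a
	# compromised cupsd rewrite its own configuration; root:cupsd with
	# group read-only access would be the tighter setting.
	chown $VERBOSE -R cupsd:cupsd /etc/cups
	chown $VERBOSE -R cupsd:cupsd /var/cache/cups
	chown $VERBOSE -R cupsd:cupsd /var/log/cups
	chown $VERBOSE -R cupsd:cupsd /var/spool/cups
	chown $VERBOSE -R cupsd:cupsd /var/run/cups
	chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
	# setuid to 'cupsd' (not root) makes the daemon start as that user.
	# cap_dac_read_search lets it read and traverse regardless of file
	# modes, so it is granted together with the port-binding capability.
	chmod $VERBOSE u+s /usr/sbin/cupsd
	setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
	checkReturnCode
}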
cupsd_revert(){
	message "reverting cupsd"
	# Restore the previous ownerships (presumably the Slackware defaults:
	# root, lp and sys); $VERBOSE is intentionally unquoted so an empty
	# value adds no flag.
	chown $VERBOSE -R root:root /etc/cups
	chown $VERBOSE -R root:lp /var/cache/cups
	chown $VERBOSE -R root:root /var/log/cups /var/spool/cups
	chown $VERBOSE root:lp /var/run/cups
	chown $VERBOSE lp:sys /var/run/cups/certs
	chmod $VERBOSE 750 /var/run/cups/certs
	chown $VERBOSE root:root /usr/sbin/cupsd
	chmod $VERBOSE u-s /usr/sbin/cupsd
	# Strip the file capabilities and stop if that fails, since a leftover
	# capability set would keep the binary privileged after the revert.
	setcap -r /usr/sbin/cupsd
	checkReturnCode
	sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
	userdel cupsd
	groupdel cupsd
}
usage_message(){
	# One-line hint printed on unknown arguments; the full text is p4r_usage.
	printf '%s\n' "Try 'pcaps4server help' for more information"
}
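p4r_usage(){
	# Full help text. A here-document replaces the run of echo calls; its
	# body starts at column 0 so only the text itself is printed. Spelling
	# errors in the user-facing text ("unpriviledged", "setui0") and a stray
	# tab inside one line are corrected. $APPS expands to the registered
	# server names at the time of the call.
	cat <<EOF

pcaps4server

pcaps4server stores the needed POSIX Capabilities for server binaries to
run successful into their Permitted and Effective Set.
The server are now able to run as an unprivileged user.
For each server software an unprivileged user is added the system.
The ownership of all the respective paths are changed to this user.
To ensure that the server is starting as this unprivileged user, the
suid bit (NOT 0) is set.
Effectively this means every user can start this server daemons (for now).
All paths are hard coded!
You have been warned. Enjoy!

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4server [PROG] [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setuid0
         help        - this help message

  PROG: $APPS

EOF
}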
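# Command dispatch. Two call forms are accepted:
#   pcaps4server con|convert|rev|revert|help   -> act on every server in APPS
#   pcaps4server PROG con|convert|rev|revert   -> act on one registered server
# Fixes against the earlier dispatch: the second arm was spelled 'renvert',
# which made the all-servers revert unreachable; '==' inside [ ] is a
# bashism that dash rejects under #!/bin/sh, so the POSIX '=' is used; and
# an unrecognised invocation now exits 1 like the per-server '*' arm.
case "${1-}" in
	con|convert)
		p4r_test
		for j in $APPS; do
			${j}_convert
		done
		exit
		;;
	rev|revert)
		p4r_test
		for j in $APPS; do
			${j}_revert
		done
		exit
		;;
	help)
		p4r_usage
		exit
		;;
esac

for i in ${APPS}; do
	if [ "${1-}" = "$i" ]; then
		case "${2-}" in
			con|convert)
				p4r_test
				${i}_convert
				exit
				;;
			rev|revert)
				p4r_test
				${i}_revert
				exit
				;;
			*)
				usage_message
				exit 1
				;;
		esac
	fi
done

usage_message
exit 1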