#!/bin/bash
# vim:expandtab:tabstop=4
#
# author: chris friedhoff - chris@friedhoff.org
# version: pcaps4suid0 3 Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release suid02pcaps
# 2 - renamed to pcaps4suid0
# implement idea of change between permitted/effective set
# or inherited/effective set (pam_cap.so)
# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
#
# change different suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Permitted and Effective Set
# --> legacy support
# --> use SET=pe
#
#
# OR change different suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Inherited and Effective Set
# --> PAM support to set Inheritance set through pam_cap.so
# --> use SET=ie
#
#
#
#
###############################################################
# for example use this find call:
# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
###############################################################
##HERE WE ADD APPS
##################

## these apps uses their POSIX Caps
###################################
# One variable per app.  Its value is the comma separated list of
# capability numbers (see /usr/include/linux/capability.h) that setcap
# stores on the binary.  The variable name must be the app name, because
# p4s_convert looks the list up through indirect expansion "${!app}".
#
# 13 = CAP_NET_RAW
ping=13
traceroute=13
# 0 = CAP_CHOWN, 2 = CAP_DAC_READ_SEARCH, 4 = CAP_FSETID, 7 = CAP_SETUID
chsh=0,2,4,7
chfn=0,2,4,7
# 1 = CAP_DAC_OVERRIDE, 6 = CAP_SETGID, 7 = CAP_SETUID, 17 = CAP_SYS_RAWIO,
# 21 = CAP_SYS_ADMIN, 26 = CAP_SYS_TTY_CONFIG
Xorg=1,6,7,17,21,26
# 2 = CAP_DAC_READ_SEARCH
chage=2
# earlier variants kept for reference:
#passwd=0,2,4,7
#passwd 0,1
# 0 = CAP_CHOWN, 1 = CAP_DAC_OVERRIDE, 3 = CAP_FOWNER
passwd=0,1,3 #PAM
# 1 = CAP_DAC_OVERRIDE
unix_chkpwd=1
# 1 = CAP_DAC_OVERRIDE, 21 = CAP_SYS_ADMIN
mount=1,21
umount=1,21

# this apps were converted/reverted
###################################
# Every name here needs a matching variable above.
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )


# we put it into this set
#########################
# pe: Permitted + Effective, the binary carries the privilege for every
#     caller, like setuid does (legacy behaviour).
# ie: Inherited + Effective, the binary only gains the capabilities a
#     caller already has in its inheritable set (granted e.g. through
#     pam_cap.so); without such a grant converted apps lose the privilege
#     for ordinary users.
#SET=pe
SET=ie
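##FROM HERE ONLY LOGIC
######################

# Pin PATH to the system directories so the tool lookups below (which,
# chmod, setcap and the apps themselves) cannot be redirected by the
# caller's environment: this script runs as root.  The original list
# contained "usr/local/sbin" without a leading slash, i.e. a directory
# relative to the current working directory, which is exactly the kind
# of entry a root script must not search.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin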
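p4s_test(){
    # Pre-flight checks, run before any binary is touched so that a
    # missing tool cannot leave an app half converted.  Exits the script
    # with status 1 on the first failed check; returns 0 otherwise.
    #
    # Globals: none written.
    # Outputs: diagnostics on stderr.
    local tool
    # 'command -v' is a builtin, so the check itself does not depend on an
    # external 'which'.  The original '[ $WICH == "" ]' left the expansion
    # unquoted and became a syntax error (not a detected failure) exactly
    # when which was missing, and its plain 'exit' reported success.
    for tool in which chmod setcap; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "Sorry, I'm missing $tool !" >&2
            exit 1
        fi
    done

    # TODO(review): testing for CAP_SETFCAP instead of uid 0 would let a
    # less privileged account run this; for now we stick to root.
    if [ "$(id -u)" != "0" ]; then
        echo "Sorry, you must be root !" >&2
        exit 1
    fi
}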
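p4s_app_convert(){
    # Convert one app from setuid-root to POSIX file capabilities.
    #   $1 - app name; every PATH match is inspected because some of them
    #        are only symlinks to the real binary
    #   $2 - capability list for setcap, e.g. "0,2,4,7"
    # Globals: SET (read) - the set flags ("ie" or "pe") handed to setcap.
    # Outputs: progress and "not found" messages on stdout, failures on
    #          stderr.
    # Only the first regular, non-symlink match is converted.  The original
    # test '"$FOUND"=="no"' was a single, always-true word, so it converted
    # every match instead of stopping after the first.
    local app="$1" caps="$2"
    local candidates candidate found=no

    # 'type -aP' is a bash builtin that lists every PATH hit, one per line,
    # so 'which' is not needed and the paths are never word-split.
    candidates=$(type -aP "$app" 2>/dev/null)
    if [ -z "$candidates" ]; then
        # nothing in PATH at all
        echo "haven't found $app"
        return
    fi

    while IFS= read -r candidate; do
        [ "$found" = "no" ] || break
        if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
            echo "converting $candidate"
            # setcap before chmod: if storing the xattr fails (no file
            # capability support, no CAP_SETFCAP) the binary keeps its
            # setuid bit instead of being left with neither mechanism.
            if setcap "$caps=$SET" "$candidate"; then
                chmod u-s "$candidate" \
                    || echo "chmod failed for $candidate, setuid bit still set" >&2
            else
                echo "setcap failed for $candidate, setuid bit left in place" >&2
            fi
            found=yes
        fi
    done <<<"$candidates"

    if [ "$found" = "no" ]; then
        # every match was a symlink
        echo "1 haven't found $app"
    fi
}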
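p4s_app_revert(){
    # Revert one app from POSIX file capabilities back to setuid-root.
    #   $1 - app name; every PATH match is inspected, symlinks are skipped
    # Outputs: progress and "not found" messages on stdout, failures on
    #          stderr.
    # Mirrors p4s_app_convert: only the first regular, non-symlink match is
    # reverted (the original FOUND test was an always-true single word).
    local app="$1"
    local candidates candidate found=no

    # bash builtin, one PATH hit per line, no dependency on 'which'
    candidates=$(type -aP "$app" 2>/dev/null)
    if [ -z "$candidates" ]; then
        echo "haven't found $app"
        return
    fi

    while IFS= read -r candidate; do
        [ "$found" = "no" ] || break
        if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
            echo "reverting $candidate"
            # Restore setuid first and only then drop the capability xattr,
            # so a chmod failure cannot leave the binary with neither.
            if chmod u+s "$candidate"; then
                # the xattr may already be absent, so a failing 'setcap -r'
                # is expected here and deliberately silenced
                setcap -r "$candidate" 2>/dev/null || true
            else
                echo "chmod failed for $candidate, capabilities left in place" >&2
            fi
            found=yes
        fi
    done <<<"$candidates"

    if [ "$found" = "no" ]; then
        # every match was a symlink
        echo "1 haven't found $app"
    fi
}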
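p4s_convert(){
    # Convert every app listed in APPSARRAY.
    # Globals: APPSARRAY (read) - app names; each name doubles as the
    #          variable holding that app's capability list, fetched here
    #          by indirect expansion "${!app}".
    # The original counted with 'until [ $COUNTER == $UPPER ]' where UPPER
    # was the last index, so the final entry was never converted.
    local app caps
    for app in "${APPSARRAY[@]}"; do
        caps=${!app}
        if [ -z "$caps" ]; then
            # no capability list configured: skip rather than hand setcap
            # an empty list
            echo "no capabilities configured for $app, skipping" >&2
            continue
        fi
        p4s_app_convert "$app" "$caps"
    done
}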
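p4s_revert(){
    # Revert every app listed in APPSARRAY.
    # Globals: APPSARRAY (read).
    # Same fix as p4s_convert: the original index loop stopped before the
    # last entry, so that app was never reverted.
    local app
    for app in "${APPSARRAY[@]}"; do
        p4s_app_revert "$app"
    done
}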
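p4s_usage(){
    # Print the help text to stdout.  A quoted here-document keeps the text
    # literal (no expansion) and readable in one piece; the wording is the
    # original's apart from two typo fixes ("for", "setuid0").
    cat <<'EOF'

pcaps4suid0

pcaps4suid0 changes the file system entry of binaries from using setuid-0
to using POSIX Capabilities by granting the necessary Privileges
This is done by storing the needed POSIX Capabilities into the extended
attribute capability through setcap.
Following the idea of setuid - granting a binary the privilege regardless
of the user, the POSIX Capabilities are stored into the Permitted and
Effective set.
If you are using pam_cap.so, you might want to change the set into the
Inherited and Effective set (check for the SET var).

You need and I will check for the utilities which, chmod and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage: pcaps4suid0 [con(vert)|rev(ert)|help]

 con|convert - from setuid0 to POSIX Capabilities
 rev|revert - from POSIX Capabilities back to setuid0
 help - this help message

EOF
}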
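# Entry point: dispatch on the single sub-command argument.  The sanity
# checks run only for the two sub-commands that modify the system.
case "$1" in
    con|convert)
        p4s_test
        p4s_convert
        exit 0
        ;;
    rev|revert)
        p4s_test
        p4s_revert
        exit 0
        ;;
    help)
        p4s_usage
        exit 0
        ;;
    *)
        # Diagnostics belong on stderr so a caller capturing stdout does
        # not mistake the hint for output; the non-zero status is what
        # scripts should key on.
        echo "Try 'pcaps4suid0 help' for more information" >&2
        exit 1
        ;;
esac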