| #!/bin/bash |
| # vim:expandtab:tabstop=4 |
| # |
| # author: chris friedhoff - [email protected] |
| # version: pcaps4suid0 3 Tue Mar 11 2008 |
| # |
| # |
| # changelog: |
| # 1 - initial release suid02pcaps |
| # 2 - renamend to pcaps4suid0 |
| # implement idea of change between permitted/effective set |
| # or iherited/effective set (pam_cap.so) |
| # 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code |
| # |
| # |
| # |
| # change different suid-0 binaries away from suid-0 to using |
| # POSIX Capabilities through their Permitted and Effective Set |
| # --> legacy support |
| # --> use SET=pe |
| # |
| # |
| # OR change different suid-0 binaries away from suid-0 to using |
| # POSIX Capabilities through their Inherited and Effective Set |
| # --> PAM support to set Inheritance set through pam_cap.so |
| # --> use SET=ie |
| # |
| # |
| # |
| # |
| ############################################################### |
| # for example use this find call: |
| # find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \; |
| ############################################################### |
| |
| |
| |
| ##HERE WE ADD APPS |
| ################## |
| |
| ## these apps uses their POSIX Caps |
| ################################### |
| # see /usr/include/linux/capability.h |
| #ping=cap_net_raw |
| ping=13 |
| #traceroute=cap_net_raw |
| traceroute=13 |
| chsh=0,2,4,7 |
| chfn=0,2,4,7 |
| Xorg=1,6,7,17,21,26 |
| chage=2 |
| #passwd=0,2,4,7 |
| #passwd 0,1 |
| passwd=0,1,3 #PAM |
| unix_chkpwd=1 |
| mount=1,21 |
| umount=1,21 |
| |
| # this apps were converted/reverted |
| ################################### |
| APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount ) |
| |
| |
| # we put it into this set |
| ######################### |
| #SET=pe |
| SET=ie |
| |
| |
| ##FROM HERE ONLY LOGIC |
| ###################### |
| |
| #save assumption!? |
| export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin |
| |
| p4s_test(){ |
| # are we sane? |
| WICH=`which which 2>/dev/null` |
| if [ $WICH == "" ]; then |
| # thats bad |
| echo "Sorry, I haven't found which" |
| exit |
| fi |
| |
| # we needt his apps |
| CHMOD=`which chmod 2>/dev/null` |
| SETCAP=`which setcap 2>/dev/null` |
| if [ "$CHMOD" == "" -o "$SETCAP" == "" ]; then |
| echo "Sorry, I'm missing chmod or setcap !" |
| exit |
| fi |
| |
| # checking setcap for SET_SETFCAP PCap ? |
| # for now we stick to root |
| if [ "$( id -u )" != "0" ]; then |
| echo "Sorry, you must be root !" |
| exit 1 |
| fi |
| } |
| |
| |
| |
| p4s_app_convert(){ |
| # convert a single app |
| # $1 is app name; $2 is POSIX Caps |
| # well symlinks to apps, so we use -a ... |
| APP=`which -a $1 2>/dev/null` |
| if [ "$APP" != "" ]; then |
| FOUND=no |
| for i in $APP; do |
| # ... and are looking for symlinks |
| if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then |
| echo "converting $i" |
| chmod u-s $i |
| setcap $2=$SET $i |
| FOUND=yes |
| fi |
| done |
| if [ "$FOUND" == "no" ]; then |
| # 'which' found only symlinks |
| echo "1 haven't found $1" |
| fi |
| else |
| # 'which' hasn't anything given back |
| echo "haven't found $1" |
| fi |
| } |
| |
| |
| |
| p4s_app_revert(){ |
| # revert a singel app |
| # $1 is app name |
| APP=`which -a $1 2>/dev/null` |
| if [ "$APP" != "" ]; then |
| FOUND=no |
| for i in $APP; do |
| if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then |
| echo "reverting $i" |
| chmod u+s $i |
| setcap -r $i 2>/dev/null |
| FOUND=yes |
| fi |
| done |
| if [ "$FOUND" == "no" ]; then |
| echo "1 haven't found $1" |
| fi |
| else |
| echo "haven't found $1" |
| fi |
| } |
| |
| |
| |
| p4s_convert(){ |
| # we go throug the APPSARRAY and call s2p_app_convert to do the job |
| COUNTER=0 |
| let UPPER=${#APPSARRAY[*]}-1 |
| until [ $COUNTER == $UPPER ]; do |
| p4s_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]} |
| let COUNTER+=1 |
| done |
| } |
| |
| |
| |
| p4s_revert(){ |
| COUNTER=0 |
| let UPPER=${#APPSARRAY[*]}-1 |
| until [ $COUNTER == $UPPER ]; do |
| p4s_app_revert ${APPSARRAY[$COUNTER]} |
| let COUNTER+=1 |
| done |
| |
| } |
| |
| |
| |
| p4s_usage(){ |
| echo |
| echo "pcaps4suid0" |
| echo |
| echo "pcaps4suid0 changes the file system entry of binaries from using setuid-0" |
| echo "to using POSIX Capabilities by granting the necessary Privileges" |
| echo "This is done by storing the needed POSIX Capabilities into the extended" |
| echo "attribute capability through setcap." |
| echo "Following the idea of setuid - granting a binary the privilege regardless" |
| echo "of the user, the POSIX Capabilities are stored into the Permitted and" |
| echo "Effective set." |
| echo "If you are using pam_cap.so, you might want to change the set into the" |
| echo "Inherited and Effective set (check for the SET var)." |
| echo |
| echo "You need and I will check fot the utilities which, chmod and setcap." |
| echo |
| echo "Your Filesystem has to support extended attributes and your kernel must have" |
| echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." |
| echo |
| echo "Usage: pcaps4suid0 [con(vert)|rev(ert)|help]" |
| echo |
| echo " con|convert - from setuid0 to POSIX Capabilities" |
| echo " rev|revert - from POSIX Capabilities back to setui0" |
| echo " help - this help message" |
| echo |
| } |
| |
| |
| |
| case "$1" in |
| con|convert) |
| p4s_test |
| p4s_convert |
| exit 0 |
| ;; |
| rev|revert) |
| p4s_test |
| p4s_revert |
| exit 0 |
| ;; |
| help) |
| p4s_usage |
| exit 0 |
| ;; |
| *) |
| echo "Try 'pcaps4suid0 help' for more information" |
| exit 1 |
| ;; |
| esac |
