#!/bin/bash
# vim:expandtab:tabstop=4
#
# author:    chris friedhoff - chris@friedhoff.org
# version:   pcaps4suid0  3  Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release suid02pcaps
# 2 - renamed to pcaps4suid0
#      implemented the idea of choosing between the permitted/effective set
#      and the inherited/effective set (pam_cap.so)
# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
#
# Change various suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Permitted and Effective Set
# --> legacy support (the capability is available to every user, like setuid)
# --> use SET=pe
#
#
# OR change various suid-0 binaries away from suid-0 to using
# POSIX Capabilities through their Inherited and Effective Set
# --> PAM support: the caller's Inheritable set is filled by pam_cap.so,
#     so only users granted the capability in PAM can actually use it
# --> use SET=ie
#
#
#
#
###############################################################
# to list candidate binaries, for example use this find call:
# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
###############################################################



##HERE WE ADD APPS
##################

## these apps use their POSIX Caps
###################################
# One variable per app.  The value is the comma-separated list of capability
# numbers that is handed to setcap as "<list>=$SET" (see p4s_app_convert).
# The numbers are the CAP_* indices from /usr/include/linux/capability.h
# (13 is cap_net_raw, as the commented-out lines below show).
# NOTE(review): per capability.h, 1 is CAP_DAC_OVERRIDE and 21 is
# CAP_SYS_ADMIN; both are close to full root, so the lists for Xorg, mount
# and umount are barely less privileged than setuid-0 — keep each list minimal.
#ping=cap_net_raw
ping=13
#traceroute=cap_net_raw
traceroute=13
chsh=0,2,4,7
chfn=0,2,4,7
Xorg=1,6,7,17,21,26
chage=2
# earlier variants of the passwd list, kept for reference
#passwd=0,2,4,7
#passwd 0,1
passwd=0,1,3 #PAM
unix_chkpwd=1
mount=1,21
umount=1,21

# these apps get converted/reverted
# every name listed here must have a capability variable above: the value
# is looked up by name (${!...}) when converting
###################################
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )


# we put it into this set
#   pe = Permitted + Effective   (behaves like setuid: any user gets it)
#   ie = Inheritable + Effective (only callers whose Inheritable set already
#        holds the capability, e.g. via pam_cap.so, gain it)
#########################
#SET=pe
SET=ie


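##FROM HERE ONLY LOGIC
######################

# Pin PATH to absolute system directories only.  This script runs as root and
# finds chmod, setcap and every target binary through `which`, so a relative
# PATH entry would make it pick up files from the current directory.  The old
# value contained "usr/local/sbin" (no leading slash), exactly that mistake;
# the stray trailing slash on /usr/bin/ is dropped as well.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
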
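p4s_test(){
    # Sanity checks before anything is modified: the tools we depend on
    # (which, chmod, setcap) are available, SET holds a value setcap accepts,
    # and we are root.  Every failure exits the script with status 1 so a
    # caller can notice (the previous version used a bare `exit`, i.e. 0,
    # for missing tools, and its unquoted `[ $WICH == "" ]` was a syntax
    # error whenever `which` was actually missing).
    local which_bin chmod_bin setcap_bin

    # are we sane?  `which` is used for every later lookup
    which_bin=$(which which 2>/dev/null)
    if [ -z "$which_bin" ]; then
        # that's bad
        echo "Sorry, I haven't found which" >&2
        exit 1
    fi

    # we need these apps
    chmod_bin=$(which chmod 2>/dev/null)
    setcap_bin=$(which setcap 2>/dev/null)
    if [ -z "$chmod_bin" ] || [ -z "$setcap_bin" ]; then
        echo "Sorry, I'm missing chmod or setcap !" >&2
        exit 1
    fi

    # SET is spliced verbatim into the setcap argument ("<caps>=$SET");
    # anything other than pe/ie is a configuration error, not a setcap one
    case "$SET" in
        pe|ie) ;;
        *)
            echo "Sorry, SET must be 'pe' or 'ie' (got '$SET') !" >&2
            exit 1
            ;;
    esac

    # TODO: could check for CAP_SETFCAP instead of uid 0
    # for now we stick to root
    if [ "$(id -u)" != "0" ]; then
        echo "Sorry, you must be root !" >&2
        exit 1
    fi
}


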
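p4s_app_convert(){
    # Convert a single app from setuid-0 to file capabilities.
    # $1 is the app name (resolved through PATH with `which -a`)
    # $2 is the capability list for setcap, e.g. "13" or "0,2,4,7"
    # Reads the global SET (pe|ie).  Returns 0 when a binary was converted,
    # 1 otherwise (nothing found, bad arguments, or setcap failed).
    local name=$1 caps=$2 matches path found=no

    # An empty list in front of "=" is how setcap spells *all* capabilities
    # (`setcap =ep file`), so a missing $2 must never reach setcap: it would
    # hand the binary every capability instead of removing privilege.
    if [ -z "$caps" ]; then
        echo "refusing to convert $name: empty capability list" >&2
        return 1
    fi
    case "$SET" in
        pe|ie) ;;
        *)
            echo "refusing to convert $name: SET must be pe or ie (got '$SET')" >&2
            return 1
            ;;
    esac

    # well, symlinks to apps, so we use -a ...
    matches=$(which -a "$name" 2>/dev/null)
    if [ -z "$matches" ]; then
        # 'which' hasn't given anything back
        echo "haven't found $name"
        return 1
    fi

    while IFS= read -r path; do
        # ... and skip the symlinks: we want the real file, and only one
        # that root owns, since the target of this script is suid-0 binaries.
        # (The old test `"$FOUND"=="no"` had no spaces around == and was
        # therefore always true, so every copy in PATH got converted.)
        if [ -f "$path" ] && [ ! -L "$path" ] && [ -O "$path" ]; then
            if [ "$found" = yes ]; then
                # a second real copy further down PATH keeps its setuid bit;
                # say so rather than silently leaving a privileged binary behind
                echo "note: another copy at $path was left untouched" >&2
                continue
            fi
            echo "converting $path"
            # setcap first, chmod second: if setcap fails (no xattr or file
            # capability support) the setuid bit must stay, otherwise the
            # binary ends up with no privilege at all and simply stops working.
            if setcap "$caps=$SET" "$path"; then
                chmod u-s "$path"
                found=yes
            else
                echo "setcap failed for $path, leaving the setuid bit in place" >&2
                return 1
            fi
        fi
    done <<<"$matches"

    if [ "$found" = no ]; then
        # 'which' found only symlinks (or nothing owned by root)
        echo "1 haven't found $name"
        return 1
    fi
    return 0
}


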
| p4s_app_revert(){
 | |
|     # revert a singel app
 | |
|     # $1 is app name
 | |
|     APP=`which -a $1 2>/dev/null`
 | |
|     if [ "$APP" != "" ]; then
 | |
|         FOUND=no
 | |
|         for i in $APP; do
 | |
|             if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
 | |
|                 echo "reverting $i"
 | |
|                 chmod u+s $i
 | |
|                 setcap -r $i 2>/dev/null
 | |
|                 FOUND=yes
 | |
|             fi
 | |
|         done
 | |
|         if [ "$FOUND" == "no" ]; then
 | |
|             echo "1 haven't found $1"
 | |
|         fi
 | |
|     else
 | |
|         echo "haven't found $1"
 | |
|     fi
 | |
| }
 | |
| 
 | |
| 
 | |
| 
 | |
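p4s_convert(){
    # Walk APPSARRAY and call p4s_app_convert for every entry.
    # Each entry is an app name; the variable of the same name (e.g. $ping)
    # holds the capability list passed as the second argument.
    # Returns 0 if every app converted, 1 if any was skipped or failed.
    #
    # Iterates "${APPSARRAY[@]}" directly: the previous counter loop ran
    # `until COUNTER == len-1` and so never processed the last entry (umount).
    local app caps rc=0
    for app in "${APPSARRAY[@]}"; do
        caps=${!app}
        # never pass an empty list on: for setcap "=$SET" means ALL capabilities
        if [ -z "$caps" ]; then
            echo "no capability list defined for $app, skipping" >&2
            rc=1
            continue
        fi
        p4s_app_convert "$app" "$caps" || rc=1
    done
    return "$rc"
}


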
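p4s_revert(){
    # Walk APPSARRAY and call p4s_app_revert for every entry.
    # Returns 0 if every app reverted, 1 if any failed.
    #
    # Iterates "${APPSARRAY[@]}" directly: the previous counter loop ran
    # `until COUNTER == len-1` and so never processed the last entry (umount).
    local app rc=0
    for app in "${APPSARRAY[@]}"; do
        p4s_app_revert "$app" || rc=1
    done
    return "$rc"
}


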
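p4s_usage(){
    # Print the help text to stdout.
    # Reads the global SET so the text states which set the script will
    # really use: the old text described pe as the default while the
    # script ships with SET=ie.  Typos ("fot", "setui0") fixed.
    cat <<EOF

pcaps4suid0

pcaps4suid0 changes the file system entry of binaries from using setuid-0
to using POSIX Capabilities by granting the necessary Privileges.
This is done by storing the needed POSIX Capabilities into the extended
attribute capability through setcap.
Following the idea of setuid - granting a binary the privilege regardless
of the user - the POSIX Capabilities are stored into the Permitted and
Effective set (SET=pe).
If you are using pam_cap.so, you might want to change the set into the
Inherited and Effective set (SET=ie); then only callers whose Inheritable
set already holds the capability gain it.
The SET variable currently selects: ${SET:-unset}

You need, and I will check for, the utilities which, chmod and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4suid0 [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setuid0
         help        - this help message

EOF
}


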
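# Entry point: dispatch on the first argument.
# convert/revert run the sanity checks first (p4s_test exits on failure) and
# pass the worker's status through, so a non-zero exit means at least one
# app was not handled.  Unknown or missing arguments print a hint on stderr
# and exit 1; help exits 0.
case "$1" in
    con|convert)
        p4s_test
        p4s_convert
        exit $?
        ;;
    rev|revert)
        p4s_test
        p4s_revert
        exit $?
        ;;
    help|-h|--help)
        p4s_usage
        exit 0
        ;;
    *)
        echo "Try 'pcaps4suid0 help' for more information" >&2
        exit 1
        ;;
esac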