1#!/bin/bash
2# vim:expandtab:tabstop=4
3#
4# author:    chris friedhoff - chris@friedhoff.org
5# version:   pcaps4suid0  3  Tue Mar 11 2008
6#
7#
8# changelog:
9# 1 - initial release suid02pcaps
# 2 - renamed to pcaps4suid0
11#      implement idea of change between permitted/effective set
#      or inherited/effective set (pam_cap.so)
13# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
14#
15#
16#
17# change different suid-0 binaries away from suid-0 to using
18# POSIX Capabilities through their Permitted and Effective Set
19# --> legacy support
20# --> use SET=pe
21#
22#
23# OR change different suid-0 binaries away from suid-0 to using
24# POSIX Capabilities through their Inherited and Effective Set
25# --> PAM support to set Inheritance set through pam_cap.so
26# --> use SET=ie
27#
28#
29#
30#
31###############################################################
32# for example use this find call:
33# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
34###############################################################
35
36
37
##HERE WE ADD APPS
##################

## these apps use their POSIX Caps
###################################
# One variable per binary, named exactly like the binary, holding the
# comma-separated capability NUMBERS that setcap stores on it. p4s_convert
# reads the value by name through indirect expansion (${!app}), so the
# variable name and the APPSARRAY entry must match.
# see /usr/include/linux/capability.h
#   0 CAP_CHOWN, 1 CAP_DAC_OVERRIDE, 2 CAP_DAC_READ_SEARCH, 3 CAP_FOWNER,
#   4 CAP_FSETID, 6 CAP_SETGID, 7 CAP_SETUID, 13 CAP_NET_RAW,
#   17 CAP_SYS_RAWIO, 21 CAP_SYS_ADMIN, 26 CAP_SYS_TTY_CONFIG
# NOTE(review): 1 (DAC_OVERRIDE) and 21 (SYS_ADMIN) are close to full root,
# so Xorg/mount/umount gain little over setuid-0 from this conversion.
#ping=cap_net_raw
ping=13
#traceroute=cap_net_raw
traceroute=13
chsh=0,2,4,7
chfn=0,2,4,7
Xorg=1,6,7,17,21,26
chage=2
#passwd=0,2,4,7
#passwd 0,1
passwd=0,1,3 #PAM
unix_chkpwd=1
mount=1,21
umount=1,21

# these apps are converted/reverted (every entry needs a variable above)
###################################
APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )


# the capability set the numbers above are written into:
#   pe - permitted+effective (legacy, setuid-like: works for every user)
#   ie - inheritable+effective (needs pam_cap.so to raise the inheritable set)
#########################
#SET=pe
SET=ie
68
69
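##FROM HERE ONLY LOGIC
######################

# Fixed search path so which/chmod/setcap resolve to system binaries while we
# run as root. Every entry must be absolute: a relative entry such as
# "usr/local/sbin" would make root search below the current directory.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin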
75
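p4s_test(){
    # Sanity checks before any binary is touched:
    #  - which, chmod and setcap must be resolvable from the fixed PATH
    #  - the caller must be root (setcap needs CAP_SETFCAP; root is the
    #    simple case we support for now)
    # Globals written: WICH, CHMOD, SETCAP (resolved tool paths).
    # Exits with status 1 on any failure, diagnostics go to stderr.
    WICH=$(command -v which 2>/dev/null)
    if [ -z "$WICH" ]; then
        # convert/revert rely on 'which -a' to enumerate PATH hits
        echo "Sorry, I haven't found which" >&2
        exit 1
    fi

    # we need these apps
    CHMOD=$(command -v chmod 2>/dev/null)
    SETCAP=$(command -v setcap 2>/dev/null)
    if [ -z "$CHMOD" ] || [ -z "$SETCAP" ]; then
        echo "Sorry, I'm missing chmod or setcap !" >&2
        exit 1
    fi

    # checking setcap for CAP_SETFCAP instead would be nicer;
    # for now we stick to root
    if [ "$(id -u)" != "0" ]; then
        echo "Sorry, you must be root !" >&2
        exit 1
    fi
}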
100
101
102
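p4s_app_convert(){
    # Convert a single binary from setuid-0 to file capabilities.
    #   $1 - app name; resolved with 'which -a' so every PATH hit is seen
    #   $2 - comma-separated capability numbers to store (e.g. "13")
    # Globals read: SET ("pe" or "ie"), the capability set to fill.
    # Only the first real file (not a symlink) is converted; any later real
    # copy in PATH is left untouched and therefore stays setuid-0.
    # setcap runs BEFORE the setuid bit is dropped: if setcap fails the
    # binary keeps its old privilege instead of ending up with none.
    # Returns 0 when a file was converted, 1 when nothing was found.
    local app=$1 caps=$2 i APP FOUND
    APP=$(which -a "$app" 2>/dev/null)
    if [ -z "$APP" ]; then
        # 'which' hasn't given anything back
        echo "haven't found $app"
        return 1
    fi
    FOUND=no
    # one path per line; read line-wise so paths with spaces survive
    while IFS= read -r i; do
        # ... and skip symlinks, take the first real file only
        if [ -f "$i" ] && [ ! -L "$i" ]; then
            echo "converting $i"
            if setcap "$caps=$SET" "$i"; then
                chmod u-s "$i" || echo "chmod u-s failed on $i, setuid bit still set" >&2
            else
                echo "setcap failed on $i, leaving setuid bit in place" >&2
            fi
            FOUND=yes
            break
        fi
    done <<<"$APP"
    if [ "$FOUND" = "no" ]; then
        # 'which' found only symlinks
        echo "1 haven't found $app"
        return 1
    fi
}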
128
129
130
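p4s_app_revert(){
    # Revert a single binary from file capabilities back to setuid-0.
    #   $1 - app name; resolved with 'which -a'
    # Mirrors p4s_app_convert: only the first real file (not a symlink) is
    # touched. The setuid bit is restored and checked; 'setcap -r' stays
    # best effort with stderr hidden, as in the original (presumably to
    # hide the error for a file that carries no capabilities).
    # Returns 0 when a file was reverted, 1 when nothing was found.
    local app=$1 i APP FOUND
    APP=$(which -a "$app" 2>/dev/null)
    if [ -z "$APP" ]; then
        echo "haven't found $app"
        return 1
    fi
    FOUND=no
    while IFS= read -r i; do
        if [ -f "$i" ] && [ ! -L "$i" ]; then
            echo "reverting $i"
            chmod u+s "$i" || echo "chmod u+s failed on $i" >&2
            # deliberately best effort, see header comment
            setcap -r "$i" 2>/dev/null
            FOUND=yes
            break
        fi
    done <<<"$APP"
    if [ "$FOUND" = "no" ]; then
        echo "1 haven't found $app"
        return 1
    fi
}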
152
153
154
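p4s_convert(){
    # Walk APPSARRAY and call p4s_app_convert for every entry. The capability
    # list of an app is read from the variable of the same name via indirect
    # expansion (app "ping" -> "$ping").
    # Globals read: APPSARRAY and one capability variable per entry.
    # Iterating the array directly avoids the old counter loop, which
    # stopped one short (the last entry was never converted) and never
    # terminated on an empty array.
    local app
    for app in "${APPSARRAY[@]}"; do
        p4s_app_convert "$app" "${!app}"
    done
}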
164
165
166
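p4s_revert(){
    # Walk APPSARRAY and call p4s_app_revert for every entry.
    # Globals read: APPSARRAY.
    # Iterating the array directly avoids the old counter loop, which
    # stopped one short (the last entry was never reverted) and never
    # terminated on an empty array.
    local app
    for app in "${APPSARRAY[@]}"; do
        p4s_app_revert "$app"
    done
}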
176
177
178
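p4s_usage(){
    # Print the help text to stdout (the 'help' command).
    # Quoted delimiter: nothing inside the here-document is expanded.
    cat <<'EOF'

pcaps4suid0

pcaps4suid0 changes the file system entry of binaries from using setuid-0
to using POSIX Capabilities by granting the necessary Privileges
This is done by storing the needed POSIX Capabilities into the extended
attribute capability through setcap.
Following the idea of setuid - granting a binary the privilege regardless
of the user, the POSIX Capabilities are stored into the Permitted and
Effective set.
If you are using pam_cap.so, you might want to change the set into the
Inherited and Effective set (check for the SET var).

You need and I will check for the utilities which, chmod and setcap.

Your Filesystem has to support extended attributes and your kernel must have
support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES).

Usage:  pcaps4suid0 [con(vert)|rev(ert)|help]

         con|convert - from setuid0 to POSIX Capabilities
         rev|revert  - from POSIX Capabilities back to setuid0
         help        - this help message

EOF
}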
205
206
207
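# Command dispatch. p4s_test runs before any modifying action so a missing
# tool or a non-root caller stops us before the first chmod/setcap.
# "${1-}" keeps the script safe under 'set -u' when no argument is given.
case "${1-}" in
    con|convert)
        p4s_test
        p4s_convert
        exit 0
        ;;
    rev|revert)
        p4s_test
        p4s_revert
        exit 0
        ;;
    help|-h|--help)
        p4s_usage
        exit 0
        ;;
    *)
        echo "Try 'pcaps4suid0 help' for more information" >&2
        exit 1
        ;;
esac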
228