#!/bin/sh
|
# vim: tabstop=4
|
#
|
# author: chris friedhoff - chris@friedhoff.org
|
# version: pcaps4server 5 Tue Mar 11 2008
|
#
|
#
|
# changelog:
|
# 1 - initial release pcaps4convenience
|
# 1 - 2007.02.15 - initial release
|
# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id
|
# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
|
# 4 - renamed to pcaps4server
|
# removed suid0 and convenience files,
|
# they are now in pcaps4suid0 resp. pcaps4convenience
|
# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
|
#
|
#
|
###########################################################################
|
# change the installation of different server to be able not to run as root
|
# and have their own unpriviledged user. The binary has the needed POSIX
|
# Capabilities.
|
# to ensure that the server is really started as his respective user, we set
|
# the suid bit (BUT NOT 0)!
|
# paths are hard coded and derive from a slackware system
|
# change it to your needs !!
|
###########################################################################
|
|
|
|
VERBOSE="-v"
|
#VERBOSE=""
|
APPS=""
|
|
message(){
|
printRedMessage "$1"
|
}
|
|
printRedMessage(){
|
# print message red and turn back to white
|
echo -e "\n\033[00;31m $1 ...\033[00;00m\n"
|
}
|
|
printGreenMessage(){
|
# print message red and turn back to white
|
echo -e "\033[00;32m $1 ...\033[00;00m\n"
|
sleep 0.5
|
}
|
|
checkReturnCode(){
|
if [ "$?" != "0" ]; then
|
printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
|
exit 1
|
else
|
printGreenMessage ":-)"
|
sleep 0.5
|
fi
|
}
|
|
|
|
p4r_test(){
|
#for now, we work with root
|
if [ "$( id -u )" != "0" ]; then
|
echo "Sorry, you must be root !"
|
exit
|
fi
|
}
|
|
|
|
|
# apache 1.3
|
########
|
#APPS="$APPS apache1"
|
apache1_convert(){
|
message "converting apache1"
|
if [ "$( id -g apache 2>/dev/null )" == "" ]; then
|
groupadd -g 60 apache
|
fi
|
if [ "$( id -u apache 2>/dev/null )" == "" ]; then
|
useradd -g apache -d / -u 600 apache
|
fi
|
sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
|
chown $VERBOSE -R apache:apache /var/run/apache/
|
chown $VERBOSE -R apache:apache /etc/apache/
|
chown $VERBOSE -R apache:apache /var/log/apache/
|
chown $VERBOSE apache:apache /usr/sbin/httpd
|
chmod $VERBOSE u+s /usr/sbin/httpd
|
setcap cap_net_bind_service=ep /usr/sbin/httpd
|
checkReturnCode
|
}
|
apache1_revert(){
|
message "reverting apache1"
|
chown $VERBOSE -R root:root /var/run/apache/
|
chown $VERBOSE -R root:root /etc/apache/
|
chown $VERBOSE -R root:root /var/log/apache/
|
chown $VERBOSE root:root /usr/sbin/httpd
|
chmod $VERBOSE u-s /usr/sbin/httpd
|
setcap -r /usr/sbin/httpd
|
checkReturnCode
|
sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf
|
userdel apache
|
groupdel apache
|
}
|
|
|
# apache 2.x
|
########
|
APPS="$APPS apache2"
|
apache2_convert(){
|
message "converting apache2"
|
if [ "$( id -g apache 2>/dev/null )" == "" ]; then
|
groupadd -g 60 apache
|
fi
|
if [ "$( id -u apache 2>/dev/null )" == "" ]; then
|
useradd -g apache -d / -u 600 apache
|
fi
|
sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
|
chown $VERBOSE -R apache:apache /var/run/httpd/
|
chown $VERBOSE -R apache:apache /etc/httpd/
|
chown $VERBOSE -R apache:apache /var/log/httpd/
|
chown $VERBOSE apache:apache /usr/sbin/httpd
|
chmod $VERBOSE u+s /usr/sbin/httpd
|
#setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
|
setcap cap_net_bind_service=ep /usr/sbin/httpd
|
checkReturnCode
|
}
|
apache2_revert(){
|
message "reverting apache2"
|
chown $VERBOSE -R root:root /var/run/httpd/
|
chown $VERBOSE -R root:root /etc/httpd/
|
chown $VERBOSE -R root:root /var/log/httpd/
|
chown $VERBOSE root:root /usr/sbin/httpd
|
chmod $VERBOSE u-s /usr/sbin/httpd
|
setcap -r /usr/sbin/httpd
|
checkReturnCode
|
sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf
|
userdel apache
|
groupdel apache
|
}
|
|
|
# samba
|
#######
|
APPS="$APPS samba"
|
samba_convert(){
|
message "converting samba"
|
if [ "$( id -g samba 2>/dev/null )" == "" ]; then
|
groupadd -g 61 samba
|
fi
|
if [ "$( id -u samba 2>/dev/null )" == "" ]; then
|
useradd -g samba -d / -u 610 samba
|
fi
|
chown $VERBOSE -R samba:samba /var/log/samba
|
chown $VERBOSE -R samba:samba /etc/samba
|
chown $VERBOSE -R samba:samba /var/run/samba
|
chown $VERBOSE -R samba:samba /var/cache/samba
|
chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
|
chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
|
setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
|
checkReturnCode
|
setcap cap_net_bind_service=ep /usr/sbin/nmbd
|
checkReturnCode
|
}
|
|
samba_revert(){
|
message "reverting samba"
|
chown $VERBOSE -R root:root /var/log/samba
|
chown $VERBOSE -R root:root /etc/samba
|
chown $VERBOSE -R root:root /var/run/samba
|
chown $VERBOSE -R root:root /var/cache/samba
|
chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
|
chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
|
setcap -r /usr/sbin/smbd
|
checkReturnCode
|
setcap -r /usr/sbin/nmbd
|
checkReturnCode
|
userdel samba
|
groupdel samba
|
}
|
|
|
# bind
|
######
|
APPS="$APPS bind"
|
bind_convert(){
|
message "converting bind"
|
if [ "$( id -g bind 2>/dev/null )" == "" ]; then
|
groupadd -g 62 bind
|
fi
|
if [ "$( id -u bind 2>/dev/null )" == "" ]; then
|
useradd -g bind -d / -u 620 bind
|
fi
|
chown $VERBOSE -R bind:bind /var/run/named
|
chown $VERBOSE -R bind:bind /var/named
|
chown $VERBOSE bind:bind /etc/rndc.key
|
chown $VERBOSE bind:bind /usr/sbin/named
|
chmod $VERBOSE u+s /usr/sbin/named
|
setcap cap_net_bind_service=ep /usr/sbin/named
|
checkReturnCode
|
}
|
bind_revert(){
|
message "reverting bind"
|
chown $VERBOSE -R root:root /var/run/named
|
chown $VERBOSE -R root:root /var/named
|
chown $VERBOSE root:root /etc/rndc.key
|
chown $VERBOSE root:root /usr/sbin/named
|
chmod $VERBOSE u-s /usr/sbin/named
|
setcap -r /usr/sbin/named
|
checkReturnCode
|
userdel bind
|
groupdel bind
|
}
|
|
|
# dhcpd
|
#######
|
APPS="$APPS dhcpd"
|
dhcpd_convert(){
|
message "converting dhcpd"
|
if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then
|
groupadd -g 63 dhcpd
|
fi
|
if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then
|
useradd -g dhcpd -d / -u 630 dhcpd
|
fi
|
chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
|
chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
|
chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
|
chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
|
chmod $VERBOSE u+s /usr/sbin/dhcpd
|
setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
|
checkReturnCode
|
}
|
dhcpd_revert(){
|
message "reverting dhcpd"
|
chown $VERBOSE root:root /var/run/dhcpd
|
chown $VERBOSE root:root /etc/dhcpd.conf
|
chown $VERBOSE -R root:root /var/state/dhcp/
|
chown $VERBOSE root:root /usr/sbin/dhcpd
|
chmod $VERBOSE u-s /usr/sbin/dhcpd
|
setcap -r /usr/sbin/dhcpd
|
checkReturnCode
|
userdel dhcpd
|
groupdel dhcpd
|
}
|
|
|
# cupsd
|
#######
|
APPS="$APPS cupsd"
|
cupsd_convert(){
|
message "converting cupsd"
|
if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then
|
groupadd -g 64 cupsd
|
fi
|
if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then
|
useradd -g cupsd -d / -u 640 cupsd
|
fi
|
sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
|
chown $VERBOSE -R cupsd:cupsd /etc/cups
|
chown $VERBOSE -R cupsd:cupsd /var/cache/cups
|
chown $VERBOSE -R cupsd:cupsd /var/log/cups
|
chown $VERBOSE -R cupsd:cupsd /var/spool/cups
|
chown $VERBOSE -R cupsd:cupsd /var/run/cups
|
chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
|
chmod $VERBOSE u+s /usr/sbin/cupsd
|
setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
|
checkReturnCode
|
}
|
cupsd_revert(){
|
message "reverting cupsd"
|
chown $VERBOSE -R root:root /etc/cups
|
chown $VERBOSE -R root:lp /var/cache/cups
|
chown $VERBOSE -R root:root /var/log/cups
|
chown $VERBOSE -R root:root /var/spool/cups
|
chown $VERBOSE root:lp /var/run/cups
|
chown $VERBOSE lp:sys /var/run/cups/certs
|
chmod $VERBOSE 750 /var/run/cups/certs
|
chown $VERBOSE root:root /usr/sbin/cupsd
|
chmod $VERBOSE u-s /usr/sbin/cupsd
|
setcap -r /usr/sbin/cupsd
|
checkReturnCode
|
sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
|
userdel cupsd
|
groupdel cupsd
|
}
|
|
|
usage_message(){
|
echo "Try 'pcaps4server help' for more information"
|
}
|
|
|
p4r_usage(){
|
echo
|
echo "pcaps4server"
|
echo
|
echo "pcaps4server stores the needed POSIX Capabilities for server binaries to"
|
echo "run successful into their Permitted and Effective Set."
|
echo "The server are now able to run as an unpriviledged user."
|
echo "For each server software an unpriviledged user is added the system."
|
echo "The ownership of all the respective paths are changed to this user."
|
echo "To ensure that the server is starting as this unpriviledgesd user, the"
|
echo "suid bit (NOT 0) is set."
|
echo "Effectively this means every user can start this server daemons (for now)."
|
echo "All paths are hard coded!"
|
echo "You have been warned. Enjoy!"
|
echo
|
echo "Your Filesystem has to support extended attributes and your kernel must have"
|
echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
|
echo
|
echo "Usage: pcaps4server [PROG] [con(vert)|rev(ert)|help]"
|
echo
|
echo " con|convert - from setuid0 to POSIX Capabilities"
|
echo " rev|revert - from POSIX Capabilities back to setui0"
|
echo " help - this help message"
|
echo
|
echo " PROG: $APPS"
|
echo
|
}
|
|
|
|
|
case "$1" in
|
con|convert)
|
p4r_test
|
for j in $APPS; do
|
${j}_convert
|
done
|
exit
|
;;
|
rev|renvert)
|
p4r_test
|
for j in $APPS; do
|
${j}_revert
|
done
|
exit
|
;;
|
help)
|
p4r_usage
|
exit
|
;;
|
esac
|
|
for i in ${APPS}; do
|
if [ "$1" == "$i" ]; then
|
case "$2" in
|
con|convert)
|
p4r_test
|
${i}_convert
|
exit
|
;;
|
rev|revert)
|
p4r_test
|
${i}_revert
|
exit
|
;;
|
*)
|
usage_message
|
exit 1
|
;;
|
esac
|
fi
|
done
|
|
usage_message
|
