mirror of
https://github.com/rd235/cado
synced 2024-12-10 14:45:22 +01:00
Initial release (v.0.9)
This commit is contained in:
parent
4311c2e564
commit
68a7dcfa2e
339
COPYING
Normal file
339
COPYING
Normal file
@ -0,0 +1,339 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Library General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
Appendix: How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) 19yy <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) 19yy name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Library General
|
||||
Public License instead of this License.
|
9
Makefile.am
Normal file
9
Makefile.am
Normal file
@ -0,0 +1,9 @@
|
||||
bin_PROGRAMS = cado caprint
|
||||
|
||||
cado_SOURCES = cado.c pam_check.c get_user_groups.c capset_from_namelist.c read_conf.c set_ambient_cap.c
|
||||
|
||||
cado_LDADD = -lpam -lpam_misc -lcap
|
||||
|
||||
caprint_LDADD = -lcap
|
||||
|
||||
man_MANS = cado.1 caprint.1 cado.conf.5
|
194
README
Normal file
194
README
Normal file
@ -0,0 +1,194 @@
|
||||
introducing CADO: Capability DO.
|
||||
|
||||
Cado permits to delegate capabilities to users.
|
||||
|
||||
Cado is a capability based sudo. Sudo allows authorized users to run programs
|
||||
as root (or as another user), cado allows authorized users to run programs with
|
||||
specific (ambient) capabilities.
|
||||
|
||||
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||
|
||||
INSTALL:
|
||||
|
||||
get the source code, from the root of the source tree run:
|
||||
|
||||
$ autoreconf -if
|
||||
$ ./configure
|
||||
$ make
|
||||
$ sudo make install
|
||||
|
||||
It installs two programs in /usr/local/bin: cado and caprint.
|
||||
If you want to install the programs in /usr/bin run "./configure --prefix=/usr" instead of "./configure".
|
||||
|
||||
Cado needs a configuration file: /etc/cado.conf with the following syntax:
|
||||
* lines beginning with # are comments
|
||||
* all the other lines have two fields separated by :, the first field is a capability or a list of
|
||||
capabilities, the second field is a list of users or groups (group names have @ as a prefix).
|
||||
Capabilities can be written with or without the cap_ prefix (net_admin means cap_net_admin).
|
||||
|
||||
Example of /etc/cado.conf file:
|
||||
---------------------------------------------
|
||||
# Capability Ambient DO configuration file
|
||||
# cado.conf
|
||||
|
||||
net_admin: @netadmin,renzo
|
||||
cap_kill: renzo
|
||||
--------------------------------------------
|
||||
|
||||
The file above allows the user renzo and all the members of the group named netadmin to run programs
|
||||
neeeding the cap_net_admin capability.
|
||||
The user renzo can also run programs requiring cap_kill.
|
||||
The file /etc/cado.conf can be owned by root and have no rw permission for users.
|
||||
|
||||
|
||||
It is also possible to use lists of capabilities:
|
||||
setgid,setuid: giovanni
|
||||
|
||||
or exadecimal masks:
|
||||
c0: giovanni,@idgroup
|
||||
|
||||
|
||||
$ ls -l /etc/cado.conf
|
||||
-rw------- 1 root root 100 Jun 19 17:11 /etc/cado.conf
|
||||
|
||||
IMPORTANT.
|
||||
Cado has been designed to work using the minimum set of capability required for its services.
|
||||
(following the principle of least privilege).
|
||||
Cado itself is not a seuid executable, it uses the capability mechanism and it has an options to
|
||||
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
|
||||
recomputed using the following command:
|
||||
$ sudo cado -s
|
||||
or
|
||||
$ sudo cado -sv
|
||||
(this latter command is verbose and shows the set of capabilties assigned to the capo executable file).
|
||||
|
||||
using the example configuration file above, capo would be assigned the following capabilities:
|
||||
$ sudo cado -sv
|
||||
Capability needed by cado:
|
||||
2 0000000000000004 cap_dac_read_search
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001024
|
||||
$ /sbin/getcap /usr/local/bin/cado
|
||||
/usr/local/bin/cado = cap_dac_read_search,cap_kill,cap_net_admin+p
|
||||
|
||||
-----------------------------------------------------------------
|
||||
|
||||
The syntax of cado is simple:
|
||||
$ cado [options] set_of_capabilities command [args]
|
||||
|
||||
for example if the user renzo wants to run a shell having the cap_net_admin capability enabled he can type
|
||||
the following command:
|
||||
$ cado net_admin bash
|
||||
Password:
|
||||
$
|
||||
|
||||
the user will be requested to authenticate himself. If the user has the right to enable cap_net_admin (from the
|
||||
cado.conf configuration file) and he typed in the correct password, cado starts a new shell with the requested
|
||||
capability enabled.
|
||||
|
||||
It is possible define the set_of_capabilities using a list of capabilities (with or without the cap_prefix)
|
||||
or exadecimal masks.
|
||||
|
||||
In the new shell the user can do all the operations permitted by the enabled capabilities,
|
||||
in this case, for example, he will be allowed to change the networking configuration, add tuntap
|
||||
interfaces and so on.
|
||||
|
||||
It is possible to show the ambient capability set of a program by reading the /proc/####/status file:
|
||||
e.g.:
|
||||
$ grep CapAmb /proc/$$/status
|
||||
CapAmb: 0000000000001000
|
||||
|
||||
(cap_net_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
|
||||
|
||||
-----------------------------------------------------------------
|
||||
|
||||
caprint is a simple program which shows the ambient capabilities of a running program.
|
||||
(a pid of a running process can be specified as an optional parameter, otherwise it shows the capabilities
|
||||
of caprint itself)
|
||||
|
||||
$ caprint
|
||||
cap_net_admin
|
||||
|
||||
$ caprint -l
|
||||
12 0000000000001000 cap_net_admin
|
||||
|
||||
There is an option -p that has been designed to add the current set of ambient capabilities to the shell prompt,
|
||||
so it is easier for the user to recognize when a shell has some "extra power", so to avoid errors.
|
||||
|
||||
In .bashrc or .bash_profile (or in their system-side counterparts in /etc) it is possible to set rules like
|
||||
the followings:
|
||||
-----------
|
||||
if which caprint >&/dev/null ; then
|
||||
ambient=$(caprint -p)
|
||||
fi
|
||||
|
||||
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$$ambient '
|
||||
-----------
|
||||
|
||||
The prompt becomes something like:
|
||||
renzo@host:~$net_admin#
|
||||
|
||||
-------------------------------------------------------------------
|
||||
|
||||
Some secondary features:
|
||||
|
||||
The -v feature shows the set of available capabilities:
|
||||
$ cado -v
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
|
||||
$ cado -v net_admin,kill bash
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Requested ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Password:
|
||||
|
||||
|
||||
It is useful to show which capability/ies cannot be granted:
|
||||
$ cado net_admin,kill,setuid bash
|
||||
cado: Permission denied
|
||||
|
||||
$ cado -v net_admin,kill,setuid bash
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Requested ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
7 0000000000000080 cap_setuid
|
||||
12 0000000000001000 cap_net_admin
|
||||
00000000000010a0
|
||||
Unavailable ambient capabilities:
|
||||
7 0000000000000080 cap_setuid
|
||||
cado: Permission denied
|
||||
|
||||
It is possible to enable only the capability allowed by setting the -q option
|
||||
(with or without -v). Using -q cado does not fail.
|
||||
|
||||
$ cado -qv net_admin,kill,setuid bash
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Requested ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
7 0000000000000080 cap_setuid
|
||||
12 0000000000001000 cap_net_admin
|
||||
00000000000010a0
|
||||
Unavailable ambient capabilities:
|
||||
7 0000000000000080 cap_setuid
|
||||
Password:
|
||||
Granted ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
renzo@eipi:~/tests/cado/pre$kill,net_admin#
|
||||
|
216
README.md
216
README.md
@ -1,2 +1,218 @@
|
||||
# cado
|
||||
CADO: Capability DO (like a sudo providing users with just the capabilities they need)
|
||||
|
||||
Cado permits to delegate capabilities to users.
|
||||
|
||||
Cado is a capability based sudo. Sudo allows authorized users to run programs
|
||||
as root (or as another user), cado allows authorized users to run programs with
|
||||
specific (ambient) capabilities.
|
||||
|
||||
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||
|
||||
INSTALL:
|
||||
|
||||
get the source code, from the root of the source tree run:
|
||||
```
|
||||
$ autoreconf -if
|
||||
$ ./configure
|
||||
$ make
|
||||
$ sudo make install
|
||||
```
|
||||
|
||||
It installs two programs in /usr/local/bin: cado and caprint.
|
||||
If you want to install the programs in /usr/bin run "./configure --prefix=/usr" instead of "./configure".
|
||||
|
||||
Cado needs a configuration file: /etc/cado.conf with the following syntax:
|
||||
- lines beginning with # are comments
|
||||
- all the other lines have two fields separated by :, the first field is a capability or a list of
|
||||
capabilities, the second field is a list of users or groups (group names have @ as a prefix).
|
||||
Capabilities can be written with or without the cap_ prefix (net_admin means cap_net_admin).
|
||||
|
||||
Example of /etc/cado.conf file:
|
||||
```
|
||||
# Capability Ambient DO configuration file
|
||||
# cado.conf
|
||||
|
||||
net_admin: @netadmin,renzo
|
||||
cap_kill: renzo
|
||||
```
|
||||
|
||||
The file above allows the user renzo and all the members of the group named netadmin to run programs
|
||||
neeeding the cap_net_admin capability.
|
||||
The user renzo can also run programs requiring cap_kill.
|
||||
The file /etc/cado.conf can be owned by root and have no rw permission for users.
|
||||
|
||||
|
||||
It is also possible to use lists of capabilities:
|
||||
```
|
||||
setgid,setuid: giovanni
|
||||
```
|
||||
|
||||
or exadecimal masks:
|
||||
```
|
||||
c0: giovanni,@idgroup
|
||||
```
|
||||
|
||||
IMPORTANT.
|
||||
Cado has been designed to work using the minimum set of capability required for its services.
|
||||
(following the principle of least privilege).
|
||||
```
|
||||
$ ls -l /etc/cado.conf
|
||||
-rw------- 1 root root 100 Jun 19 17:11 /etc/cado.conf
|
||||
```
|
||||
|
||||
Cado itself is not a seuid executable, it uses the capability mechanism and it has an options to
|
||||
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
|
||||
recomputed using the following command:
|
||||
```
|
||||
$ sudo cado -s
|
||||
```
|
||||
or
|
||||
```
|
||||
$ sudo cado -sv
|
||||
```
|
||||
(this latter command is verbose and shows the set of capabilties assigned to the capo executable file).
|
||||
|
||||
using the example configuration file above, capo would be assigned the following capabilities:
|
||||
```
|
||||
$ sudo cado -sv
|
||||
Capability needed by cado:
|
||||
2 0000000000000004 cap_dac_read_search
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001024
|
||||
$ /sbin/getcap /usr/local/bin/cado
|
||||
/usr/local/bin/cado = cap_dac_read_search,cap_kill,cap_net_admin+p
|
||||
```
|
||||
---
|
||||
|
||||
The syntax of cado is simple:
|
||||
```
|
||||
$ cado [options] set_of_capabilities command [args]
|
||||
```
|
||||
|
||||
for example if the user renzo wants to run a shell having the cap_net_admin capability enabled he can type
|
||||
the following command:
|
||||
```
|
||||
$ cado net_admin bash
|
||||
Password:
|
||||
$
|
||||
```
|
||||
|
||||
the user will be requested to authenticate himself. If the user has the right to enable cap_net_admin (from the
|
||||
cado.conf configuration file) and he typed in the correct password, cado starts a new shell with the requested
|
||||
capability enabled.
|
||||
|
||||
It is possible define the set_of_capabilities using a list of capabilities (with or without the cap_prefix)
|
||||
or exadecimal masks.
|
||||
|
||||
In the new shell the user can do all the operations permitted by the enabled capabilities,
|
||||
in this case, for example, he will be allowed to change the networking configuration, add tuntap
|
||||
interfaces and so on.
|
||||
|
||||
It is possible to show the ambient capability set of a program by reading the /proc/####/status file:
|
||||
e.g.:
|
||||
```
|
||||
$ grep CapAmb /proc/$$/status
|
||||
CapAmb: 0000000000001000
|
||||
```
|
||||
|
||||
(cap_net_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
|
||||
|
||||
---
|
||||
|
||||
caprint is a simple program which shows the ambient capabilities of a running program.
|
||||
(a pid of a running process can be specified as an optional parameter, otherwise it shows the capabilities
|
||||
of caprint itself)
|
||||
|
||||
```
|
||||
$ caprint
|
||||
cap_net_admin
|
||||
|
||||
$ caprint -l
|
||||
12 0000000000001000 cap_net_admin
|
||||
```
|
||||
|
||||
There is an option -p that has been designed to add the current set of ambient capabilities to the shell prompt,
|
||||
so it is easier for the user to recognize when a shell has some "extra power", so to avoid errors.
|
||||
|
||||
In .bashrc or .bash_profile (or in their system-side counterparts in /etc) it is possible to set rules like
|
||||
the followings:
|
||||
```
|
||||
if which caprint >&/dev/null ; then
|
||||
ambient=$(caprint -p)
|
||||
fi
|
||||
|
||||
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$$ambient '
|
||||
```
|
||||
|
||||
The prompt becomes something like:
|
||||
```
|
||||
renzo@host:~$net_admin#
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
Some secondary features:
|
||||
|
||||
The -v feature shows the set of available capabilities:
|
||||
```
|
||||
$ cado -v
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
|
||||
$ cado -v net_admin,kill bash
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Requested ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Password:
|
||||
```
|
||||
|
||||
It is useful to show which capability/ies cannot be granted:
|
||||
```
|
||||
$ cado net_admin,kill,setuid bash
|
||||
cado: Permission denied
|
||||
|
||||
$ cado -v net_admin,kill,setuid bash
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Requested ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
7 0000000000000080 cap_setuid
|
||||
12 0000000000001000 cap_net_admin
|
||||
00000000000010a0
|
||||
Unavailable ambient capabilities:
|
||||
7 0000000000000080 cap_setuid
|
||||
cado: Permission denied
|
||||
```
|
||||
It is possible to enable only the capability allowed by setting the -q option
|
||||
(with or without -v). Using -q cado does not fail.
|
||||
```
|
||||
$ cado -qv net_admin,kill,setuid bash
|
||||
Allowed ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
Requested ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
7 0000000000000080 cap_setuid
|
||||
12 0000000000001000 cap_net_admin
|
||||
00000000000010a0
|
||||
Unavailable ambient capabilities:
|
||||
7 0000000000000080 cap_setuid
|
||||
Password:
|
||||
Granted ambient capabilities:
|
||||
5 0000000000000020 cap_kill
|
||||
12 0000000000001000 cap_net_admin
|
||||
0000000000001020
|
||||
renzo@host:~/tests/cado/pre$kill,net_admin#
|
||||
```
|
||||
|
67
cado.1
Normal file
67
cado.1
Normal file
@ -0,0 +1,67 @@
|
||||
.TH CADO 1 "June 23, 2016" "VirtualSquare Labs"
|
||||
.SH NAME
|
||||
cado \- Capability Ambient DO
|
||||
.SH SYNOPSIS
|
||||
.B cado
|
||||
[
|
||||
.I OPTIONS
|
||||
]
|
||||
[
|
||||
.I capability_list
|
||||
.I command
|
||||
[
|
||||
.I args
|
||||
]
|
||||
]
|
||||
|
||||
.SH DESCRIPTION
|
||||
Cado permits to delegate capabilities to users.
|
||||
Cado is a capability based sudo. Sudo allows authorized users to run programs as root (or as another user),
|
||||
cado allows authorized users to run programs with specific (ambient) capabilities.
|
||||
|
||||
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||
|
||||
\fIcapability_list\fR is a comma separated list of capability names or capability masks (exadecimal numbers).
|
||||
For brevity, the \fBcap_\fR prefix of capability names can be omitted (e.g. \fBnet_admin\fR and \fBcap_net_admin\fR
|
||||
have the same meaning).
|
||||
|
||||
If it is allowed for the current user to run processes with the requested capabilities, the user is asked to
|
||||
type their password (or to authenticate themselves as required by pam).
|
||||
Once the authentication succeeds, \fBcado\fR executes the command granting the required ambient capabilities.
|
||||
|
||||
The file /etc/cado.conf (see \fBcado.conf\fR(5)) defines which capabilities can be provided by \fBcado\fR to each user.
|
||||
Cado itself is not a seuid executable, it uses the capability mechanism and it has an options to
|
||||
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
|
||||
recomputed by root using the command \fBcado -s\fR or \fBcado --setcap\fR.
|
||||
|
||||
.SH OPTIONS
|
||||
.I cado
|
||||
accepts the following options:
|
||||
.TP
|
||||
\fB\-v
|
||||
.TQ
|
||||
\fB\-\-verbose
|
||||
run in verbose mode. \fBcado\fR shows the set of allowed capabilities, requested cababilities, unavailable capabilities and
|
||||
(in case of -s) the set of capabilities assigned to \fBcado.conf\fR itself.
|
||||
.TP
|
||||
\fB\-q
|
||||
.TQ
|
||||
\fB\-\-quiet
|
||||
do not fail in case the user asks for unavailable capabilities, \fBcado.conf\fR in this case grants the intersection between the
|
||||
set of requested cababilities and the set of allowed capabilities
|
||||
.TP
|
||||
\fB\-s
|
||||
.TQ
|
||||
\fB\-\-setcap
|
||||
\fBcado\fR computes the miminal set of capability required by itself and sets the file capability of the cado executable.
|
||||
.TP
|
||||
\fB\-h
|
||||
.TQ
|
||||
\fB\-\-help
|
||||
print a short usage banner and exit.
|
||||
|
||||
.SH SEE ALSO
|
||||
\fBcado.conf\fR(5),
|
||||
\fBcaprint\fR(1),
|
||||
\fBcapabilities\fR(7)
|
||||
|
156
cado.c
Normal file
156
cado.c
Normal file
@ -0,0 +1,156 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <getopt.h>
|
||||
#include <unistd.h>
|
||||
#include <libgen.h>
|
||||
#include <pam_check.h>
|
||||
#include <get_user_groups.h>
|
||||
#include <capset_from_namelist.h>
|
||||
#include <read_conf.h>
|
||||
#include <set_ambient_cap.h>
|
||||
|
||||
static void printcapset(uint64_t capset, char *indent) {
|
||||
cap_value_t cap;
|
||||
int count=0;
|
||||
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||
if (capset & (1ULL << cap)) {
|
||||
count ++;
|
||||
printf("%s%2d %016llx %s\n",indent,cap,1ULL<<cap,cap_to_name(cap));
|
||||
}
|
||||
}
|
||||
if (count > 1)
|
||||
printf("%s %016llx\n",indent,capset);
|
||||
}
|
||||
|
||||
#define OPTSTRING "hqvs"
|
||||
struct option long_options[]={
|
||||
{"help", no_argument, NULL, 'h'},
|
||||
{"quiet", no_argument, NULL, 'q'},
|
||||
{"verbose", no_argument, NULL, 'v'},
|
||||
{"setcap", no_argument, NULL, 'v'},
|
||||
};
|
||||
|
||||
void usage(char *progname) {
|
||||
fprintf(stderr,"%s - execute a command in a different capability ambient\n\n",progname);
|
||||
fprintf(stderr,"usage: %s OPTIONS capability_list command [args]\n\n",progname);
|
||||
fprintf(stderr,"Options:\n");
|
||||
fprintf(stderr," -h, --help display help message and exit\n");
|
||||
fprintf(stderr," -q, --quiet do not display warnings, do what it is allowed\n");
|
||||
fprintf(stderr," -v, --verbose generate extra output\n");
|
||||
fprintf(stderr," -s, --setcap set the minimun caps for %s (root access)\n",progname);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int main(int argc, char*argv[])
|
||||
{
|
||||
char *progname=basename(argv[0]);
|
||||
char **user_groups=get_user_groups();
|
||||
uint64_t okcaps=get_authorized_caps(user_groups);
|
||||
uint64_t reqcaps=0;
|
||||
uint64_t grantcap=0;
|
||||
int verbose=0;
|
||||
int quiet=0;
|
||||
int setcap=0;
|
||||
|
||||
while (1) {
|
||||
int c=getopt_long(argc, argv, OPTSTRING, long_options, NULL);
|
||||
if (c < 0)
|
||||
break;
|
||||
switch (c) {
|
||||
case 'h': usage(progname);
|
||||
break;
|
||||
case 'v': verbose=1;
|
||||
break;
|
||||
case 'q': quiet=1;
|
||||
break;
|
||||
case 's': setcap=1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (setcap) {
|
||||
if (geteuid() != 0) {
|
||||
fprintf(stderr, "setcap requires root access\n");
|
||||
exit(2);
|
||||
}
|
||||
okcaps = get_authorized_caps(NULL);
|
||||
okcaps |= 1ULL << CAP_DAC_READ_SEARCH;
|
||||
if (verbose) {
|
||||
printf("Capability needed by %s:\n", progname);
|
||||
printcapset(okcaps, " ");
|
||||
}
|
||||
if (set_self_capability(okcaps) < 0) {
|
||||
fprintf(stderr, "Cannot set %s capabilities\n", progname);
|
||||
exit(2);
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (verbose) {
|
||||
printf("Allowed ambient capabilities:\n");
|
||||
printcapset(okcaps, " ");
|
||||
}
|
||||
|
||||
if (verbose && (argc == optind))
|
||||
exit(0);
|
||||
|
||||
if (argc - optind < 2)
|
||||
usage(progname);
|
||||
|
||||
if (capset_from_namelist(argv[optind], &reqcaps))
|
||||
exit(2);
|
||||
|
||||
if (verbose) {
|
||||
printf("Requested ambient capabilities:\n");
|
||||
printcapset(reqcaps, " ");
|
||||
}
|
||||
|
||||
if (reqcaps & ~okcaps) {
|
||||
if (verbose) {
|
||||
printf("Unavailable ambient capabilities:\n");
|
||||
printcapset(reqcaps & ~okcaps, " ");
|
||||
}
|
||||
if (!quiet) {
|
||||
fprintf(stderr,"%s: Permission denied\n",progname);
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
|
||||
grantcap = reqcaps & okcaps;
|
||||
|
||||
optind++;
|
||||
|
||||
if (pam_check(user_groups[0]) != 0) {
|
||||
fprintf(stderr,"%s: Authentication failure\n",progname);
|
||||
exit(2);
|
||||
}
|
||||
set_ambient_cap(grantcap);
|
||||
if (verbose && (reqcaps & ~okcaps)) {
|
||||
printf("Granted ambient capabilities:\n");
|
||||
printcapset(grantcap, " ");
|
||||
}
|
||||
execvp(argv[optind],argv+optind);
|
||||
exit(2);
|
||||
}
|
11
cado.conf
Normal file
11
cado.conf
Normal file
@ -0,0 +1,11 @@
|
||||
# Capability Ambient DO configuration file
|
||||
# cado.conf example
|
||||
|
||||
# syntax list_of_capabilities: list_of_users_or_groups
|
||||
# lists are comma separated
|
||||
# items in list_of_capabilities can be capability names, short capability names (without the cap_ prefix) and exadecimal masks.
|
||||
# using @ as a prefix of a name in list_of_users_or_groups means that it is a groupname instead of a username.
|
||||
|
||||
# net_admin: @netadmin,renzo
|
||||
# net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
|
||||
# cap_kill: renzo
|
43
cado.conf.5
Normal file
43
cado.conf.5
Normal file
@ -0,0 +1,43 @@
|
||||
.TH CADO.CONF 5 "June 23, 2016" "VirtualSquare Labs"
|
||||
.SH NAME
|
||||
cado.conf \- Capability Ambient DO: configuration file
|
||||
|
||||
.SH DESCRIPTION
|
||||
The \fB/etc/cado.conf\fR file is used to configure which ambient cabalities can be provided by \fBcado\fR to users.
|
||||
\fBcado\fR uses the capability cap_dac_read_search to access \fB/etc/cado.conf\fR, so this configuration does not
|
||||
need to be readable by users.
|
||||
|
||||
All lines beginning with the sign '#' are comments.
|
||||
|
||||
Non-comment lines have the following syntax
|
||||
.nf
|
||||
\fIlist_of_capabilities\fB:\fI list_of_users_and_groups\fR
|
||||
.fi
|
||||
|
||||
Both \fIlist_of_capabilities\fR and \fIlist_of_users_and_groups\fR are comma separated lists of identifiers.
|
||||
|
||||
Items of \fIlist_of_capabilities\fR are capability names or capability masks (exadecimal numbers).
|
||||
For brevity, the \fBcap_\fR prefix of capability names can be omitted (e.g. \fBnet_admin\fR and \fBcap_net_admin\fR
|
||||
have the same meaning).
|
||||
|
||||
Items of \fIlist_of_users_and_groups\fR are usernames or groupnames (groupnames must be prefexed by '@').
|
||||
|
||||
Example of \fBcado.conf\fR file:
|
||||
|
||||
.ni
|
||||
# Capability Ambient DO configuration file
|
||||
# cado.conf
|
||||
|
||||
net_admin: @netadmin,renzo
|
||||
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
|
||||
cap_kill: renzo
|
||||
.fi
|
||||
|
||||
In this example the renzo's processes can be granted (by \fBcado\fR) cap_net_admin and cap_kill.
|
||||
cap_net_admin can be acquired by processes owned by users belonging to the netadmin group.
|
||||
Users in vxvdex can provide their processes with a subset of cap_net_admin, cap_net_bind_service, cap_net_raw and cap_net_broadcast
|
||||
|
||||
.SH SEE ALSO
|
||||
\fBcado\fR(1),
|
||||
\fBcaprint\fR(1),
|
||||
\fBcapabilities\fR(7)
|
55
caprint.1
Normal file
55
caprint.1
Normal file
@ -0,0 +1,55 @@
|
||||
.TH CAPRINT 1 "June 23, 2016" "VirtualSquare Labs"
|
||||
.SH NAME
|
||||
caprint \- Capability Ambient Print
|
||||
.SH SYNOPSIS
|
||||
.B caprint
|
||||
[
|
||||
OPTIONS
|
||||
]
|
||||
[
|
||||
.I pid
|
||||
]
|
||||
|
||||
.SH DESCRIPTION
|
||||
\fBcaprint\fR shows the ambient capabilities of a running program (whose pid can be specified as an optional parameter, otherwise \fBcaprint\fR
|
||||
shows the capabilities of caprint itself).
|
||||
|
||||
.SH OPTIONS
|
||||
.I caprint
|
||||
accepts the following options:
|
||||
.TP
|
||||
\fB\-l
|
||||
.TQ
|
||||
\fB\-\-long
|
||||
run in verbose mode. \fBcaprint\fR shows the bitmask for each capability owned by the process and the resulting mask of the capability set.
|
||||
.TP
|
||||
\fB\-c
|
||||
.TQ
|
||||
\fB\-\-compact
|
||||
emit a compact output (a single line composed of a comma separated list of the capability short names). This output can be copied as a
|
||||
capability list for the command \fBcado\fR(1).
|
||||
.TP
|
||||
\fB\-p
|
||||
.TQ
|
||||
\fB\-\-prompt
|
||||
this option has been created to provide users with a suitable shell prompt to warn the users of the extra capabilities granted to that shell
|
||||
(and of the extra danger in case of running wrong commands).
|
||||
As an example, it is possible to set the \fBbash\fR prompt editing the \fB.bashrc\fR in the user's home directory:
|
||||
.nf
|
||||
|
||||
if which caprint >&/dev/null ; then
|
||||
ambient=$(caprint -p)
|
||||
fi
|
||||
|
||||
PS1='\\u@\\h:\\w\\$$ambient'
|
||||
|
||||
.fi
|
||||
.TP
|
||||
\fB\-h
|
||||
.TQ
|
||||
\fB\-\-help
|
||||
print a short usage banner and exit.
|
||||
|
||||
.SH SEE ALSO
|
||||
\fBcado\fR(1),
|
||||
\fBcapabilities\fR(7),
|
131
caprint.c
Normal file
131
caprint.c
Normal file
@ -0,0 +1,131 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdint.h>
|
||||
#include <getopt.h>
|
||||
#include <libgen.h>
|
||||
#include <sys/capability.h>
|
||||
|
||||
char *tag="CapAmb:\t";
|
||||
uint64_t get_capamb(pid_t pid) {
|
||||
FILE *f;
|
||||
char filename[32];
|
||||
int status=0;
|
||||
int target=strlen(tag);
|
||||
uint64_t capamb=0;
|
||||
int c;
|
||||
snprintf(filename,32,"/proc/%d/status",pid);
|
||||
|
||||
f=fopen(filename,"r");
|
||||
if (f==NULL)
|
||||
exit(2);
|
||||
|
||||
while ((c = getc(f)) != EOF) {
|
||||
if (c == tag[status]) {
|
||||
status++;
|
||||
if (status == target) {
|
||||
fscanf(f,"%llx",&capamb);
|
||||
break;
|
||||
}
|
||||
} else
|
||||
status=0;
|
||||
}
|
||||
fclose(f);
|
||||
return capamb;
|
||||
}
|
||||
|
||||
#define OPTSTRING "hpcl"
|
||||
struct option long_options[]={
|
||||
{"help", no_argument, NULL, 'h'},
|
||||
{"prompt", no_argument, NULL, 'p'},
|
||||
{"compact", no_argument, NULL, 'c'},
|
||||
{"long", no_argument, NULL, 'l'},
|
||||
};
|
||||
|
||||
void usage(char *progname) {
|
||||
fprintf(stderr,"%s - show the current capability ambient\n\n",progname);
|
||||
fprintf(stderr,"usage: %s OPTIONS [pid]\n\n",progname);
|
||||
fprintf(stderr,"Options:\n");
|
||||
fprintf(stderr," -h, --help display help message and exit\n");
|
||||
fprintf(stderr," -p, --prompt single line output for the command prompt\n");
|
||||
fprintf(stderr," -c, --compact single line without cap_ prefix\n");
|
||||
fprintf(stderr," -l, --long display cap# and mask\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
uint64_t capamb;
|
||||
char *progname=basename(argv[0]);
|
||||
int prompt=0;
|
||||
int compact=0;
|
||||
int longlist=0;
|
||||
while (1) {
|
||||
int c=getopt_long(argc, argv, OPTSTRING, long_options, NULL);
|
||||
if (c < 0)
|
||||
break;
|
||||
switch (c) {
|
||||
case 'h': usage(progname);
|
||||
break;
|
||||
case 'p': prompt=compact=1;
|
||||
break;
|
||||
case 'c': compact=1;
|
||||
break;
|
||||
case 'l': longlist=1;
|
||||
break;
|
||||
default:
|
||||
usage(progname);
|
||||
}
|
||||
}
|
||||
|
||||
if (argc - optind > 1)
|
||||
usage(progname);
|
||||
|
||||
if (optind < argc)
|
||||
capamb=get_capamb(atoi(argv[optind]));
|
||||
else
|
||||
capamb=get_capamb(getpid());
|
||||
if (capamb) {
|
||||
cap_value_t cap;
|
||||
char *sep="";
|
||||
int count=0;
|
||||
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||
if (capamb & (1ULL << cap)) {
|
||||
count++;
|
||||
if (longlist)
|
||||
printf("%2d %016llx %s\n",cap,1ULL<<cap,cap_to_name(cap));
|
||||
else if (compact)
|
||||
printf("%s%s",sep,cap_to_name(cap)+4);
|
||||
else
|
||||
printf("%s\n",cap_to_name(cap));
|
||||
sep=",";
|
||||
}
|
||||
}
|
||||
if (prompt) printf("#");
|
||||
if (compact) printf("\n");
|
||||
if (longlist && count > 1)
|
||||
printf(" %016llx\n",capamb);
|
||||
}
|
||||
}
|
59
capset_from_namelist.c
Normal file
59
capset_from_namelist.c
Normal file
@ -0,0 +1,59 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/capability.h>
|
||||
#include <capset_from_namelist.h>
|
||||
|
||||
static int addcap(char *name, uint64_t *capset) {
|
||||
char *tail;
|
||||
uint64_t exacaps=strtoull(name, &tail, 16);
|
||||
if (*tail == 0) {
|
||||
*capset |= exacaps;
|
||||
return 0;
|
||||
} else {
|
||||
int rv;
|
||||
cap_value_t thiscap;
|
||||
if (strncmp(name,"cap_",4) == 0)
|
||||
rv=cap_from_name(name, &thiscap);
|
||||
else {
|
||||
int xnamelen=strlen(name)+5;
|
||||
char xname[xnamelen];
|
||||
snprintf(xname,xnamelen,"cap_%s",name);
|
||||
rv=cap_from_name(xname, &thiscap);
|
||||
}
|
||||
if (rv >= 0)
|
||||
*capset |= 1ULL << thiscap;
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
int capset_from_namelist(char *namelist, uint64_t *capset) {
|
||||
int rv=0;
|
||||
char *onecap;
|
||||
char *tmptok;
|
||||
for (; (onecap=strtok_r(namelist,",",&tmptok)) != NULL; namelist=NULL)
|
||||
rv |= addcap(onecap,capset);
|
||||
return rv;
|
||||
}
|
||||
|
8
capset_from_namelist.h
Normal file
8
capset_from_namelist.h
Normal file
@ -0,0 +1,8 @@
|
||||
#ifndef CAP_FROM_NAMEX_H
|
||||
#define CAP_FROM_NAMEX_H
|
||||
#include <sys/capability.h>
|
||||
#include <stdint.h>
|
||||
|
||||
int capset_from_namelist(char *namelist, uint64_t *capset);
|
||||
|
||||
#endif
|
29
configure.ac
Normal file
29
configure.ac
Normal file
@ -0,0 +1,29 @@
|
||||
# -*- Autoconf -*-
|
||||
# Process this file with autoconf to produce a configure script.
|
||||
|
||||
AC_PREREQ([2.69])
|
||||
AC_INIT([cado], [0.9], [info@v2.cs.unibo.it])
|
||||
AM_INIT_AUTOMAKE([foreign dist-bzip2])
|
||||
AC_CONFIG_SRCDIR([pam_check.h])
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
|
||||
# Checks for programs.
|
||||
AC_PROG_CXX
|
||||
AC_PROG_CC
|
||||
AC_PROG_INSTALL
|
||||
|
||||
# Checks for libraries.
|
||||
|
||||
# Checks for header files.
|
||||
AC_CHECK_HEADERS([fcntl.h stdint.h stdlib.h string.h unistd.h])
|
||||
|
||||
# Checks for typedefs, structures, and compiler characteristics.
|
||||
AC_TYPE_UID_T
|
||||
AC_TYPE_PID_T
|
||||
AC_TYPE_SSIZE_T
|
||||
AC_TYPE_UINT64_T
|
||||
|
||||
# Checks for library functions.
|
||||
AC_CHECK_FUNCS([strdup strtoull])
|
||||
|
||||
AC_OUTPUT([Makefile])
|
60
get_user_groups.c
Normal file
60
get_user_groups.c
Normal file
@ -0,0 +1,60 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <get_user_groups.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
|
||||
char **get_user_groups(void) {
|
||||
uid_t uid=getuid();
|
||||
struct passwd *pwd=getpwuid(uid);
|
||||
int ngroups=0;
|
||||
char **user_groups=NULL;
|
||||
getgrouplist(pwd->pw_name, pwd->pw_gid, NULL, &ngroups);
|
||||
if (ngroups > 0) {
|
||||
gid_t gids[ngroups];
|
||||
struct group *grp;
|
||||
user_groups = calloc(ngroups+2, sizeof(char *));
|
||||
if (user_groups) {
|
||||
int i=0;
|
||||
user_groups[i++] = strdup(pwd->pw_name);
|
||||
if (getgrouplist(pwd->pw_name, pwd->pw_gid, gids, &ngroups) == ngroups) {
|
||||
while ((grp=getgrent()) != NULL) {
|
||||
int j;
|
||||
for (j=0; j<ngroups; j++) {
|
||||
if (grp->gr_gid == gids[j]) {
|
||||
gids[j] = -1;
|
||||
user_groups[i++] = strdup(grp->gr_name);
|
||||
}
|
||||
}
|
||||
}
|
||||
user_groups[i] = NULL;
|
||||
endgrent();
|
||||
}
|
||||
}
|
||||
}
|
||||
return user_groups;
|
||||
}
|
||||
|
5
get_user_groups.h
Normal file
5
get_user_groups.h
Normal file
@ -0,0 +1,5 @@
|
||||
#ifndef GET_USER_GROUPS_H
|
||||
#define GET_USER_GROUPS_H
|
||||
|
||||
char **get_user_groups(void);
|
||||
#endif
|
42
pam_check.c
Normal file
42
pam_check.c
Normal file
@ -0,0 +1,42 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#define _GNU_SOURCE
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_misc.h>
|
||||
#include <pwd.h>
|
||||
#include <pam_check.h>
|
||||
|
||||
int pam_check(char *username)
|
||||
{
|
||||
pam_handle_t* pamh;
|
||||
struct pam_conv pamc={.conv=&misc_conv, .appdata_ptr=NULL};
|
||||
int rv;
|
||||
|
||||
pam_start ("capdo", username, &pamc, &pamh);
|
||||
rv= pam_authenticate (pamh, 0);
|
||||
pam_end (pamh, 0);
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
4
pam_check.h
Normal file
4
pam_check.h
Normal file
@ -0,0 +1,4 @@
|
||||
#ifndef PAM_CHECK_H
|
||||
#define PAM_CHECK_H
|
||||
int pam_check(char *username);
|
||||
#endif
|
116
read_conf.c
Normal file
116
read_conf.c
Normal file
@ -0,0 +1,116 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
#include <read_conf.h>
|
||||
#include <set_ambient_cap.h>
|
||||
#include <capset_from_namelist.h>
|
||||
|
||||
#ifndef CONFDIR
|
||||
#define CONFDIR "/etc"
|
||||
#endif
|
||||
|
||||
#define CADO_CONF CONFDIR "/cado.conf"
|
||||
|
||||
static int groupmatch (char *group, char **grouplist) {
|
||||
for (;*grouplist; grouplist++) {
|
||||
//printf("%s %s\n",group, *grouplist);
|
||||
if (strcmp(group, *grouplist) == 0)
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
uint64_t get_authorized_caps(char **user_groups) {
|
||||
uint64_t ok_caps=0;
|
||||
FILE *f;
|
||||
if (user_groups) raise_cap_dac_read_search();
|
||||
f=fopen(CADO_CONF, "r");
|
||||
if (f) {
|
||||
char *line=NULL;
|
||||
ssize_t len,n=0;
|
||||
while ((len=getline(&line, &n, f)) > 0) {
|
||||
//printf("%s",line);
|
||||
char *scan=line;
|
||||
char *tok;
|
||||
uint64_t capset;
|
||||
char *tmptok;
|
||||
while (isspace(*scan)) scan++;
|
||||
if (*scan == 0 || *scan == '#') //comment
|
||||
continue;
|
||||
tok=strtok_r(scan, ":", &tmptok);
|
||||
//printf("%s\n",tok);
|
||||
capset=0;
|
||||
if (capset_from_namelist(tok, &capset) < 0)
|
||||
continue;
|
||||
if (user_groups == NULL) {
|
||||
ok_caps |= capset;
|
||||
continue;
|
||||
}
|
||||
//printf("CAP %s %d\n",tok,thiscap);
|
||||
while ((tok=strtok_r(NULL, ",\n ",&tmptok)) != NULL) {
|
||||
//printf("XX %s\n",tok);
|
||||
if (*tok=='@') {
|
||||
if (groupmatch(tok+1, user_groups+1)) {
|
||||
ok_caps |= capset;
|
||||
break;
|
||||
}
|
||||
} else if (strcmp(tok, user_groups[0]) == 0) {
|
||||
ok_caps |= capset;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
fclose(f);
|
||||
if (line)
|
||||
free(line);
|
||||
}
|
||||
if (user_groups) lower_cap_dac_read_search();
|
||||
return ok_caps;
|
||||
}
|
||||
|
||||
int set_self_capability(uint64_t capset) {
|
||||
cap_value_t cap;
|
||||
cap_t caps=cap_init();
|
||||
int f,rv=-1;
|
||||
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||
if (capset & (1ULL << cap)) {
|
||||
/*if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_SET) ||
|
||||
cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET)) {*/
|
||||
if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_SET)) {
|
||||
fprintf(stderr, "Cannot set permitted cap %s\n",cap_to_name(cap));
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
}
|
||||
if ((f=open("/proc/self/exe",O_RDONLY)) >= 0) {
|
||||
if (cap_set_fd(f,caps) >= 0)
|
||||
rv=0;
|
||||
close(f);
|
||||
}
|
||||
cap_free(caps);
|
||||
return rv;
|
||||
}
|
9
read_conf.h
Normal file
9
read_conf.h
Normal file
@ -0,0 +1,9 @@
|
||||
#ifndef READ_CONF_H
|
||||
#define READ_CONF_H
|
||||
#include <stdint.h>
|
||||
|
||||
uint64_t get_authorized_caps(char **user_groups);
|
||||
|
||||
int set_self_capability(uint64_t capset);
|
||||
|
||||
#endif
|
63
set_ambient_cap.c
Normal file
63
set_ambient_cap.c
Normal file
@ -0,0 +1,63 @@
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||