mirror of https://github.com/rd235/cado
Initial release (v.0.9)
This commit is contained in:
parent
4311c2e564
commit
68a7dcfa2e
|
@ -0,0 +1,339 @@
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 2, June 1991
|
||||||
|
|
||||||
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||||
|
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The licenses for most software are designed to take away your
|
||||||
|
freedom to share and change it. By contrast, the GNU General Public
|
||||||
|
License is intended to guarantee your freedom to share and change free
|
||||||
|
software--to make sure the software is free for all its users. This
|
||||||
|
General Public License applies to most of the Free Software
|
||||||
|
Foundation's software and to any other program whose authors commit to
|
||||||
|
using it. (Some other Free Software Foundation software is covered by
|
||||||
|
the GNU Library General Public License instead.) You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
this service if you wish), that you receive source code or can get it
|
||||||
|
if you want it, that you can change the software or use pieces of it
|
||||||
|
in new free programs; and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to make restrictions that forbid
|
||||||
|
anyone to deny you these rights or to ask you to surrender the rights.
|
||||||
|
These restrictions translate to certain responsibilities for you if you
|
||||||
|
distribute copies of the software, or if you modify it.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must give the recipients all the rights that
|
||||||
|
you have. You must make sure that they, too, receive or can get the
|
||||||
|
source code. And you must show them these terms so they know their
|
||||||
|
rights.
|
||||||
|
|
||||||
|
We protect your rights with two steps: (1) copyright the software, and
|
||||||
|
(2) offer you this license which gives you legal permission to copy,
|
||||||
|
distribute and/or modify the software.
|
||||||
|
|
||||||
|
Also, for each author's protection and ours, we want to make certain
|
||||||
|
that everyone understands that there is no warranty for this free
|
||||||
|
software. If the software is modified by someone else and passed on, we
|
||||||
|
want its recipients to know that what they have is not the original, so
|
||||||
|
that any problems introduced by others will not reflect on the original
|
||||||
|
authors' reputations.
|
||||||
|
|
||||||
|
Finally, any free program is threatened constantly by software
|
||||||
|
patents. We wish to avoid the danger that redistributors of a free
|
||||||
|
program will individually obtain patent licenses, in effect making the
|
||||||
|
program proprietary. To prevent this, we have made it clear that any
|
||||||
|
patent must be licensed for everyone's free use or not licensed at all.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
|
0. This License applies to any program or other work which contains
|
||||||
|
a notice placed by the copyright holder saying it may be distributed
|
||||||
|
under the terms of this General Public License. The "Program", below,
|
||||||
|
refers to any such program or work, and a "work based on the Program"
|
||||||
|
means either the Program or any derivative work under copyright law:
|
||||||
|
that is to say, a work containing the Program or a portion of it,
|
||||||
|
either verbatim or with modifications and/or translated into another
|
||||||
|
language. (Hereinafter, translation is included without limitation in
|
||||||
|
the term "modification".) Each licensee is addressed as "you".
|
||||||
|
|
||||||
|
Activities other than copying, distribution and modification are not
|
||||||
|
covered by this License; they are outside its scope. The act of
|
||||||
|
running the Program is not restricted, and the output from the Program
|
||||||
|
is covered only if its contents constitute a work based on the
|
||||||
|
Program (independent of having been made by running the Program).
|
||||||
|
Whether that is true depends on what the Program does.
|
||||||
|
|
||||||
|
1. You may copy and distribute verbatim copies of the Program's
|
||||||
|
source code as you receive it, in any medium, provided that you
|
||||||
|
conspicuously and appropriately publish on each copy an appropriate
|
||||||
|
copyright notice and disclaimer of warranty; keep intact all the
|
||||||
|
notices that refer to this License and to the absence of any warranty;
|
||||||
|
and give any other recipients of the Program a copy of this License
|
||||||
|
along with the Program.
|
||||||
|
|
||||||
|
You may charge a fee for the physical act of transferring a copy, and
|
||||||
|
you may at your option offer warranty protection in exchange for a fee.
|
||||||
|
|
||||||
|
2. You may modify your copy or copies of the Program or any portion
|
||||||
|
of it, thus forming a work based on the Program, and copy and
|
||||||
|
distribute such modifications or work under the terms of Section 1
|
||||||
|
above, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) You must cause the modified files to carry prominent notices
|
||||||
|
stating that you changed the files and the date of any change.
|
||||||
|
|
||||||
|
b) You must cause any work that you distribute or publish, that in
|
||||||
|
whole or in part contains or is derived from the Program or any
|
||||||
|
part thereof, to be licensed as a whole at no charge to all third
|
||||||
|
parties under the terms of this License.
|
||||||
|
|
||||||
|
c) If the modified program normally reads commands interactively
|
||||||
|
when run, you must cause it, when started running for such
|
||||||
|
interactive use in the most ordinary way, to print or display an
|
||||||
|
announcement including an appropriate copyright notice and a
|
||||||
|
notice that there is no warranty (or else, saying that you provide
|
||||||
|
a warranty) and that users may redistribute the program under
|
||||||
|
these conditions, and telling the user how to view a copy of this
|
||||||
|
License. (Exception: if the Program itself is interactive but
|
||||||
|
does not normally print such an announcement, your work based on
|
||||||
|
the Program is not required to print an announcement.)
|
||||||
|
|
||||||
|
These requirements apply to the modified work as a whole. If
|
||||||
|
identifiable sections of that work are not derived from the Program,
|
||||||
|
and can be reasonably considered independent and separate works in
|
||||||
|
themselves, then this License, and its terms, do not apply to those
|
||||||
|
sections when you distribute them as separate works. But when you
|
||||||
|
distribute the same sections as part of a whole which is a work based
|
||||||
|
on the Program, the distribution of the whole must be on the terms of
|
||||||
|
this License, whose permissions for other licensees extend to the
|
||||||
|
entire whole, and thus to each and every part regardless of who wrote it.
|
||||||
|
|
||||||
|
Thus, it is not the intent of this section to claim rights or contest
|
||||||
|
your rights to work written entirely by you; rather, the intent is to
|
||||||
|
exercise the right to control the distribution of derivative or
|
||||||
|
collective works based on the Program.
|
||||||
|
|
||||||
|
In addition, mere aggregation of another work not based on the Program
|
||||||
|
with the Program (or with a work based on the Program) on a volume of
|
||||||
|
a storage or distribution medium does not bring the other work under
|
||||||
|
the scope of this License.
|
||||||
|
|
||||||
|
3. You may copy and distribute the Program (or a work based on it,
|
||||||
|
under Section 2) in object code or executable form under the terms of
|
||||||
|
Sections 1 and 2 above provided that you also do one of the following:
|
||||||
|
|
||||||
|
a) Accompany it with the complete corresponding machine-readable
|
||||||
|
source code, which must be distributed under the terms of Sections
|
||||||
|
1 and 2 above on a medium customarily used for software interchange; or,
|
||||||
|
|
||||||
|
b) Accompany it with a written offer, valid for at least three
|
||||||
|
years, to give any third party, for a charge no more than your
|
||||||
|
cost of physically performing source distribution, a complete
|
||||||
|
machine-readable copy of the corresponding source code, to be
|
||||||
|
distributed under the terms of Sections 1 and 2 above on a medium
|
||||||
|
customarily used for software interchange; or,
|
||||||
|
|
||||||
|
c) Accompany it with the information you received as to the offer
|
||||||
|
to distribute corresponding source code. (This alternative is
|
||||||
|
allowed only for noncommercial distribution and only if you
|
||||||
|
received the program in object code or executable form with such
|
||||||
|
an offer, in accord with Subsection b above.)
|
||||||
|
|
||||||
|
The source code for a work means the preferred form of the work for
|
||||||
|
making modifications to it. For an executable work, complete source
|
||||||
|
code means all the source code for all modules it contains, plus any
|
||||||
|
associated interface definition files, plus the scripts used to
|
||||||
|
control compilation and installation of the executable. However, as a
|
||||||
|
special exception, the source code distributed need not include
|
||||||
|
anything that is normally distributed (in either source or binary
|
||||||
|
form) with the major components (compiler, kernel, and so on) of the
|
||||||
|
operating system on which the executable runs, unless that component
|
||||||
|
itself accompanies the executable.
|
||||||
|
|
||||||
|
If distribution of executable or object code is made by offering
|
||||||
|
access to copy from a designated place, then offering equivalent
|
||||||
|
access to copy the source code from the same place counts as
|
||||||
|
distribution of the source code, even though third parties are not
|
||||||
|
compelled to copy the source along with the object code.
|
||||||
|
|
||||||
|
4. You may not copy, modify, sublicense, or distribute the Program
|
||||||
|
except as expressly provided under this License. Any attempt
|
||||||
|
otherwise to copy, modify, sublicense or distribute the Program is
|
||||||
|
void, and will automatically terminate your rights under this License.
|
||||||
|
However, parties who have received copies, or rights, from you under
|
||||||
|
this License will not have their licenses terminated so long as such
|
||||||
|
parties remain in full compliance.
|
||||||
|
|
||||||
|
5. You are not required to accept this License, since you have not
|
||||||
|
signed it. However, nothing else grants you permission to modify or
|
||||||
|
distribute the Program or its derivative works. These actions are
|
||||||
|
prohibited by law if you do not accept this License. Therefore, by
|
||||||
|
modifying or distributing the Program (or any work based on the
|
||||||
|
Program), you indicate your acceptance of this License to do so, and
|
||||||
|
all its terms and conditions for copying, distributing or modifying
|
||||||
|
the Program or works based on it.
|
||||||
|
|
||||||
|
6. Each time you redistribute the Program (or any work based on the
|
||||||
|
Program), the recipient automatically receives a license from the
|
||||||
|
original licensor to copy, distribute or modify the Program subject to
|
||||||
|
these terms and conditions. You may not impose any further
|
||||||
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
|
You are not responsible for enforcing compliance by third parties to
|
||||||
|
this License.
|
||||||
|
|
||||||
|
7. If, as a consequence of a court judgment or allegation of patent
|
||||||
|
infringement or for any other reason (not limited to patent issues),
|
||||||
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot
|
||||||
|
distribute so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you
|
||||||
|
may not distribute the Program at all. For example, if a patent
|
||||||
|
license would not permit royalty-free redistribution of the Program by
|
||||||
|
all those who receive copies directly or indirectly through you, then
|
||||||
|
the only way you could satisfy both it and this License would be to
|
||||||
|
refrain entirely from distribution of the Program.
|
||||||
|
|
||||||
|
If any portion of this section is held invalid or unenforceable under
|
||||||
|
any particular circumstance, the balance of the section is intended to
|
||||||
|
apply and the section as a whole is intended to apply in other
|
||||||
|
circumstances.
|
||||||
|
|
||||||
|
It is not the purpose of this section to induce you to infringe any
|
||||||
|
patents or other property right claims or to contest validity of any
|
||||||
|
such claims; this section has the sole purpose of protecting the
|
||||||
|
integrity of the free software distribution system, which is
|
||||||
|
implemented by public license practices. Many people have made
|
||||||
|
generous contributions to the wide range of software distributed
|
||||||
|
through that system in reliance on consistent application of that
|
||||||
|
system; it is up to the author/donor to decide if he or she is willing
|
||||||
|
to distribute software through any other system and a licensee cannot
|
||||||
|
impose that choice.
|
||||||
|
|
||||||
|
This section is intended to make thoroughly clear what is believed to
|
||||||
|
be a consequence of the rest of this License.
|
||||||
|
|
||||||
|
8. If the distribution and/or use of the Program is restricted in
|
||||||
|
certain countries either by patents or by copyrighted interfaces, the
|
||||||
|
original copyright holder who places the Program under this License
|
||||||
|
may add an explicit geographical distribution limitation excluding
|
||||||
|
those countries, so that distribution is permitted only in or among
|
||||||
|
countries not thus excluded. In such case, this License incorporates
|
||||||
|
the limitation as if written in the body of this License.
|
||||||
|
|
||||||
|
9. The Free Software Foundation may publish revised and/or new versions
|
||||||
|
of the General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Program
|
||||||
|
specifies a version number of this License which applies to it and "any
|
||||||
|
later version", you have the option of following the terms and conditions
|
||||||
|
either of that version or of any later version published by the Free
|
||||||
|
Software Foundation. If the Program does not specify a version number of
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
to ask for permission. For software which is copyrighted by the Free
|
||||||
|
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||||
|
make exceptions for this. Our decision will be guided by the two goals
|
||||||
|
of preserving the free status of all derivatives of our free software and
|
||||||
|
of promoting the sharing and reuse of software generally.
|
||||||
|
|
||||||
|
NO WARRANTY
|
||||||
|
|
||||||
|
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||||
|
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||||
|
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||||
|
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||||
|
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||||
|
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||||
|
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||||
|
REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||||
|
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||||
|
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||||
|
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||||
|
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||||
|
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||||
|
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||||
|
POSSIBILITY OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
Appendix: How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
convey the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) 19yy <name of author>
|
||||||
|
|
||||||
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation; either version 2 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License along
|
||||||
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
|
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program is interactive, make it output a short notice like this
|
||||||
|
when it starts in an interactive mode:
|
||||||
|
|
||||||
|
Gnomovision version 69, Copyright (C) 19yy name of author
|
||||||
|
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, the commands you use may
|
||||||
|
be called something other than `show w' and `show c'; they could even be
|
||||||
|
mouse-clicks or menu items--whatever suits your program.
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or your
|
||||||
|
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||||
|
necessary. Here is a sample; alter the names:
|
||||||
|
|
||||||
|
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||||
|
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||||
|
|
||||||
|
<signature of Ty Coon>, 1 April 1989
|
||||||
|
Ty Coon, President of Vice
|
||||||
|
|
||||||
|
This General Public License does not permit incorporating your program into
|
||||||
|
proprietary programs. If your program is a subroutine library, you may
|
||||||
|
consider it more useful to permit linking proprietary applications with the
|
||||||
|
library. If this is what you want to do, use the GNU Library General
|
||||||
|
Public License instead of this License.
|
|
@ -0,0 +1,9 @@
|
||||||
|
bin_PROGRAMS = cado caprint
|
||||||
|
|
||||||
|
cado_SOURCES = cado.c pam_check.c get_user_groups.c capset_from_namelist.c read_conf.c set_ambient_cap.c
|
||||||
|
|
||||||
|
cado_LDADD = -lpam -lpam_misc -lcap
|
||||||
|
|
||||||
|
caprint_LDADD = -lcap
|
||||||
|
|
||||||
|
man_MANS = cado.1 caprint.1 cado.conf.5
|
|
@ -0,0 +1,194 @@
|
||||||
|
introducing CADO: Capability DO.
|
||||||
|
|
||||||
|
Cado permits to delegate capabilities to users.
|
||||||
|
|
||||||
|
Cado is a capability based sudo. Sudo allows authorized users to run programs
|
||||||
|
as root (or as another user), cado allows authorized users to run programs with
|
||||||
|
specific (ambient) capabilities.
|
||||||
|
|
||||||
|
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||||
|
|
||||||
|
INSTALL:
|
||||||
|
|
||||||
|
get the source code, from the root of the source tree run:
|
||||||
|
|
||||||
|
$ autoreconf -if
|
||||||
|
$ ./configure
|
||||||
|
$ make
|
||||||
|
$ sudo make install
|
||||||
|
|
||||||
|
It installs two programs in /usr/local/bin: cado and caprint.
|
||||||
|
If you want to install the programs in /usr/bin run "./configure --prefix=/usr" instead of "./configure".
|
||||||
|
|
||||||
|
Cado needs a configuration file: /etc/cado.conf with the following syntax:
|
||||||
|
* lines beginning with # are comments
|
||||||
|
* all the other lines have two fields separated by :, the first field is a capability or a list of
|
||||||
|
capabilities, the second field is a list of users or groups (group names have @ as a prefix).
|
||||||
|
Capabilities can be written with or without the cap_ prefix (net_admin means cap_net_admin).
|
||||||
|
|
||||||
|
Example of /etc/cado.conf file:
|
||||||
|
---------------------------------------------
|
||||||
|
# Capability Ambient DO configuration file
|
||||||
|
# cado.conf
|
||||||
|
|
||||||
|
net_admin: @netadmin,renzo
|
||||||
|
cap_kill: renzo
|
||||||
|
--------------------------------------------
|
||||||
|
|
||||||
|
The file above allows the user renzo and all the members of the group named netadmin to run programs
|
||||||
|
neeeding the cap_net_admin capability.
|
||||||
|
The user renzo can also run programs requiring cap_kill.
|
||||||
|
The file /etc/cado.conf can be owned by root and have no rw permission for users.
|
||||||
|
|
||||||
|
|
||||||
|
It is also possible to use lists of capabilities:
|
||||||
|
setgid,setuid: giovanni
|
||||||
|
|
||||||
|
or exadecimal masks:
|
||||||
|
c0: giovanni,@idgroup
|
||||||
|
|
||||||
|
|
||||||
|
$ ls -l /etc/cado.conf
|
||||||
|
-rw------- 1 root root 100 Jun 19 17:11 /etc/cado.conf
|
||||||
|
|
||||||
|
IMPORTANT.
|
||||||
|
Cado has been designed to work using the minimum set of capability required for its services.
|
||||||
|
(following the principle of least privilege).
|
||||||
|
Cado itself is not a seuid executable, it uses the capability mechanism and it has an options to
|
||||||
|
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
|
||||||
|
recomputed using the following command:
|
||||||
|
$ sudo cado -s
|
||||||
|
or
|
||||||
|
$ sudo cado -sv
|
||||||
|
(this latter command is verbose and shows the set of capabilties assigned to the capo executable file).
|
||||||
|
|
||||||
|
using the example configuration file above, capo would be assigned the following capabilities:
|
||||||
|
$ sudo cado -sv
|
||||||
|
Capability needed by cado:
|
||||||
|
2 0000000000000004 cap_dac_read_search
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001024
|
||||||
|
$ /sbin/getcap /usr/local/bin/cado
|
||||||
|
/usr/local/bin/cado = cap_dac_read_search,cap_kill,cap_net_admin+p
|
||||||
|
|
||||||
|
-----------------------------------------------------------------
|
||||||
|
|
||||||
|
The syntax of cado is simple:
|
||||||
|
$ cado [options] set_of_capabilities command [args]
|
||||||
|
|
||||||
|
for example if the user renzo wants to run a shell having the cap_net_admin capability enabled he can type
|
||||||
|
the following command:
|
||||||
|
$ cado net_admin bash
|
||||||
|
Password:
|
||||||
|
$
|
||||||
|
|
||||||
|
the user will be requested to authenticate himself. If the user has the right to enable cap_net_admin (from the
|
||||||
|
cado.conf configuration file) and he typed in the correct password, cado starts a new shell with the requested
|
||||||
|
capability enabled.
|
||||||
|
|
||||||
|
It is possible define the set_of_capabilities using a list of capabilities (with or without the cap_prefix)
|
||||||
|
or exadecimal masks.
|
||||||
|
|
||||||
|
In the new shell the user can do all the operations permitted by the enabled capabilities,
|
||||||
|
in this case, for example, he will be allowed to change the networking configuration, add tuntap
|
||||||
|
interfaces and so on.
|
||||||
|
|
||||||
|
It is possible to show the ambient capability set of a program by reading the /proc/####/status file:
|
||||||
|
e.g.:
|
||||||
|
$ grep CapAmb /proc/$$/status
|
||||||
|
CapAmb: 0000000000001000
|
||||||
|
|
||||||
|
(cap_net_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
|
||||||
|
|
||||||
|
-----------------------------------------------------------------
|
||||||
|
|
||||||
|
caprint is a simple program which shows the ambient capabilities of a running program.
|
||||||
|
(a pid of a running process can be specified as an optional parameter, otherwise it shows the capabilities
|
||||||
|
of caprint itself)
|
||||||
|
|
||||||
|
$ caprint
|
||||||
|
cap_net_admin
|
||||||
|
|
||||||
|
$ caprint -l
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
|
||||||
|
There is an option -p that has been designed to add the current set of ambient capabilities to the shell prompt,
|
||||||
|
so it is easier for the user to recognize when a shell has some "extra power", so to avoid errors.
|
||||||
|
|
||||||
|
In .bashrc or .bash_profile (or in their system-side counterparts in /etc) it is possible to set rules like
|
||||||
|
the followings:
|
||||||
|
-----------
|
||||||
|
if which caprint >&/dev/null ; then
|
||||||
|
ambient=$(caprint -p)
|
||||||
|
fi
|
||||||
|
|
||||||
|
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$$ambient '
|
||||||
|
-----------
|
||||||
|
|
||||||
|
The prompt becomes something like:
|
||||||
|
renzo@host:~$net_admin#
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
|
||||||
|
Some secondary features:
|
||||||
|
|
||||||
|
The -v feature shows the set of available capabilities:
|
||||||
|
$ cado -v
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
|
||||||
|
$ cado -v net_admin,kill bash
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Requested ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Password:
|
||||||
|
|
||||||
|
|
||||||
|
It is useful to show which capability/ies cannot be granted:
|
||||||
|
$ cado net_admin,kill,setuid bash
|
||||||
|
cado: Permission denied
|
||||||
|
|
||||||
|
$ cado -v net_admin,kill,setuid bash
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Requested ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
00000000000010a0
|
||||||
|
Unavailable ambient capabilities:
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
cado: Permission denied
|
||||||
|
|
||||||
|
It is possible to enable only the capability allowed by setting the -q option
|
||||||
|
(with or without -v). Using -q cado does not fail.
|
||||||
|
|
||||||
|
$ cado -qv net_admin,kill,setuid bash
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Requested ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
00000000000010a0
|
||||||
|
Unavailable ambient capabilities:
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
Password:
|
||||||
|
Granted ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
renzo@eipi:~/tests/cado/pre$kill,net_admin#
|
||||||
|
|
216
README.md
216
README.md
|
@ -1,2 +1,218 @@
|
||||||
# cado
|
# cado
|
||||||
CADO: Capability DO (like a sudo providing users with just the capabilities they need)
|
CADO: Capability DO (like a sudo providing users with just the capabilities they need)
|
||||||
|
|
||||||
|
Cado permits to delegate capabilities to users.
|
||||||
|
|
||||||
|
Cado is a capability based sudo. Sudo allows authorized users to run programs
|
||||||
|
as root (or as another user), cado allows authorized users to run programs with
|
||||||
|
specific (ambient) capabilities.
|
||||||
|
|
||||||
|
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||||
|
|
||||||
|
INSTALL:
|
||||||
|
|
||||||
|
get the source code, from the root of the source tree run:
|
||||||
|
```
|
||||||
|
$ autoreconf -if
|
||||||
|
$ ./configure
|
||||||
|
$ make
|
||||||
|
$ sudo make install
|
||||||
|
```
|
||||||
|
|
||||||
|
It installs two programs in /usr/local/bin: cado and caprint.
|
||||||
|
If you want to install the programs in /usr/bin run "./configure --prefix=/usr" instead of "./configure".
|
||||||
|
|
||||||
|
Cado needs a configuration file: /etc/cado.conf with the following syntax:
|
||||||
|
- lines beginning with # are comments
|
||||||
|
- all the other lines have two fields separated by :, the first field is a capability or a list of
|
||||||
|
capabilities, the second field is a list of users or groups (group names have @ as a prefix).
|
||||||
|
Capabilities can be written with or without the cap_ prefix (net_admin means cap_net_admin).
|
||||||
|
|
||||||
|
Example of /etc/cado.conf file:
|
||||||
|
```
|
||||||
|
# Capability Ambient DO configuration file
|
||||||
|
# cado.conf
|
||||||
|
|
||||||
|
net_admin: @netadmin,renzo
|
||||||
|
cap_kill: renzo
|
||||||
|
```
|
||||||
|
|
||||||
|
The file above allows the user renzo and all the members of the group named netadmin to run programs
|
||||||
|
neeeding the cap_net_admin capability.
|
||||||
|
The user renzo can also run programs requiring cap_kill.
|
||||||
|
The file /etc/cado.conf can be owned by root and have no rw permission for users.
|
||||||
|
|
||||||
|
|
||||||
|
It is also possible to use lists of capabilities:
|
||||||
|
```
|
||||||
|
setgid,setuid: giovanni
|
||||||
|
```
|
||||||
|
|
||||||
|
or exadecimal masks:
|
||||||
|
```
|
||||||
|
c0: giovanni,@idgroup
|
||||||
|
```
|
||||||
|
|
||||||
|
IMPORTANT.
|
||||||
|
Cado has been designed to work using the minimum set of capability required for its services.
|
||||||
|
(following the principle of least privilege).
|
||||||
|
```
|
||||||
|
$ ls -l /etc/cado.conf
|
||||||
|
-rw------- 1 root root 100 Jun 19 17:11 /etc/cado.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
Cado itself is not a seuid executable, it uses the capability mechanism and it has an options to
|
||||||
|
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
|
||||||
|
recomputed using the following command:
|
||||||
|
```
|
||||||
|
$ sudo cado -s
|
||||||
|
```
|
||||||
|
or
|
||||||
|
```
|
||||||
|
$ sudo cado -sv
|
||||||
|
```
|
||||||
|
(this latter command is verbose and shows the set of capabilties assigned to the capo executable file).
|
||||||
|
|
||||||
|
using the example configuration file above, capo would be assigned the following capabilities:
|
||||||
|
```
|
||||||
|
$ sudo cado -sv
|
||||||
|
Capability needed by cado:
|
||||||
|
2 0000000000000004 cap_dac_read_search
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001024
|
||||||
|
$ /sbin/getcap /usr/local/bin/cado
|
||||||
|
/usr/local/bin/cado = cap_dac_read_search,cap_kill,cap_net_admin+p
|
||||||
|
```
|
||||||
|
---
|
||||||
|
|
||||||
|
The syntax of cado is simple:
|
||||||
|
```
|
||||||
|
$ cado [options] set_of_capabilities command [args]
|
||||||
|
```
|
||||||
|
|
||||||
|
for example if the user renzo wants to run a shell having the cap_net_admin capability enabled he can type
|
||||||
|
the following command:
|
||||||
|
```
|
||||||
|
$ cado net_admin bash
|
||||||
|
Password:
|
||||||
|
$
|
||||||
|
```
|
||||||
|
|
||||||
|
the user will be requested to authenticate himself. If the user has the right to enable cap_net_admin (from the
|
||||||
|
cado.conf configuration file) and he typed in the correct password, cado starts a new shell with the requested
|
||||||
|
capability enabled.
|
||||||
|
|
||||||
|
It is possible define the set_of_capabilities using a list of capabilities (with or without the cap_prefix)
|
||||||
|
or exadecimal masks.
|
||||||
|
|
||||||
|
In the new shell the user can do all the operations permitted by the enabled capabilities,
|
||||||
|
in this case, for example, he will be allowed to change the networking configuration, add tuntap
|
||||||
|
interfaces and so on.
|
||||||
|
|
||||||
|
It is possible to show the ambient capability set of a program by reading the /proc/####/status file:
|
||||||
|
e.g.:
|
||||||
|
```
|
||||||
|
$ grep CapAmb /proc/$$/status
|
||||||
|
CapAmb: 0000000000001000
|
||||||
|
```
|
||||||
|
|
||||||
|
(cap_net_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
caprint is a simple program which shows the ambient capabilities of a running program.
|
||||||
|
(a pid of a running process can be specified as an optional parameter, otherwise it shows the capabilities
|
||||||
|
of caprint itself)
|
||||||
|
|
||||||
|
```
|
||||||
|
$ caprint
|
||||||
|
cap_net_admin
|
||||||
|
|
||||||
|
$ caprint -l
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
```
|
||||||
|
|
||||||
|
There is an option -p that has been designed to add the current set of ambient capabilities to the shell prompt,
|
||||||
|
so it is easier for the user to recognize when a shell has some "extra power", so to avoid errors.
|
||||||
|
|
||||||
|
In .bashrc or .bash_profile (or in their system-side counterparts in /etc) it is possible to set rules like
|
||||||
|
the followings:
|
||||||
|
```
|
||||||
|
if which caprint >&/dev/null ; then
|
||||||
|
ambient=$(caprint -p)
|
||||||
|
fi
|
||||||
|
|
||||||
|
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$$ambient '
|
||||||
|
```
|
||||||
|
|
||||||
|
The prompt becomes something like:
|
||||||
|
```
|
||||||
|
renzo@host:~$net_admin#
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
Some secondary features:
|
||||||
|
|
||||||
|
The -v feature shows the set of available capabilities:
|
||||||
|
```
|
||||||
|
$ cado -v
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
|
||||||
|
$ cado -v net_admin,kill bash
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Requested ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Password:
|
||||||
|
```
|
||||||
|
|
||||||
|
It is useful to show which capability/ies cannot be granted:
|
||||||
|
```
|
||||||
|
$ cado net_admin,kill,setuid bash
|
||||||
|
cado: Permission denied
|
||||||
|
|
||||||
|
$ cado -v net_admin,kill,setuid bash
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Requested ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
00000000000010a0
|
||||||
|
Unavailable ambient capabilities:
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
cado: Permission denied
|
||||||
|
```
|
||||||
|
It is possible to enable only the capability allowed by setting the -q option
|
||||||
|
(with or without -v). Using -q cado does not fail.
|
||||||
|
```
|
||||||
|
$ cado -qv net_admin,kill,setuid bash
|
||||||
|
Allowed ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
Requested ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
00000000000010a0
|
||||||
|
Unavailable ambient capabilities:
|
||||||
|
7 0000000000000080 cap_setuid
|
||||||
|
Password:
|
||||||
|
Granted ambient capabilities:
|
||||||
|
5 0000000000000020 cap_kill
|
||||||
|
12 0000000000001000 cap_net_admin
|
||||||
|
0000000000001020
|
||||||
|
renzo@host:~/tests/cado/pre$kill,net_admin#
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
.TH CADO 1 "June 23, 2016" "VirtualSquare Labs"
|
||||||
|
.SH NAME
|
||||||
|
cado \- Capability Ambient DO
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.B cado
|
||||||
|
[
|
||||||
|
.I OPTIONS
|
||||||
|
]
|
||||||
|
[
|
||||||
|
.I capability_list
|
||||||
|
.I command
|
||||||
|
[
|
||||||
|
.I args
|
||||||
|
]
|
||||||
|
]
|
||||||
|
|
||||||
|
.SH DESCRIPTION
|
||||||
|
Cado permits to delegate capabilities to users.
|
||||||
|
Cado is a capability based sudo. Sudo allows authorized users to run programs as root (or as another user),
|
||||||
|
cado allows authorized users to run programs with specific (ambient) capabilities.
|
||||||
|
|
||||||
|
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||||
|
|
||||||
|
\fIcapability_list\fR is a comma separated list of capability names or capability masks (exadecimal numbers).
|
||||||
|
For brevity, the \fBcap_\fR prefix of capability names can be omitted (e.g. \fBnet_admin\fR and \fBcap_net_admin\fR
|
||||||
|
have the same meaning).
|
||||||
|
|
||||||
|
If it is allowed for the current user to run processes with the requested capabilities, the user is asked to
|
||||||
|
type their password (or to authenticate themselves as required by pam).
|
||||||
|
Once the authentication succeeds, \fBcado\fR executes the command granting the required ambient capabilities.
|
||||||
|
|
||||||
|
The file /etc/cado.conf (see \fBcado.conf\fR(5)) defines which capabilities can be provided by \fBcado\fR to each user.
|
||||||
|
Cado itself is not a seuid executable, it uses the capability mechanism and it has an options to
|
||||||
|
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
|
||||||
|
recomputed by root using the command \fBcado -s\fR or \fBcado --setcap\fR.
|
||||||
|
|
||||||
|
.SH OPTIONS
|
||||||
|
.I cado
|
||||||
|
accepts the following options:
|
||||||
|
.TP
|
||||||
|
\fB\-v
|
||||||
|
.TQ
|
||||||
|
\fB\-\-verbose
|
||||||
|
run in verbose mode. \fBcado\fR shows the set of allowed capabilities, requested cababilities, unavailable capabilities and
|
||||||
|
(in case of -s) the set of capabilities assigned to \fBcado.conf\fR itself.
|
||||||
|
.TP
|
||||||
|
\fB\-q
|
||||||
|
.TQ
|
||||||
|
\fB\-\-quiet
|
||||||
|
do not fail in case the user asks for unavailable capabilities, \fBcado.conf\fR in this case grants the intersection between the
|
||||||
|
set of requested cababilities and the set of allowed capabilities
|
||||||
|
.TP
|
||||||
|
\fB\-s
|
||||||
|
.TQ
|
||||||
|
\fB\-\-setcap
|
||||||
|
\fBcado\fR computes the miminal set of capability required by itself and sets the file capability of the cado executable.
|
||||||
|
.TP
|
||||||
|
\fB\-h
|
||||||
|
.TQ
|
||||||
|
\fB\-\-help
|
||||||
|
print a short usage banner and exit.
|
||||||
|
|
||||||
|
.SH SEE ALSO
|
||||||
|
\fBcado.conf\fR(5),
|
||||||
|
\fBcaprint\fR(1),
|
||||||
|
\fBcapabilities\fR(7)
|
||||||
|
|
|
@ -0,0 +1,156 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <getopt.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <libgen.h>
|
||||||
|
#include <pam_check.h>
|
||||||
|
#include <get_user_groups.h>
|
||||||
|
#include <capset_from_namelist.h>
|
||||||
|
#include <read_conf.h>
|
||||||
|
#include <set_ambient_cap.h>
|
||||||
|
|
||||||
|
static void printcapset(uint64_t capset, char *indent) {
|
||||||
|
cap_value_t cap;
|
||||||
|
int count=0;
|
||||||
|
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||||
|
if (capset & (1ULL << cap)) {
|
||||||
|
count ++;
|
||||||
|
printf("%s%2d %016llx %s\n",indent,cap,1ULL<<cap,cap_to_name(cap));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (count > 1)
|
||||||
|
printf("%s %016llx\n",indent,capset);
|
||||||
|
}
|
||||||
|
|
||||||
|
#define OPTSTRING "hqvs"
|
||||||
|
struct option long_options[]={
|
||||||
|
{"help", no_argument, NULL, 'h'},
|
||||||
|
{"quiet", no_argument, NULL, 'q'},
|
||||||
|
{"verbose", no_argument, NULL, 'v'},
|
||||||
|
{"setcap", no_argument, NULL, 'v'},
|
||||||
|
};
|
||||||
|
|
||||||
|
void usage(char *progname) {
|
||||||
|
fprintf(stderr,"%s - execute a command in a different capability ambient\n\n",progname);
|
||||||
|
fprintf(stderr,"usage: %s OPTIONS capability_list command [args]\n\n",progname);
|
||||||
|
fprintf(stderr,"Options:\n");
|
||||||
|
fprintf(stderr," -h, --help display help message and exit\n");
|
||||||
|
fprintf(stderr," -q, --quiet do not display warnings, do what it is allowed\n");
|
||||||
|
fprintf(stderr," -v, --verbose generate extra output\n");
|
||||||
|
fprintf(stderr," -s, --setcap set the minimun caps for %s (root access)\n",progname);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char*argv[])
|
||||||
|
{
|
||||||
|
char *progname=basename(argv[0]);
|
||||||
|
char **user_groups=get_user_groups();
|
||||||
|
uint64_t okcaps=get_authorized_caps(user_groups);
|
||||||
|
uint64_t reqcaps=0;
|
||||||
|
uint64_t grantcap=0;
|
||||||
|
int verbose=0;
|
||||||
|
int quiet=0;
|
||||||
|
int setcap=0;
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
int c=getopt_long(argc, argv, OPTSTRING, long_options, NULL);
|
||||||
|
if (c < 0)
|
||||||
|
break;
|
||||||
|
switch (c) {
|
||||||
|
case 'h': usage(progname);
|
||||||
|
break;
|
||||||
|
case 'v': verbose=1;
|
||||||
|
break;
|
||||||
|
case 'q': quiet=1;
|
||||||
|
break;
|
||||||
|
case 's': setcap=1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (setcap) {
|
||||||
|
if (geteuid() != 0) {
|
||||||
|
fprintf(stderr, "setcap requires root access\n");
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
okcaps = get_authorized_caps(NULL);
|
||||||
|
okcaps |= 1ULL << CAP_DAC_READ_SEARCH;
|
||||||
|
if (verbose) {
|
||||||
|
printf("Capability needed by %s:\n", progname);
|
||||||
|
printcapset(okcaps, " ");
|
||||||
|
}
|
||||||
|
if (set_self_capability(okcaps) < 0) {
|
||||||
|
fprintf(stderr, "Cannot set %s capabilities\n", progname);
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (verbose) {
|
||||||
|
printf("Allowed ambient capabilities:\n");
|
||||||
|
printcapset(okcaps, " ");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (verbose && (argc == optind))
|
||||||
|
exit(0);
|
||||||
|
|
||||||
|
if (argc - optind < 2)
|
||||||
|
usage(progname);
|
||||||
|
|
||||||
|
if (capset_from_namelist(argv[optind], &reqcaps))
|
||||||
|
exit(2);
|
||||||
|
|
||||||
|
if (verbose) {
|
||||||
|
printf("Requested ambient capabilities:\n");
|
||||||
|
printcapset(reqcaps, " ");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (reqcaps & ~okcaps) {
|
||||||
|
if (verbose) {
|
||||||
|
printf("Unavailable ambient capabilities:\n");
|
||||||
|
printcapset(reqcaps & ~okcaps, " ");
|
||||||
|
}
|
||||||
|
if (!quiet) {
|
||||||
|
fprintf(stderr,"%s: Permission denied\n",progname);
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
grantcap = reqcaps & okcaps;
|
||||||
|
|
||||||
|
optind++;
|
||||||
|
|
||||||
|
if (pam_check(user_groups[0]) != 0) {
|
||||||
|
fprintf(stderr,"%s: Authentication failure\n",progname);
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
set_ambient_cap(grantcap);
|
||||||
|
if (verbose && (reqcaps & ~okcaps)) {
|
||||||
|
printf("Granted ambient capabilities:\n");
|
||||||
|
printcapset(grantcap, " ");
|
||||||
|
}
|
||||||
|
execvp(argv[optind],argv+optind);
|
||||||
|
exit(2);
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
# Capability Ambient DO configuration file
|
||||||
|
# cado.conf example
|
||||||
|
|
||||||
|
# syntax list_of_capabilities: list_of_users_or_groups
|
||||||
|
# lists are comma separated
|
||||||
|
# items in list_of_capabilities can be capability names, short capability names (without the cap_ prefix) and exadecimal masks.
|
||||||
|
# using @ as a prefix of a name in list_of_users_or_groups means that it is a groupname instead of a username.
|
||||||
|
|
||||||
|
# net_admin: @netadmin,renzo
|
||||||
|
# net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
|
||||||
|
# cap_kill: renzo
|
|
@ -0,0 +1,43 @@
|
||||||
|
.TH CADO.CONF 5 "June 23, 2016" "VirtualSquare Labs"
|
||||||
|
.SH NAME
|
||||||
|
cado.conf \- Capability Ambient DO: configuration file
|
||||||
|
|
||||||
|
.SH DESCRIPTION
|
||||||
|
The \fB/etc/cado.conf\fR file is used to configure which ambient cabalities can be provided by \fBcado\fR to users.
|
||||||
|
\fBcado\fR uses the capability cap_dac_read_search to access \fB/etc/cado.conf\fR, so this configuration does not
|
||||||
|
need to be readable by users.
|
||||||
|
|
||||||
|
All lines beginning with the sign '#' are comments.
|
||||||
|
|
||||||
|
Non-comment lines have the following syntax
|
||||||
|
.nf
|
||||||
|
\fIlist_of_capabilities\fB:\fI list_of_users_and_groups\fR
|
||||||
|
.fi
|
||||||
|
|
||||||
|
Both \fIlist_of_capabilities\fR and \fIlist_of_users_and_groups\fR are comma separated lists of identifiers.
|
||||||
|
|
||||||
|
Items of \fIlist_of_capabilities\fR are capability names or capability masks (exadecimal numbers).
|
||||||
|
For brevity, the \fBcap_\fR prefix of capability names can be omitted (e.g. \fBnet_admin\fR and \fBcap_net_admin\fR
|
||||||
|
have the same meaning).
|
||||||
|
|
||||||
|
Items of \fIlist_of_users_and_groups\fR are usernames or groupnames (groupnames must be prefexed by '@').
|
||||||
|
|
||||||
|
Example of \fBcado.conf\fR file:
|
||||||
|
|
||||||
|
.ni
|
||||||
|
# Capability Ambient DO configuration file
|
||||||
|
# cado.conf
|
||||||
|
|
||||||
|
net_admin: @netadmin,renzo
|
||||||
|
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
|
||||||
|
cap_kill: renzo
|
||||||
|
.fi
|
||||||
|
|
||||||
|
In this example the renzo's processes can be granted (by \fBcado\fR) cap_net_admin and cap_kill.
|
||||||
|
cap_net_admin can be acquired by processes owned by users belonging to the netadmin group.
|
||||||
|
Users in vxvdex can provide their processes with a subset of cap_net_admin, cap_net_bind_service, cap_net_raw and cap_net_broadcast
|
||||||
|
|
||||||
|
.SH SEE ALSO
|
||||||
|
\fBcado\fR(1),
|
||||||
|
\fBcaprint\fR(1),
|
||||||
|
\fBcapabilities\fR(7)
|
|
@ -0,0 +1,55 @@
|
||||||
|
.TH CAPRINT 1 "June 23, 2016" "VirtualSquare Labs"
|
||||||
|
.SH NAME
|
||||||
|
caprint \- Capability Ambient Print
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.B caprint
|
||||||
|
[
|
||||||
|
OPTIONS
|
||||||
|
]
|
||||||
|
[
|
||||||
|
.I pid
|
||||||
|
]
|
||||||
|
|
||||||
|
.SH DESCRIPTION
|
||||||
|
\fBcaprint\fR shows the ambient capabilities of a running program (whose pid can be specified as an optional parameter, otherwise \fBcaprint\fR
|
||||||
|
shows the capabilities of caprint itself).
|
||||||
|
|
||||||
|
.SH OPTIONS
|
||||||
|
.I caprint
|
||||||
|
accepts the following options:
|
||||||
|
.TP
|
||||||
|
\fB\-l
|
||||||
|
.TQ
|
||||||
|
\fB\-\-long
|
||||||
|
run in verbose mode. \fBcaprint\fR shows the bitmask for each capability owned by the process and the resulting mask of the capability set.
|
||||||
|
.TP
|
||||||
|
\fB\-c
|
||||||
|
.TQ
|
||||||
|
\fB\-\-compact
|
||||||
|
emit a compact output (a single line composed of a comma separated list of the capability short names). This output can be copied as a
|
||||||
|
capability list for the command \fBcado\fR(1).
|
||||||
|
.TP
|
||||||
|
\fB\-p
|
||||||
|
.TQ
|
||||||
|
\fB\-\-prompt
|
||||||
|
this option has been created to provide users with a suitable shell prompt to warn the users of the extra capabilities granted to that shell
|
||||||
|
(and of the extra danger in case of running wrong commands).
|
||||||
|
As an example, it is possible to set the \fBbash\fR prompt editing the \fB.bashrc\fR in the user's home directory:
|
||||||
|
.nf
|
||||||
|
|
||||||
|
if which caprint >&/dev/null ; then
|
||||||
|
ambient=$(caprint -p)
|
||||||
|
fi
|
||||||
|
|
||||||
|
PS1='\\u@\\h:\\w\\$$ambient'
|
||||||
|
|
||||||
|
.fi
|
||||||
|
.TP
|
||||||
|
\fB\-h
|
||||||
|
.TQ
|
||||||
|
\fB\-\-help
|
||||||
|
print a short usage banner and exit.
|
||||||
|
|
||||||
|
.SH SEE ALSO
|
||||||
|
\fBcado\fR(1),
|
||||||
|
\fBcapabilities\fR(7),
|
|
@ -0,0 +1,131 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <getopt.h>
|
||||||
|
#include <libgen.h>
|
||||||
|
#include <sys/capability.h>
|
||||||
|
|
||||||
|
char *tag="CapAmb:\t";
|
||||||
|
uint64_t get_capamb(pid_t pid) {
|
||||||
|
FILE *f;
|
||||||
|
char filename[32];
|
||||||
|
int status=0;
|
||||||
|
int target=strlen(tag);
|
||||||
|
uint64_t capamb=0;
|
||||||
|
int c;
|
||||||
|
snprintf(filename,32,"/proc/%d/status",pid);
|
||||||
|
|
||||||
|
f=fopen(filename,"r");
|
||||||
|
if (f==NULL)
|
||||||
|
exit(2);
|
||||||
|
|
||||||
|
while ((c = getc(f)) != EOF) {
|
||||||
|
if (c == tag[status]) {
|
||||||
|
status++;
|
||||||
|
if (status == target) {
|
||||||
|
fscanf(f,"%llx",&capamb);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else
|
||||||
|
status=0;
|
||||||
|
}
|
||||||
|
fclose(f);
|
||||||
|
return capamb;
|
||||||
|
}
|
||||||
|
|
||||||
|
#define OPTSTRING "hpcl"
|
||||||
|
struct option long_options[]={
|
||||||
|
{"help", no_argument, NULL, 'h'},
|
||||||
|
{"prompt", no_argument, NULL, 'p'},
|
||||||
|
{"compact", no_argument, NULL, 'c'},
|
||||||
|
{"long", no_argument, NULL, 'l'},
|
||||||
|
};
|
||||||
|
|
||||||
|
void usage(char *progname) {
|
||||||
|
fprintf(stderr,"%s - show the current capability ambient\n\n",progname);
|
||||||
|
fprintf(stderr,"usage: %s OPTIONS [pid]\n\n",progname);
|
||||||
|
fprintf(stderr,"Options:\n");
|
||||||
|
fprintf(stderr," -h, --help display help message and exit\n");
|
||||||
|
fprintf(stderr," -p, --prompt single line output for the command prompt\n");
|
||||||
|
fprintf(stderr," -c, --compact single line without cap_ prefix\n");
|
||||||
|
fprintf(stderr," -l, --long display cap# and mask\n");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int main(int argc, char *argv[]) {
|
||||||
|
uint64_t capamb;
|
||||||
|
char *progname=basename(argv[0]);
|
||||||
|
int prompt=0;
|
||||||
|
int compact=0;
|
||||||
|
int longlist=0;
|
||||||
|
while (1) {
|
||||||
|
int c=getopt_long(argc, argv, OPTSTRING, long_options, NULL);
|
||||||
|
if (c < 0)
|
||||||
|
break;
|
||||||
|
switch (c) {
|
||||||
|
case 'h': usage(progname);
|
||||||
|
break;
|
||||||
|
case 'p': prompt=compact=1;
|
||||||
|
break;
|
||||||
|
case 'c': compact=1;
|
||||||
|
break;
|
||||||
|
case 'l': longlist=1;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
usage(progname);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (argc - optind > 1)
|
||||||
|
usage(progname);
|
||||||
|
|
||||||
|
if (optind < argc)
|
||||||
|
capamb=get_capamb(atoi(argv[optind]));
|
||||||
|
else
|
||||||
|
capamb=get_capamb(getpid());
|
||||||
|
if (capamb) {
|
||||||
|
cap_value_t cap;
|
||||||
|
char *sep="";
|
||||||
|
int count=0;
|
||||||
|
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||||
|
if (capamb & (1ULL << cap)) {
|
||||||
|
count++;
|
||||||
|
if (longlist)
|
||||||
|
printf("%2d %016llx %s\n",cap,1ULL<<cap,cap_to_name(cap));
|
||||||
|
else if (compact)
|
||||||
|
printf("%s%s",sep,cap_to_name(cap)+4);
|
||||||
|
else
|
||||||
|
printf("%s\n",cap_to_name(cap));
|
||||||
|
sep=",";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (prompt) printf("#");
|
||||||
|
if (compact) printf("\n");
|
||||||
|
if (longlist && count > 1)
|
||||||
|
printf(" %016llx\n",capamb);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,59 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <sys/capability.h>
|
||||||
|
#include <capset_from_namelist.h>
|
||||||
|
|
||||||
|
static int addcap(char *name, uint64_t *capset) {
|
||||||
|
char *tail;
|
||||||
|
uint64_t exacaps=strtoull(name, &tail, 16);
|
||||||
|
if (*tail == 0) {
|
||||||
|
*capset |= exacaps;
|
||||||
|
return 0;
|
||||||
|
} else {
|
||||||
|
int rv;
|
||||||
|
cap_value_t thiscap;
|
||||||
|
if (strncmp(name,"cap_",4) == 0)
|
||||||
|
rv=cap_from_name(name, &thiscap);
|
||||||
|
else {
|
||||||
|
int xnamelen=strlen(name)+5;
|
||||||
|
char xname[xnamelen];
|
||||||
|
snprintf(xname,xnamelen,"cap_%s",name);
|
||||||
|
rv=cap_from_name(xname, &thiscap);
|
||||||
|
}
|
||||||
|
if (rv >= 0)
|
||||||
|
*capset |= 1ULL << thiscap;
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int capset_from_namelist(char *namelist, uint64_t *capset) {
|
||||||
|
int rv=0;
|
||||||
|
char *onecap;
|
||||||
|
char *tmptok;
|
||||||
|
for (; (onecap=strtok_r(namelist,",",&tmptok)) != NULL; namelist=NULL)
|
||||||
|
rv |= addcap(onecap,capset);
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
#ifndef CAP_FROM_NAMEX_H
|
||||||
|
#define CAP_FROM_NAMEX_H
|
||||||
|
#include <sys/capability.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
int capset_from_namelist(char *namelist, uint64_t *capset);
|
||||||
|
|
||||||
|
#endif
|
|
@ -0,0 +1,29 @@
|
||||||
|
# -*- Autoconf -*-
|
||||||
|
# Process this file with autoconf to produce a configure script.
|
||||||
|
|
||||||
|
AC_PREREQ([2.69])
|
||||||
|
AC_INIT([cado], [0.9], [info@v2.cs.unibo.it])
|
||||||
|
AM_INIT_AUTOMAKE([foreign dist-bzip2])
|
||||||
|
AC_CONFIG_SRCDIR([pam_check.h])
|
||||||
|
AC_CONFIG_HEADERS([config.h])
|
||||||
|
|
||||||
|
# Checks for programs.
|
||||||
|
AC_PROG_CXX
|
||||||
|
AC_PROG_CC
|
||||||
|
AC_PROG_INSTALL
|
||||||
|
|
||||||
|
# Checks for libraries.
|
||||||
|
|
||||||
|
# Checks for header files.
|
||||||
|
AC_CHECK_HEADERS([fcntl.h stdint.h stdlib.h string.h unistd.h])
|
||||||
|
|
||||||
|
# Checks for typedefs, structures, and compiler characteristics.
|
||||||
|
AC_TYPE_UID_T
|
||||||
|
AC_TYPE_PID_T
|
||||||
|
AC_TYPE_SSIZE_T
|
||||||
|
AC_TYPE_UINT64_T
|
||||||
|
|
||||||
|
# Checks for library functions.
|
||||||
|
AC_CHECK_FUNCS([strdup strtoull])
|
||||||
|
|
||||||
|
AC_OUTPUT([Makefile])
|
|
@ -0,0 +1,60 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <get_user_groups.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <grp.h>
|
||||||
|
#include <pwd.h>
|
||||||
|
|
||||||
|
char **get_user_groups(void) {
|
||||||
|
uid_t uid=getuid();
|
||||||
|
struct passwd *pwd=getpwuid(uid);
|
||||||
|
int ngroups=0;
|
||||||
|
char **user_groups=NULL;
|
||||||
|
getgrouplist(pwd->pw_name, pwd->pw_gid, NULL, &ngroups);
|
||||||
|
if (ngroups > 0) {
|
||||||
|
gid_t gids[ngroups];
|
||||||
|
struct group *grp;
|
||||||
|
user_groups = calloc(ngroups+2, sizeof(char *));
|
||||||
|
if (user_groups) {
|
||||||
|
int i=0;
|
||||||
|
user_groups[i++] = strdup(pwd->pw_name);
|
||||||
|
if (getgrouplist(pwd->pw_name, pwd->pw_gid, gids, &ngroups) == ngroups) {
|
||||||
|
while ((grp=getgrent()) != NULL) {
|
||||||
|
int j;
|
||||||
|
for (j=0; j<ngroups; j++) {
|
||||||
|
if (grp->gr_gid == gids[j]) {
|
||||||
|
gids[j] = -1;
|
||||||
|
user_groups[i++] = strdup(grp->gr_name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
user_groups[i] = NULL;
|
||||||
|
endgrent();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return user_groups;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
#ifndef GET_USER_GROUPS_H
|
||||||
|
#define GET_USER_GROUPS_H
|
||||||
|
|
||||||
|
char **get_user_groups(void);
|
||||||
|
#endif
|
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#define _GNU_SOURCE
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <security/pam_appl.h>
|
||||||
|
#include <security/pam_misc.h>
|
||||||
|
#include <pwd.h>
|
||||||
|
#include <pam_check.h>
|
||||||
|
|
||||||
|
int pam_check(char *username)
|
||||||
|
{
|
||||||
|
pam_handle_t* pamh;
|
||||||
|
struct pam_conv pamc={.conv=&misc_conv, .appdata_ptr=NULL};
|
||||||
|
int rv;
|
||||||
|
|
||||||
|
pam_start ("capdo", username, &pamc, &pamh);
|
||||||
|
rv= pam_authenticate (pamh, 0);
|
||||||
|
pam_end (pamh, 0);
|
||||||
|
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
#ifndef PAM_CHECK_H
|
||||||
|
#define PAM_CHECK_H
|
||||||
|
int pam_check(char *username);
|
||||||
|
#endif
|
|
@ -0,0 +1,116 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <ctype.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <read_conf.h>
|
||||||
|
#include <set_ambient_cap.h>
|
||||||
|
#include <capset_from_namelist.h>
|
||||||
|
|
||||||
|
#ifndef CONFDIR
|
||||||
|
#define CONFDIR "/etc"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define CADO_CONF CONFDIR "/cado.conf"
|
||||||
|
|
||||||
|
static int groupmatch (char *group, char **grouplist) {
|
||||||
|
for (;*grouplist; grouplist++) {
|
||||||
|
//printf("%s %s\n",group, *grouplist);
|
||||||
|
if (strcmp(group, *grouplist) == 0)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
uint64_t get_authorized_caps(char **user_groups) {
|
||||||
|
uint64_t ok_caps=0;
|
||||||
|
FILE *f;
|
||||||
|
if (user_groups) raise_cap_dac_read_search();
|
||||||
|
f=fopen(CADO_CONF, "r");
|
||||||
|
if (f) {
|
||||||
|
char *line=NULL;
|
||||||
|
ssize_t len,n=0;
|
||||||
|
while ((len=getline(&line, &n, f)) > 0) {
|
||||||
|
//printf("%s",line);
|
||||||
|
char *scan=line;
|
||||||
|
char *tok;
|
||||||
|
uint64_t capset;
|
||||||
|
char *tmptok;
|
||||||
|
while (isspace(*scan)) scan++;
|
||||||
|
if (*scan == 0 || *scan == '#') //comment
|
||||||
|
continue;
|
||||||
|
tok=strtok_r(scan, ":", &tmptok);
|
||||||
|
//printf("%s\n",tok);
|
||||||
|
capset=0;
|
||||||
|
if (capset_from_namelist(tok, &capset) < 0)
|
||||||
|
continue;
|
||||||
|
if (user_groups == NULL) {
|
||||||
|
ok_caps |= capset;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
//printf("CAP %s %d\n",tok,thiscap);
|
||||||
|
while ((tok=strtok_r(NULL, ",\n ",&tmptok)) != NULL) {
|
||||||
|
//printf("XX %s\n",tok);
|
||||||
|
if (*tok=='@') {
|
||||||
|
if (groupmatch(tok+1, user_groups+1)) {
|
||||||
|
ok_caps |= capset;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else if (strcmp(tok, user_groups[0]) == 0) {
|
||||||
|
ok_caps |= capset;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
fclose(f);
|
||||||
|
if (line)
|
||||||
|
free(line);
|
||||||
|
}
|
||||||
|
if (user_groups) lower_cap_dac_read_search();
|
||||||
|
return ok_caps;
|
||||||
|
}
|
||||||
|
|
||||||
|
int set_self_capability(uint64_t capset) {
|
||||||
|
cap_value_t cap;
|
||||||
|
cap_t caps=cap_init();
|
||||||
|
int f,rv=-1;
|
||||||
|
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||||
|
if (capset & (1ULL << cap)) {
|
||||||
|
/*if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_SET) ||
|
||||||
|
cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET)) {*/
|
||||||
|
if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_SET)) {
|
||||||
|
fprintf(stderr, "Cannot set permitted cap %s\n",cap_to_name(cap));
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ((f=open("/proc/self/exe",O_RDONLY)) >= 0) {
|
||||||
|
if (cap_set_fd(f,caps) >= 0)
|
||||||
|
rv=0;
|
||||||
|
close(f);
|
||||||
|
}
|
||||||
|
cap_free(caps);
|
||||||
|
return rv;
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
#ifndef READ_CONF_H
|
||||||
|
#define READ_CONF_H
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
uint64_t get_authorized_caps(char **user_groups);
|
||||||
|
|
||||||
|
int set_self_capability(uint64_t capset);
|
||||||
|
|
||||||
|
#endif
|
|
@ -0,0 +1,63 @@
|
||||||
|
/*
|
||||||
|
* cado: execute a command in a capability ambient
|
||||||
|
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||||
|
*
|
||||||
|
* This file is part of cado.
|
||||||
|
*
|
||||||
|
* Cado is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License
|
||||||
|
* as published by the Free Software Foundation; either version 2
|
||||||
|
* of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <sys/capability.h>
|
||||||
|
#include <sys/prctl.h>
|
||||||
|
#include <set_ambient_cap.h>
|
||||||
|
|
||||||
|
void set_ambient_cap(uint64_t capset)
|
||||||
|
{
|
||||||
|
cap_value_t cap;
|
||||||
|
cap_t caps=cap_get_proc();
|
||||||
|
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||||
|
int op = (capset & (1ULL << cap)) ? CAP_SET : CAP_CLEAR;
|
||||||
|
if (cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, op)) {
|
||||||
|
fprintf(stderr, "Cannot %s inheritable cap %s\n",op==CAP_SET?"set":"clear",cap_to_name(cap));
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
cap_set_proc(caps);
|
||||||
|
cap_free(caps);
|
||||||
|
|
||||||
|
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
|
||||||
|
int op = (capset & (1ULL << cap)) ? PR_CAP_AMBIENT_RAISE : PR_CAP_AMBIENT_LOWER;
|
||||||
|
if (prctl(PR_CAP_AMBIENT, op, cap, 0, 0)) {
|
||||||
|
perror("Cannot set cap");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void raise_cap_dac_read_search(void) {
|
||||||
|
cap_value_t cap=CAP_DAC_READ_SEARCH;
|
||||||
|
cap_t caps=cap_get_proc();
|
||||||
|
cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
|
||||||
|
cap_set_proc(caps);
|
||||||
|
}
|
||||||
|
|
||||||
|
void lower_cap_dac_read_search(void) {
|
||||||
|
cap_value_t cap=CAP_DAC_READ_SEARCH;
|
||||||
|
cap_t caps=cap_get_proc();
|
||||||
|
cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR);
|
||||||
|
cap_set_proc(caps);
|
||||||
|
}
|
|
@ -0,0 +1,10 @@
|
||||||
|
#ifndef SET_AMBIENT_CAP_H
|
||||||
|
#define SET_AMBIENT_CAP_H
|
||||||
|
|
||||||
|
void set_ambient_cap(uint64_t capset);
|
||||||
|
|
||||||
|
void raise_cap_dac_read_search(void);
|
||||||
|
|
||||||
|
void lower_cap_dac_read_search(void);
|
||||||
|
|
||||||
|
#endif
|
Loading…
Reference in New Issue