update man page in markdown support (currently unused)

Mention prequisite libraries in README

CMakeLists.txt

@@ -1,34 +1,37 @@
 cmake_minimum_required(VERSION 3.13)
 project(cado
-    VERSION 0.9.4
-    DESCRIPTION "Capability Ambient DO. Provide users just the capabilities they need."
-    HOMEPAGE_URL "https://github.com/rd235/cado"
-    LANGUAGES C)
+	VERSION 0.9.6
+	DESCRIPTION "Capability Ambient DO. Provide users just the capabilities they need."
+	HOMEPAGE_URL "https://github.com/rd235/cado"
+	LANGUAGES C)
 
 include(GNUInstallDirs)
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2 -O2 -Wall -pedantic")
 
 set(LIBS_REQUIRED cap execs mhash pam pam_misc)
 
+option(CADO_RUN_POST_INSTALL "Run PostInstall.cmake" ON)
+
 foreach(THISLIB IN LISTS LIBS_REQUIRED)
-  find_library(${THISLIB}_library ${THISLIB})
-  if(NOT ${THISLIB}_library)
-    message(FATAL_ERROR "library lib${THISLIB} not found")
-  endif()
+	find_library(${THISLIB}_library ${THISLIB})
+	if(NOT ${THISLIB}_library)
+		message(FATAL_ERROR "library lib${THISLIB} not found")
+	endif()
 endforeach(THISLIB)
 
 if (WITHEDITOR)
-        set(EDITOR "${WITHEDITOR}")
+	set(EDITOR "${WITHEDITOR}")
 else (WITHEDITOR)
-        set(EDITOR "/usr/bin/vi")
+	set(EDITOR "/usr/bin/vi")
 endif (WITHEDITOR)
 
 # Spool dir for scado files
-set(CADO_SPOOL_DIR "/usr/local/var/spool/cado")
+set(CADO_SPOOL_DIR
+	"${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/spool/${CMAKE_PROJECT_NAME}")
 
 configure_file(
-        "include/config.h.in"
-        "include/config.h"
+	"include/config.h.in"
+	"include/config.h"
 )
 
 add_subdirectory(man)

README.md

@@ -10,8 +10,11 @@ specific (ambient) capabilities.
 Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
 
 ## Install
-
-get the source code, from the root of the source tree run:
+Install prerequisite libraries:
+    
+    $ sudo apt install libpam0g-dev libcap-dev libmhash-dev libexecs-dev
+    
+Get the source code, from the root of the source tree run:
 ```
 $ mkdir build
 $ cd build
@@ -21,7 +24,7 @@ $ sudo make install
 ```
 
 It installs two programs in /usr/local/bin: cado and caprint.
-If you want to install the programs in /usr/bin run "cmake .. -DCMAKE_INSTALL_PREFIX:PATH=/usr" instead of "cmake ..".
+If you want to install the programs in /usr/bin run "cmake .. -DCMAKE\_INSTALL\_PREFIX:PATH=/usr" instead of "cmake ..".
 
 ## Configuration
 
@@ -29,7 +32,7 @@ Cado needs a configuration file: /etc/cado.conf with the following syntax:
 - lines beginning with # are comments
 - all the other lines have two fields separated by :, the first field is a capability or a list of
 capabilities, the second field is a list of users or groups (group names have @ as a prefix).
-Capabilities can be written with or without the cap_ prefix (net_admin means cap_net_admin).
+Capabilities can be written with or without the cap\_ prefix (net\_admin means cap\_net\_admin).
 
 Example of /etc/cado.conf file:
 ```
@@ -41,8 +44,8 @@ cap_kill: renzo
 ```
 
 The file above allows the user renzo and all the members of the group named netadmin to run programs
-neeeding the cap_net_admin capability.
-The user renzo can also run programs requiring cap_kill.
+neeeding the cap\_net\_admin capability.
+The user renzo can also run programs requiring cap\_kill.
 The file /etc/cado.conf can be owned by root and have no rw permission for users.
 
 
@@ -94,7 +97,7 @@ The syntax of cado is simple:
 $ cado [options] set_of_capabilities command [args]
 ```
 
-for example if the user renzo wants to run a shell having the cap_net_admin capability enabled he can type
+for example if the user renzo wants to run a shell having the cap\_net\_admin capability enabled he can type
 the following command:
 ```
 $ cado net_admin bash
@@ -102,11 +105,11 @@ Password:
 $
 ```
 
-the user will be requested to authenticate himself. If the user has the right to enable cap_net_admin (from the
+the user will be requested to authenticate himself. If the user has the right to enable cap\_net\_admin (from the
 cado.conf configuration file) and he typed in the correct password, cado starts a new shell with the requested
 capability enabled.
 
-It is possible define the set_of_capabilities using a list of capabilities (with or without the cap_prefix)
+It is possible define the set\_of\_capabilities using a list of capabilities (with or without the cap\_prefix)
 or exadecimal masks.
 
 In the new shell the user can do all the operations permitted by the enabled capabilities,
@@ -120,7 +123,7 @@ $ grep CapAmb /proc/$$/status
 CapAmb: 0000000000001000
 ```
 
-(cap_net_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
+(cap\_net\_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
 
 ## caprint
 
@@ -139,7 +142,7 @@ $ caprint -l
 There is an option -p that has been designed to add the current set of ambient capabilities to the shell prompt,
 so it is easier for the user to recognize when a shell has some "extra power", so to avoid errors.
 
-In .bashrc or .bash_profile (or in their system-side counterparts in /etc) it is possible to set rules like
+In .bashrc or .bash\_profile (or in their system-side counterparts in /etc) it is possible to set rules like
 the followings:
 ```
 if which caprint >&/dev/null ; then

man/CMakeLists.txt

@@ -1,21 +1,20 @@
-cmake_minimum_required(VERSION 3.13)
+cmake_minimum_required(VERSION 3.7)
 
-set(RONN_ORGANIZATION "VirtualSquare")
-set(RONN_ARGS --organization=${RONN_ORGANIZATION})
+set(PANDOC_ORG "VirtualSquare")
 
-# #ronn pages
+# ### pandoc pages
 
- file(GLOB VU_RONN_PAGES ${CMAKE_CURRENT_SOURCE_DIR}/*.[1-8].ronn)
+file(GLOB VU_PANDOC_PAGES ${CMAKE_CURRENT_SOURCE_DIR}/*.[1-8].md)
 set(VU_MAN_FILES)
-foreach(VU_RONN_PATH IN LISTS VU_RONN_PAGES)
-# VU_RONNPAGE: basename of VU_RONN_PATH
-	get_filename_component(VU_RONNPAGE ${VU_RONN_PATH} NAME)
-# VU_MANPAGE: VU_RONNPAGE without the suffix
-	string(REGEX REPLACE "\.ronn$" "" VU_MANPAGE ${VU_RONNPAGE})
+foreach(VU_PANDOC_PATH IN LISTS VU_PANDOC_PAGES)
+# VU_PANDOCPAGE: basename of VU_PANDOC_PATH
+	get_filename_component(VU_PANDOCPAGE ${VU_PANDOC_PATH} NAME)
+# VU_MANPAGE: VU_PANDOCPAGE without the suffix
+	string(REGEX REPLACE "\.md$" "" VU_MANPAGE ${VU_PANDOCPAGE})
 	list(APPEND VU_MAN_FILES ${VU_MANPAGE})
-endforeach(VU_RONN_PATH)
+endforeach(VU_PANDOC_PATH)
 
-add_custom_target(${PROJECT_NAME}_manpages ALL make RONN_ARGS="${RONN_ARGS}"  ${VU_MAN_FILES}
+add_custom_target(${PROJECT_NAME}_manpages ALL make PANDOC_ORG="${PANDOC_ORG}"  ${VU_MAN_FILES}
 	WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
 
 ### man pages

man/Makefile

@@ -1,16 +1,18 @@
-RONN=ronn
-RONNOK := $(shell command -v ${RONN} 2> /dev/null)
+PANDOC=pandoc
+PANDOCOK := $(shell command -v ${PANDOC} 2> /dev/null)
 
 none:
 
-% : %.ronn
-ifdef RONNOK
+% : %.md
+ifdef PANDOCOK
 # copy copyright notice
 		grep "^\.\\\\\"" $< > $@ || true
-# run ronn
-		$(RONN) -r ${RONN_ARGS} --pipe $< >> $@
-# delete useless trailing "" in .TH
-		sed -i '/^\.TH /s/ ""$$//' $@
+# run pandoc
+		$(eval SECTION := $(subst .,,$(suffix $@)))
+		$(eval BASENAME := $(basename $@))
+		$(eval TITLE := $(shell echo "${BASENAME}\(${SECTION}\)" | tr [:lower:] [:upper:]))
+		$(eval HEADER := "$(shell man ${SECTION} intro | head -1 | sed -e 's/^[^[:blank:]]*[[:blank:]]*//' -e 's/[[:blank:]]*[^[:blank:]]*$$//' )")
+		$(PANDOC) -standalone -M title=${TITLE} -M section=${SECTION} -M header=${HEADER} -M footer=${PANDOC_ORG} -M "date=`date +\"%B %Y\"`" --to man $< >> $@
 else
-		echo "${RONN} is not available. Manpage $@ cannot be updated" >/dev/stderr >&2
+		echo "${PANDOC} is not available. Manpage $@ cannot be updated" >/dev/stderr >&2
 endif

man/cado.1

@@ -15,7 +15,7 @@ cado \- Capability Ambient DO
 ]
 
 .SH DESCRIPTION
-Cado permits to delegate capabilities to users.
+Cado allows the system administrator to delegate capabilities to users.
 Cado is a capability based sudo. Sudo allows authorized users to run programs as root (or as another user),
 cado allows authorized users to run programs with specific (ambient) capabilities.
 

man/cadrop.1

@@ -14,7 +14,7 @@ cadrop \- Capability Ambient Drop
 ]
 
 .SH DESCRIPTION
-Cadrop permits to drop (ambient) capabilities.
+Cadrop allows users to drop (ambient) capabilities.
 
 Cadrop launches the command indicated as a parameter ($SHELL if omitted) dropping all the capabilities 
 listed in the capability_list.

man/scado.1

@@ -20,8 +20,8 @@ scado \- Script Capability Ambient DO
 
 .SH DESCRIPTION
 
-\fBcado(1)\fR permits to delegate capabilities to users.
-Users can grant a subset of these ambient capabilities to trusted programs. 
+\fBcado(1)\fR allows the system administrator to delegate capabilities to users.
+Users can grant a subset of these ambient capabilities to trusted programs.
 Each user can define their own list of trusted programs and which capabilities to grant, using a scado file.
 \fBcado -S\fR or \fBcado --scado\fR run those trusted programs without any further authentication.
 In this way it is also possible to run programs requiring specific capabilities within a bash script.

src/CMakeLists.txt

@@ -1,27 +1,27 @@
 cmake_minimum_required(VERSION 3.13)
 
 add_executable(
-        cado cado.c pam_check.c get_user_groups.c capset_from_namelist.c
-        read_conf.c set_ambient_cap.c compute_digest.c file_utils.c
-        scado_parse.c cado_scado_check.c
+	cado cado.c pam_check.c get_user_groups.c capset_from_namelist.c
+	read_conf.c set_ambient_cap.c compute_digest.c file_utils.c
+	scado_parse.c cado_scado_check.c
 )
 target_include_directories(cado PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE_BINARY_DIR}/include)
 target_link_libraries(
-        cado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
-        ${execs_library})
+	cado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
+	${execs_library})
 
 add_executable(cadrop cadrop.c capset_from_namelist.c set_ambient_cap.c)
 target_include_directories(cadrop PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE_BINARY_DIR}/include)
 target_link_libraries(cadrop ${cap_library})
 
 add_executable(
-        scado scado.c pam_check.c file_utils.c compute_digest.c
-        capset_from_namelist.c scado_parse.c
+	scado scado.c pam_check.c file_utils.c compute_digest.c
+	capset_from_namelist.c scado_parse.c
 )
 target_include_directories(scado PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE_BINARY_DIR}/include)
 target_link_libraries(
-        scado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
-        ${execs_library}
+	scado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
+	${execs_library}
 )
 
 add_executable(caprint caprint.c)
@@ -29,19 +29,19 @@ target_include_directories(caprint PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE
 target_link_libraries(caprint ${cap_library})
 
 install(
-        TARGETS cado cadrop scado caprint
-        RUNTIME
-        DESTINATION ${CMAKE_INSTALL_BINDIR}
+	TARGETS cado cadrop scado caprint
+	RUNTIME
+	DESTINATION ${CMAKE_INSTALL_BINDIR}
 )
 
-if(NOT DEBUILD)
-        install(
-                CODE "execute_process(
-                        COMMAND ${CMAKE_COMMAND}
-                        -DBINDIR=${CMAKE_INSTALL_FULL_BINDIR}
-                        -DLIBDIR=${CMAKE_INSTALL_FULL_LIBDIR}
-                        -DCADO_SPOOL_DIR=${CADO_SPOOL_DIR}
-                        -P ${PROJECT_SOURCE_DIR}/PostInstall.cmake
-                )"
-        )
+if(CADO_RUN_POST_INSTALL)
+	install(
+		CODE "execute_process(
+			COMMAND ${CMAKE_COMMAND}
+			-DBINDIR=${CMAKE_INSTALL_FULL_BINDIR}
+			-DLIBDIR=${CMAKE_INSTALL_FULL_LIBDIR}
+			-DCADO_SPOOL_DIR=${CADO_SPOOL_DIR}
+			-P ${PROJECT_SOURCE_DIR}/PostInstall.cmake
+		)"
+	)
 endif()

src/cado.c

@@ -71,7 +71,7 @@ void usage(char *progname) {
 	fprintf(stderr,"  -f, --force        do not display warnings, do what is allowed\n");
 	fprintf(stderr,"  -v, --verbose      generate extra output\n");
 	fprintf(stderr,"  -S, --scado        check scado pre-authorization for scripts\n");
-	fprintf(stderr,"  -s, --setcap       set the minimun caps for %s (root access)\n",progname);
+	fprintf(stderr,"  -s, --setcap       set the minimum caps for %s (root access)\n",progname);
 	exit(1);
 }
 

src/read_conf.c

@@ -1,21 +1,21 @@
-/* 
+/*
  * cado: execute a command in a capability ambient
  * Copyright (C) 2016  Renzo Davoli, University of Bologna
- * 
+ *
  * This file is part of cado.
  *
  * Cado is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
  * as published by the Free Software Foundation; either version 2
  * of the License, or (at your option) any later version.
- * 
+ *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
- * along with this program; If not, see <http://www.gnu.org/licenses/>. 
+ * along with this program; If not, see <http://www.gnu.org/licenses/>.
  *
  */
 
@@ -96,7 +96,7 @@ uint64_t get_authorized_caps(char **user_groups, uint64_t reqset) {
 			if (user_groups == NULL) {
 				ok_caps |= capset;
 				continue;
-			} 
+			}
 			//printf("CAP %s %d\n",tok,thiscap);
 			while ((tok=strtok_r(tokenusergroup, ",\n ",&tmptok)) != NULL) {
 				//printf("XX %s\n",tok);
@@ -113,7 +113,12 @@ uint64_t get_authorized_caps(char **user_groups, uint64_t reqset) {
 			}
 			if (usermatch) {
 				if (tokencondition) {
-					if (system_execsa(tokencondition) == 0)
+					if
+#if defined(EXECS_SOVERSION) && EXECS_SOVERSION > 0
+						(system_execsqa(tokencondition) == 0)
+#else
+						(system_execsa(tokencondition) == 0)
+#endif
 						ok_caps |= capset;
 				} else
 					ok_caps |= capset;