Author | SHA1 | Date |
---|---|---|
Renzo Davoli | 70744d6390 | |
Renzo Davoli | 4be60595bb | |
Renzo Davoli | 652087d8a0 | |
Renzo Davoli | 4486b11c54 | |
Renzo Davoli | a3ff38e826 | |
tzugen | 0d4a2f6f43 | |
Mattia Biondi | 942ec59c61 | |
Mattia Biondi | c3bc6f56dd | |
Mattia Biondi | 792020b65d |
|
@ -1,34 +1,37 @@
|
|||
cmake_minimum_required(VERSION 3.13)
|
||||
project(cado
|
||||
VERSION 0.9.4
|
||||
DESCRIPTION "Capability Ambient DO. Provide users just the capabilities they need."
|
||||
HOMEPAGE_URL "https://github.com/rd235/cado"
|
||||
LANGUAGES C)
|
||||
VERSION 0.9.6
|
||||
DESCRIPTION "Capability Ambient DO. Provide users just the capabilities they need."
|
||||
HOMEPAGE_URL "https://github.com/rd235/cado"
|
||||
LANGUAGES C)
|
||||
|
||||
include(GNUInstallDirs)
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2 -O2 -Wall -pedantic")
|
||||
|
||||
set(LIBS_REQUIRED cap execs mhash pam pam_misc)
|
||||
|
||||
option(CADO_RUN_POST_INSTALL "Run PostInstall.cmake" ON)
|
||||
|
||||
foreach(THISLIB IN LISTS LIBS_REQUIRED)
|
||||
find_library(${THISLIB}_library ${THISLIB})
|
||||
if(NOT ${THISLIB}_library)
|
||||
message(FATAL_ERROR "library lib${THISLIB} not found")
|
||||
endif()
|
||||
find_library(${THISLIB}_library ${THISLIB})
|
||||
if(NOT ${THISLIB}_library)
|
||||
message(FATAL_ERROR "library lib${THISLIB} not found")
|
||||
endif()
|
||||
endforeach(THISLIB)
|
||||
|
||||
if (WITHEDITOR)
|
||||
set(EDITOR "${WITHEDITOR}")
|
||||
set(EDITOR "${WITHEDITOR}")
|
||||
else (WITHEDITOR)
|
||||
set(EDITOR "/usr/bin/vi")
|
||||
set(EDITOR "/usr/bin/vi")
|
||||
endif (WITHEDITOR)
|
||||
|
||||
# Spool dir for scado files
|
||||
set(CADO_SPOOL_DIR "/usr/local/var/spool/cado")
|
||||
set(CADO_SPOOL_DIR
|
||||
"${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/spool/${CMAKE_PROJECT_NAME}")
|
||||
|
||||
configure_file(
|
||||
"include/config.h.in"
|
||||
"include/config.h"
|
||||
"include/config.h.in"
|
||||
"include/config.h"
|
||||
)
|
||||
|
||||
add_subdirectory(man)
|
||||
|
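Review bot: The new CADO_SPOOL_DIR value is built from `CMAKE_PROJECT_NAME`, which names the top-most project of the whole build rather than this one, so if cado is ever built as a subproject the spool path would end in the parent's name; `PROJECT_NAME` (or the literal `cado` the old value had) is what is meant: `"${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/spool/${PROJECT_NAME}")`. The same value is passed on to PostInstall.cmake and presumably ends up in the generated config.h, so a wrong name silently moves the directory scado files are looked up in. The new `CADO_RUN_POST_INSTALL` option replaces the old `DEBUILD` guard, which nothing in this hunk or the README explains; a description such as `option(CADO_RUN_POST_INSTALL "Run PostInstall.cmake at install time (turn OFF when staging into a package root)" ON)` would tell packagers what the switch is for.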
|
25
README.md
25
README.md
|
@ -10,8 +10,11 @@ specific (ambient) capabilities.
|
|||
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
|
||||
|
||||
## Install
|
||||
|
||||
get the source code, from the root of the source tree run:
|
||||
Install prerequisite libraries:
|
||||
|
||||
$ sudo apt install libpam0g-dev libcap-dev libmhash-dev libexecs-dev
|
||||
|
||||
Get the source code, from the root of the source tree run:
|
||||
```
|
||||
$ mkdir build
|
||||
$ cd build
|
||||
|
@ -21,7 +24,7 @@ $ sudo make install
|
|||
```
|
||||
|
||||
It installs two programs in /usr/local/bin: cado and caprint.
|
||||
If you want to install the programs in /usr/bin run "cmake .. -DCMAKE_INSTALL_PREFIX:PATH=/usr" instead of "cmake ..".
|
||||
If you want to install the programs in /usr/bin run "cmake .. -DCMAKE\_INSTALL\_PREFIX:PATH=/usr" instead of "cmake ..".
|
||||
|
||||
## Configuration
|
||||
|
||||
|
@ -29,7 +32,7 @@ Cado needs a configuration file: /etc/cado.conf with the following syntax:
|
|||
- lines beginning with # are comments
|
||||
- all the other lines have two fields separated by :, the first field is a capability or a list of
|
||||
capabilities, the second field is a list of users or groups (group names have @ as a prefix).
|
||||
Capabilities can be written with or without the cap_ prefix (net_admin means cap_net_admin).
|
||||
Capabilities can be written with or without the cap\_ prefix (net\_admin means cap\_net\_admin).
|
||||
|
||||
Example of /etc/cado.conf file:
|
||||
```
|
||||
|
@ -41,8 +44,8 @@ cap_kill: renzo
|
|||
```
|
||||
|
||||
The file above allows the user renzo and all the members of the group named netadmin to run programs
|
||||
neeeding the cap_net_admin capability.
|
||||
The user renzo can also run programs requiring cap_kill.
|
||||
neeeding the cap\_net\_admin capability.
|
||||
The user renzo can also run programs requiring cap\_kill.
|
||||
The file /etc/cado.conf can be owned by root and have no rw permission for users.
|
||||
|
||||
|
||||
|
@ -94,7 +97,7 @@ The syntax of cado is simple:
|
|||
$ cado [options] set_of_capabilities command [args]
|
||||
```
|
||||
|
||||
for example if the user renzo wants to run a shell having the cap_net_admin capability enabled he can type
|
||||
for example if the user renzo wants to run a shell having the cap\_net\_admin capability enabled he can type
|
||||
the following command:
|
||||
```
|
||||
$ cado net_admin bash
|
||||
|
@ -102,11 +105,11 @@ Password:
|
|||
$
|
||||
```
|
||||
|
||||
the user will be requested to authenticate himself. If the user has the right to enable cap_net_admin (from the
|
||||
the user will be requested to authenticate himself. If the user has the right to enable cap\_net\_admin (from the
|
||||
cado.conf configuration file) and he typed in the correct password, cado starts a new shell with the requested
|
||||
capability enabled.
|
||||
|
||||
It is possible define the set_of_capabilities using a list of capabilities (with or without the cap_prefix)
|
||||
It is possible define the set\_of\_capabilities using a list of capabilities (with or without the cap\_prefix)
|
||||
or exadecimal masks.
|
||||
|
||||
In the new shell the user can do all the operations permitted by the enabled capabilities,
|
||||
|
@ -120,7 +123,7 @@ $ grep CapAmb /proc/$$/status
|
|||
CapAmb: 0000000000001000
|
||||
```
|
||||
|
||||
(cap_net_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
|
||||
(cap\_net\_admin is the capability #12, the mask is 0x1000, i.e. 1ULL << 12)
|
||||
|
||||
## caprint
|
||||
|
||||
|
@ -139,7 +142,7 @@ $ caprint -l
|
|||
There is an option -p that has been designed to add the current set of ambient capabilities to the shell prompt,
|
||||
so it is easier for the user to recognize when a shell has some "extra power", so to avoid errors.
|
||||
|
||||
In .bashrc or .bash_profile (or in their system-side counterparts in /etc) it is possible to set rules like
|
||||
In .bashrc or .bash\_profile (or in their system-side counterparts in /etc) it is possible to set rules like
|
||||
the followings:
|
||||
```
|
||||
if which caprint >&/dev/null ; then
|
||||
|
|
|
@ -1,21 +1,20 @@
|
|||
cmake_minimum_required(VERSION 3.13)
|
||||
cmake_minimum_required(VERSION 3.7)
|
||||
|
||||
set(RONN_ORGANIZATION "VirtualSquare")
|
||||
set(RONN_ARGS --organization=${RONN_ORGANIZATION})
|
||||
set(PANDOC_ORG "VirtualSquare")
|
||||
|
||||
# #ronn pages
|
||||
# ### pandoc pages
|
||||
|
||||
file(GLOB VU_RONN_PAGES ${CMAKE_CURRENT_SOURCE_DIR}/*.[1-8].ronn)
|
||||
file(GLOB VU_PANDOC_PAGES ${CMAKE_CURRENT_SOURCE_DIR}/*.[1-8].md)
|
||||
set(VU_MAN_FILES)
|
||||
foreach(VU_RONN_PATH IN LISTS VU_RONN_PAGES)
|
||||
# VU_RONNPAGE: basename of VU_RONN_PATH
|
||||
get_filename_component(VU_RONNPAGE ${VU_RONN_PATH} NAME)
|
||||
# VU_MANPAGE: VU_RONNPAGE without the suffix
|
||||
string(REGEX REPLACE "\.ronn$" "" VU_MANPAGE ${VU_RONNPAGE})
|
||||
foreach(VU_PANDOC_PATH IN LISTS VU_PANDOC_PAGES)
|
||||
# VU_PANDOCPAGE: basename of VU_PANDOC_PATH
|
||||
get_filename_component(VU_PANDOCPAGE ${VU_PANDOC_PATH} NAME)
|
||||
# VU_MANPAGE: VU_PANDOCPAGE without the suffix
|
||||
string(REGEX REPLACE "\.md$" "" VU_MANPAGE ${VU_PANDOCPAGE})
|
||||
list(APPEND VU_MAN_FILES ${VU_MANPAGE})
|
||||
endforeach(VU_RONN_PATH)
|
||||
endforeach(VU_PANDOC_PATH)
|
||||
|
||||
add_custom_target(${PROJECT_NAME}_manpages ALL make RONN_ARGS="${RONN_ARGS}" ${VU_MAN_FILES}
|
||||
add_custom_target(${PROJECT_NAME}_manpages ALL make PANDOC_ORG="${PANDOC_ORG}" ${VU_MAN_FILES}
|
||||
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
|
||||
|
||||
### man pages
|
||||
|
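Review bot: The regex in the new `string(REGEX REPLACE "\.md$" "" VU_MANPAGE ${VU_PANDOCPAGE})` does not actually escape the dot: in a CMake quoted argument `\.` is an identity escape that yields a bare `.`, so the pattern is `.md$` (any character followed by md); `"\\.md$"` is what was intended. It is harmless here only because the glob above already restricts the input to `*.[1-8].md`, and the old `"\.ronn$"` had the same slip. Lowering `cmake_minimum_required` to 3.7 in this subdirectory has no effect while the top-level file still requires 3.13 and just makes the two files disagree; keeping 3.13 (or dropping the line here) avoids the confusion.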
|
20
man/Makefile
20
man/Makefile
|
@ -1,16 +1,18 @@
|
|||
RONN=ronn
|
||||
RONNOK := $(shell command -v ${RONN} 2> /dev/null)
|
||||
PANDOC=pandoc
|
||||
PANDOCOK := $(shell command -v ${PANDOC} 2> /dev/null)
|
||||
|
||||
none:
|
||||
|
||||
% : %.ronn
|
||||
ifdef RONNOK
|
||||
% : %.md
|
||||
ifdef PANDOCOK
|
||||
# copy copyright notice
|
||||
grep "^\.\\\\\"" $< > $@ || true
|
||||
# run ronn
|
||||
$(RONN) -r ${RONN_ARGS} --pipe $< >> $@
|
||||
# delete useless trailing "" in .TH
|
||||
sed -i '/^\.TH /s/ ""$$//' $@
|
||||
# run pandoc
|
||||
$(eval SECTION := $(subst .,,$(suffix $@)))
|
||||
$(eval BASENAME := $(basename $@))
|
||||
$(eval TITLE := $(shell echo "${BASENAME}\(${SECTION}\)" | tr [:lower:] [:upper:]))
|
||||
$(eval HEADER := "$(shell man ${SECTION} intro | head -1 | sed -e 's/^[^[:blank:]]*[[:blank:]]*//' -e 's/[[:blank:]]*[^[:blank:]]*$$//' )")
|
||||
$(PANDOC) -standalone -M title=${TITLE} -M section=${SECTION} -M header=${HEADER} -M footer=${PANDOC_ORG} -M "date=`date +\"%B %Y\"`" --to man $< >> $@
|
||||
else
|
||||
echo "${RONN} is not available. Manpage $@ cannot be updated" >/dev/stderr >&2
|
||||
echo "${PANDOC} is not available. Manpage $@ cannot be updated" >/dev/stderr >&2
|
||||
endif
|
||||
|
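Review bot: The new pandoc recipe line passes `-standalone` with a single dash; the documented spelling is `--standalone` (or `-s`), and with short-option parsing the trailing letters are liable to be read as further options, so this should be checked against the pandoc version in use. The `.TH` date comes from `date +"%B %Y"`, which is locale-dependent and makes the built man pages unreproducible; honouring `SOURCE_DATE_EPOCH` when it is set (with the current date as the fallback) would fix that. The `man ${SECTION} intro | head -1` lookup also makes the build depend on the installed manpages, so HEADER silently becomes empty on a system without the intro pages; a comment noting that fallback would be enough.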
|
|
@ -15,7 +15,7 @@ cado \- Capability Ambient DO
|
|||
]
|
||||
|
||||
.SH DESCRIPTION
|
||||
Cado permits to delegate capabilities to users.
|
||||
Cado allows the system administrator to delegate capabilities to users.
|
||||
Cado is a capability based sudo. Sudo allows authorized users to run programs as root (or as another user),
|
||||
cado allows authorized users to run programs with specific (ambient) capabilities.
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ cadrop \- Capability Ambient Drop
|
|||
]
|
||||
|
||||
.SH DESCRIPTION
|
||||
Cadrop permits to drop (ambient) capabilities.
|
||||
Cadrop allows users to drop (ambient) capabilities.
|
||||
|
||||
Cadrop launches the command indicated as a parameter ($SHELL if omitted) dropping all the capabilities
|
||||
listed in the capability_list.
|
||||
|
|
|
@ -20,8 +20,8 @@ scado \- Script Capability Ambient DO
|
|||
|
||||
.SH DESCRIPTION
|
||||
|
||||
\fBcado(1)\fR permits to delegate capabilities to users.
|
||||
Users can grant a subset of these ambient capabilities to trusted programs.
|
||||
\fBcado(1)\fR allows the system administrator to delegate capabilities to users.
|
||||
Users can grant a subset of these ambient capabilities to trusted programs.
|
||||
Each user can define their own list of trusted programs and which capabilities to grant, using a scado file.
|
||||
\fBcado -S\fR or \fBcado --scado\fR run those trusted programs without any further authentication.
|
||||
In this way it is also possible to run programs requiring specific capabilities within a bash script.
|
||||
|
|
|
@ -1,27 +1,27 @@
|
|||
cmake_minimum_required(VERSION 3.13)
|
||||
|
||||
add_executable(
|
||||
cado cado.c pam_check.c get_user_groups.c capset_from_namelist.c
|
||||
read_conf.c set_ambient_cap.c compute_digest.c file_utils.c
|
||||
scado_parse.c cado_scado_check.c
|
||||
cado cado.c pam_check.c get_user_groups.c capset_from_namelist.c
|
||||
read_conf.c set_ambient_cap.c compute_digest.c file_utils.c
|
||||
scado_parse.c cado_scado_check.c
|
||||
)
|
||||
target_include_directories(cado PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE_BINARY_DIR}/include)
|
||||
target_link_libraries(
|
||||
cado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
|
||||
${execs_library})
|
||||
cado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
|
||||
${execs_library})
|
||||
|
||||
add_executable(cadrop cadrop.c capset_from_namelist.c set_ambient_cap.c)
|
||||
target_include_directories(cadrop PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE_BINARY_DIR}/include)
|
||||
target_link_libraries(cadrop ${cap_library})
|
||||
|
||||
add_executable(
|
||||
scado scado.c pam_check.c file_utils.c compute_digest.c
|
||||
capset_from_namelist.c scado_parse.c
|
||||
scado scado.c pam_check.c file_utils.c compute_digest.c
|
||||
capset_from_namelist.c scado_parse.c
|
||||
)
|
||||
target_include_directories(scado PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE_BINARY_DIR}/include)
|
||||
target_link_libraries(
|
||||
scado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
|
||||
${execs_library}
|
||||
scado ${pam_library} ${pam_misc_library} ${cap_library} ${mhash_library}
|
||||
${execs_library}
|
||||
)
|
||||
|
||||
add_executable(caprint caprint.c)
|
||||
|
@ -29,19 +29,19 @@ target_include_directories(caprint PRIVATE ${PROJECT_SOURCE_DIR}/include ${CMAKE
|
|||
target_link_libraries(caprint ${cap_library})
|
||||
|
||||
install(
|
||||
TARGETS cado cadrop scado caprint
|
||||
RUNTIME
|
||||
DESTINATION ${CMAKE_INSTALL_BINDIR}
|
||||
TARGETS cado cadrop scado caprint
|
||||
RUNTIME
|
||||
DESTINATION ${CMAKE_INSTALL_BINDIR}
|
||||
)
|
||||
|
||||
if(NOT DEBUILD)
|
||||
install(
|
||||
CODE "execute_process(
|
||||
COMMAND ${CMAKE_COMMAND}
|
||||
-DBINDIR=${CMAKE_INSTALL_FULL_BINDIR}
|
||||
-DLIBDIR=${CMAKE_INSTALL_FULL_LIBDIR}
|
||||
-DCADO_SPOOL_DIR=${CADO_SPOOL_DIR}
|
||||
-P ${PROJECT_SOURCE_DIR}/PostInstall.cmake
|
||||
)"
|
||||
)
|
||||
if(CADO_RUN_POST_INSTALL)
|
||||
install(
|
||||
CODE "execute_process(
|
||||
COMMAND ${CMAKE_COMMAND}
|
||||
-DBINDIR=${CMAKE_INSTALL_FULL_BINDIR}
|
||||
-DLIBDIR=${CMAKE_INSTALL_FULL_LIBDIR}
|
||||
-DCADO_SPOOL_DIR=${CADO_SPOOL_DIR}
|
||||
-P ${PROJECT_SOURCE_DIR}/PostInstall.cmake
|
||||
)"
|
||||
)
|
||||
endif()
|
||||
|
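Review bot: The `install(CODE ...)` block in the second hunk now runs whenever `CADO_RUN_POST_INSTALL` is ON, and it hands PostInstall.cmake the absolute `CMAKE_INSTALL_FULL_*` paths, so a staged install (`make install DESTDIR=/tmp/pkg`) would run the post-install step against the live system directories instead of the staging root — the situation the old `DEBUILD` guard appears to have existed for. Since `install(CODE)` is evaluated at install time, it can check the environment itself: wrapping the `execute_process(...)` inside the string with `if(NOT DEFINED ENV{DESTDIR})` … `endif()` gives packagers the safe behaviour without their having to know about the option. The `-DCADO_SPOOL_DIR=${CADO_SPOOL_DIR}` argument is also unquoted inside the generated script, so an install prefix containing a space would split it; `\"-DCADO_SPOOL_DIR=${CADO_SPOOL_DIR}\"` keeps it one argument, and the BINDIR and LIBDIR arguments want the same treatment.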
|
|
@ -71,7 +71,7 @@ void usage(char *progname) {
|
|||
fprintf(stderr," -f, --force do not display warnings, do what is allowed\n");
|
||||
fprintf(stderr," -v, --verbose generate extra output\n");
|
||||
fprintf(stderr," -S, --scado check scado pre-authorization for scripts\n");
|
||||
fprintf(stderr," -s, --setcap set the minimun caps for %s (root access)\n",progname);
|
||||
fprintf(stderr," -s, --setcap set the minimum caps for %s (root access)\n",progname);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
/*
|
||||
/*
|
||||
* cado: execute a command in a capability ambient
|
||||
* Copyright (C) 2016 Renzo Davoli, University of Bologna
|
||||
*
|
||||
*
|
||||
* This file is part of cado.
|
||||
*
|
||||
* Cado is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
* along with this program; If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
|
@ -96,7 +96,7 @@ uint64_t get_authorized_caps(char **user_groups, uint64_t reqset) {
|
|||
if (user_groups == NULL) {
|
||||
ok_caps |= capset;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
//printf("CAP %s %d\n",tok,thiscap);
|
||||
while ((tok=strtok_r(tokenusergroup, ",\n ",&tmptok)) != NULL) {
|
||||
//printf("XX %s\n",tok);
|
||||
|
@ -113,7 +113,12 @@ uint64_t get_authorized_caps(char **user_groups, uint64_t reqset) {
|
|||
}
|
||||
if (usermatch) {
|
||||
if (tokencondition) {
|
||||
if (system_execsa(tokencondition) == 0)
|
||||
if
|
||||
#if defined(EXECS_SOVERSION) && EXECS_SOVERSION > 0
|
||||
(system_execsqa(tokencondition) == 0)
|
||||
#else
|
||||
(system_execsa(tokencondition) == 0)
|
||||
#endif
|
||||
ok_caps |= capset;
|
||||
} else
|
||||
ok_caps |= capset;
|
||||
|
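Review bot: Splitting the `if` across `#if`/`#else` in the second hunk leaves a bare `if` on its own line with the condition chosen by the preprocessor, which is legal but hard to read and easy to break on the next edit; selecting the function once in a macro keeps the control flow intact. Which libexecs entry point runs the condition also changes with the installed library (`system_execsqa` when `EXECS_SOVERSION` is positive, `system_execsa` otherwise); the two presumably differ in how the command string is tokenized, so a comment stating the intended difference — and that the condition text appears to come from the root-owned configuration file rather than from the requesting user — would help whoever next touches this. get_authorized_caps begins and ends outside both hunks.
```c
/* … unchanged: includes … */
#if defined(EXECS_SOVERSION) && EXECS_SOVERSION > 0
#define CADO_RUN_CONDITION(cmd) system_execsqa(cmd)
#else
#define CADO_RUN_CONDITION(cmd) system_execsa(cmd)
#endif

/* … unchanged: get_authorized_caps up to the usermatch test … */
				if (tokencondition) {
					if (CADO_RUN_CONDITION(tokencondition) == 0)
						ok_caps |= capset;
				} else
					ok_caps |= capset;
```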
|