#!/bin/sh
# vim: tabstop=4
#
# author: chris friedhoff - chris@friedhoff.org
# version: pcaps4server 5 Tue Mar 11 2008
#
#
# changelog:
# 1 - initial release pcaps4convenience
# 1 - 2007.02.15 - initial release
# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; suppressed error of id
# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
# 4 - renamed to pcaps4server
#     removed suid0 and convenience files,
#     they are now in pcaps4suid0 resp. pcaps4convenience
# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
#
#
###########################################################################
# change the installation of different servers so that they no longer run
# as root but as their own unprivileged user. The binary carries the needed
# POSIX Capabilities in its file capability set.
# to ensure that the server is really started as its respective user, we set
# the suid bit (BUT NOT suid 0)!
# order matters in every convert function: chown first, because changing the
# owner clears the file capabilities; setcap comes last.
# paths are hard coded and derive from a slackware system
# change it to your needs !!
###########################################################################



VERBOSE="-v"
#VERBOSE=""
APPS=""

message(){
	printRedMessage "$1"
}

printRedMessage(){
	# print message in red and switch back to the default colour
	printf '\n\033[00;31m %s ...\033[00;00m\n\n' "$1"
}

printGreenMessage(){
	# print message in green and switch back to the default colour
	printf '\033[00;32m %s ...\033[00;00m\n' "$1"
	sleep 0.5
}

checkReturnCode(){
	# must be called directly after the command to check: $? is the
	# exit status of the last command run before this function was entered
	if [ "$?" != "0" ]; then
		printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
		exit 1
	else
		printGreenMessage ":-)"
		sleep 0.5
	fi
}



p4r_test(){
	# for now, we work with root
	if [ "$( id -u )" != "0" ]; then
		echo "Sorry, you must be root !"
		exit 1
	fi
}




# apache 1.3
########
#APPS="$APPS apache1"
apache1_convert(){
	message "converting apache1"
	if [ "$( id -g apache 2>/dev/null )" = "" ]; then
		groupadd -g 60 apache
	fi
	if [ "$( id -u apache 2>/dev/null )" = "" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	# the space after User/Group keeps e.g. the UserDir directive untouched
	sed -i -e "{s|^\(User\) .*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
	chown $VERBOSE -R apache:apache /var/run/apache/
	chown $VERBOSE -R apache:apache /etc/apache/
	chown $VERBOSE -R apache:apache /var/log/apache/
	chown $VERBOSE apache:apache /usr/sbin/httpd
	chmod $VERBOSE u+s /usr/sbin/httpd
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}
apache1_revert(){
	message "reverting apache1"
	chown $VERBOSE -R root:root /var/run/apache/
	chown $VERBOSE -R root:root /etc/apache/
	chown $VERBOSE -R root:root /var/log/apache/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	setcap -r /usr/sbin/httpd
	checkReturnCode
	sed -i -e "{s|^\(User\) .*|\1 nobody|; s|^\(Group\) .*|\1 nogroup|}" /etc/apache/httpd.conf
	userdel apache
	groupdel apache
}


# apache 2.x
########
APPS="$APPS apache2"
apache2_convert(){
	message "converting apache2"
	if [ "$( id -g apache 2>/dev/null )" = "" ]; then
		groupadd -g 60 apache
	fi
	if [ "$( id -u apache 2>/dev/null )" = "" ]; then
		useradd -g apache -d / -u 600 apache
	fi
	# the space after User/Group keeps e.g. the UserDir directive untouched
	sed -i -e "{s|^\(User\) .*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
	chown $VERBOSE -R apache:apache /var/run/httpd/
	chown $VERBOSE -R apache:apache /etc/httpd/
	chown $VERBOSE -R apache:apache /var/log/httpd/
	chown $VERBOSE apache:apache /usr/sbin/httpd
	chmod $VERBOSE u+s /usr/sbin/httpd
	#setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
	setcap cap_net_bind_service=ep /usr/sbin/httpd
	checkReturnCode
}
apache2_revert(){
	message "reverting apache2"
	chown $VERBOSE -R root:root /var/run/httpd/
	chown $VERBOSE -R root:root /etc/httpd/
	chown $VERBOSE -R root:root /var/log/httpd/
	chown $VERBOSE root:root /usr/sbin/httpd
	chmod $VERBOSE u-s /usr/sbin/httpd
	setcap -r /usr/sbin/httpd
	checkReturnCode
	sed -i -e "{s|^\(User\) .*|\1 nobody|; s|^\(Group\) .*|\1 nogroup|}" /etc/httpd/httpd.conf
	userdel apache
	groupdel apache
}


# samba
#######
APPS="$APPS samba"
samba_convert(){
	message "converting samba"
	if [ "$( id -g samba 2>/dev/null )" = "" ]; then
		groupadd -g 61 samba
	fi
	if [ "$( id -u samba 2>/dev/null )" = "" ]; then
		useradd -g samba -d / -u 610 samba
	fi
	chown $VERBOSE -R samba:samba /var/log/samba
	chown $VERBOSE -R samba:samba /etc/samba
	chown $VERBOSE -R samba:samba /var/run/samba
	chown $VERBOSE -R samba:samba /var/cache/samba
	chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
	setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
	checkReturnCode
	setcap cap_net_bind_service=ep /usr/sbin/nmbd
	checkReturnCode
}

samba_revert(){
	message "reverting samba"
	chown $VERBOSE -R root:root /var/log/samba
	chown $VERBOSE -R root:root /etc/samba
	chown $VERBOSE -R root:root /var/run/samba
	chown $VERBOSE -R root:root /var/cache/samba
	chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
	chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
	setcap -r /usr/sbin/smbd
	checkReturnCode
	setcap -r /usr/sbin/nmbd
	checkReturnCode
	userdel samba
	groupdel samba
}


# bind
######
APPS="$APPS bind"
bind_convert(){
	message "converting bind"
	if [ "$( id -g bind 2>/dev/null )" = "" ]; then
		groupadd -g 62 bind
	fi
	if [ "$( id -u bind 2>/dev/null )" = "" ]; then
		useradd -g bind -d / -u 620 bind
	fi
	chown $VERBOSE -R bind:bind /var/run/named
	chown $VERBOSE -R bind:bind /var/named
	chown $VERBOSE bind:bind /etc/rndc.key
	chown $VERBOSE bind:bind /usr/sbin/named
	chmod $VERBOSE u+s /usr/sbin/named
	setcap cap_net_bind_service=ep /usr/sbin/named
	checkReturnCode
}
bind_revert(){
	message "reverting bind"
	chown $VERBOSE -R root:root /var/run/named
	chown $VERBOSE -R root:root /var/named
	chown $VERBOSE root:root /etc/rndc.key
	chown $VERBOSE root:root /usr/sbin/named
	chmod $VERBOSE u-s /usr/sbin/named
	setcap -r /usr/sbin/named
	checkReturnCode
	userdel bind
	groupdel bind
}


# dhcpd
#######
APPS="$APPS dhcpd"
dhcpd_convert(){
	message "converting dhcpd"
	if [ "$( id -g dhcpd 2>/dev/null )" = "" ]; then
		groupadd -g 63 dhcpd
	fi
	if [ "$( id -u dhcpd 2>/dev/null )" = "" ]; then
		useradd -g dhcpd -d / -u 630 dhcpd
	fi
	chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
	chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
	chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
	chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
	chmod $VERBOSE u+s /usr/sbin/dhcpd
	setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
	checkReturnCode
}
dhcpd_revert(){
	message "reverting dhcpd"
	chown $VERBOSE root:root /var/run/dhcpd
	chown $VERBOSE root:root /etc/dhcpd.conf
	chown $VERBOSE -R root:root /var/state/dhcp/
	chown $VERBOSE root:root /usr/sbin/dhcpd
	chmod $VERBOSE u-s /usr/sbin/dhcpd
	setcap -r /usr/sbin/dhcpd
	checkReturnCode
	userdel dhcpd
	groupdel dhcpd
}


# cupsd
#######
APPS="$APPS cupsd"
cupsd_convert(){
	message "converting cupsd"
	if [ "$( id -g cupsd 2>/dev/null )" = "" ]; then
		groupadd -g 64 cupsd
	fi
	if [ "$( id -u cupsd 2>/dev/null )" = "" ]; then
		useradd -g cupsd -d / -u 640 cupsd
	fi
	sed -i -e "{s|^\(User\) .*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
	chown $VERBOSE -R cupsd:cupsd /etc/cups
	chown $VERBOSE -R cupsd:cupsd /var/cache/cups
	chown $VERBOSE -R cupsd:cupsd /var/log/cups
	chown $VERBOSE -R cupsd:cupsd /var/spool/cups
	chown $VERBOSE -R cupsd:cupsd /var/run/cups
	chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
	chmod $VERBOSE u+s /usr/sbin/cupsd
	setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
	checkReturnCode
}
cupsd_revert(){
	message "reverting cupsd"
	chown $VERBOSE -R root:root /etc/cups
	chown $VERBOSE -R root:lp /var/cache/cups
	chown $VERBOSE -R root:root /var/log/cups
	chown $VERBOSE -R root:root /var/spool/cups
	chown $VERBOSE root:lp /var/run/cups
	chown $VERBOSE lp:sys /var/run/cups/certs
	chmod $VERBOSE 750 /var/run/cups/certs
	chown $VERBOSE root:root /usr/sbin/cupsd
	chmod $VERBOSE u-s /usr/sbin/cupsd
	setcap -r /usr/sbin/cupsd
	checkReturnCode
	sed -i -e "{s|^\(User\) .*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
	userdel cupsd
	groupdel cupsd
}


usage_message(){
	echo "Try 'pcaps4server help' for more information"
}


p4r_usage(){
	echo
	echo "pcaps4server"
	echo
	echo "pcaps4server stores the POSIX Capabilities that server binaries need to"
	echo "run successfully into their Permitted and Effective Set."
	echo "The servers are then able to run as an unprivileged user."
	echo "For each server software an unprivileged user is added to the system."
	echo "The ownership of all the respective paths is changed to this user."
	echo "To ensure that the server starts as this unprivileged user, the"
	echo "suid bit (NOT suid 0) is set."
	echo "Effectively this means every user can start these server daemons (for now)."
	echo "All paths are hard coded!"
	echo "You have been warned. Enjoy!"
	echo
	echo "Your Filesystem has to support extended attributes and your kernel must have"
	echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
	echo
	echo "Usage: pcaps4server [PROG] [con(vert)|rev(ert)|help]"
	echo
	echo "   con|convert  - from setuid0 to POSIX Capabilities"
	echo "   rev|revert   - from POSIX Capabilities back to setuid0"
	echo "   help         - this help message"
	echo
	echo "   PROG: $APPS"
	echo
}




case "$1" in
	con|convert)
		p4r_test
		for j in $APPS; do
			${j}_convert
		done
		exit
		;;
	rev|revert)
		p4r_test
		for j in $APPS; do
			${j}_revert
		done
		exit
		;;
	help)
		p4r_usage
		exit
		;;
esac

for i in ${APPS}; do
	if [ "$1" = "$i" ]; then
		case "$2" in
			con|convert)
				p4r_test
				${i}_convert
				exit
				;;
			rev|revert)
				p4r_test
				${i}_revert
				exit
				;;
			*)
				usage_message
				exit 1
				;;
		esac
	fi
done

usage_message
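After a convert run, the only thing that keeps these daemons at "unprivileged user plus a few capabilities" is the file capability set on each binary; the script itself never checks it back. The following Python audit is an added example, not part of pcaps4server: it parses getcap output (both the older "path = caps+ep" and the newer "path caps=ep" line formats), compares it against the per-binary sets the script grants, and reports missing caps, extra caps, and flag bits the script never sets (the inheritable bit). The getcap output it runs on is constructed for the demonstration; the simplification that the capability name "all" is not expanded is an assumption of this example.

```python
import re

# Per-binary capability sets that pcaps4server grants (taken from the script above).
EXPECTED_CAPS = {
    "/usr/sbin/httpd": {"cap_net_bind_service"},
    "/usr/sbin/smbd": {"cap_net_bind_service", "cap_sys_resource", "cap_dac_override"},
    "/usr/sbin/nmbd": {"cap_net_bind_service"},
    "/usr/sbin/named": {"cap_net_bind_service"},
    "/usr/sbin/dhcpd": {"cap_net_bind_service", "cap_net_raw"},
    "/usr/sbin/cupsd": {"cap_net_bind_service", "cap_dac_read_search"},
}

# The script always stores caps as Effective+Permitted, never Inheritable.
WANT_FLAGS = {"e", "p"}

# one textual clause: <cap[,cap...]><op><flags>, e.g. "cap_net_raw,cap_net_bind_service=ep"
_CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+-])([eip]*)$")


def parse_cap_text(text):
    """Parse a libcap textual capability set into {cap_name: set_of_flags}.
    Clauses are applied left to right with cap_from_text(3) semantics:
    '=' resets the cap to exactly these flags, '+' adds flags, '-' removes them.
    Assumption of this example: cap names are kept literal ('all' is not expanded)."""
    caps = {}
    for clause in text.split():
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError("unparseable capability clause: %r" % clause)
        names, op, flags = m.group(1), m.group(2), set(m.group(3))
        if not names:
            raise ValueError("clause without capability list: %r" % clause)
        for name in names.split(","):
            if op == "=":
                caps[name] = set(flags)          # fresh copy per cap
            elif op == "+":
                caps.setdefault(name, set()).update(flags)
            else:
                caps.setdefault(name, set()).difference_update(flags)
    # a cap with no flags left is simply not set
    return {name: flags for name, flags in caps.items() if flags}


def parse_getcap_line(line):
    """Parse one getcap output line, returning (path, caps).
    old libcap:  /usr/sbin/httpd = cap_net_bind_service+ep
    new libcap:  /usr/sbin/httpd cap_net_bind_service=ep"""
    parts = line.split()
    if len(parts) >= 3 and parts[1] == "=":
        path, text = parts[0], " ".join(parts[2:])
    elif len(parts) >= 2:
        path, text = parts[0], " ".join(parts[1:])
    else:
        raise ValueError("unparseable getcap line: %r" % line)
    return path, parse_cap_text(text)


def audit(getcap_output, expected=EXPECTED_CAPS):
    """Compare getcap output with the expected sets. Returns {path: [findings]};
    an empty list means the binary is exactly as the convert step left it.
    A missing cap means the daemon cannot bind its port as its own user; an
    unexpected cap or an inheritable flag is privilege the script never intended."""
    observed = {}
    for line in getcap_output.splitlines():
        if line.strip():
            path, caps = parse_getcap_line(line)
            observed[path] = caps
    findings = {}
    for path, want in expected.items():
        got = observed.get(path)
        if got is None:
            findings[path] = ["no file capabilities set"]
            continue
        have = set(got)
        probs = ["missing %s" % cap for cap in sorted(want - have)]
        probs += ["unexpected %s" % cap for cap in sorted(have - want)]
        for cap in sorted(want & have):
            if got[cap] != WANT_FLAGS:
                probs.append("%s flags %s (expected ep)" % (cap, "".join(sorted(got[cap]))))
        findings[path] = probs
    return findings


# Constructed getcap output for the demonstration (not captured from a real host):
# named has no caps at all, nmbd carries an inheritable bit, dhcpd lacks
# cap_net_raw and cupsd has picked up cap_sys_admin.
SAMPLE_GETCAP_OUTPUT = """\
/usr/sbin/httpd = cap_net_bind_service+ep
/usr/sbin/smbd cap_dac_override,cap_net_bind_service,cap_sys_resource=ep
/usr/sbin/nmbd cap_net_bind_service=eip
/usr/sbin/dhcpd cap_net_bind_service=ep
/usr/sbin/cupsd = cap_net_bind_service,cap_dac_read_search,cap_sys_admin+ep
"""

if __name__ == "__main__":
    for path, probs in sorted(audit(SAMPLE_GETCAP_OUTPUT).items()):
        print("%-18s %s" % (path, "; ".join(probs) if probs else "OK"))
```

On a converted host, feed it the real output of `getcap /usr/sbin/httpd /usr/sbin/smbd /usr/sbin/nmbd /usr/sbin/named /usr/sbin/dhcpd /usr/sbin/cupsd` instead of the constructed sample.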