Security Incidents mailing list archives

Domas Mituzas' Linux perl script (immutable bit etc)


From: rickt () UNIXLABS NET (Rick Tait)
Date: Fri, 24 Mar 2000 14:37:57 -0500


OK folks,

I have Domas' permission to post the script publicly to the list. It
works great for me, I suggest we all look into locking down our binaries
with something like this. Note that you can do a whole lot more with
capbounds than fiddling with immutable bits. Using 'capbounds list' will
give you a list of stuff to further look into. Domas is also going to
be putting up further documentation on his website. I'll add a link to
it (when I find out what it is) on unixlabs. Here's the script:

--- snip snip snip ---
#!/usr/bin/perl
#
#
# system capability boundaries tool.
# author: Domas Mituzas <midom () dammit lt>
# development hosts: home2.dammit.lt
# flag.dammit.lt
# path: /sbin/capbounds
# revision: 1.0 (1999/Aug/22 - 12.00CEST) - midom@flag
#
use strict;
use warnings;
# The kernel exposes cap-bound as a signed int (-1 = every capability set);
# signed integer arithmetic keeps our masks in that same representation.
use integer;

my %caps;       # capability name (lower case) => bit number
my $boundary;   # current bounding set, as read from /proc
my @scaps;      # sorted capability names

# Parse the CAP_* defines out of the kernel header.
sub get_caps {
    unless(open(DEFINES,"</usr/include/linux/capability.h")) {
        print STDERR "Can't open /usr/include/linux/capability.h: $!\n";
        return;
    }

    while(<DEFINES>) {
        if (/^#define CAP_([A-Z_]+)\s+(\d+)\s*$/) {
            $caps{lc($1)}=$2;
        }
    }
    close(DEFINES);
}

# Read the current bounding set; needs the cap-bound sysctl (2.2.11+).
sub get_bound {
    unless(open(BOUND,"</proc/sys/kernel/cap-bound")) {
        print STDERR "Can't open /proc/sys/kernel/cap-bound: $!\nMake sure you are running 2.2.11 or newer kernel.\n";
        exit 1;
    }
    while(<BOUND>){
        # the value turns positive once bit 31 has been cleared, so accept both signs
        if (/(-?\d+)/) {
            close BOUND;
            return $1;
        }
    }
    close BOUND;
    print STDERR "Could not parse /proc/sys/kernel/cap-bound.\n";
    exit 1;
}

sub show_usage {
    print <<END;
system capabilities setting tool

capbounds {list|set capability [capability [...]]}
END
}

# Bit number => single-bit mask.
sub cap_to_mask {
    my $tmpcap=$_[0];
    return (1 << ($tmpcap));
}

# Print every known capability with its state in the bounding set.
sub list_caps {
    foreach my $cap (@scaps) {
        my $mask = cap_to_mask($caps{$cap});
        my $status;
        if (($mask & $boundary) != 0) {
            $status="enabled";
        } else {
            $status="disabled";
        }
        printf("%-30s\t%10s\n", $cap,$status);
    }
}

&get_caps;
$boundary=get_bound();
@scaps=sort keys %caps;

my $cmd = defined $ARGV[0] ? $ARGV[0] : "";
if ($cmd eq "list") {&list_caps;}
elsif ($cmd eq "help") {&show_usage;}
elsif ($cmd eq "set") {
    if ($#ARGV==0) {&show_usage;} else {
        my @tounset;
        foreach (@ARGV[1..$#ARGV]) {
            if (/^([a-z_]+)$/i) {
                if (!defined $caps{lc($1)}) {
                    print STDERR "Warning: capability $1 does not exist. \nConsult 'list' command.\n";
                } else {
                    push @tounset,lc($1);
                }
            } else {
                print STDERR "Warning: $_ command not recognized.\n";
            }
        }
        # clear the requested bits; this tool only ever shrinks the bounding set
        foreach my $cap (@tounset) {
            $boundary &= ~cap_to_mask($caps{$cap});
        }
        unless (open(CAPBOUND,">/proc/sys/kernel/cap-bound")) {
            print STDERR "Could not open /proc/sys/kernel/cap-bound for writing: $!.\nMake sure you are running 2.2.11 or newer kernel.\n";
            exit 1;
        }

        print CAPBOUND $boundary;

        close CAPBOUND;
    }
} else {&show_usage;}

# it's the end :-)
--- snip snip snip ---

Thanks,
Rick.

--
main(v, c)char**c;{for(v[c++]="Rick Tait <rickt () UNIXLABS NET>\n)";(!!c)[*
c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}
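
An added example, not part of Domas' script or Rick's post: the same cap-bound bit arithmetic in Python, parsing a constructed excerpt of capability.h and folding results into the signed 32-bit form the 2.2 kernel prints (which is why the script's regex matches a leading minus sign). The SAMPLE_HEADER text and the function names are assumptions made for this example.

```python
import re

# Constructed excerpt in the shape of /usr/include/linux/capability.h
# (bit numbers as in the 2.2-era header; the real file has many more).
SAMPLE_HEADER = """
#define CAP_CHOWN            0
#define CAP_DAC_OVERRIDE     1
#define CAP_LINUX_IMMUTABLE  9
#define CAP_NET_ADMIN        12
#define CAP_SYS_MODULE       16
#define CAP_SYS_RAWIO        17
#define CAP_SYS_ADMIN        21
"""

CAP_DEFINE = re.compile(r"^#define\s+CAP_([A-Z_]+)\s+(\d+)\s*$")

def parse_caps(header_text):
    """Lower-case capability name -> bit number, like the script's get_caps()."""
    caps = {}
    for line in header_text.splitlines():
        m = CAP_DEFINE.match(line)
        if m:
            caps[m.group(1).lower()] = int(m.group(2))
    return caps

def to_signed32(mask):
    """Fold a mask into the signed 32-bit int that 2.2 prints in cap-bound."""
    mask &= 0xFFFFFFFF
    return mask - (1 << 32) if mask & 0x80000000 else mask

def decode_bound(bound, caps):
    """Map each known capability to 'enabled'/'disabled' for a cap-bound value."""
    mask = bound & 0xFFFFFFFF
    return {name: "enabled" if mask & (1 << bit) else "disabled"
            for name, bit in sorted(caps.items())}

def clear_caps(bound, names, caps):
    """New cap-bound value with the named capabilities dropped (bits only
    ever clear, matching the script's '$boundary &= ~mask'); unknown names
    raise KeyError instead of being silently ignored."""
    mask = bound & 0xFFFFFFFF
    for name in names:
        mask &= ~(1 << caps[name.lower()]) & 0xFFFFFFFF
    return to_signed32(mask)

if __name__ == "__main__":
    caps = parse_caps(SAMPLE_HEADER)
    bound = clear_caps(-1, ["sys_module", "linux_immutable"], caps)
    print(bound)  # -66049, what the kernel would then show in cap-bound
    for name, status in decode_bound(bound, caps).items():
        print(f"{name:<20} {status}")
```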
