1 // $Id: reducecap.c 2279 2006-01-22 19:31:53Z ensc $
3 // Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
4 // based on reducecap.cc by Jacques Gelinas
6 // This program is free software; you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation; either version 2, or (at your option)
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
16 // You should have received a copy of the GNU General Public License
17 // along with this program; if not, write to the Free Software
18 // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
33 #include <sys/param.h>
35 #define ENSC_WRAPPERS_PREFIX "reducecap: "
36 #define ENSC_WRAPPERS_VSERVER 1
37 #define ENSC_WRAPPERS_UNISTD 1
42 #include "capability-compat.h"
45 #define CMD_HELP 0x1000
46 #define CMD_VERSION 0x1001
48 #define CMD_SHOW 0x2000
49 #define CMD_PID 0x2001
51 #define CMD_CAP 0x4000
52 #define CMD_FLAG 0x4004
53 #define CMD_SECURE 0x4006
55 #ifdef VC_ENABLE_API_LEGACY
56 # define CMD_OBSOLETE_CHOWN 0x8000
57 # define CMD_OBSOLETE_DAC_OVERRIDE 0x8001
58 # define CMD_OBSOLETE_DAC_READ_SEARCH 0x8002
59 # define CMD_OBSOLETE_FOWNER 0x8003
60 # define CMD_OBSOLETE_FSETID 0x8004
61 # define CMD_OBSOLETE_KILL 0x8005
62 # define CMD_OBSOLETE_SETGID 0x8006
63 # define CMD_OBSOLETE_SETUID 0x8007
64 # define CMD_OBSOLETE_SETPCAP 0x8008
65 # define CMD_OBSOLETE_SYS_TTY_CONFIG 0x8009
66 # define CMD_OBSOLETE_LEASE 0x800a
67 # define CMD_OBSOLETE_SYS_CHROOT 0x800b
68 # define CMD_OBSOLETE_X_LINUX_IMMUTABLE 0x800c
69 # define CMD_OBSOLETE_X_NET_BIND_SERVICE 0x800d
70 # define CMD_OBSOLETE_X_NET_BROADCAST 0x800e
71 # define CMD_OBSOLETE_X_NET_ADMIN 0x800f
72 # define CMD_OBSOLETE_X_NET_RAW 0x8010
73 # define CMD_OBSOLETE_X_IPC_LOCK 0x8011
74 # define CMD_OBSOLETE_X_IPC_OWNER 0x8012
75 # define CMD_OBSOLETE_X_SYS_MODULE 0x8013
76 # define CMD_OBSOLETE_X_SYS_RAWIO 0x8014
77 # define CMD_OBSOLETE_X_SYS_PACCT 0x8015
78 # define CMD_OBSOLETE_X_SYS_ADMIN 0x8016
79 # define CMD_OBSOLETE_X_SYS_BOOT 0x8017
80 # define CMD_OBSOLETE_X_SYS_NICE 0x8018
81 # define CMD_OBSOLETE_X_SYS_RESOURCE 0x8019
82 # define CMD_OBSOLETE_X_SYS_TIME 0x801a
83 # define CMD_OBSOLETE_X_MKNOD 0x801b
84 # define CMD_OBSOLETE_X_QUOTACTL 0x801c
86 static char const * const OBSOLETE_MAPPING[] = {
88 "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER",
89 "FSETID", "KILL", "SETGID", "SETUID",
90 "SETPCAP", "SYS_TTY_CONFIG", "LEASE", "SYS_CHROOT",
91 "LINUX_IMMUTABLE", "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN",
92 "NET_RAW", "IPC_LOCK", "IPC_OWNER", "SYS_MODULE",
93 "SYS_RAWIO", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT",
94 "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "MKNOD",
100 { "help", no_argument, 0, CMD_HELP },
101 { "version", no_argument, 0, CMD_VERSION },
102 { "cap", required_argument, 0, CMD_CAP },
103 { "flag", required_argument, 0, CMD_FLAG },
104 { "secure", no_argument, 0, CMD_SECURE },
105 { "show", no_argument, 0, CMD_SHOW },
106 { "pid", required_argument, 0, CMD_PID },
107 #ifdef VC_ENABLE_API_LEGACY
108 { "CAP_CHOWN", no_argument, 0, CMD_OBSOLETE_CHOWN },
109 { "CAP_DAC_OVERRIDE", no_argument, 0, CMD_OBSOLETE_DAC_OVERRIDE },
110 { "CAP_DAC_READ_SEARCH", no_argument, 0, CMD_OBSOLETE_DAC_READ_SEARCH },
111 { "CAP_FOWNER", no_argument, 0, CMD_OBSOLETE_FOWNER },
112 { "CAP_FSETID", no_argument, 0, CMD_OBSOLETE_FSETID },
113 { "CAP_KILL", no_argument, 0, CMD_OBSOLETE_KILL },
114 { "CAP_SETGID", no_argument, 0, CMD_OBSOLETE_SETGID },
115 { "CAP_SETUID", no_argument, 0, CMD_OBSOLETE_SETUID },
116 { "CAP_SETPCAP", no_argument, 0, CMD_OBSOLETE_SETPCAP },
117 { "CAP_SYS_TTY_CONFIG", no_argument, 0, CMD_OBSOLETE_SYS_TTY_CONFIG },
118 { "CAP_LEASE", no_argument, 0, CMD_OBSOLETE_LEASE },
119 { "CAP_SYS_CHROOT", no_argument, 0, CMD_OBSOLETE_SYS_CHROOT },
120 { "--CAP_LINUX_IMMUTABLE", no_argument, 0, CMD_OBSOLETE_X_LINUX_IMMUTABLE },
121 { "--CAP_NET_BIND_SERVICE", no_argument, 0, CMD_OBSOLETE_X_NET_BIND_SERVICE },
122 { "--CAP_NET_BROADCAST", no_argument, 0, CMD_OBSOLETE_X_NET_BROADCAST },
123 { "--CAP_NET_ADMIN", no_argument, 0, CMD_OBSOLETE_X_NET_ADMIN },
124 { "--CAP_NET_RAW", no_argument, 0, CMD_OBSOLETE_X_NET_RAW },
125 { "--CAP_IPC_LOCK", no_argument, 0, CMD_OBSOLETE_X_IPC_LOCK },
126 { "--CAP_IPC_OWNER", no_argument, 0, CMD_OBSOLETE_X_IPC_OWNER },
127 { "--CAP_SYS_MODULE", no_argument, 0, CMD_OBSOLETE_X_SYS_MODULE },
128 { "--CAP_SYS_RAWIO", no_argument, 0, CMD_OBSOLETE_X_SYS_RAWIO },
129 { "--CAP_SYS_PACCT", no_argument, 0, CMD_OBSOLETE_X_SYS_PACCT },
130 { "--CAP_SYS_ADMIN", no_argument, 0, CMD_OBSOLETE_X_SYS_ADMIN },
131 { "--CAP_SYS_BOOT", no_argument, 0, CMD_OBSOLETE_X_SYS_BOOT },
132 { "--CAP_SYS_NICE", no_argument, 0, CMD_OBSOLETE_X_SYS_NICE },
133 { "--CAP_SYS_RESOURCE", no_argument, 0, CMD_OBSOLETE_X_SYS_RESOURCE },
134 { "--CAP_SYS_TIME", no_argument, 0, CMD_OBSOLETE_X_SYS_TIME },
135 { "--CAP_MKNOD", no_argument, 0, CMD_OBSOLETE_X_MKNOD },
136 { "--CAP_QUOTACTL", no_argument, 0, CMD_OBSOLETE_X_QUOTACTL },
141 int wrapper_exit_code = 255;
144 showHelp(int fd, char const *cmd, int res)
146 #if !defined(VC_ENABLE_API_COMPAT) && !defined(VC_ENABLE_API_LEGACY)
147 WRITE_MSG(1, "ERROR: tools were built without legacy API support; reducecap will not work!\n\n");
150 WRITE_MSG(fd, "Usage:\n ");
153 " [--show] [--secure] [--flag <flag>] [--cap <capability>] [--] <cmd> <args>*\n ");
156 " --show [--pid <pid>]\n\n"
157 "Please report bugs to " PACKAGE_BUGREPORT "\n");
166 "reducecap " VERSION " -- starts programs with reduced capabilities\n"
167 "This program is part of " PACKAGE_STRING "\n\n"
168 "Copyright (C) 2003,2004 Enrico Scholz\n"
169 VERSION_COPYRIGHT_DISCLAIMER);
174 printReducecap(struct __user_cap_data_struct *user)
177 WRITE_MSG(1, " Capability Effective Permitted Inheritable\n");
180 size_t const len = 23 + 10*2 + 4+2;
181 char const * text = vc_cap2text(i);
187 memset(buf, ' ', sizeof buf);
189 l = MIN(strlen(text), 22);
190 memcpy(buf, text, l);
191 buf[23 + 10*0 + 4] = (user->effective & bit) ? 'X' : ' ';
192 buf[23 + 10*1 + 4] = (user->permitted & bit) ? 'X' : ' ';
193 buf[23 + 10*2 + 4] = (user->inheritable & bit) ? 'X' : ' ';
201 struct __user_cap_header_struct header;
202 struct __user_cap_data_struct user;
203 header.version = _LINUX_CAPABILITY_VERSION;
205 if (capget(&header,&user)==-1){
206 perror ("reducecap: capget()");
207 exit(wrapper_exit_code);
210 printReducecap(&user);
213 #if defined(VC_ENABLE_API_COMPAT) || defined(VC_ENABLE_API_LEGACY)
216 getCap(char const *cap)
218 int bit = vc_text2cap(cap);
220 WRITE_MSG(2, "Unknown capability '");
221 WRITE_STR(2, optarg);
222 WRITE_MSG(2, "'; try '--help' for more information\n");
223 exit(wrapper_exit_code);
231 int main (int argc, char *argv[])
234 bool do_show = false;
237 #ifdef VC_ENABLE_API_LEGACY
238 bool show_obsolete_warning = true;
242 int c = getopt_long(argc, argv, "+", CMDLINE_OPTIONS, 0);
245 #ifdef VC_ENABLE_API_LEGACY
246 if (c>=CMD_OBSOLETE_CHOWN && c<=CMD_OBSOLETE_X_QUOTACTL) {
247 if (show_obsolete_warning) {
248 WRITE_MSG(2, "reducecap: warning, obsolete CLI used\n");
249 show_obsolete_warning = false;
252 remove = getCap(OBSOLETE_MAPPING[c-CMD_OBSOLETE_CHOWN]);
257 case CMD_HELP : showHelp(1, argv[0], 0);
258 case CMD_VERSION : showVersion();
259 case CMD_SHOW : do_show = true; break;
260 case CMD_PID : pid = atoi(optarg); break;
261 #if defined(VC_ENABLE_API_COMPAT) || defined(VC_ENABLE_API_LEGACY)
262 case CMD_SECURE : remove = vc_get_insecurebcaps(); break;
263 case CMD_CAP : remove = getCap(optarg); break;
265 struct vc_err_listparser err;
267 flags = vc_list2cflag_compat(optarg, 0, &err);
269 WRITE_MSG(2, "Unknown flag '");
270 Vwrite(2, err.ptr, err.len);
272 exit(wrapper_exit_code);
279 case CMD_FLAG : flags = 0; remove = 0; break;
284 if (!do_show && optind==argc) {
285 WRITE_MSG(2, "No command given; use '--help' for more information\n");
286 exit(wrapper_exit_code);
289 if (!do_show && pid!=0) {
290 WRITE_MSG(2, "A pid can be specified in '--show' mode only; use '--help' for more information\n");
291 exit(wrapper_exit_code);
294 if (do_show && optind==argc)
296 #if defined(VC_ENABLE_API_COMPAT) || defined(VC_ENABLE_API_LEGACY)
298 Evc_new_s_context(VC_SAMECTX, remove, flags);
299 if (do_show) show(pid);
301 WRITE_MSG(2, "Executing\n");
302 Eexecvp(argv[optind], argv+optind);
308 WRITE_MSG(2, "reducecap: tools were built without legacy API support; can not continue\n");
309 exit(wrapper_exit_code);