system/cage: Added to 13.0 repository
This commit is contained in:
parent
2c4c0749bd
commit
29f9bed3ae
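--- /dev/null
+++ b/system/cage/<PATH-NOT-SHOWN-1>
@@ -0,0 +1,8 @@
+cage was wtitten to be a creator of unbreakable padded cells for untrusted
+applications. It can be used to chroot programs that want to run as root.
+For that to work though either sysvinit or the kernel need to be patched and
+recompiled (instructions on how to go about this are included in /usr/doc).
+
+However since filesystem capabilities are implemented it can also be used
+as a 'su' command with inheritance support, similar to the 'capsh' command
+from the libcap package (but featuring chroot support). See README.SLACKWARE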
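--- /dev/null
+++ b/system/cage/README.SLACKWARE
@@ -0,0 +1,22 @@
+For example:
+
+root@pc:~# chmod 0755 /bin/ping
+root@pc:~# setcap 'cap_net_raw=ie' /bin/ping
+
+root@pc:~# su menno
+menno@pc:/root$ ping -c1 www.zonnet.nl
+ping: icmp open socket: Operation not permitted
+menno@pc:/root$ exit
+
+root@pc:~# cage -u 1000 -c 'cap_setuid=pe cap_net_raw=pie' / /bin/sh
+menno@pc:/$ ping -c1 www.zonnet.nl
+PING www.zonnet.nl (62.58.50.202) 56(84) bytes of data.
+64 bytes from www.tele2.nl (62.58.50.202): icmp_seq=1 ttl=116 time=27.0 ms
+
+--- www.zonnet.nl ping statistics ---
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 27.054/27.054/27.054/0.000 ms
+menno@pc:/$ /sbin/getpcaps $$
+Capabilities for `7242': = cap_net_raw+i
+menno@pc:/$ exit
+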
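--- /dev/null
+++ b/system/cage/cage.SlackBuild
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# Slackware build script for cage
+
+# Written by Menno Duursma <druiloor@zonnet.nl>
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPL, Version 2, as published by Sam Hocevar. See
+# http://sam.zoy.org/wtfpl/COPYING for more details.
+
+PRGNAM=cage
+VERSION=${VERSION:-0.80}
+ARCH=${ARCH:-i486}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+SLKCFLAGS="-O2 -fPIC"
+LIBDIRSUFFIX="64"
+fi
+
+set -e # Exit on most errors
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find . \
+\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+-exec chmod 755 {} \; -o \
+\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+-exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+--prefix=/usr \
+--libdir=/usr/lib${LIBDIRSUFFIX} \
+--sysconfdir=/etc \
+--localstatedir=/var \
+--mandir=/usr/man \
+--build=$ARCH-slackware-linux
+
+make CFLAGS="$SLKCFLAGS"
+make install DESTDIR=$PKG
+
+( cd $PKG
+find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
+xargs strip --strip-unneeded 2> /dev/null || true
+find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
+xargs strip --strip-unneeded 2> /dev/null || true
+)
+
+( cd $PKG/usr/man
+find . -type f -exec gzip -9 {} \;
+for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a INSTALL COPYING README* Attic poc $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}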
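Review bot: The ARCH ladder near the top of the script has no fallback branch, so any ARCH value other than i486, i686 or x86_64 leaves SLKCFLAGS and LIBDIRSUFFIX unset; the build then runs with an empty CFLAGS and `--build=$ARCH-slackware-linux` receives an unvetted string, and since the script uses `set -e` without `-u` the unset variables raise no error. Adding `else` / `SLKCFLAGS="-O2"` / `LIBDIRSUFFIX=""` before the `fi` closes that gap. Separately, `for i in $( find . -type l )` in the man-page block word-splits on link names, which `find . -type l -exec … {} \;` or a `while IFS= read -r` loop would avoid. The rendered page appears to have dropped the script's leading indentation, so the indent inside the `if` block and the two subshells should be checked against the committed file rather than this view.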
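--- /dev/null
+++ b/system/cage/<PATH-NOT-SHOWN-4>
@@ -0,0 +1,10 @@
+PRGNAM="cage"
+VERSION="0.80"
+HOMEPAGE="http://killa.net/infosec/cage/"
+DOWNLOAD="http://killa.net/infosec/cage/cage-0.80.tar.gz"
+MD5SUM="c2ee362a8ea8044834aa82ba148030ef"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Menno Duursma"
+EMAIL="druiloor@zonnet.nl"
+APPROVED="rworkman"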
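--- /dev/null
+++ b/system/cage/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+|-----handy-ruler---------------------------------------------------|
+cage: Cage (su+chroot with capabilities support)
+cage:
+cage: On stock systems this can be used as a 'chrootuid' utility with caps.
+cage: In case patches are applied to the system it can be used to creat
+cage: padded cells for untrusted applications.
+cage:
+cage: cage was wtitten by Anthony D. Urso
+cage:
+cage:
+cage:
+cage: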