diff --git a/system/cage/README b/system/cage/README
new file mode 100644
index 0000000000..bcda6fef20
--- /dev/null
+++ b/system/cage/README
@@ -0,0 +1,8 @@
+cage was wtitten to be a creator of unbreakable padded cells for untrusted
+applications. It can be used to chroot programs that want to run as root.
+For that to work though either sysvinit or the kernel need to be patched and
+recompiled (instructions on how to go about this are included in /usr/doc).
+
+However since filesystem capabilities are implemented it can also be used
+as a 'su' command with inheritance support, similar to the 'capsh' command
+from the libcap package (but featuring chroot support). See README.SLACKWARE
diff --git a/system/cage/README.SLACKWARE b/system/cage/README.SLACKWARE
new file mode 100644
index 0000000000..3cac4ce8e5
--- /dev/null
+++ b/system/cage/README.SLACKWARE
@@ -0,0 +1,22 @@
+For example:
+
+root@pc:~# chmod 0755 /bin/ping
+root@pc:~# setcap 'cap_net_raw=ie' /bin/ping
+
+root@pc:~# su menno
+menno@pc:/root$ ping -c1 www.zonnet.nl
+ping: icmp open socket: Operation not permitted
+menno@pc:/root$ exit
+
+root@pc:~# cage -u 1000 -c 'cap_setuid=pe cap_net_raw=pie' / /bin/sh
+menno@pc:/$ ping -c1 www.zonnet.nl
+PING www.zonnet.nl (62.58.50.202) 56(84) bytes of data.
+64 bytes from www.tele2.nl (62.58.50.202): icmp_seq=1 ttl=116 time=27.0 ms
+
+--- www.zonnet.nl ping statistics ---
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 27.054/27.054/27.054/0.000 ms
+menno@pc:/$ /sbin/getpcaps $$
+Capabilities for `7242': = cap_net_raw+i
+menno@pc:/$ exit
+
diff --git a/system/cage/cage.SlackBuild b/system/cage/cage.SlackBuild
new file mode 100644
index 0000000000..3e285bdf28
--- /dev/null
+++ b/system/cage/cage.SlackBuild
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# Slackware build script for cage
+
+# Written by Menno Duursma
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPL, Version 2, as published by Sam Hocevar. See
+# http://sam.zoy.org/wtfpl/COPYING for more details.
+
+PRGNAM=cage
+VERSION=${VERSION:-0.80}
+ARCH=${ARCH:-i486}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+fi
+
+set -e # Exit on most errors
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --build=$ARCH-slackware-linux
+
+make CFLAGS="$SLKCFLAGS"
+make install DESTDIR=$PKG
+
+( cd $PKG
+ find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
+ xargs strip --strip-unneeded 2> /dev/null || true
+ find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
+ xargs strip --strip-unneeded 2> /dev/null || true
+)
+
+( cd $PKG/usr/man
+ find . -type f -exec gzip -9 {} \;
+ for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a INSTALL COPYING README* Attic poc $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/system/cage/cage.info b/system/cage/cage.info
new file mode 100644
index 0000000000..bfd106e8d2
--- /dev/null
+++ b/system/cage/cage.info
@@ -0,0 +1,10 @@
+PRGNAM="cage"
+VERSION="0.80"
+HOMEPAGE="http://killa.net/infosec/cage/"
+DOWNLOAD="http://killa.net/infosec/cage/cage-0.80.tar.gz"
+MD5SUM="c2ee362a8ea8044834aa82ba148030ef"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Menno Duursma"
+EMAIL="druiloor@zonnet.nl"
+APPROVED="rworkman"
diff --git a/system/cage/slack-desc b/system/cage/slack-desc
new file mode 100644
index 0000000000..da621b51d5
--- /dev/null
+++ b/system/cage/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler---------------------------------------------------|
+cage: Cage (su+chroot with capabilities support)
+cage:
+cage: On stock systems this can be used as a 'chrootuid' utility with caps.
+cage: In case patches are applied to the system it can be used to creat
+cage: padded cells for untrusted applications.
+cage:
+cage: cage was wtitten by Anthony D. Urso
+cage:
+cage:
+cage:
+cage:
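Review bot: The ARCH selection near the top of cage.SlackBuild has no `else` arm, so an ARCH value other than i486/i686/x86_64 leaves SLKCFLAGS and LIBDIRSUFFIX unset and configure/make run with an empty CFLAGS; `set -e` is only enabled after that block and `-u` is never set, so this passes silently, and adding `else SLKCFLAGS="-O2"; LIBDIRSUFFIX=""` before the `fi` gives a defined fallback. Further down, `cp -a INSTALL COPYING README* Attic poc $PKG/usr/doc/$PRGNAM-$VERSION` runs under `set -e`, so the build aborts if any of those names is absent from the 0.80 tarball, which is not visible here; it is worth confirming each one exists before the script is merged. The unquoted `$PKG`, `$TMP` and `$CWD` expansions follow the SBo template of the period and are only safe while those paths contain no whitespace.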