-rw-r--r--system/cage/README8
-rw-r--r--system/cage/README.SLACKWARE22
-rw-r--r--system/cage/cage.SlackBuild81
-rw-r--r--system/cage/cage.info10
-rw-r--r--system/cage/slack-desc19
5 files changed, 140 insertions, 0 deletions
diff --git a/system/cage/README b/system/cage/README
new file mode 100644
index 0000000000000..bcda6fef20735
--- /dev/null
+++ b/system/cage/README
@@ -0,0 +1,8 @@
+cage was wtitten to be a creator of unbreakable padded cells for untrusted
+applications. It can be used to chroot programs that want to run as root.
+For that to work though either sysvinit or the kernel need to be patched and
+recompiled (instructions on how to go about this are included in /usr/doc).
+
+However since filesystem capabilities are implemented it can also be used
+as a 'su' command with inheritance support, similar to the 'capsh' command
+from the libcap package (but featuring chroot support). See README.SLACKWARE
diff --git a/system/cage/README.SLACKWARE b/system/cage/README.SLACKWARE
new file mode 100644
index 0000000000000..3cac4ce8e5cd7
--- /dev/null
+++ b/system/cage/README.SLACKWARE
@@ -0,0 +1,22 @@
+For example:
+
+root@pc:~# chmod 0755 /bin/ping
+root@pc:~# setcap 'cap_net_raw=ie' /bin/ping
+
+root@pc:~# su menno
+menno@pc:/root$ ping -c1 www.zonnet.nl
+ping: icmp open socket: Operation not permitted
+menno@pc:/root$ exit
+
+root@pc:~# cage -u 1000 -c 'cap_setuid=pe cap_net_raw=pie' / /bin/sh
+menno@pc:/$ ping -c1 www.zonnet.nl
+PING www.zonnet.nl (62.58.50.202) 56(84) bytes of data.
+64 bytes from www.tele2.nl (62.58.50.202): icmp_seq=1 ttl=116 time=27.0 ms
+
+--- www.zonnet.nl ping statistics ---
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 27.054/27.054/27.054/0.000 ms
+menno@pc:/$ /sbin/getpcaps $$
+Capabilities for `7242': = cap_net_raw+i
+menno@pc:/$ exit
+
diff --git a/system/cage/cage.SlackBuild b/system/cage/cage.SlackBuild
new file mode 100644
index 0000000000000..3e285bdf28383
--- /dev/null
+++ b/system/cage/cage.SlackBuild
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# Slackware build script for cage
+
+# Written by Menno Duursma <druiloor@zonnet.nl>
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPL, Version 2, as published by Sam Hocevar. See
+# http://sam.zoy.org/wtfpl/COPYING for more details.
+
+PRGNAM=cage
+VERSION=${VERSION:-0.80}
+ARCH=${ARCH:-i486}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+fi
+
+set -e # Exit on most errors
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --build=$ARCH-slackware-linux
+
+make CFLAGS="$SLKCFLAGS"
+make install DESTDIR=$PKG
+
+( cd $PKG
+ find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
+ xargs strip --strip-unneeded 2> /dev/null || true
+ find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
+ xargs strip --strip-unneeded 2> /dev/null || true
+)
+
+( cd $PKG/usr/man
+ find . -type f -exec gzip -9 {} \;
+ for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a INSTALL COPYING README* Attic poc $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
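Review bot: The ARCH chain at the top of cage.SlackBuild has no fallback branch, so any value other than i486, i686 or x86_64 leaves SLKCFLAGS and LIBDIRSUFFIX unset and the build silently proceeds with empty CFLAGS; since `set -e` is only enabled after the chain, nothing catches this. Add the conventional default arm before `fi`: `else`, `  SLKCFLAGS="-O2"`, `  LIBDIRSUFFIX=""`. Separately, the script unpacks `$CWD/$PRGNAM-$VERSION.tar.gz` without checking it against the MD5SUM recorded in cage.info; that check is presumably left to the build tool, which is worth stating in a comment above the `tar xvf` line so a manual run is not mistaken for a verified one. `$PKG`, `$TMP` and `$OUTPUT` are expanded unquoted in the `rm -rf`/`mkdir -p`/`cd` lines, which is harmless for the default `/tmp/SBo` but will misbehave for any caller-supplied path containing whitespace.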
diff --git a/system/cage/cage.info b/system/cage/cage.info
new file mode 100644
index 0000000000000..bfd106e8d2b0e
--- /dev/null
+++ b/system/cage/cage.info
@@ -0,0 +1,10 @@
+PRGNAM="cage"
+VERSION="0.80"
+HOMEPAGE="http://killa.net/infosec/cage/"
+DOWNLOAD="http://killa.net/infosec/cage/cage-0.80.tar.gz"
+MD5SUM="c2ee362a8ea8044834aa82ba148030ef"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Menno Duursma"
+EMAIL="druiloor@zonnet.nl"
+APPROVED="rworkman"
diff --git a/system/cage/slack-desc b/system/cage/slack-desc
new file mode 100644
index 0000000000000..da621b51d5437
--- /dev/null
+++ b/system/cage/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler---------------------------------------------------|
+cage: Cage (su+chroot with capabilities support)
+cage:
+cage: On stock systems this can be used as a 'chrootuid' utility with caps.
+cage: In case patches are applied to the system it can be used to creat
+cage: padded cells for untrusted applications.
+cage:
+cage: cage was wtitten by Anthony D. Urso
+cage:
+cage:
+cage:
+cage: