#!/bin/sh
###############################################################################
# BRLTTY - A background process providing access to the console screen (when in
# text mode) for a blind person using a refreshable braille display.
#
# Copyright (C) 1995-2020 by The BRLTTY Developers.
#
# BRLTTY comes with ABSOLUTELY NO WARRANTY.
#
# This is free software, placed under the terms of the
# GNU Lesser General Public License, as published by the Free Software
# Foundation; either version 2.1 of the License, or (at your option) any
# later version. Please see the file LICENSE-LGPL for details.
#
# Web Page: http://brltty.app/
#
# This software is maintained by Dave Mielke <[email protected]>.
###############################################################################
# Stop at the first command that fails instead of carrying on with a
# half-applied ownership/mode/capability change.
set -e

# Load the shared helper library that sits next to this script. The names
# used below but not defined in this file (addProgramOption,
# addProgramParameter, parseProgramArguments, verifyExecutable,
# semanticError) are presumably defined there - confirm in the prologue.
#
# NOTE(review): this script normally runs as root (or drives sudo), and the
# prologue is located relative to ${0}. The directory holding both files
# should therefore be writable by root only; anyone who can replace the
# prologue controls what gets executed here.
. "$(dirname "${0}")/brltty-prologue.sh"
# executeCommand COMMAND [ARG...]
#
# Run (or, in test mode, merely print) one privileged command.
#
# Globals read:
#   useSudo  - "true" to prefix the command with "sudo --"; the "--" ends
#              sudo's own option parsing before the command name.
#   testMode - "true" to write the command line to stdout instead of
#              executing it.
# Returns: the status of the executed command, or that of echo in test mode.
executeCommand() {
  if "${useSudo}"
  then
    set -- sudo -- "${@}"
  fi

  if ! "${testMode}"
  then
    "${@}"
    return
  fi

  # Dry run: show what would have been executed.
  echo "${*}"
}
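# setOwner TYPE ROOT COMMAND
#
# Change the user or group owner of ${executablePath}.
#
# Arguments:
#   TYPE    - "u" or "g"; passed to id as -u / -g to look up the caller's id.
#   ROOT    - "true" to use id 0 (root), "false" to use the id of whoever is
#             running this script.
#   COMMAND - the tool that performs the change (the script passes chown or
#             chgrp).
# Globals read: executablePath.
# Returns: non-zero if the id lookup or the ownership command fails.
#
# Note that id is run directly by this shell, not through executeCommand, so
# with sudo in use it still reports the invoking user, not root.
setOwner() {
  local type="${1}"
  local root="${2}"
  local command="${3}"
  local owner

  if "${root}"
  then
    owner=0
  else
    # Assigned separately from "local": "local owner=$(id ...)" would hide a
    # failing id behind local's own zero status and then hand an empty owner
    # to chown/chgrp.
    owner="$(id -"${type}")" || return
  fi

  # "--" keeps a path that begins with "-" from being parsed as an option.
  executeCommand "${command}" "${owner}" -- "${executablePath}"
}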
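# setMode TYPE SET
#
# Add or remove the set-user-ID / set-group-ID bit on ${executablePath}.
#
# Arguments:
#   TYPE - "u" for the set-user-ID bit, "g" for the set-group-ID bit.
#   SET  - "true" to add the bit (chmod TYPE+s), "false" to remove it
#          (chmod TYPE-s).
# Globals read: executablePath.
# Returns: the status of executeCommand.
setMode() {
  local type="${1}"
  local enable="${2}"
  local operator

  if "${enable}"
  then
    operator="+"
  else
    operator="-"
  fi

  # "--" matches what setOwner passes to chown/chgrp: a path that begins with
  # "-" must not be interpreted as a chmod option.
  executeCommand chmod "${type}${operator}s" -- "${executablePath}"
}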
# Names of the capabilities that will be handed to setcap, in the order
# they were added.
#
# NOTE(review): arrays (like "local" and the ${var// /,} substitution used
# elsewhere in this file) are not POSIX sh features, yet the shebang is
# #!/bin/sh. This only works where sh is bash or another shell with these
# extensions - unless the prologue arranges otherwise; confirm.
capabilitiesList=()

# addCapability NAME
#
# Append one capability name (e.g. cap_mknod) to capabilitiesList.
addCapability() {
  capabilitiesList+=("${1}")
}
# Command-line interface. addProgramOption, addProgramParameter and
# parseProgramArguments are not defined in this file; presumably they come
# from the sourced brltty-prologue.sh - confirm there. Judging from how the
# variables are used later ("${noCreation}" || ...), each flag variable is
# expected to hold the command name "true" or "false".
#
# Lowercase flags: each one withholds a single capability from the setcap
# operand assembled at the end of this script, so the installed executable
# ends up with fewer privileges.
addProgramOption c flag noCreation "don't allow creating missing state directories"
addProgramOption d flag noDevices "don't allow creating needed but missing device files"
addProgramOption g flag noGroups "don't allow switching to the writable group or joining the required groups"
addProgramOption i flag noInput "don't allow injecting input characters"
addProgramOption m flag noModules "don't allow installing kernel modules"
addProgramOption o flag noOwnership "don't allow claiming ownership of the state directories"
addProgramOption p flag noPermissions "don't allow adding group permissions to the state directories"
addProgramOption s flag noSpeaker "don't allow using the built-in PC speaker"
# Uppercase flags: control how this script itself runs (-S sudo, -T dry run),
# whether any capabilities are set at all (-C), and whether the executable
# becomes root-owned with the set-user-ID (-U) / set-group-ID (-G) bit.
addProgramOption C flag noCapabilities "don't set the capabilities"
addProgramOption G flag rootGroup "set group root execution"
addProgramOption S flag useSudo "use sudo to execute the commands as root"
addProgramOption T flag testMode "test mode - show the commands that would be executed"
addProgramOption U flag rootUser "set user root execution"
# The single positional argument: the file whose owner, mode and
# capabilities are changed.
addProgramParameter executable executablePath "the path to the executable"
parseProgramArguments "${@}"
# Validate the target before touching it. verifyExecutable is not defined in
# this file, so what exactly it checks cannot be seen here.
# NOTE(review): every later command refers to the file by path again, so the
# result of this check only holds if the containing directory cannot be
# modified by other users in the meantime.
verifyExecutable "${executablePath}"

# In test mode nothing is executed, so no privileges are needed. Otherwise
# make sure the commands will be able to run as root before starting.
if ! "${testMode}"
then
  if "${useSudo}"
  then
    # Validate (and if necessary prompt for) sudo credentials once, up front.
    sudo -v
  else
    if [ "$(id -u)" -ne 0 ]
    then
      semanticError "not executing as root"
    fi
  fi
fi
# Step 1 - ownership. With -U / -G the owner / group becomes root (id 0);
# without them it becomes the user / group running this script.
#
# The order of the three steps matters: on Linux, changing the owner or group
# of an executable clears its set-user-ID / set-group-ID bits and drops its
# file capabilities, so ownership has to be settled before the mode bits and
# the capabilities are applied.
setOwner u "${rootUser}" chown
setOwner g "${rootGroup}" chgrp

# Step 2 - mode. The set-user-ID / set-group-ID bit is added only when the
# matching root option was given and is explicitly removed otherwise.
setMode u "${rootUser}"
setMode g "${rootGroup}"

# Step 3 - file capabilities, unless -C was given. Each "no..." option leaves
# one capability out. When -C is given, or every capability has been opted
# out of, this script runs no setcap command at all.
if ! "${noCapabilities}"
then
  # -c: creating missing state directories
  if ! "${noCreation}"; then addCapability "cap_dac_override"; fi
  # -d: creating needed but missing device files
  if ! "${noDevices}"; then addCapability "cap_mknod"; fi
  # -g: switching to the writable group / joining the required groups
  if ! "${noGroups}"; then addCapability "cap_setgid"; fi
  # -i: injecting input characters. cap_sys_admin is by far the broadest
  # capability in this list; pass -i wherever input injection is not needed.
  if ! "${noInput}"; then addCapability "cap_sys_admin"; fi
  # -m: installing kernel modules
  if ! "${noModules}"; then addCapability "cap_sys_module"; fi
  # -o: claiming ownership of the state directories
  if ! "${noOwnership}"; then addCapability "cap_chown"; fi
  # -p: adding group permissions to the state directories
  if ! "${noPermissions}"; then addCapability "cap_fowner"; fi
  # -s: using the built-in PC speaker
  if ! "${noSpeaker}"; then addCapability "cap_sys_tty_config"; fi

  if [ "${#capabilitiesList[*]}" -ne 0 ]
  then
    # Build the setcap operand "cap_a,cap_b,...+p": join the names, turn the
    # separating spaces into commas, then append "+p", which puts the
    # capabilities into the file's permitted set only.
    capabilitiesOperand="${capabilitiesList[*]}"
    capabilitiesOperand="${capabilitiesOperand// /,}+p"
    executeCommand setcap "${capabilitiesOperand}" "${executablePath}"
  fi
fi

exit 0