SCADO(1)                    General Commands Manual                    SCADO(1)

NAME
scado - Script Capability Ambient DO
SYNOPSIS
scado -D | -e | -l
scado -u command | -U
scado -h
DESCRIPTION
cado(1) allows the system administrator to delegate capabilities to users. A user can in turn grant a subset of those ambient capabilities to programs they trust: each user keeps their own list of trusted programs, and of the capabilities to grant to each of them, in a scado file. cado -S (or cado --scado) runs those trusted programs without any further authentication, which also makes it possible to run programs that need specific capabilities from within a shell script.

scado is the command a user runs to create, edit, check or delete their own scado file.
Each line of a scado file has the following syntax:

    path_of_the_executable_file:capability_list[:sha256_digest_of_the_executable]

The path_of_the_executable_file must be absolute.

The capability_list is a comma separated list of capability names or capability masks. For brevity the cap_ prefix of capability names can be omitted (e.g. net_raw and cap_net_raw have the same meaning).

The sha256_digest_of_the_executable binds the entry to one specific version of the executable. When the user asks to run the file at path_of_the_executable_file with some of the capabilities in capability_list, permission is denied if the SHA256 digest of the file does not match sha256_digest_of_the_executable: a program that has been modified or replaced since the user trusted it does not get the capabilities.

If a line has only two colon (:) separated fields, the user trusts a priori the integrity of the file at path_of_the_executable_file. This is appropriate, for example, for a program in /bin or /usr/bin that users cannot modify.

If a line has three fields (i.e. two colon characters), the user wants the cryptographic check on the integrity of the executable file. When the user edits their scado file and leaves the sha256_digest_of_the_executable field empty, scado computes the digest automatically when the scado file is saved.
scado asks for user authentication through PAM to confirm any modification of the scado file.

The check at running time is itself protected against TOCTTOU races: cado -S copies the executable file to a safe place, where the user cannot change it, and runs that copy only if the integrity check on the copy succeeds. The user (or a malicious intruder acting as the user) therefore cannot modify the file after the integrity check has completed and before the program is loaded.
OPTIONS
scado accepts the following options:
EXAMPLES
A two-field line allowing cado -S to run /bin/ping with the cap_net_raw capability, without any integrity check:

    /bin/ping:net_raw

A three-field line allowing the activation of ping with cap_net_raw only while its executable has a specific SHA256 digest (the third field holds that digest).

A three-field line with an empty digest: scado computes the SHA256 digest of (the current version of) ping when the file is saved, so the activation of ping with cap_net_raw is allowed only as long as ping has not been modified:

    /bin/ping:net_raw:

Once one of the lines above has been inserted in the user's scado file using scado -e, cado -S can run ping with cap_net_raw without asking for any further authentication; see cado(1) for the command line.
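The file format and the examples above can be exercised with the following POSIX shell script, an added example that is not part of the cado project: on a constructed scado file in a temporary directory it emulates what scado does at save time (filling an empty third field with the SHA256 digest) and the decision cado -S takes at run time (two fields: trusted a priori; three fields: denied unless the digest still matches). The function names scado_fill_digests, scado_allows and scado_demo, the fake ping and trusted executables and the temporary paths are all assumptions of the example; capability masks are not handled, and the copy-to-a-safe-place step that cado -S performs is not reproduced, so this emulation is still exposed to the TOCTTOU race the real tool closes.

```shell
#!/bin/sh
# Added example, not code from the cado/scado project: a POSIX-sh emulation of
# the scado-file rules, so the two-field / three-field semantics and the digest
# check can be exercised on a constructed file.
# Function names (scado_fill_digests, scado_allows, scado_demo) are our own.
# Only capability names are handled, not capability masks, and the runtime
# copy-to-a-safe-place step of cado -S is not reproduced here.

# scado_fill_digests SCADOFILE
# What scado does on save: a line whose third field is present but empty gets
# the current SHA256 digest of its executable appended.
scado_fill_digests() {
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *:*:)   # "path:caps:" -> compute the digest now
                exe=${line%%:*}
                sum=$(sha256sum "$exe" | cut -d' ' -f1)
                printf '%s%s\n' "$line" "$sum" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$1" > "$tmp"
    mv "$tmp" "$1"
}

# scado_allows SCADOFILE EXE CAP
# The decision cado -S takes: exit status 0 if SCADOFILE lets EXE run with CAP,
# 1 otherwise. CAP may be given with or without the cap_ prefix.
scado_allows() {
    sfile=$1; exe=$2; want=${3#cap_}
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac     # skip blank/comment lines
        [ "${line%%:*}" = "$exe" ] || continue       # field 1: absolute path
        rest=${line#*:}
        case $rest in
            *:*) caps=${rest%%:*}; digest=${rest#*:}; check=yes ;;  # three fields
            *)   caps=$rest;        digest='';        check=no  ;;  # two fields: trusted a priori
        esac
        # field 2: comma separated list, cap_ prefix optional
        found=1; oldifs=$IFS; IFS=,
        for c in $caps; do [ "${c#cap_}" = "$want" ] && found=0; done
        IFS=$oldifs
        [ "$found" -eq 0 ] || continue
        # field 3: deny unless the executable still has the recorded digest.
        # An empty digest (file written by hand, never saved through scado)
        # can never match a real digest, so such an entry is denied.
        if [ "$check" = yes ]; then
            [ "$(sha256sum "$exe" | cut -d' ' -f1)" = "$digest" ] || return 1
        fi
        return 0
    done < "$sfile"
    return 1                                         # no matching line
}

# Constructed scenario in a temporary directory: two fake "executables" and a
# scado file with one two-field and one three-field entry. Returns 0 when all
# four checks behave as the description says.
scado_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho pong\n' > "$dir/ping"
    printf '#!/bin/sh\necho ok\n'   > "$dir/trusted"
    chmod +x "$dir/ping" "$dir/trusted"
    # second entry has an empty third field, to be filled in at "save" time
    printf '%s:net_admin\n%s:cap_net_raw:\n' "$dir/trusted" "$dir/ping" > "$dir/scado"
    scado_fill_digests "$dir/scado"

    scado_allows "$dir/scado" "$dir/trusted" cap_net_admin || return 1  # 1. two fields: allowed, no digest involved
    scado_allows "$dir/scado" "$dir/trusted" net_raw       && return 1  # 2. capability not listed: denied
    scado_allows "$dir/scado" "$dir/ping"    net_raw       || return 1  # 3. digest matches: allowed
    printf '#!/bin/sh\necho evil\n' > "$dir/ping"                       #    replace the trusted binary...
    scado_allows "$dir/scado" "$dir/ping"    net_raw       && return 1  # 4. ...digest mismatch: denied
    rm -rf "$dir"
}

scado_demo && echo "scado rules: all four checks behaved as described"
```

The fourth check is the case the digest field exists for: the entry was recorded against one version of the binary, and any later change to the file, whether by the user or by an intruder acting as the user, makes the digest comparison fail and the capabilities are not granted.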
SEE ALSO
cado(1), capabilities(7)
June 23, 2016                    VirtualSquare Labs