Provided by: cado_0.9.6-1build1_amd64

NAME

       scado - Script Capability Ambient DO

SYNOPSIS

       scado -D | -e | -l
       scado -u command | -U
       scado -h

DESCRIPTION

       cado(1)  allows  the system administrator to delegate capabilities to users.  Users can grant a subset of
       these ambient capabilities to trusted programs.  Each user can define their own list of trusted  programs
       and  which capabilities to grant, using a scado file.  cado -S or cado --scado run those trusted programs
       without any further authentication.  In this way it is also possible to run programs  requiring  specific
       capabilities within a bash script.

       Scado is the command a user can run to create, edit, check or delete their own scado file.

       Each line of a scado file has the following syntax:
           path_of_the_executable_file : capability_list
       or
           path_of_the_executable_file : capability_list : sha256_digest_of_the_executable
       (See the EXAMPLES section at the end of the man page for more info.)  The trailing part of a  line
       following a # sign is a comment.

       The path_of_the_executable_file must be absolute.

       The capability_list is a comma separated list of capability names or capability masks.  For brevity,  the
       cap_  prefix  of  capabilities  names  can  be  omitted  (e.g.  net_admin and cap_net_admin have the same
       meaning).

       The sha256_digest_of_the_executable prevents TOCTTOU attacks. When a  user  wants  to  run  the  file  at
       path_of_the_executable_file  granting  it some of the capabilities in the capability_list, the permission
       is denied if its sha256 digest does not match sha256_digest_of_the_executable.

       If there are only two colon (:) separated fields in a line, it means that the user trusts  a  priori  the
       integrity  of  the file whose pathname is path_of_the_executable_file.  It can be, for example, a program
       in /bin or /usr/bin not modifiable by users.

       If there are three fields (i.e. two colon characters), it means that the  user  wants  the  cryptographic
       digest  check  on  the  executable  file  integrity.   When  a  user edits their scado file, if the field
       (sha256_digest_of_the_executable) is empty, scado computes it automatically when the scado file is saved.

       Scado asks for user authentication by PAM to confirm any modification of the scado file.

       There is also a TOCTTOU protection at running time: cado -S copies the executable file in a  safe  place,
       where  the user cannot change it, and runs it only if the integrity check on it succeeds.  The user (or a
       malicious intruder acting as the user) cannot modify the file after the integrity check has completed and
       before the program is loaded.

OPTIONS

       scado accepts the following options:

       -l
       --list Display the current scado file.  The  actual  file  in  the  file  system  is  not  accessible  by
              unprivileged users, for security reasons.

       -e
       --edit Edit  the  scado  file  of the current user using the editor specified by either the VISUAL or the
              EDITOR environment variable (checked in that order).  After you exit from the editor, the modified
              file will be installed automatically.

       -D
       --delete
              Delete the current user's scado file.

       -u command
       --update command
              Recompute the hash of the line which starts with command.

       -U
       --update-all
              Update all the digest entries.

       -h
       --help Print a short usage banner and exit.

EXAMPLES

       Allow cado -S to run /bin/ping providing it with the cap_net_raw capability, without any integrity check:
           /bin/ping : cap_net_raw

       Allow the activation of ping with cap_net_raw provided it has a specific SHA256 digest:
           /bin/ping : cap_net_raw : dcb237f1cb20ee7b1550900d1b524c554063fd17fc673c56d341736ced6bed4b

       Compute the SHA256 digest of (the current version of) ping when the file is saved, then allow  the
       activation of ping with cap_net_raw provided it has not been modified since:
           /bin/ping : cap_net_raw :

       If  one  of  the  example lines here above has been inserted in the user scado file using scado -e, it is
       possible to execute ping as follows:
           cado -S cap_net_raw /bin/ping
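       As an added illustration (not code from the cado project), the following Python model implements
       the scado line syntax described above and the two checks built on it: filling an empty digest field
       on save (what scado -e and -U do) and the integrity decision cado -S makes on its safe copy of the
       executable before running it.  The sample file, the function names and the pass-through handling of
       capability masks (whose syntax this page does not give) are assumptions of this example.

```python
import hashlib
import re
HEX64 = re.compile(r"[0-9a-f]{64}")
CAPNAME = re.compile(r"[a-z_]+")

# Constructed sample scado file; the pinned digest is the page's example value, not a real ping's.
SAMPLE_SCADO = """\
/bin/ping : cap_net_raw                     # trusted a priori (two fields)
/bin/ping : net_raw, net_admin :            # empty digest: filled in on save
/bin/ping : cap_net_raw : dcb237f1cb20ee7b1550900d1b524c554063fd17fc673c56d341736ced6bed4b
"""

def parse_line(line):
    """Parse one scado line -> None for blank/comment lines, else {'path','caps','digest'} where
    digest is None (two fields, trusted a priori), '' (to be computed) or a 64-hex sha256."""
    body = line.split("#", 1)[0].strip()          # everything after '#' is a comment
    if not body:
        return None
    fields = [f.strip() for f in body.split(":")]
    if len(fields) not in (2, 3):
        raise ValueError(f"expected 2 or 3 colon-separated fields: {line!r}")
    path, digest = fields[0], None
    if not path.startswith("/"):
        raise ValueError(f"path must be absolute: {path!r}")
    caps = []
    for cap in (c.strip().lower() for c in fields[1].split(",")):
        if CAPNAME.fullmatch(cap):                # the cap_ prefix is optional for names
            caps.append(cap if cap.startswith("cap_") else "cap_" + cap)
        elif cap:                                 # assumed: masks are passed through as-is
            caps.append(cap)
    if not caps:
        raise ValueError(f"empty capability list: {line!r}")
    if len(fields) == 3:
        digest = fields[2].lower()
        if digest and not HEX64.fullmatch(digest):
            raise ValueError(f"malformed sha256 digest: {fields[2]!r}")
    return {"path": path, "caps": caps, "digest": digest}

def sha256_hex(contents):
    return hashlib.sha256(contents).hexdigest()

def fill_digest(entry, contents):
    """Save-time behaviour for an empty third field: pin the current digest of the executable."""
    if entry["digest"] == "":
        entry["digest"] = sha256_hex(contents)
    return entry

def integrity_ok(entry, contents):
    """Run-time decision on the safe copy: two-field entries are trusted, a pinned digest must match."""
    return entry["digest"] is None or entry["digest"] == sha256_hex(contents)
```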

SEE ALSO

       cado(1), capabilities(7)

VirtualSquare Labs                                June 23, 2016                                         SCADO(1)