Provided by: cado_0.9.6-1build1_amd64

NAME

       scado - Script Capability Ambient DO

SYNOPSIS

       scado -D | -e | -l
       scado -u command | -U
       scado -h

DESCRIPTION

       cado(1)  allows  the  system  administrator  to delegate capabilities to users.  Users can
       grant a subset of these ambient capabilities to trusted programs.  Each  user  can  define
       their  own  list  of trusted programs and which capabilities to grant, using a scado file.
       cado -S or cado --scado run those trusted programs without any further authentication.  In
       this way it is also possible to run programs requiring specific capabilities within a bash
       script.

       Scado is the command a user can run to create, edit, check or delete their own scado file.

       Each line of a scado file has the following syntax:
           path_of_the_executable_file : capability_list
       or
           path_of_the_executable_file : capability_list : sha256_digest_of_the_executable
       (See the EXAMPLES section at the end of the man page for more info.  Anything that follows
       a # sign on a line is a comment.)

       The path_of_the_executable_file must be absolute.

       The  capability_list  is  a  comma separated list of capability names or capability masks.
       For brevity, the cap_ prefix of capabilities names can  be  omitted  (e.g.  net_admin  and
       cap_net_admin have the same meaning).

       The sha256_digest_of_the_executable prevents TOCTTOU attacks. When a user wants to run the
       file  at  path_of_the_executable_file  granting  it  some  of  the  capabilities  in   the
       capability_list,   the   permission  is  denied  if  its  sha256  digest  does  not  match
       sha256_digest_of_the_executable.

       If there are only two colon (:) separated fields in a line, it means that the user  trusts
       a  priori the integrity of the file whose pathname is path_of_the_executable_file.  It can
       be, for example, a program in /bin or /usr/bin not modifiable by users.

       If there are three fields (i.e. two colon characters), it means that the  user  wants  the
       cryptographic  digest  check  on  the  executable file integrity.  When a user edits their
       scado file, if the field (sha256_digest_of_the_executable) is  empty,  scado  computes  it
       automatically when the scado file is saved.

       Scado asks for user authentication by PAM to confirm any modification of the scado file.

       There  is also a TOCTTOU protection at running time: cado -S copies the executable file in
       a safe place, where the user cannot change it, and runs it only if the integrity check  on
       it succeeds.  The user (or a malicious intruder acting as the user) cannot modify the file
       after the integrity check has completed and before the program is loaded.
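       The scado file syntax described above (two or three colon-separated fields, # comments,
       absolute paths, optional cap_ prefix, an empty digest field filled in on save) and the
       copy-then-verify step of cado -S, modelled in Python as an added example.  This is not
       code from the cado project: the function names, the temporary directory layout and the
       sample scado content are constructed for the demonstration, and a throwaway shell script
       stands in for /bin/ping.

```python
"""Added example, not part of cado/scado: a model of the scado file format and of the
run-time copy-then-verify protection.  Names and sample data are constructed."""
import hashlib
import os
import re
import shutil
import stat
import tempfile


def normalize_cap(name):
    """The cap_ prefix may be omitted in a scado file; normalise to the full name.
    Numeric capability masks are passed through unchanged."""
    name = name.strip().lower()
    if not name:
        raise ValueError("empty capability name")
    if name.startswith("cap_") or re.fullmatch(r"0x[0-9a-f]+|[0-9]+", name):
        return name
    return "cap_" + name


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_scado_line(line, fill_digest=False):
    """Return None for blank/comment lines, else (path, caps, digest).
    digest is None for a two-field line (no integrity check).  With
    fill_digest=True an empty third field is computed from the file on disk,
    mirroring what scado does when the edited file is saved."""
    text = line.split("#", 1)[0].strip()        # drop the trailing comment
    if not text:
        return None
    fields = [f.strip() for f in text.split(":")]
    if len(fields) not in (2, 3):
        raise ValueError("expected 2 or 3 colon-separated fields: %r" % line)
    path = fields[0]
    if not os.path.isabs(path):
        raise ValueError("path must be absolute: %r" % path)
    caps = [normalize_cap(c) for c in fields[1].split(",")]
    if len(fields) == 2:
        return path, caps, None
    digest = fields[2].lower()
    if digest == "":
        if not fill_digest:
            raise ValueError("empty digest for %r" % path)
        digest = sha256_of_file(path)
    elif not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("malformed sha256 digest for %r" % path)
    return path, caps, digest


def parse_scado(text, fill_digest=False):
    entries = []
    for line in text.splitlines():
        parsed = parse_scado_line(line, fill_digest)
        if parsed is not None:
            entries.append(parsed)
    return entries


def stage_and_verify(path, expected_digest, workdir):
    """Model of the run-time TOCTTOU protection: copy the executable into a
    fresh private (mode 0700) directory, then check the digest on the copy, so
    that a change to the original after the check cannot affect what runs.
    Returns the staged path, or None if the digest does not match."""
    private = tempfile.mkdtemp(prefix="stage-", dir=workdir)
    staged = os.path.join(private, os.path.basename(path))
    shutil.copy2(path, staged)
    os.chmod(staged, stat.S_IRUSR | stat.S_IXUSR)      # read/exec for the owner only
    if expected_digest is not None and sha256_of_file(staged) != expected_digest:
        shutil.rmtree(private)
        return None
    return staged


def demo():
    """Constructed scenario: record a digest, verify, modify the file, verify again."""
    work = tempfile.mkdtemp(prefix="scado-demo-")
    prog = os.path.join(work, "prog.sh")
    with open(prog, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(prog, 0o700)
    scado_text = (
        "# constructed scado file\n"
        "/bin/ping : net_raw\n"                       # two fields: trusted a priori
        "%s : net_raw, cap_net_admin :\n" % prog      # empty digest: filled on save
    )
    entries = parse_scado(scado_text, fill_digest=True)
    path, caps, digest = entries[1]
    ok_before = stage_and_verify(path, digest, work) is not None
    with open(prog, "a") as f:                        # file changes after the digest was recorded
        f.write("echo changed\n")
    ok_after = stage_and_verify(path, digest, work) is not None
    shutil.rmtree(work)
    return entries[0], caps, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

       Running demo() shows the two behaviours the man page describes: the two-field
       /bin/ping line carries no digest, and the three-field line, whose digest was filled in
       when the file was "saved", verifies before the executable is changed and is refused
       afterwards.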

OPTIONS

       scado accepts the following options:

       -l
       --list Display the current scado  file.  The  actual  file  in  the  file  system  is  not
              accessible by unprivileged users, for security reasons.

       -e
       --edit Edit  the  scado  file of the current user using the editor specified by either the
              VISUAL or the EDITOR environment variable (checked in that order).  After you  exit
              from the editor, the modified file will be installed automatically.

       -D
       --delete
              Delete the current user's scado file.

       -u command
       --update command
              Recompute the hash of the line which starts with command.

       -U
       --update-all
              Update all the digest entries.

       -h
       --help Print a short usage banner and exit.

EXAMPLES

       Allow  cado  -S to run /bin/ping providing it with the cap_net_raw capability, without any
       integrity check:
           /bin/ping : cap_net_raw

       Allow the activation of ping with cap_net_raw provided it has a specific SHA256 digest:
           /bin/ping : cap_net_raw : dcb237f1cb20ee7b1550900d1b524c554063fd17fc673c56d341736ced6bed4b

       Let scado compute the SHA256 digest of (the current version of) ping when the file is saved,
       so that the activation of ping with cap_net_raw is allowed only if it has not been modified:
           /bin/ping : cap_net_raw :

       If one of the example lines above has been inserted in the user's scado file  using  scado
       -e, it is possible to execute ping as follows:
           cado -S cap_net_raw /bin/ping

SEE ALSO

       cado(1), capabilities(7)