Provided by: cado_0.9.5-2_amd64 
NAME
scado - Script Capability Ambient DO
SYNOPSIS
scado -D | -e | -l
scado -u command | -U
scado -h
DESCRIPTION
cado(1) allows the system administrator to delegate capabilities to users. Users can
grant a subset of these ambient capabilities to trusted programs. Each user can define
their own list of trusted programs and which capabilities to grant, using a scado file.
cado -S or cado --scado run those trusted programs without any further authentication. In
this way it is also possible to run programs requiring specific capabilities within a bash
script.
Scado is the command a user can run to create, edit, check or delete their own scado file.
Each line of a scado file file has the following syntax:
path_of_the_executable_file : capability_list
or
path_of_the_executable_file : capability_list : sha256_digest_of_the_executable
(See the EXAMPLES section at the end of the man page for more info. All the trailing part
of a line following a # sign is a comment.).
The path_of_the_executable_file must be absolute.
The capability_list is a comma separated list of capability names or capability masks.
For brevity, the cap_ prefix of capabilities names can be omitted (e.g. net_admin and
cap_net_admin have the same meaning).
The sha256_digest_of_the_executable prevents TOCTTOU attacks. When a user wants to run the
file at path_of_the_executable_file granting it some of the capabilities in the
capability_list, the permission is denied if its sha256 digest does not match
sha256_digest_of_the_executable.
If there are only two colon (:) separated fields in a line, it means that the user trusts
a priori the integrity of the file whose pathname is path_of_the_executable_file. It can
be, for example, a program in /bin or /usr/bin not modifiable by users.
If there are three fields (i.e. two colon characters), it means that the user wants the
cryptographic digest check on the executable file integrity. When a user edits their
scado file, if the field (sha256_digest_of_the_executable) is empty, scado computes it
automatically when the scado file is saved.
Scado asks for user authentication by PAM to confirm any modification of the scado file.
There is also a TOCTTOU protection at running time: cado -S copies the executable file in
a safe place, where the user cannot change it, and runs it only if the integrity check on
it succeeds. The user (or a malicious intruder acting as the user) cannot modify the file
after the integrity check has completed and before the program is loaded.
OPTIONS
scado accepts the following options:
-l
--list Display the current scado file. The actual file in the file system is not
accessible by unprivileged users, for security reasons.
-e
--edit Edit the scado file of the current user using the editor specified by either the
VISUAL or the EDITOR environment variable (checked in that order). After you exit
from the editor, the modified file will be installed automatically.
-D
--delete
Delete the current user's scado file.
-u command
--update command
Recompute the hash of the line which starts with command.
-U
--update-all
Update all the digest entries.
-h
--help print a short usage banner and exit.
EXCEPTIONS FILES EXAMPLES
Allow cado -S to run /bin/ping providing it with the cap_net_raw capability, without any
integrity check:
/bin/ping : cap_net_raw
Allow the activation of ping with cap_net_raw provided it has a specific SHA256 digest
/bin/ping : cap_net_raw :
dcb237f1cb20ee7b1550900d1b524c554063fd17fc673c56d341736ced6bed4b
Compute the SHA256 digest of (the current version of) ping so, allow the activation of
ping with cap_net_raw provided it has not been modified.
/bin/ping : cap_net_raw :
If one of the example lines here above has been inserted in the user scado file using
scado -e, it is possible to execute ping as follows:
cado -S cap_net_raw /bin/ping
SEE ALSO
cado(1), capabilities(7)