scheduler/cups-exec.c

   1 /*
   2  * "$Id$"
   3  *
   4  * Sandbox helper for CUPS.
   5  *
   6  * Copyright 2007-2014 by Apple Inc.
   7  *
   8  * These coded instructions, statements, and computer programs are the
   9  * property of Apple Inc. and are protected by Federal copyright
  10  * law.  Distribution and use rights are outlined in the file "LICENSE.txt"
  11  * which should have been included with this file.  If this file is
  12  * file is missing or damaged, see the license at "http://www.cups.org/".
  13  *
  14  * Usage:
  15  *
  16  *     cups-exec /path/to/profile UID GID NICE /path/to/program argv0 argv1 ... argvN
  17  */
  18
  19 /*
  20  * Include necessary headers...
  21  */
  22
  23 #include <cups/string-private.h>
  24 #include <cups/file.h>
  25 #include <unistd.h>
  26 #include <fcntl.h>
  27 #include <sys/stat.h>
  28 #ifdef HAVE_SANDBOX_H
  29 #  include <sandbox.h>
  30 #  ifndef SANDBOX_NAMED_EXTERNAL
  31 #    define SANDBOX_NAMED_EXTERNAL  0x0003
  32 #  endif /* !SANDBOX_NAMED_EXTERNAL */
  33 #  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
  34 #endif /* HAVE_SANDBOX_H */
  35
  36
  37 /*
  38  * 'main()' - Apply sandbox profile and execute program.
  39  */
  40
  41 int                                     /* O - Exit status */
  42 main(int  argc,                         /* I - Number of command-line args */
  43      char *argv[])                      /* I - Command-line arguments */
  44 {
  45   uid_t uid;                            /* UID */
  46   gid_t gid;                            /* GID */
  47   int   niceval;                        /* Nice value */
  48 #ifdef HAVE_SANDBOX_H
  49   char  *sandbox_error = NULL;          /* Sandbox error, if any */
  50 #endif /* HAVE_SANDBOX_H */
  51
  52
  53  /*
  54   * Check that we have enough arguments...
  55   */
  56
  57   if (argc < 7)
  58   {
  59     puts("Usage: cups-exec /path/to/profile UID GID NICE /path/to/program argv0 argv1 ... argvN");
  60     return (1);
  61   }
  62
  63  /*
  64   * Make sure side and back channel FDs are non-blocking...
  65   */
  66
  67   fcntl(3, F_SETFL, O_NDELAY);
  68   fcntl(4, F_SETFL, O_NDELAY);
  69
  70  /*
  71   * Change UID, GID, and nice value...
  72   */
  73
  74   uid     = (uid_t)atoi(argv[2]);
  75   gid     = (gid_t)atoi(argv[3]);
  76   niceval = atoi(argv[4]);
  77
  78   if (uid)
  79     nice(niceval);
  80
  81   if (!getuid())
  82   {
  83     if (setgid(gid))
  84       exit(errno + 100);
  85
  86     if (setgroups(1, &gid))
  87       exit(errno + 100);
  88
  89     if (uid && setuid(uid))
  90       exit(errno + 100);
  91   }
  92
  93   umask(077);
  94
  95 #ifdef HAVE_SANDBOX_H
  96  /*
  97   * Run in a separate security profile...
  98   */
  99
 100   if (strcmp(argv[1], "none") &&
 101       sandbox_init(argv[1], SANDBOX_NAMED_EXTERNAL, &sandbox_error))
 102   {
 103     cups_file_t *fp;                    /* File */
 104     char        line[1024];             /* Line from file */
 105     int         linenum = 0;            /* Line number in file */
 106
 107     fprintf(stderr, "DEBUG: sandbox_init failed: %s (%s)\n", sandbox_error,
 108             strerror(errno));
 109     sandbox_free_error(sandbox_error);
 110
 111     if ((fp = cupsFileOpen(argv[1], "r")) != NULL)
 112     {
 113       while (cupsFileGets(fp, line, sizeof(line)))
 114       {
 115         linenum ++;
 116         fprintf(stderr, "DEBUG: %4d  %s\n", linenum, line);
 117       }
 118       cupsFileClose(fp);
 119     }
 120
 121     return (100 + EINVAL);
 122   }
 123 #endif /* HAVE_SANDBOX_H */
 124
 125  /*
 126   * If we get here, execv() failed...
 127   */
 128
 129   fprintf(stderr, "DEBUG: execv failed: %s\n", strerror(errno));
 130   return (errno + 100);
 131 }
 132
 133
 134 /*
 135  * End of "$Id$".
 136  */