src/misc-progs/setuid.c

   1 /* This file is part of the IPCop Firewall.
   2  *
   3  * IPCop is free software; you can redistribute it and/or modify
   4  * it under the terms of the GNU General Public License as published by
   5  * the Free Software Foundation; either version 2 of the License, or
   6  * (at your option) any later version.
   7  *
   8  * IPCop is distributed in the hope that it will be useful,
   9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11  * GNU General Public License for more details.
  12  *
  13  * You should have received a copy of the GNU General Public License
  14  * along with IPCop; if not, write to the Free Software
  15  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
  16  *
  17  * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
  18  *
  19  * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
  20  *
  21  */
  22
  23 #include <ctype.h>
  24 #include <stdio.h>
  25 #include <string.h>
  26 #include <errno.h>
  27 #include <unistd.h>
  28 #include <stdlib.h>
  29 #include <sys/types.h>
  30 #include <limits.h>
  31 #include <sys/time.h>
  32 #include <sys/resource.h>
  33 #include <sys/stat.h>
  34 #include <fcntl.h>
  35 #include <grp.h>
  36 #include <signal.h>
  37 #include <sys/wait.h>
  38 #include <glob.h>
  39 #include "setuid.h"
  40
  41 #ifndef OPEN_MAX
  42 #define OPEN_MAX 256
  43 #endif
  44
  45 #define MAX_ARGUMENTS 128
  46
  47 /* Trusted environment for executing commands */
  48 char * trusted_env[4] = {
  49         "PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
  50         "SHELL=/bin/sh",
  51         "TERM=dumb",
  52         NULL
  53 };
  54
  55 static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
  56         int pid, status;
  57
  58         char* argv[MAX_ARGUMENTS + 1];
  59         unsigned int argc = 0;
  60
  61         if(!command)
  62                 return 1;
  63
  64         // Add command as first element to argv
  65         argv[argc++] = command;
  66
  67         // Add all other arguments
  68         if (args) {
  69                 while (*args) {
  70                         argv[argc++] = *args++;
  71
  72                         // Break when argv is full
  73                         if (argc >= MAX_ARGUMENTS) {
  74                                 return 2;
  75                         }
  76                 }
  77         }
  78
  79         // Make sure that argv is NULL-terminated
  80         argv[argc] = NULL;
  81
  82         switch(pid = fork()) {
  83                 case -1:
  84                         return -1;
  85
  86                 case 0: /* child */ {
  87                         if (gid && setgid(gid)) {
  88                                 fprintf(stderr, "%s: ", error);
  89                                 perror("Couldn't setgid");
  90                                 exit(127);
  91                         }
  92
  93                         if (uid && setuid(uid)) {
  94                                 fprintf(stderr, "%s: ", error);
  95                                 perror("Couldn't setuid");
  96                                 exit(127);
  97                         }
  98
  99                         execve(command, argv, trusted_env);
 100
 101                         fprintf(stderr, "%s: ", error);
 102                         perror("execve failed");
 103                         exit(127);
 104                 }
 105
 106                 default: /* parent */
 107                         do {
 108                                 if (waitpid(pid, &status, 0) == -1) {
 109                                         if (errno != EINTR)
 110                                                 return -1;
 111                                         } else {
 112                                                 return status;
 113                                         }
 114                         } while (1);
 115         }
 116
 117 }
 118
 119 int run(char* command, char** argv) {
 120         return system_core(command, argv, 0, 0, "run");
 121 }
 122
 123 /* Spawns a child process that uses /bin/sh to interpret a command.
 124  * This is much the same in use and purpose as system(), yet as it uses execve
 125  * to pass a trusted environment it's immune to attacks based upon changing
 126  * IFS, ENV, BASH_ENV and other such variables.
 127  * Note this does NOT guard against any other attacks, inparticular you MUST
 128  * validate the command you are passing. If the command is formed from user
 129  * input be sure to check this input is what you expect. Nasty things can
 130  * happen if a user can inject ; or `` into your command for example */
 131 int safe_system(char* command) {
 132         char* argv[4] = {
 133                 "/bin/sh",
 134                 "-c",
 135                 command,
 136                 NULL,
 137         };
 138
 139         return system_core(argv[0], argv + 1, 0, 0, "safe_system");
 140 }
 141
 142 /* Much like safe_system but lets you specify a non-root uid and gid to run
 143  * the command as */
 144 int unpriv_system(char* command, uid_t uid, gid_t gid) {
 145         char* argv[4] = {
 146                 "/bin/sh",
 147                 "-c",
 148                 command,
 149                 NULL,
 150         };
 151
 152         return system_core(argv[0], argv + 1, uid, gid, "unpriv_system");
 153 }
 154
 155 /* General routine to initialise a setuid root program, and put the
 156  * environment in a known state. Returns 1 on success, if initsetuid() returns
 157  * 0 then you should exit(1) immediately, DON'T attempt to recover from the
 158  * error */
 159 int initsetuid(void) {
 160         int fds, i;
 161         struct stat st;
 162         struct rlimit rlim;
 163
 164         /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
 165         for (i = 0; i < NSIG; i++) {
 166                 if (i != SIGKILL && i != SIGCHLD)
 167                         signal(i, SIG_IGN);
 168         }
 169
 170         /* dump all non-standard file descriptors (a full descriptor table could
 171          * lead to DoS by preventing us opening files) */
 172         if ((fds = getdtablesize()) == -1)
 173                 fds = OPEN_MAX;
 174         for (i = 3; i < fds; i++)
 175                 close(i);
 176
 177         /* check stdin, stdout & stderr are open before going any further */
 178         for (i = 0; i < 3; i++)
 179                 if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i))
 180                         return 0;
 181
 182         /* disable core dumps in case we're processing sensitive information */
 183         rlim.rlim_cur = rlim.rlim_max = 0;
 184         if (setrlimit(RLIMIT_CORE, &rlim)) {
 185                 perror("Couldn't disable core dumps");
 186                 return 0;
 187         }
 188
 189         /* drop any supplementary groups, set uid & gid to root */
 190         if (setgroups(0, NULL)) {
 191                 perror("Couldn't clear group list");
 192                 return 0;
 193         }
 194
 195         if (setgid(0)) {
 196                 perror("Couldn't setgid(0)");
 197                 return 0;
 198         }
 199
 200         if (setuid(0)) {
 201                 perror("Couldn't setuid(0)");
 202                 return 0;
 203         }
 204
 205         return 1;
 206 }
 207
 208 /* Checks if a string only contains alphanumerical characters, dash or underscore */
 209 int is_valid_argument_alnum(const char* arg) {
 210         size_t l = strlen(arg);
 211
 212         for (unsigned int i = 0; i < l; i++) {
 213                 char c = arg[i];
 214
 215                 // Dash or underscore
 216                 if (c == '-' || c == '_')
 217                         continue;
 218
 219                 // Any alphanumerical character
 220                 if (isalnum(c))
 221                         continue;
 222
 223                 // Invalid
 224                 return 0;
 225         }
 226
 227         return 1;
 228 }
 229
 230 int is_valid_argument_num(const char* arg) {
 231         size_t l = strlen(arg);
 232
 233         for (unsigned int i = 0; i < l; i++) {
 234                 char c = arg[i];
 235
 236                 // Any digit
 237                 if (isdigit(c))
 238                         continue;
 239
 240                 // Invalid
 241                 return 0;
 242         }
 243
 244         return 1;
 245 }