]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/misc-progs/setuid.c
misc-progs: Add path to executable to argv
[people/pmueller/ipfire-2.x.git] / src / misc-progs / setuid.c
1 /* This file is part of the IPCop Firewall.
2 *
3 * IPCop is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * IPCop is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * along with IPCop; if not, write to the Free Software
15 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
16 *
17 * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
18 *
19 * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
20 *
21 */
22
23 #include <ctype.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <errno.h>
27 #include <unistd.h>
28 #include <stdlib.h>
29 #include <sys/types.h>
30 #include <limits.h>
31 #include <sys/time.h>
32 #include <sys/resource.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <grp.h>
36 #include <signal.h>
37 #include <sys/wait.h>
38 #include <glob.h>
39 #include "setuid.h"
40
41 #ifndef OPEN_MAX
42 #define OPEN_MAX 256
43 #endif
44
45 #define MAX_ARGUMENTS 128
46
47 /* Trusted environment for executing commands */
48 char * trusted_env[4] = {
49 "PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
50 "SHELL=/bin/sh",
51 "TERM=dumb",
52 NULL
53 };
54
55 static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
56 int pid, status;
57
58 char* argv[MAX_ARGUMENTS + 1];
59 unsigned int argc = 0;
60
61 if(!command)
62 return 1;
63
64 // Add command as first element to argv
65 argv[argc++] = command;
66
67 // Add all other arguments
68 if (args) {
69 while (*args) {
70 argv[argc++] = *args++;
71
72 // Break when argv is full
73 if (argc >= MAX_ARGUMENTS) {
74 return 2;
75 }
76 }
77 }
78
79 // Make sure that argv is NULL-terminated
80 argv[argc] = NULL;
81
82 switch(pid = fork()) {
83 case -1:
84 return -1;
85
86 case 0: /* child */ {
87 if (gid && setgid(gid)) {
88 fprintf(stderr, "%s: ", error);
89 perror("Couldn't setgid");
90 exit(127);
91 }
92
93 if (uid && setuid(uid)) {
94 fprintf(stderr, "%s: ", error);
95 perror("Couldn't setuid");
96 exit(127);
97 }
98
99 execve(command, argv, trusted_env);
100
101 fprintf(stderr, "%s: ", error);
102 perror("execve failed");
103 exit(127);
104 }
105
106 default: /* parent */
107 do {
108 if (waitpid(pid, &status, 0) == -1) {
109 if (errno != EINTR)
110 return -1;
111 } else {
112 return status;
113 }
114 } while (1);
115 }
116
117 }
118
119 int run(char* command, char** argv) {
120 return system_core(command, argv, 0, 0, "run");
121 }
122
123 /* Spawns a child process that uses /bin/sh to interpret a command.
124 * This is much the same in use and purpose as system(), yet as it uses execve
125 * to pass a trusted environment it's immune to attacks based upon changing
126 * IFS, ENV, BASH_ENV and other such variables.
127 * Note this does NOT guard against any other attacks, inparticular you MUST
128 * validate the command you are passing. If the command is formed from user
129 * input be sure to check this input is what you expect. Nasty things can
130 * happen if a user can inject ; or `` into your command for example */
131 int safe_system(char* command) {
132 char* argv[4] = {
133 "/bin/sh",
134 "-c",
135 command,
136 NULL,
137 };
138
139 return system_core(argv[0], argv + 1, 0, 0, "safe_system");
140 }
141
142 /* Much like safe_system but lets you specify a non-root uid and gid to run
143 * the command as */
144 int unpriv_system(char* command, uid_t uid, gid_t gid) {
145 char* argv[4] = {
146 "/bin/sh",
147 "-c",
148 command,
149 NULL,
150 };
151
152 return system_core(argv[0], argv + 1, uid, gid, "unpriv_system");
153 }
154
155 /* General routine to initialise a setuid root program, and put the
156 * environment in a known state. Returns 1 on success, if initsetuid() returns
157 * 0 then you should exit(1) immediately, DON'T attempt to recover from the
158 * error */
159 int initsetuid(void) {
160 int fds, i;
161 struct stat st;
162 struct rlimit rlim;
163
164 /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
165 for (i = 0; i < NSIG; i++) {
166 if (i != SIGKILL && i != SIGCHLD)
167 signal(i, SIG_IGN);
168 }
169
170 /* dump all non-standard file descriptors (a full descriptor table could
171 * lead to DoS by preventing us opening files) */
172 if ((fds = getdtablesize()) == -1)
173 fds = OPEN_MAX;
174 for (i = 3; i < fds; i++)
175 close(i);
176
177 /* check stdin, stdout & stderr are open before going any further */
178 for (i = 0; i < 3; i++)
179 if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i))
180 return 0;
181
182 /* disable core dumps in case we're processing sensitive information */
183 rlim.rlim_cur = rlim.rlim_max = 0;
184 if (setrlimit(RLIMIT_CORE, &rlim)) {
185 perror("Couldn't disable core dumps");
186 return 0;
187 }
188
189 /* drop any supplementary groups, set uid & gid to root */
190 if (setgroups(0, NULL)) {
191 perror("Couldn't clear group list");
192 return 0;
193 }
194
195 if (setgid(0)) {
196 perror("Couldn't setgid(0)");
197 return 0;
198 }
199
200 if (setuid(0)) {
201 perror("Couldn't setuid(0)");
202 return 0;
203 }
204
205 return 1;
206 }
207
208 /* Checks if a string only contains alphanumerical characters, dash or underscore */
209 int is_valid_argument_alnum(const char* arg) {
210 size_t l = strlen(arg);
211
212 for (unsigned int i = 0; i < l; i++) {
213 char c = arg[i];
214
215 // Dash or underscore
216 if (c == '-' || c == '_')
217 continue;
218
219 // Any alphanumerical character
220 if (isalnum(c))
221 continue;
222
223 // Invalid
224 return 0;
225 }
226
227 return 1;
228 }
229
230 int is_valid_argument_num(const char* arg) {
231 size_t l = strlen(arg);
232
233 for (unsigned int i = 0; i < l; i++) {
234 char c = arg[i];
235
236 // Any digit
237 if (isdigit(c))
238 continue;
239
240 // Invalid
241 return 0;
242 }
243
244 return 1;
245 }