]>
Commit | Line | Data |
---|---|---|
12938118 MT |
1 | /* This file is part of the IPCop Firewall. |
2 | * | |
3 | * IPCop is free software; you can redistribute it and/or modify | |
4 | * it under the terms of the GNU General Public License as published by | |
5 | * the Free Software Foundation; either version 2 of the License, or | |
6 | * (at your option) any later version. | |
7 | * | |
8 | * IPCop is distributed in the hope that it will be useful, | |
9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
11 | * GNU General Public License for more details. | |
12 | * | |
13 | * You should have received a copy of the GNU General Public License | |
14 | * along with IPCop; if not, write to the Free Software | |
15 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
16 | * | |
17 | * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to> | |
18 | * | |
19 | * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $ | |
20 | * | |
21 | */ | |
22 | ||
ca060524 | 23 | #include <ctype.h> |
12938118 MT |
24 | #include <stdio.h> |
25 | #include <string.h> | |
26 | #include <errno.h> | |
27 | #include <unistd.h> | |
28 | #include <stdlib.h> | |
29 | #include <sys/types.h> | |
30 | #include <limits.h> | |
31 | #include <sys/time.h> | |
32 | #include <sys/resource.h> | |
33 | #include <sys/stat.h> | |
34 | #include <fcntl.h> | |
35 | #include <grp.h> | |
36 | #include <signal.h> | |
37 | #include <sys/wait.h> | |
38 | #include <glob.h> | |
39 | #include "setuid.h" | |
40 | ||
41 | #ifndef OPEN_MAX | |
42 | #define OPEN_MAX 256 | |
43 | #endif | |
44 | ||
ca060524 MT |
45 | #define MAX_ARGUMENTS 128 |
46 | ||
12938118 MT |
47 | /* Trusted environment for executing commands */ |
48 | char * trusted_env[4] = { | |
136d91f3 | 49 | "PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin", |
12938118 MT |
50 | "SHELL=/bin/sh", |
51 | "TERM=dumb", | |
52 | NULL | |
53 | }; | |
54 | ||
ca060524 | 55 | static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) { |
12938118 MT |
56 | int pid, status; |
57 | ||
ca060524 MT |
58 | char* argv[MAX_ARGUMENTS + 1]; |
59 | unsigned int argc = 0; | |
60 | ||
12938118 MT |
61 | if(!command) |
62 | return 1; | |
63 | ||
ca060524 MT |
64 | // Add command as first element to argv |
65 | argv[argc++] = command; | |
ca060524 MT |
66 | |
67 | // Add all other arguments | |
68 | if (args) { | |
69 | while (*args) { | |
70 | argv[argc++] = *args++; | |
71 | ||
72 | // Break when argv is full | |
73 | if (argc >= MAX_ARGUMENTS) { | |
74 | return 2; | |
75 | } | |
76 | } | |
77 | } | |
78 | ||
79 | // Make sure that argv is NULL-terminated | |
80 | argv[argc] = NULL; | |
81 | ||
2dcea58c | 82 | switch(pid = fork()) { |
12938118 MT |
83 | case -1: |
84 | return -1; | |
2dcea58c MT |
85 | |
86 | case 0: /* child */ { | |
2dcea58c | 87 | if (gid && setgid(gid)) { |
12938118 MT |
88 | fprintf(stderr, "%s: ", error); |
89 | perror("Couldn't setgid"); | |
90 | exit(127); | |
91 | } | |
2dcea58c MT |
92 | |
93 | if (uid && setuid(uid)) { | |
12938118 MT |
94 | fprintf(stderr, "%s: ", error); |
95 | perror("Couldn't setuid"); | |
96 | exit(127); | |
97 | } | |
2dcea58c | 98 | |
ca060524 MT |
99 | execve(command, argv, trusted_env); |
100 | ||
12938118 MT |
101 | fprintf(stderr, "%s: ", error); |
102 | perror("execve failed"); | |
103 | exit(127); | |
104 | } | |
2dcea58c | 105 | |
12938118 | 106 | default: /* parent */ |
ed1a2468 MT |
107 | // Wait until the child process has finished |
108 | waitpid(pid, &status, 0); | |
109 | ||
110 | // The child was terminated by a signal | |
111 | if (WIFSIGNALED(status)) | |
112 | return 128 + WTERMSIG(status); | |
12938118 | 113 | |
ed1a2468 MT |
114 | // Return the exit code if available |
115 | if (WIFEXITED(status)) | |
116 | return WEXITSTATUS(status); | |
117 | ||
118 | // Something unexpected happened, exiting with error | |
119 | return EXIT_FAILURE; | |
120 | } | |
12938118 MT |
121 | } |
122 | ||
ca060524 MT |
123 | int run(char* command, char** argv) { |
124 | return system_core(command, argv, 0, 0, "run"); | |
125 | } | |
126 | ||
127 | /* Spawns a child process that uses /bin/sh to interpret a command. | |
128 | * This is much the same in use and purpose as system(), yet as it uses execve | |
129 | * to pass a trusted environment it's immune to attacks based upon changing | |
130 | * IFS, ENV, BASH_ENV and other such variables. | |
131 | * Note this does NOT guard against any other attacks, inparticular you MUST | |
132 | * validate the command you are passing. If the command is formed from user | |
133 | * input be sure to check this input is what you expect. Nasty things can | |
134 | * happen if a user can inject ; or `` into your command for example */ | |
135 | int safe_system(char* command) { | |
136 | char* argv[4] = { | |
137 | "/bin/sh", | |
138 | "-c", | |
139 | command, | |
140 | NULL, | |
141 | }; | |
142 | ||
9dc534dd | 143 | return system_core(argv[0], argv + 1, 0, 0, "safe_system"); |
ca060524 MT |
144 | } |
145 | ||
146 | /* Much like safe_system but lets you specify a non-root uid and gid to run | |
147 | * the command as */ | |
148 | int unpriv_system(char* command, uid_t uid, gid_t gid) { | |
23f280b5 MT |
149 | char* argv[4] = { |
150 | "/bin/sh", | |
151 | "-c", | |
152 | command, | |
153 | NULL, | |
154 | }; | |
155 | ||
9dc534dd | 156 | return system_core(argv[0], argv + 1, uid, gid, "unpriv_system"); |
ca060524 MT |
157 | } |
158 | ||
12938118 MT |
159 | /* General routine to initialise a setuid root program, and put the |
160 | * environment in a known state. Returns 1 on success, if initsetuid() returns | |
161 | * 0 then you should exit(1) immediately, DON'T attempt to recover from the | |
162 | * error */ | |
2dcea58c MT |
163 | int initsetuid(void) { |
164 | int fds, i; | |
12938118 MT |
165 | struct stat st; |
166 | struct rlimit rlim; | |
167 | ||
168 | /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */ | |
2dcea58c MT |
169 | for (i = 0; i < NSIG; i++) { |
170 | if (i != SIGKILL && i != SIGCHLD) | |
171 | signal(i, SIG_IGN); | |
12938118 MT |
172 | } |
173 | ||
174 | /* dump all non-standard file descriptors (a full descriptor table could | |
175 | * lead to DoS by preventing us opening files) */ | |
2dcea58c MT |
176 | if ((fds = getdtablesize()) == -1) |
177 | fds = OPEN_MAX; | |
178 | for (i = 3; i < fds; i++) | |
179 | close(i); | |
12938118 MT |
180 | |
181 | /* check stdin, stdout & stderr are open before going any further */ | |
2dcea58c MT |
182 | for (i = 0; i < 3; i++) |
183 | if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i)) | |
12938118 MT |
184 | return 0; |
185 | ||
186 | /* disable core dumps in case we're processing sensitive information */ | |
187 | rlim.rlim_cur = rlim.rlim_max = 0; | |
2dcea58c MT |
188 | if (setrlimit(RLIMIT_CORE, &rlim)) { |
189 | perror("Couldn't disable core dumps"); | |
190 | return 0; | |
191 | } | |
12938118 MT |
192 | |
193 | /* drop any supplementary groups, set uid & gid to root */ | |
2dcea58c MT |
194 | if (setgroups(0, NULL)) { |
195 | perror("Couldn't clear group list"); | |
196 | return 0; | |
197 | } | |
198 | ||
199 | if (setgid(0)) { | |
200 | perror("Couldn't setgid(0)"); | |
201 | return 0; | |
202 | } | |
203 | ||
204 | if (setuid(0)) { | |
205 | perror("Couldn't setuid(0)"); | |
206 | return 0; | |
207 | } | |
12938118 MT |
208 | |
209 | return 1; | |
210 | } | |
db984059 MT |
211 | |
212 | /* Checks if a string only contains alphanumerical characters, dash or underscore */ | |
213 | int is_valid_argument_alnum(const char* arg) { | |
214 | size_t l = strlen(arg); | |
215 | ||
216 | for (unsigned int i = 0; i < l; i++) { | |
217 | char c = arg[i]; | |
218 | ||
219 | // Dash or underscore | |
220 | if (c == '-' || c == '_') | |
221 | continue; | |
222 | ||
223 | // Any alphanumerical character | |
224 | if (isalnum(c)) | |
225 | continue; | |
226 | ||
227 | // Invalid | |
228 | return 0; | |
229 | } | |
230 | ||
231 | return 1; | |
232 | } | |
233 | ||
234 | int is_valid_argument_num(const char* arg) { | |
235 | size_t l = strlen(arg); | |
236 | ||
237 | for (unsigned int i = 0; i < l; i++) { | |
238 | char c = arg[i]; | |
239 | ||
240 | // Any digit | |
241 | if (isdigit(c)) | |
242 | continue; | |
243 | ||
244 | // Invalid | |
245 | return 0; | |
246 | } | |
247 | ||
248 | return 1; | |
249 | } |