[ipfire-2.x.git] / src / misc-progs / setuid.c

/* This file is part of the IPCop Firewall.
 *
 * IPCop is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * IPCop is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with IPCop; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
 *
 * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
 *
 * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
 *
 */

#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <limits.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <signal.h>
#include <sys/wait.h>
#include <glob.h>
#include "setuid.h"

#ifndef OPEN_MAX
#define OPEN_MAX 256
#endif

#define MAX_ARGUMENTS 128

/* Trusted environment for executing commands */
char * trusted_env[4] = {
	"PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
	"SHELL=/bin/sh",
	"TERM=dumb",
	NULL
};

static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
	int pid, status;

	char* argv[MAX_ARGUMENTS + 1];
	unsigned int argc = 0;

	if(!command)
		return 1;

	// Add command as first element to argv
	argv[argc++] = command;

	// Add all other arguments
	if (args) {
		while (*args) {
			argv[argc++] = *args++;

			// Break when argv is full
			if (argc >= MAX_ARGUMENTS) {
				return 2;
			}
		}
	}

	// Make sure that argv is NULL-terminated
	argv[argc] = NULL;

	switch(pid = fork()) {
		case -1:
			return -1;

		case 0: /* child */ {
			if (gid && setgid(gid))	{
				fprintf(stderr, "%s: ", error);
				perror("Couldn't setgid");
				exit(127);
			}

			if (uid && setuid(uid)) {
				fprintf(stderr, "%s: ", error);
				perror("Couldn't setuid");
				exit(127);
			}

			execve(command, argv, trusted_env);

			fprintf(stderr, "%s: ", error);
			perror("execve failed");
			exit(127);
		}

		default: /* parent */
			// Wait until the child process has finished
			waitpid(pid, &status, 0);

			// The child was terminated by a signal
			if (WIFSIGNALED(status))
				 return 128 + WTERMSIG(status);

			// Return the exit code if available
			if (WIFEXITED(status))
				return WEXITSTATUS(status);

			// Something unexpected happened, exiting with error
			return EXIT_FAILURE;
	}
}

int run(char* command, char** argv) {
	return system_core(command, argv, 0, 0, "run");
}

/* Spawns a child process that uses /bin/sh to interpret a command.
 * This is much the same in use and purpose as system(), yet as it uses execve
 * to pass a trusted environment it's immune to attacks based upon changing
 * IFS, ENV, BASH_ENV and other such variables.
 * Note this does NOT guard against any other attacks, inparticular you MUST
 * validate the command you are passing. If the command is formed from user
 * input be sure to check this input is what you expect. Nasty things can
 * happen if a user can inject ; or `` into your command for example */
int safe_system(char* command) {
	char* argv[4] = {
		"/bin/sh",
		"-c",
		command,
		NULL,
	};

	return system_core(argv[0], argv + 1, 0, 0, "safe_system");
}

/* Much like safe_system but lets you specify a non-root uid and gid to run
 * the command as */
int unpriv_system(char* command, uid_t uid, gid_t gid) {
	char* argv[4] = {
		"/bin/sh",
		"-c",
		command,
		NULL,
	};

	return system_core(argv[0], argv + 1, uid, gid, "unpriv_system");
}

/* General routine to initialise a setuid root program, and put the
 * environment in a known state. Returns 1 on success, if initsetuid() returns
 * 0 then you should exit(1) immediately, DON'T attempt to recover from the
 * error */
int initsetuid(void) {
	int fds, i;
	struct stat st;
	struct rlimit rlim;

	/* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
	for (i = 0; i < NSIG; i++) {
		if (i != SIGKILL && i != SIGCHLD)
			signal(i, SIG_IGN);
	}

	/* dump all non-standard file descriptors (a full descriptor table could
	 * lead to DoS by preventing us opening files) */
	if ((fds = getdtablesize()) == -1)
		fds = OPEN_MAX;
	for (i = 3; i < fds; i++)
		close(i);

	/* check stdin, stdout & stderr are open before going any further */
	for (i = 0; i < 3; i++)
		if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i))
			return 0;

	/* disable core dumps in case we're processing sensitive information */
	rlim.rlim_cur = rlim.rlim_max = 0;
	if (setrlimit(RLIMIT_CORE, &rlim)) {
		perror("Couldn't disable core dumps");
		return 0;
	}

	/* drop any supplementary groups, set uid & gid to root */
	if (setgroups(0, NULL)) {
		perror("Couldn't clear group list");
		return 0;
	}

	if (setgid(0)) {
		perror("Couldn't setgid(0)");
		return 0;
	}

	if (setuid(0)) {
		perror("Couldn't setuid(0)");
		return 0;
	}

	return 1;
}

/* Checks if a string only contains alphanumerical characters, dash or underscore */
int is_valid_argument_alnum(const char* arg) {
	size_t l = strlen(arg);

	for (unsigned int i = 0; i < l; i++) {
		char c = arg[i];

		// Dash or underscore
		if (c == '-' || c == '_')
			continue;

		// Any alphanumerical character
		if (isalnum(c))
			continue;

		// Invalid
		return 0;
	}

	return 1;
}

int is_valid_argument_num(const char* arg) {
	size_t l = strlen(arg);

	for (unsigned int i = 0; i < l; i++) {
		char c = arg[i];

		// Any digit
		if (isdigit(c))
			continue;

		// Invalid
		return 0;
	}

	return 1;
}
Commit	Line	Data
12938118 MT	1	/* This file is part of the IPCop Firewall.
	2	*
	3	* IPCop is free software; you can redistribute it and/or modify
	4	* it under the terms of the GNU General Public License as published by
	5	* the Free Software Foundation; either version 2 of the License, or
	6	* (at your option) any later version.
	7	*
	8	* IPCop is distributed in the hope that it will be useful,
	9	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	10	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	11	* GNU General Public License for more details.
	12	*
	13	* You should have received a copy of the GNU General Public License
	14	* along with IPCop; if not, write to the Free Software
	15	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	16	*
	17	* Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
	18	*
	19	* $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
	20	*
	21	*/
	22
ca060524	23	#include <ctype.h>
12938118 MT	24	#include <stdio.h>
	25	#include <string.h>
	26	#include <errno.h>
	27	#include <unistd.h>
	28	#include <stdlib.h>
	29	#include <sys/types.h>
	30	#include <limits.h>
	31	#include <sys/time.h>
	32	#include <sys/resource.h>
	33	#include <sys/stat.h>
	34	#include <fcntl.h>
	35	#include <grp.h>
	36	#include <signal.h>
	37	#include <sys/wait.h>
	38	#include <glob.h>
	39	#include "setuid.h"
	40
	41	#ifndef OPEN_MAX
	42	#define OPEN_MAX 256
	43	#endif
	44
ca060524 MT	45	#define MAX_ARGUMENTS 128
ca060524 MT	46
12938118 MT	47	/* Trusted environment for executing commands */
12938118 MT	48	char * trusted_env[4] = {
136d91f3	49	"PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
12938118 MT	50	"SHELL=/bin/sh",
	51	"TERM=dumb",
	52	NULL
	53	};
	54
ca060524	55	static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
12938118 MT	56	int pid, status;
12938118 MT	57
ca060524 MT	58	char* argv[MAX_ARGUMENTS + 1];
	59	unsigned int argc = 0;
	60
12938118 MT	61	if(!command)
	62	return 1;
	63
ca060524 MT	64	// Add command as first element to argv
ca060524 MT	65	argv[argc++] = command;
ca060524 MT	66
	67	// Add all other arguments
	68	if (args) {
	69	while (*args) {
	70	argv[argc++] = *args++;
	71
	72	// Break when argv is full
	73	if (argc >= MAX_ARGUMENTS) {
	74	return 2;
	75	}
	76	}
	77	}
	78
	79	// Make sure that argv is NULL-terminated
	80	argv[argc] = NULL;
	81
2dcea58c	82	switch(pid = fork()) {
12938118 MT	83	case -1:
12938118 MT	84	return -1;
2dcea58c MT	85
2dcea58c MT	86	case 0: /* child */ {
2dcea58c	87	if (gid && setgid(gid)) {
12938118 MT	88	fprintf(stderr, "%s: ", error);
	89	perror("Couldn't setgid");
	90	exit(127);
	91	}
2dcea58c MT	92
2dcea58c MT	93	if (uid && setuid(uid)) {
12938118 MT	94	fprintf(stderr, "%s: ", error);
	95	perror("Couldn't setuid");
	96	exit(127);
	97	}
2dcea58c	98
ca060524 MT	99	execve(command, argv, trusted_env);
ca060524 MT	100
12938118 MT	101	fprintf(stderr, "%s: ", error);
	102	perror("execve failed");
	103	exit(127);
	104	}
2dcea58c	105
12938118	106	default: /* parent */
ed1a2468 MT	107	// Wait until the child process has finished
	108	waitpid(pid, &status, 0);
	109
	110	// The child was terminated by a signal
	111	if (WIFSIGNALED(status))
	112	return 128 + WTERMSIG(status);
12938118	113
ed1a2468 MT	114	// Return the exit code if available
	115	if (WIFEXITED(status))
	116	return WEXITSTATUS(status);
	117
	118	// Something unexpected happened, exiting with error
	119	return EXIT_FAILURE;
	120	}
12938118 MT	121	}
12938118 MT	122
ca060524 MT	123	int run(char* command, char** argv) {
	124	return system_core(command, argv, 0, 0, "run");
	125	}
	126
	127	/* Spawns a child process that uses /bin/sh to interpret a command.
	128	* This is much the same in use and purpose as system(), yet as it uses execve
	129	* to pass a trusted environment it's immune to attacks based upon changing
	130	* IFS, ENV, BASH_ENV and other such variables.
	131	* Note this does NOT guard against any other attacks, inparticular you MUST
	132	* validate the command you are passing. If the command is formed from user
	133	* input be sure to check this input is what you expect. Nasty things can
	134	* happen if a user can inject ; or `` into your command for example */
	135	int safe_system(char* command) {
	136	char* argv[4] = {
	137	"/bin/sh",
	138	"-c",
	139	command,
	140	NULL,
	141	};
	142
9dc534dd	143	return system_core(argv[0], argv + 1, 0, 0, "safe_system");
ca060524 MT	144	}
	145
	146	/* Much like safe_system but lets you specify a non-root uid and gid to run
	147	* the command as */
	148	int unpriv_system(char* command, uid_t uid, gid_t gid) {
23f280b5 MT	149	char* argv[4] = {
	150	"/bin/sh",
	151	"-c",
	152	command,
	153	NULL,
	154	};
	155
9dc534dd	156	return system_core(argv[0], argv + 1, uid, gid, "unpriv_system");
ca060524 MT	157	}
ca060524 MT	158
12938118 MT	159	/* General routine to initialise a setuid root program, and put the
	160	* environment in a known state. Returns 1 on success, if initsetuid() returns
	161	* 0 then you should exit(1) immediately, DON'T attempt to recover from the
	162	* error */
2dcea58c MT	163	int initsetuid(void) {
2dcea58c MT	164	int fds, i;
12938118 MT	165	struct stat st;
	166	struct rlimit rlim;
	167
	168	/* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
2dcea58c MT	169	for (i = 0; i < NSIG; i++) {
	170	if (i != SIGKILL && i != SIGCHLD)
	171	signal(i, SIG_IGN);
12938118 MT	172	}
	173
	174	/* dump all non-standard file descriptors (a full descriptor table could
	175	* lead to DoS by preventing us opening files) */
2dcea58c MT	176	if ((fds = getdtablesize()) == -1)
	177	fds = OPEN_MAX;
	178	for (i = 3; i < fds; i++)
	179	close(i);
12938118 MT	180
12938118 MT	181	/* check stdin, stdout & stderr are open before going any further */
2dcea58c MT	182	for (i = 0; i < 3; i++)
2dcea58c MT	183	if( fstat(i, &st) == -1 && ((errno != EBADF) \|\| (close(i), open("/dev/null", O_RDWR, 0)) != i))
12938118 MT	184	return 0;
	185
	186	/* disable core dumps in case we're processing sensitive information */
	187	rlim.rlim_cur = rlim.rlim_max = 0;
2dcea58c MT	188	if (setrlimit(RLIMIT_CORE, &rlim)) {
	189	perror("Couldn't disable core dumps");
	190	return 0;
	191	}
12938118 MT	192
12938118 MT	193	/* drop any supplementary groups, set uid & gid to root */
2dcea58c MT	194	if (setgroups(0, NULL)) {
	195	perror("Couldn't clear group list");
	196	return 0;
	197	}
	198
	199	if (setgid(0)) {
	200	perror("Couldn't setgid(0)");
	201	return 0;
	202	}
	203
	204	if (setuid(0)) {
	205	perror("Couldn't setuid(0)");
	206	return 0;
	207	}
12938118 MT	208
	209	return 1;
	210	}
db984059 MT	211
	212	/* Checks if a string only contains alphanumerical characters, dash or underscore */
	213	int is_valid_argument_alnum(const char* arg) {
	214	size_t l = strlen(arg);
	215
	216	for (unsigned int i = 0; i < l; i++) {
	217	char c = arg[i];
	218
	219	// Dash or underscore
	220	if (c == '-' \|\| c == '_')
	221	continue;
	222
	223	// Any alphanumerical character
	224	if (isalnum(c))
	225	continue;
	226
	227	// Invalid
	228	return 0;
	229	}
	230
	231	return 1;
	232	}
	233
	234	int is_valid_argument_num(const char* arg) {
	235	size_t l = strlen(arg);
	236
	237	for (unsigned int i = 0; i < l; i++) {
	238	char c = arg[i];
	239
	240	// Any digit
	241	if (isdigit(c))
	242	continue;
	243
	244	// Invalid
	245	return 0;
	246	}
	247
	248	return 1;
	249	}