src/misc-progs/setuid.c

   1 /* This file is part of the IPCop Firewall.
   2  *
   3  * IPCop is free software; you can redistribute it and/or modify
   4  * it under the terms of the GNU General Public License as published by
   5  * the Free Software Foundation; either version 2 of the License, or
   6  * (at your option) any later version.
   7  *
   8  * IPCop is distributed in the hope that it will be useful,
   9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11  * GNU General Public License for more details.
  12  *
  13  * You should have received a copy of the GNU General Public License
  14  * along with IPCop; if not, write to the Free Software
  15  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
  16  *
  17  * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
  18  *
  19  * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
  20  *
  21  */
  22
  23 #include <ctype.h>
  24 #include <stdio.h>
  25 #include <string.h>
  26 #include <errno.h>
  27 #include <unistd.h>
  28 #include <stdlib.h>
  29 #include <sys/types.h>
  30 #include <limits.h>
  31 #include <sys/time.h>
  32 #include <sys/resource.h>
  33 #include <sys/stat.h>
  34 #include <fcntl.h>
  35 #include <grp.h>
  36 #include <signal.h>
  37 #include <sys/wait.h>
  38 #include <glob.h>
  39 #include "setuid.h"
  40
  41 #ifndef OPEN_MAX
  42 #define OPEN_MAX 256
  43 #endif
  44
  45 #define MAX_ARGUMENTS 128
  46
  47 /* Trusted environment for executing commands */
  48 char * trusted_env[4] = {
  49         "PATH=/usr/bin:/usr/sbin:/sbin:/bin",
  50         "SHELL=/bin/sh",
  51         "TERM=dumb",
  52         NULL
  53 };
  54
  55 static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
  56         int pid, status;
  57
  58         char* argv[MAX_ARGUMENTS + 1];
  59         unsigned int argc = 0;
  60
  61         if(!command)
  62                 return 1;
  63
  64 #if 0
  65         // Add command as first element to argv
  66         argv[argc++] = command;
  67 #endif
  68
  69         // Add all other arguments
  70         if (args) {
  71                 while (*args) {
  72                         argv[argc++] = *args++;
  73
  74                         // Break when argv is full
  75                         if (argc >= MAX_ARGUMENTS) {
  76                                 return 2;
  77                         }
  78                 }
  79         }
  80
  81         // Make sure that argv is NULL-terminated
  82         argv[argc] = NULL;
  83
  84         switch(pid = fork()) {
  85                 case -1:
  86                         return -1;
  87
  88                 case 0: /* child */ {
  89                         if (gid && setgid(gid)) {
  90                                 fprintf(stderr, "%s: ", error);
  91                                 perror("Couldn't setgid");
  92                                 exit(127);
  93                         }
  94
  95                         if (uid && setuid(uid)) {
  96                                 fprintf(stderr, "%s: ", error);
  97                                 perror("Couldn't setuid");
  98                                 exit(127);
  99                         }
 100
 101                         execve(command, argv, trusted_env);
 102
 103                         fprintf(stderr, "%s: ", error);
 104                         perror("execve failed");
 105                         exit(127);
 106                 }
 107
 108                 default: /* parent */
 109                         do {
 110                                 if (waitpid(pid, &status, 0) == -1) {
 111                                         if (errno != EINTR)
 112                                                 return -1;
 113                                         } else {
 114                                                 return status;
 115                                         }
 116                         } while (1);
 117         }
 118
 119 }
 120
 121 int run(char* command, char** argv) {
 122         return system_core(command, argv, 0, 0, "run");
 123 }
 124
 125 /* Spawns a child process that uses /bin/sh to interpret a command.
 126  * This is much the same in use and purpose as system(), yet as it uses execve
 127  * to pass a trusted environment it's immune to attacks based upon changing
 128  * IFS, ENV, BASH_ENV and other such variables.
 129  * Note this does NOT guard against any other attacks, inparticular you MUST
 130  * validate the command you are passing. If the command is formed from user
 131  * input be sure to check this input is what you expect. Nasty things can
 132  * happen if a user can inject ; or `` into your command for example */
 133 int safe_system(char* command) {
 134         char* argv[4] = {
 135                 "/bin/sh",
 136                 "-c",
 137                 command,
 138                 NULL,
 139         };
 140
 141         return system_core(argv[0], argv, 0, 0, "safe_system");
 142 }
 143
 144 /* Much like safe_system but lets you specify a non-root uid and gid to run
 145  * the command as */
 146 int unpriv_system(char* command, uid_t uid, gid_t gid) {
 147         return system_core(command, NULL, uid, gid, "unpriv_system");
 148 }
 149
 150 /* General routine to initialise a setuid root program, and put the
 151  * environment in a known state. Returns 1 on success, if initsetuid() returns
 152  * 0 then you should exit(1) immediately, DON'T attempt to recover from the
 153  * error */
 154 int initsetuid(void) {
 155         int fds, i;
 156         struct stat st;
 157         struct rlimit rlim;
 158
 159         /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
 160         for (i = 0; i < NSIG; i++) {
 161                 if (i != SIGKILL && i != SIGCHLD)
 162                         signal(i, SIG_IGN);
 163         }
 164
 165         /* dump all non-standard file descriptors (a full descriptor table could
 166          * lead to DoS by preventing us opening files) */
 167         if ((fds = getdtablesize()) == -1)
 168                 fds = OPEN_MAX;
 169         for (i = 3; i < fds; i++)
 170                 close(i);
 171
 172         /* check stdin, stdout & stderr are open before going any further */
 173         for (i = 0; i < 3; i++)
 174                 if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i))
 175                         return 0;
 176
 177         /* disable core dumps in case we're processing sensitive information */
 178         rlim.rlim_cur = rlim.rlim_max = 0;
 179         if (setrlimit(RLIMIT_CORE, &rlim)) {
 180                 perror("Couldn't disable core dumps");
 181                 return 0;
 182         }
 183
 184         /* drop any supplementary groups, set uid & gid to root */
 185         if (setgroups(0, NULL)) {
 186                 perror("Couldn't clear group list");
 187                 return 0;
 188         }
 189
 190         if (setgid(0)) {
 191                 perror("Couldn't setgid(0)");
 192                 return 0;
 193         }
 194
 195         if (setuid(0)) {
 196                 perror("Couldn't setuid(0)");
 197                 return 0;
 198         }
 199
 200         return 1;
 201 }