projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| cd1a2927 MT |
1 | /* This file is part of the IPCop Firewall.\r |
| 2 | *\r | |
| 3 | * IPCop is free software; you can redistribute it and/or modify\r | |
| 4 | * it under the terms of the GNU General Public License as published by\r | |
| 5 | * the Free Software Foundation; either version 2 of the License, or\r | |
| 6 | * (at your option) any later version.\r | |
| 7 | *\r | |
| 8 | * IPCop is distributed in the hope that it will be useful,\r | |
| 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of\r | |
| 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r | |
| 11 | * GNU General Public License for more details.\r | |
| 12 | *\r | |
| 13 | * You should have received a copy of the GNU General Public License\r | |
| 14 | * along with IPCop; if not, write to the Free Software\r | |
| 15 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\r | |
| 16 | *\r | |
| 17 | * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>\r | |
| 18 | *\r | |
| 19 | * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $\r | |
| 20 | *\r | |
| 21 | */\r | |
| 22 | \r | |
| 23 | #include <stdio.h>\r | |
| 24 | #include <string.h>\r | |
| 25 | #include <errno.h>\r | |
| 26 | #include <unistd.h>\r | |
| 27 | #include <stdlib.h>\r | |
| 28 | #include <sys/types.h>\r | |
| 29 | #include <limits.h>\r | |
| 30 | #include <sys/time.h>\r | |
| 31 | #include <sys/resource.h>\r | |
| 32 | #include <sys/stat.h>\r | |
| 33 | #include <fcntl.h>\r | |
| 34 | #include <grp.h>\r | |
| 35 | #include <signal.h>\r | |
| 36 | #include <sys/wait.h>\r | |
| 37 | #include <glob.h>\r | |
| 38 | #include "setuid.h"\r | |
| 39 | \r | |
| 40 | #ifndef OPEN_MAX\r | |
| 41 | #define OPEN_MAX 256\r | |
| 42 | #endif\r | |
| 43 | \r | |
| 44 | /* Trusted environment for executing commands */\r | |
| 45 | char * trusted_env[4]={\r | |
| 46 | "PATH=/usr/bin:/usr/sbin:/sbin:/bin",\r | |
| 47 | "SHELL=/bin/sh",\r | |
| 48 | "TERM=dumb",\r | |
| 49 | NULL};\r | |
| 50 | \r | |
| 51 | /* Spawns a child process that uses /bin/sh to interpret a command.\r | |
| 52 | * This is much the same in use and purpose as system(), yet as it uses execve\r | |
| 53 | * to pass a trusted environment it's immune to attacks based upon changing\r | |
| 54 | * IFS, ENV, BASH_ENV and other such variables.\r | |
| 55 | * Note this does NOT guard against any other attacks, inparticular you MUST\r | |
| 56 | * validate the command you are passing. If the command is formed from user\r | |
| 57 | * input be sure to check this input is what you expect. Nasty things can\r | |
| 58 | * happen if a user can inject ; or `` into your command for example */\r | |
| 59 | int safe_system(char* command)\r | |
| 60 | {\r | |
| 61 | return system_core( command, 0, 0, "safe_system" );\r | |
| 62 | }\r | |
| 63 | \r | |
| 64 | /* Much like safe_system but lets you specify a non-root uid and gid to run\r | |
| 65 | * the command as */\r | |
| 66 | int unpriv_system(char* command, uid_t uid, gid_t gid)\r | |
| 67 | {\r | |
| 68 | return system_core(command, uid, gid, "unpriv_system" );\r | |
| 69 | }\r | |
| 70 | \r | |
| 71 | int system_core(char* command, uid_t uid, gid_t gid, char *error)\r | |
| 72 | {\r | |
| 73 | int pid, status;\r | |
| 74 | \r | |
| 75 | if(!command)\r | |
| 76 | return 1;\r | |
| 77 | \r | |
| 78 | switch( pid = fork() )\r | |
| 79 | {\r | |
| 80 | case -1:\r | |
| 81 | return -1;\r | |
| 82 | case 0: /* child */\r | |
| 83 | {\r | |
| 84 | char * argv[4];\r | |
| 85 | if (gid && setgid(gid)) \r | |
| 86 | {\r | |
| 87 | fprintf(stderr, "%s: ", error);\r | |
| 88 | perror("Couldn't setgid");\r | |
| 89 | exit(127);\r | |
| 90 | }\r | |
| 91 | if (uid && setuid(uid))\r | |
| 92 | {\r | |
| 93 | fprintf(stderr, "%s: ", error);\r | |
| 94 | perror("Couldn't setuid");\r | |
| 95 | exit(127);\r | |
| 96 | }\r | |
| 97 | argv[0] = "sh";\r | |
| 98 | argv[1] = "-c";\r | |
| 99 | argv[2] = command;\r | |
| 100 | argv[3] = NULL;\r | |
| 101 | execve("/bin/sh", argv, trusted_env);\r | |
| 102 | fprintf(stderr, "%s: ", error);\r | |
| 103 | perror("execve failed");\r | |
| 104 | exit(127);\r | |
| 105 | }\r | |
| 106 | default: /* parent */\r | |
| 107 | do {\r | |
| 108 | if( waitpid(pid, &status, 0) == -1 ) {\r | |
| 109 | if( errno != EINTR )\r | |
| 110 | return -1;\r | |
| 111 | } else\r | |
| 112 | return status;\r | |
| 113 | } while (1);\r | |
| 114 | }\r | |
| 115 | \r | |
| 116 | }\r | |
| 117 | \r | |
| 118 | /* BSD style safe strcat; from the secure programming cookbook */\r | |
| 119 | size_t strlcat(char *dst, const char *src, size_t len) {\r | |
| 120 | char *dstptr = dst;\r | |
| 121 | size_t dstlen, tocopy = len;\r | |
| 122 | const char *srcptr = src;\r | |
| 123 | \r | |
| 124 | while (tocopy-- && *dstptr) dstptr++;\r | |
| 125 | dstlen = dstptr - dst;\r | |
| 126 | if (!(tocopy = len - dstlen)) return (dstlen + strlen(src));\r | |
| 127 | while (*srcptr) {\r | |
| 128 | if (tocopy != 1) {\r | |
| 129 | *dstptr++ = *srcptr;\r | |
| 130 | tocopy--;\r | |
| 131 | }\r | |
| 132 | srcptr++;\r | |
| 133 | }\r | |
| 134 | *dstptr = 0;\r | |
| 135 | \r | |
| 136 | return (dstlen + (srcptr - src));\r | |
| 137 | }\r | |
| 138 | \r | |
| 139 | /* General routine to initialise a setuid root program, and put the\r | |
| 140 | * environment in a known state. Returns 1 on success, if initsetuid() returns\r | |
| 141 | * 0 then you should exit(1) immediately, DON'T attempt to recover from the\r | |
| 142 | * error */\r | |
| 143 | int initsetuid(void)\r | |
| 144 | {\r | |
| 145 | int fds,i;\r | |
| 146 | struct stat st;\r | |
| 147 | struct rlimit rlim;\r | |
| 148 | \r | |
| 149 | /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */\r | |
| 150 | for( i = 0; i < NSIG; i++ ) {\r | |
| 151 | if( i != SIGKILL && i != SIGCHLD )\r | |
| 152 | signal(i, SIG_IGN);\r | |
| 153 | }\r | |
| 154 | \r | |
| 155 | /* dump all non-standard file descriptors (a full descriptor table could\r | |
| 156 | * lead to DoS by preventing us opening files) */\r | |
| 157 | if ((fds = getdtablesize()) == -1) fds = OPEN_MAX;\r | |
| 158 | for( i = 3; i < fds; i++ ) close(i);\r | |
| 159 | \r | |
| 160 | /* check stdin, stdout & stderr are open before going any further */\r | |
| 161 | for( i = 0; i < 3; i++ )\r | |
| 162 | if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i ))\r | |
| 163 | return 0;\r | |
| 164 | \r | |
| 165 | /* disable core dumps in case we're processing sensitive information */\r | |
| 166 | rlim.rlim_cur = rlim.rlim_max = 0;\r | |
| 167 | if(setrlimit(RLIMIT_CORE, &rlim))\r | |
| 168 | { perror("Couldn't disable core dumps"); return 0; }\r | |
| 169 | \r | |
| 170 | /* drop any supplementary groups, set uid & gid to root */\r | |
| 171 | if (setgroups(0, NULL)) { perror("Couldn't clear group list"); return 0; }\r | |
| 172 | if (setgid(0)) { perror("Couldn't setgid(0)"); return 0; }\r | |
| 173 | if (setuid(0)) { perror("Couldn't setuid(0)"); return 0; }\r | |
| 174 | \r | |
| 175 | return 1;\r | |
| 176 | }\r | |
| 177 | \r | |
| 178 | /* check whether a file exists */\r | |
| 179 | int file_exists(const char *fname) {\r | |
| 180 | struct stat st;\r | |
| 181 | stat(fname, &st);\r | |
| 182 | return S_ISREG(st.st_mode) ? 1 : 0;\r | |
| 183 | }\r | |
| 184 | \r | |
| 185 | /* check whether a file exists. fname is wildcard eg: file_exists (/tmp/foo*) */\r | |
| 186 | int file_exists_w(const char *fname)\r | |
| 187 | {\r | |
| 188 | /* do a quick check first */\r | |
| 189 | struct stat st;\r | |
| 190 | stat(fname, &st);\r | |
| 191 | if (S_ISREG(st.st_mode))\r | |
| 192 | return 1;\r | |
| 193 | \r | |
| 194 | /* check for possible wild cards in name */\r | |
| 195 | glob_t globbuf;\r | |
| 196 | int retval=0;\r | |
| 197 | if (glob(fname, GLOB_ERR, NULL, &globbuf)==0) {\r | |
| 198 | if (globbuf.gl_pathc>0) {\r | |
| 199 | retval=1;\r | |
| 200 | }\r | |
| 201 | }\r | |
| 202 | globfree(&globbuf);\r | |
| 203 | return retval;\r | |
| 204 | }\r |