src/misc-progs/setuid.c

   1 /* This file is part of the IPCop Firewall.
   2  *
   3  * IPCop is free software; you can redistribute it and/or modify
   4  * it under the terms of the GNU General Public License as published by
   5  * the Free Software Foundation; either version 2 of the License, or
   6  * (at your option) any later version.
   7  *
   8  * IPCop is distributed in the hope that it will be useful,
   9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11  * GNU General Public License for more details.
  12  *
  13  * You should have received a copy of the GNU General Public License
  14  * along with IPCop; if not, write to the Free Software
  15  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
  16  *
  17  * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
  18  *
  19  * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
  20  *
  21  */
  22
  23 #include <ctype.h>
  24 #include <stdio.h>
  25 #include <string.h>
  26 #include <errno.h>
  27 #include <unistd.h>
  28 #include <stdlib.h>
  29 #include <sys/types.h>
  30 #include <limits.h>
  31 #include <sys/time.h>
  32 #include <sys/resource.h>
  33 #include <sys/stat.h>
  34 #include <fcntl.h>
  35 #include <grp.h>
  36 #include <signal.h>
  37 #include <sys/wait.h>
  38 #include <glob.h>
  39 #include "setuid.h"
  40
  41 #ifndef OPEN_MAX
  42 #define OPEN_MAX 256
  43 #endif
  44
  45 #define MAX_ARGUMENTS 128
  46
  47 /* Trusted environment for executing commands */
  48 char * trusted_env[4] = {
  49         "PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
  50         "SHELL=/bin/sh",
  51         "TERM=dumb",
  52         NULL
  53 };
  54
  55 static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
  56         int pid, status;
  57
  58         char* argv[MAX_ARGUMENTS + 1];
  59         unsigned int argc = 0;
  60
  61         if(!command)
  62                 return 1;
  63
  64 #if 0
  65         // Add command as first element to argv
  66         argv[argc++] = command;
  67 #endif
  68
  69         // Add all other arguments
  70         if (args) {
  71                 while (*args) {
  72                         argv[argc++] = *args++;
  73
  74                         // Break when argv is full
  75                         if (argc >= MAX_ARGUMENTS) {
  76                                 return 2;
  77                         }
  78                 }
  79         }
  80
  81         // Make sure that argv is NULL-terminated
  82         argv[argc] = NULL;
  83
  84         switch(pid = fork()) {
  85                 case -1:
  86                         return -1;
  87
  88                 case 0: /* child */ {
  89                         if (gid && setgid(gid)) {
  90                                 fprintf(stderr, "%s: ", error);
  91                                 perror("Couldn't setgid");
  92                                 exit(127);
  93                         }
  94
  95                         if (uid && setuid(uid)) {
  96                                 fprintf(stderr, "%s: ", error);
  97                                 perror("Couldn't setuid");
  98                                 exit(127);
  99                         }
 100
 101                         execve(command, argv, trusted_env);
 102
 103                         fprintf(stderr, "%s: ", error);
 104                         perror("execve failed");
 105                         exit(127);
 106                 }
 107
 108                 default: /* parent */
 109                         do {
 110                                 if (waitpid(pid, &status, 0) == -1) {
 111                                         if (errno != EINTR)
 112                                                 return -1;
 113                                         } else {
 114                                                 return status;
 115                                         }
 116                         } while (1);
 117         }
 118
 119 }
 120
 121 int run(char* command, char** argv) {
 122         return system_core(command, argv, 0, 0, "run");
 123 }
 124
 125 /* Spawns a child process that uses /bin/sh to interpret a command.
 126  * This is much the same in use and purpose as system(), yet as it uses execve
 127  * to pass a trusted environment it's immune to attacks based upon changing
 128  * IFS, ENV, BASH_ENV and other such variables.
 129  * Note this does NOT guard against any other attacks, inparticular you MUST
 130  * validate the command you are passing. If the command is formed from user
 131  * input be sure to check this input is what you expect. Nasty things can
 132  * happen if a user can inject ; or `` into your command for example */
 133 int safe_system(char* command) {
 134         char* argv[4] = {
 135                 "/bin/sh",
 136                 "-c",
 137                 command,
 138                 NULL,
 139         };
 140
 141         return system_core(argv[0], argv, 0, 0, "safe_system");
 142 }
 143
 144 /* Much like safe_system but lets you specify a non-root uid and gid to run
 145  * the command as */
 146 int unpriv_system(char* command, uid_t uid, gid_t gid) {
 147         char* argv[4] = {
 148                 "/bin/sh",
 149                 "-c",
 150                 command,
 151                 NULL,
 152         };
 153
 154         return system_core(argv[0], argv, uid, gid, "unpriv_system");
 155 }
 156
 157 /* General routine to initialise a setuid root program, and put the
 158  * environment in a known state. Returns 1 on success, if initsetuid() returns
 159  * 0 then you should exit(1) immediately, DON'T attempt to recover from the
 160  * error */
 161 int initsetuid(void) {
 162         int fds, i;
 163         struct stat st;
 164         struct rlimit rlim;
 165
 166         /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
 167         for (i = 0; i < NSIG; i++) {
 168                 if (i != SIGKILL && i != SIGCHLD)
 169                         signal(i, SIG_IGN);
 170         }
 171
 172         /* dump all non-standard file descriptors (a full descriptor table could
 173          * lead to DoS by preventing us opening files) */
 174         if ((fds = getdtablesize()) == -1)
 175                 fds = OPEN_MAX;
 176         for (i = 3; i < fds; i++)
 177                 close(i);
 178
 179         /* check stdin, stdout & stderr are open before going any further */
 180         for (i = 0; i < 3; i++)
 181                 if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i))
 182                         return 0;
 183
 184         /* disable core dumps in case we're processing sensitive information */
 185         rlim.rlim_cur = rlim.rlim_max = 0;
 186         if (setrlimit(RLIMIT_CORE, &rlim)) {
 187                 perror("Couldn't disable core dumps");
 188                 return 0;
 189         }
 190
 191         /* drop any supplementary groups, set uid & gid to root */
 192         if (setgroups(0, NULL)) {
 193                 perror("Couldn't clear group list");
 194                 return 0;
 195         }
 196
 197         if (setgid(0)) {
 198                 perror("Couldn't setgid(0)");
 199                 return 0;
 200         }
 201
 202         if (setuid(0)) {
 203                 perror("Couldn't setuid(0)");
 204                 return 0;
 205         }
 206
 207         return 1;
 208 }
 209
 210 /* Checks if a string only contains alphanumerical characters, dash or underscore */
 211 int is_valid_argument_alnum(const char* arg) {
 212         size_t l = strlen(arg);
 213
 214         for (unsigned int i = 0; i < l; i++) {
 215                 char c = arg[i];
 216
 217                 // Dash or underscore
 218                 if (c == '-' || c == '_')
 219                         continue;
 220
 221                 // Any alphanumerical character
 222                 if (isalnum(c))
 223                         continue;
 224
 225                 // Invalid
 226                 return 0;
 227         }
 228
 229         return 1;
 230 }
 231
 232 int is_valid_argument_num(const char* arg) {
 233         size_t l = strlen(arg);
 234
 235         for (unsigned int i = 0; i < l; i++) {
 236                 char c = arg[i];
 237
 238                 // Any digit
 239                 if (isdigit(c))
 240                         continue;
 241
 242                 // Invalid
 243                 return 0;
 244         }
 245
 246         return 1;
 247 }