src/misc-progs/setuid.c

   1 /* This file is part of the IPCop Firewall.
   2  *
   3  * IPCop is free software; you can redistribute it and/or modify
   4  * it under the terms of the GNU General Public License as published by
   5  * the Free Software Foundation; either version 2 of the License, or
   6  * (at your option) any later version.
   7  *
   8  * IPCop is distributed in the hope that it will be useful,
   9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11  * GNU General Public License for more details.
  12  *
  13  * You should have received a copy of the GNU General Public License
  14  * along with IPCop; if not, write to the Free Software
  15  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
  16  *
  17  * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
  18  *
  19  * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
  20  *
  21  */
  22
  23 #include <ctype.h>
  24 #include <stdio.h>
  25 #include <string.h>
  26 #include <errno.h>
  27 #include <unistd.h>
  28 #include <stdlib.h>
  29 #include <sys/types.h>
  30 #include <limits.h>
  31 #include <sys/time.h>
  32 #include <sys/resource.h>
  33 #include <sys/stat.h>
  34 #include <fcntl.h>
  35 #include <grp.h>
  36 #include <signal.h>
  37 #include <sys/wait.h>
  38 #include <glob.h>
  39 #include "setuid.h"
  40
  41 #ifndef OPEN_MAX
  42 #define OPEN_MAX 256
  43 #endif
  44
  45 #define MAX_ARGUMENTS 128
  46
  47 /* Trusted environment for executing commands */
  48 char * trusted_env[4] = {
  49         "PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
  50         "SHELL=/bin/sh",
  51         "TERM=dumb",
  52         NULL
  53 };
  54
  55 static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) {
  56         int pid, status;
  57
  58         char* argv[MAX_ARGUMENTS + 1];
  59         unsigned int argc = 0;
  60
  61         if(!command)
  62                 return 1;
  63
  64         // Add command as first element to argv
  65         argv[argc++] = command;
  66
  67         // Add all other arguments
  68         if (args) {
  69                 while (*args) {
  70                         argv[argc++] = *args++;
  71
  72                         // Break when argv is full
  73                         if (argc >= MAX_ARGUMENTS) {
  74                                 return 2;
  75                         }
  76                 }
  77         }
  78
  79         // Make sure that argv is NULL-terminated
  80         argv[argc] = NULL;
  81
  82         switch(pid = fork()) {
  83                 case -1:
  84                         return -1;
  85
  86                 case 0: /* child */ {
  87                         if (gid && setgid(gid)) {
  88                                 fprintf(stderr, "%s: ", error);
  89                                 perror("Couldn't setgid");
  90                                 exit(127);
  91                         }
  92
  93                         if (uid && setuid(uid)) {
  94                                 fprintf(stderr, "%s: ", error);
  95                                 perror("Couldn't setuid");
  96                                 exit(127);
  97                         }
  98
  99                         execve(command, argv, trusted_env);
 100
 101                         fprintf(stderr, "%s: ", error);
 102                         perror("execve failed");
 103                         exit(127);
 104                 }
 105
 106                 default: /* parent */
 107                         // Wait until the child process has finished
 108                         waitpid(pid, &status, 0);
 109
 110                         // The child was terminated by a signal
 111                         if (WIFSIGNALED(status))
 112                                  return 128 + WTERMSIG(status);
 113
 114                         // Return the exit code if available
 115                         if (WIFEXITED(status))
 116                                 return WEXITSTATUS(status);
 117
 118                         // Something unexpected happened, exiting with error
 119                         return EXIT_FAILURE;
 120         }
 121 }
 122
 123 int run(char* command, char** argv) {
 124         return system_core(command, argv, 0, 0, "run");
 125 }
 126
 127 /* Spawns a child process that uses /bin/sh to interpret a command.
 128  * This is much the same in use and purpose as system(), yet as it uses execve
 129  * to pass a trusted environment it's immune to attacks based upon changing
 130  * IFS, ENV, BASH_ENV and other such variables.
 131  * Note this does NOT guard against any other attacks, inparticular you MUST
 132  * validate the command you are passing. If the command is formed from user
 133  * input be sure to check this input is what you expect. Nasty things can
 134  * happen if a user can inject ; or `` into your command for example */
 135 int safe_system(char* command) {
 136         char* argv[4] = {
 137                 "/bin/sh",
 138                 "-c",
 139                 command,
 140                 NULL,
 141         };
 142
 143         return system_core(argv[0], argv + 1, 0, 0, "safe_system");
 144 }
 145
 146 /* Much like safe_system but lets you specify a non-root uid and gid to run
 147  * the command as */
 148 int unpriv_system(char* command, uid_t uid, gid_t gid) {
 149         char* argv[4] = {
 150                 "/bin/sh",
 151                 "-c",
 152                 command,
 153                 NULL,
 154         };
 155
 156         return system_core(argv[0], argv + 1, uid, gid, "unpriv_system");
 157 }
 158
 159 /* General routine to initialise a setuid root program, and put the
 160  * environment in a known state. Returns 1 on success, if initsetuid() returns
 161  * 0 then you should exit(1) immediately, DON'T attempt to recover from the
 162  * error */
 163 int initsetuid(void) {
 164         int fds, i;
 165         struct stat st;
 166         struct rlimit rlim;
 167
 168         /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
 169         for (i = 0; i < NSIG; i++) {
 170                 if (i != SIGKILL && i != SIGCHLD)
 171                         signal(i, SIG_IGN);
 172         }
 173
 174         /* dump all non-standard file descriptors (a full descriptor table could
 175          * lead to DoS by preventing us opening files) */
 176         if ((fds = getdtablesize()) == -1)
 177                 fds = OPEN_MAX;
 178         for (i = 3; i < fds; i++)
 179                 close(i);
 180
 181         /* check stdin, stdout & stderr are open before going any further */
 182         for (i = 0; i < 3; i++)
 183                 if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i))
 184                         return 0;
 185
 186         /* disable core dumps in case we're processing sensitive information */
 187         rlim.rlim_cur = rlim.rlim_max = 0;
 188         if (setrlimit(RLIMIT_CORE, &rlim)) {
 189                 perror("Couldn't disable core dumps");
 190                 return 0;
 191         }
 192
 193         /* drop any supplementary groups, set uid & gid to root */
 194         if (setgroups(0, NULL)) {
 195                 perror("Couldn't clear group list");
 196                 return 0;
 197         }
 198
 199         if (setgid(0)) {
 200                 perror("Couldn't setgid(0)");
 201                 return 0;
 202         }
 203
 204         if (setuid(0)) {
 205                 perror("Couldn't setuid(0)");
 206                 return 0;
 207         }
 208
 209         return 1;
 210 }
 211
 212 /* Checks if a string only contains alphanumerical characters, dash or underscore */
 213 int is_valid_argument_alnum(const char* arg) {
 214         size_t l = strlen(arg);
 215
 216         for (unsigned int i = 0; i < l; i++) {
 217                 char c = arg[i];
 218
 219                 // Dash or underscore
 220                 if (c == '-' || c == '_')
 221                         continue;
 222
 223                 // Any alphanumerical character
 224                 if (isalnum(c))
 225                         continue;
 226
 227                 // Invalid
 228                 return 0;
 229         }
 230
 231         return 1;
 232 }
 233
 234 int is_valid_argument_num(const char* arg) {
 235         size_t l = strlen(arg);
 236
 237         for (unsigned int i = 0; i < l; i++) {
 238                 char c = arg[i];
 239
 240                 // Any digit
 241                 if (isdigit(c))
 242                         continue;
 243
 244                 // Invalid
 245                 return 0;
 246         }
 247
 248         return 1;
 249 }