]>
git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/misc-progs/setuid.c
1 /* This file is part of the IPCop Firewall.
3 * IPCop is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
8 * IPCop is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with IPCop; if not, write to the Free Software
15 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
19 * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
29 #include <sys/types.h>
32 #include <sys/resource.h>
45 #define MAX_ARGUMENTS 128
47 /* Trusted environment for executing commands */
48 char * trusted_env
[4] = {
49 "PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
55 static int system_core(char* command
, char** args
, uid_t uid
, gid_t gid
, char *error
) {
58 char* argv
[MAX_ARGUMENTS
+ 1];
59 unsigned int argc
= 0;
64 // Add command as first element to argv
65 argv
[argc
++] = command
;
67 // Add all other arguments
70 argv
[argc
++] = *args
++;
72 // Break when argv is full
73 if (argc
>= MAX_ARGUMENTS
) {
79 // Make sure that argv is NULL-terminated
82 switch(pid
= fork()) {
87 if (gid
&& setgid(gid
)) {
88 fprintf(stderr
, "%s: ", error
);
89 perror("Couldn't setgid");
93 if (uid
&& setuid(uid
)) {
94 fprintf(stderr
, "%s: ", error
);
95 perror("Couldn't setuid");
99 execve(command
, argv
, trusted_env
);
101 fprintf(stderr
, "%s: ", error
);
102 perror("execve failed");
106 default: /* parent */
107 // Wait until the child process has finished
108 waitpid(pid
, &status
, 0);
110 // The child was terminated by a signal
111 if (WIFSIGNALED(status
))
112 return 128 + WTERMSIG(status
);
114 // Return the exit code if available
115 if (WIFEXITED(status
))
116 return WEXITSTATUS(status
);
118 // Something unexpected happened, exiting with error
123 int run(char* command
, char** argv
) {
124 return system_core(command
, argv
, 0, 0, "run");
127 /* Spawns a child process that uses /bin/sh to interpret a command.
128 * This is much the same in use and purpose as system(), yet as it uses execve
129 * to pass a trusted environment it's immune to attacks based upon changing
130 * IFS, ENV, BASH_ENV and other such variables.
131 * Note this does NOT guard against any other attacks, inparticular you MUST
132 * validate the command you are passing. If the command is formed from user
133 * input be sure to check this input is what you expect. Nasty things can
134 * happen if a user can inject ; or `` into your command for example */
135 int safe_system(char* command
) {
143 return system_core(argv
[0], argv
+ 1, 0, 0, "safe_system");
146 /* Much like safe_system but lets you specify a non-root uid and gid to run
148 int unpriv_system(char* command
, uid_t uid
, gid_t gid
) {
156 return system_core(argv
[0], argv
+ 1, uid
, gid
, "unpriv_system");
159 /* General routine to initialise a setuid root program, and put the
160 * environment in a known state. Returns 1 on success, if initsetuid() returns
161 * 0 then you should exit(1) immediately, DON'T attempt to recover from the
163 int initsetuid(void) {
168 /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
169 for (i
= 0; i
< NSIG
; i
++) {
170 if (i
!= SIGKILL
&& i
!= SIGCHLD
)
174 /* dump all non-standard file descriptors (a full descriptor table could
175 * lead to DoS by preventing us opening files) */
176 if ((fds
= getdtablesize()) == -1)
178 for (i
= 3; i
< fds
; i
++)
181 /* check stdin, stdout & stderr are open before going any further */
182 for (i
= 0; i
< 3; i
++)
183 if( fstat(i
, &st
) == -1 && ((errno
!= EBADF
) || (close(i
), open("/dev/null", O_RDWR
, 0)) != i
))
186 /* disable core dumps in case we're processing sensitive information */
187 rlim
.rlim_cur
= rlim
.rlim_max
= 0;
188 if (setrlimit(RLIMIT_CORE
, &rlim
)) {
189 perror("Couldn't disable core dumps");
193 /* drop any supplementary groups, set uid & gid to root */
194 if (setgroups(0, NULL
)) {
195 perror("Couldn't clear group list");
200 perror("Couldn't setgid(0)");
205 perror("Couldn't setuid(0)");
212 /* Checks if a string only contains alphanumerical characters, dash or underscore */
213 int is_valid_argument_alnum(const char* arg
) {
214 size_t l
= strlen(arg
);
216 for (unsigned int i
= 0; i
< l
; i
++) {
219 // Dash or underscore
220 if (c
== '-' || c
== '_')
223 // Any alphanumerical character
234 int is_valid_argument_num(const char* arg
) {
235 size_t l
= strlen(arg
);
237 for (unsigned int i
= 0; i
< l
; i
++) {