[people/teissler/ipfire-2.x.git] / src / misc-progs / setuid.c

/* This file is part of the IPCop Firewall.
 *
 * IPCop is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * IPCop is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with IPCop; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
 *
 * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
 *
 * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
 *
 */

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <limits.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <signal.h>
#include <sys/wait.h>
#include <glob.h>
#include "setuid.h"

#ifndef OPEN_MAX
#define OPEN_MAX 256
#endif

/* Trusted environment for executing commands */
char * trusted_env[4] = {
	"PATH=/usr/bin:/usr/sbin:/sbin:/bin",
	"SHELL=/bin/sh",
	"TERM=dumb",
	NULL
};

/* Spawns a child process that uses /bin/sh to interpret a command.
 * This is much the same in use and purpose as system(), yet as it uses execve
 * to pass a trusted environment it's immune to attacks based upon changing
 * IFS, ENV, BASH_ENV and other such variables.
 * Note this does NOT guard against any other attacks, inparticular you MUST
 * validate the command you are passing. If the command is formed from user
 * input be sure to check this input is what you expect. Nasty things can
 * happen if a user can inject ; or `` into your command for example */
int safe_system(char* command)
{
	return system_core( command, 0, 0, "safe_system" );
}

/* Much like safe_system but lets you specify a non-root uid and gid to run
 * the command as */
int unpriv_system(char* command, uid_t uid, gid_t gid)
{
	return system_core(command, uid, gid, "unpriv_system" );
}

int system_core(char* command, uid_t uid, gid_t gid, char *error)
{
	int pid, status;

	if(!command)
		return 1;

	switch( pid = fork() )
	{
		case -1:
			return -1;
		case 0: /* child */
		{
			char * argv[4];
			if (gid && setgid(gid))	
			{
				fprintf(stderr, "%s: ", error);
				perror("Couldn't setgid");
				exit(127);
			}
			if (uid && setuid(uid))
			{
				fprintf(stderr, "%s: ", error);
				perror("Couldn't setuid");
				exit(127);
			}
			argv[0] = "sh";
			argv[1] = "-c";
			argv[2] = command;
			argv[3] = NULL;
			execve("/bin/sh", argv, trusted_env);
			fprintf(stderr, "%s: ", error);
			perror("execve failed");
			exit(127);
		}
		default: /* parent */
			do {
				if( waitpid(pid, &status, 0) == -1 ) {
					if( errno != EINTR )
						return -1;
					} else
						return status;
			} while (1);
	}

}

/* General routine to initialise a setuid root program, and put the
 * environment in a known state. Returns 1 on success, if initsetuid() returns
 * 0 then you should exit(1) immediately, DON'T attempt to recover from the
 * error */
int initsetuid(void)
{
	int fds,i;
	struct stat st;
	struct rlimit rlim;

	/* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
		for( i = 0; i < NSIG; i++ ) {
			if( i != SIGKILL && i != SIGCHLD )
				signal(i, SIG_IGN);
	}

	/* dump all non-standard file descriptors (a full descriptor table could
	 * lead to DoS by preventing us opening files) */
	if ((fds = getdtablesize()) == -1) fds = OPEN_MAX;
	for( i = 3; i < fds; i++ ) close(i);

	/* check stdin, stdout & stderr are open before going any further */
	for( i = 0; i < 3; i++ )
		if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i ))
			return 0;

	/* disable core dumps in case we're processing sensitive information */
	rlim.rlim_cur = rlim.rlim_max = 0;
	if(setrlimit(RLIMIT_CORE, &rlim))
		{ perror("Couldn't disable core dumps"); return 0; }

	/* drop any supplementary groups, set uid & gid to root */
	if (setgroups(0, NULL)) { perror("Couldn't clear group list"); return 0; }
	if (setgid(0))          { perror("Couldn't setgid(0)");        return 0; }
	if (setuid(0))          { perror("Couldn't setuid(0)");        return 0; }

	return 1;
}
Commit	Line	Data
12938118 MT	1	/* This file is part of the IPCop Firewall.
	2	*
	3	* IPCop is free software; you can redistribute it and/or modify
	4	* it under the terms of the GNU General Public License as published by
	5	* the Free Software Foundation; either version 2 of the License, or
	6	* (at your option) any later version.
	7	*
	8	* IPCop is distributed in the hope that it will be useful,
	9	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	10	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	11	* GNU General Public License for more details.
	12	*
	13	* You should have received a copy of the GNU General Public License
	14	* along with IPCop; if not, write to the Free Software
	15	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	16	*
	17	* Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
	18	*
	19	* $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
	20	*
	21	*/
	22
	23	#include <stdio.h>
	24	#include <string.h>
	25	#include <errno.h>
	26	#include <unistd.h>
	27	#include <stdlib.h>
	28	#include <sys/types.h>
	29	#include <limits.h>
	30	#include <sys/time.h>
	31	#include <sys/resource.h>
	32	#include <sys/stat.h>
	33	#include <fcntl.h>
	34	#include <grp.h>
	35	#include <signal.h>
	36	#include <sys/wait.h>
	37	#include <glob.h>
	38	#include "setuid.h"
	39
	40	#ifndef OPEN_MAX
	41	#define OPEN_MAX 256
	42	#endif
	43
	44	/* Trusted environment for executing commands */
	45	char * trusted_env[4] = {
	46	"PATH=/usr/bin:/usr/sbin:/sbin:/bin",
	47	"SHELL=/bin/sh",
	48	"TERM=dumb",
	49	NULL
	50	};
	51
	52	/* Spawns a child process that uses /bin/sh to interpret a command.
	53	* This is much the same in use and purpose as system(), yet as it uses execve
	54	* to pass a trusted environment it's immune to attacks based upon changing
	55	* IFS, ENV, BASH_ENV and other such variables.
	56	* Note this does NOT guard against any other attacks, inparticular you MUST
	57	* validate the command you are passing. If the command is formed from user
	58	* input be sure to check this input is what you expect. Nasty things can
	59	* happen if a user can inject ; or `` into your command for example */
	60	int safe_system(char* command)
	61	{
	62	return system_core( command, 0, 0, "safe_system" );
	63	}
	64
65	/* Much like safe_system but lets you specify a non-root uid and gid to run
66	* the command as */
67	int unpriv_system(char* command, uid_t uid, gid_t gid)
68	{
69	return system_core(command, uid, gid, "unpriv_system" );
70	}
71
72	int system_core(char* command, uid_t uid, gid_t gid, char *error)
73	{
74	int pid, status;
75
76	if(!command)
77	return 1;
78
79	switch( pid = fork() )
80	{
81	case -1:
82	return -1;
83	case 0: /* child */
84	{
85	char * argv[4];
86	if (gid && setgid(gid))
87	{
88	fprintf(stderr, "%s: ", error);
89	perror("Couldn't setgid");
90	exit(127);
91	}
92	if (uid && setuid(uid))
93	{
94	fprintf(stderr, "%s: ", error);
95	perror("Couldn't setuid");
96	exit(127);
97	}
98	argv[0] = "sh";
99	argv[1] = "-c";
100	argv[2] = command;
101	argv[3] = NULL;
102	execve("/bin/sh", argv, trusted_env);
103	fprintf(stderr, "%s: ", error);
104	perror("execve failed");
105	exit(127);
106	}
107	default: /* parent */
108	do {
109	if( waitpid(pid, &status, 0) == -1 ) {
110	if( errno != EINTR )
111	return -1;
112	} else
113	return status;
114	} while (1);
115	}
116
117	}
118
119	/* General routine to initialise a setuid root program, and put the
120	* environment in a known state. Returns 1 on success, if initsetuid() returns
121	* 0 then you should exit(1) immediately, DON'T attempt to recover from the
122	* error */
123	int initsetuid(void)
124	{
125	int fds,i;
126	struct stat st;
127	struct rlimit rlim;
128
129	/* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
130	for( i = 0; i < NSIG; i++ ) {
131	if( i != SIGKILL && i != SIGCHLD )
132	signal(i, SIG_IGN);
133	}
134
135	/* dump all non-standard file descriptors (a full descriptor table could
136	* lead to DoS by preventing us opening files) */
137	if ((fds = getdtablesize()) == -1) fds = OPEN_MAX;
138	for( i = 3; i < fds; i++ ) close(i);
139
140	/* check stdin, stdout & stderr are open before going any further */
141	for( i = 0; i < 3; i++ )
142	if( fstat(i, &st) == -1 && ((errno != EBADF) \|\| (close(i), open("/dev/null", O_RDWR, 0)) != i ))
143	return 0;
144
145	/* disable core dumps in case we're processing sensitive information */
146	rlim.rlim_cur = rlim.rlim_max = 0;
147	if(setrlimit(RLIMIT_CORE, &rlim))
148	{ perror("Couldn't disable core dumps"); return 0; }
149
150	/* drop any supplementary groups, set uid & gid to root */
151	if (setgroups(0, NULL)) { perror("Couldn't clear group list"); return 0; }
152	if (setgid(0)) { perror("Couldn't setgid(0)"); return 0; }
153	if (setuid(0)) { perror("Couldn't setuid(0)"); return 0; }
154
155	return 1;
156	}