-/*
- Unix SMB/Netbios implementation.
- Version 1.9.
+/*
+ Unix SMB/CIFS implementation.
run a command as a specified user
Copyright (C) Andrew Tridgell 1992-1998
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "system/filesys.h"
/* need to move this from here!! need some sleep ... */
struct current_user current_user;
-extern int DEBUGLEVEL;
+/****************************************************************************
+This is a utility function of smbrun().
+****************************************************************************/
+
+static int setup_out_fd(void)
+{
+ int fd;
+ TALLOC_CTX *ctx = talloc_stackframe();
+ char *path = NULL;
+ mode_t mask;
+
+ path = talloc_asprintf(ctx,
+ "%s/smb.XXXXXX",
+ tmpdir());
+ if (!path) {
+ TALLOC_FREE(ctx);
+ errno = ENOMEM;
+ return -1;
+ }
+
+ /* now create the file */
+ mask = umask(S_IRWXO | S_IRWXG);
+ fd = mkstemp(path);
+ umask(mask);
+
+ if (fd == -1) {
+ DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
+ path, strerror(errno) ));
+ TALLOC_FREE(ctx);
+ return -1;
+ }
+
+ DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
+
+ /* Ensure file only kept around by open fd. */
+ unlink(path);
+ TALLOC_FREE(ctx);
+ return fd;
+}
/****************************************************************************
-This is a utility function of smbrun(). It must be called only from
-the child as it may leave the caller in a privilaged state.
+run a command being careful about uid/gid handling and putting the output in
+outfd (or discard it if outfd is NULL).
****************************************************************************/
-static BOOL setup_stdout_file(char *outfile,BOOL shared)
-{
- int fd;
- SMB_STRUCT_STAT st;
- mode_t mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH;
- int flags = O_RDWR|O_CREAT|O_TRUNC|O_EXCL;
-
- close(1);
-
- if (shared) {
- /* become root - unprivilaged users can't delete these files */
-#ifdef HAVE_SETRESUID
- setresgid(0,0,0);
- setresuid(0,0,0);
-#else
- setuid(0);
- seteuid(0);
+
+static int smbrun_internal(const char *cmd, int *outfd, bool sanitize,
+ char * const *env)
+{
+ pid_t pid;
+ uid_t uid = current_user.ut.uid;
+ gid_t gid = current_user.ut.gid;
+ void (*saved_handler)(int);
+
+ /*
+ * Lose any elevated privileges.
+ */
+ drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+ drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
+
+ /* point our stdout at the file we want output to go into */
+
+ if (outfd && ((*outfd = setup_out_fd()) == -1)) {
+ return -1;
+ }
+
+ /* in this method we will exec /bin/sh with the correct
+ arguments, after first setting stdout to point at the file */
+
+ /*
+ * We need to temporarily stop CatchChild from eating
+ * SIGCLD signals as it also eats the exit status code. JRA.
+ */
+
+ saved_handler = CatchChildLeaveStatus();
+
+ if ((pid=fork()) < 0) {
+ DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
+ (void)CatchSignal(SIGCLD, saved_handler);
+ if (outfd) {
+ close(*outfd);
+ *outfd = -1;
+ }
+ return errno;
+ }
+
+ if (pid) {
+ /*
+ * Parent.
+ */
+ int status=0;
+ pid_t wpid;
+
+
+ /* the parent just waits for the child to exit */
+ while((wpid = waitpid(pid,&status,0)) < 0) {
+ if(errno == EINTR) {
+ errno = 0;
+ continue;
+ }
+ break;
+ }
+
+ (void)CatchSignal(SIGCLD, saved_handler);
+
+ if (wpid != pid) {
+ DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
+ if (outfd) {
+ close(*outfd);
+ *outfd = -1;
+ }
+ return -1;
+ }
+
+ /* Reset the seek pointer. */
+ if (outfd) {
+ lseek(*outfd, 0, SEEK_SET);
+ }
+
+#if defined(WIFEXITED) && defined(WEXITSTATUS)
+ if (WIFEXITED(status)) {
+ return WEXITSTATUS(status);
+ }
#endif
- }
-
- if(sys_stat(outfile, &st) == 0) {
- /* Check we're not deleting a device file. */
- if(st.st_mode & S_IFREG)
- unlink(outfile);
- else
- flags = O_RDWR;
- }
- /* now create the file */
- fd = open(outfile,flags,mode);
-
- if (fd == -1) return False;
-
- if (fd != 1) {
- if (dup2(fd,1) != 0) {
- DEBUG(2,("Failed to create stdout file descriptor\n"));
- close(fd);
- return False;
- }
- close(fd);
- }
- return True;
+
+ return status;
+ }
+
+ (void)CatchChild();
+
+ /* we are in the child. we exec /bin/sh to do the work for us. we
+ don't directly exec the command we want because it may be a
+ pipeline or anything else the config file specifies */
+
+ /* point our stdout at the file we want output to go into */
+ if (outfd) {
+ close(1);
+ if (dup2(*outfd,1) != 1) {
+ DEBUG(2,("Failed to create stdout file descriptor\n"));
+ close(*outfd);
+ exit(80);
+ }
+ }
+
+ /* now completely lose our privileges. This is a fairly paranoid
+ way of doing it, but it does work on all systems that I know of */
+
+ become_user_permanently(uid, gid);
+
+ if (!non_root_mode()) {
+ if (getuid() != uid || geteuid() != uid ||
+ getgid() != gid || getegid() != gid) {
+ /* we failed to lose our privileges - do not execute
+ the command */
+ exit(81); /* we can't print stuff at this stage,
+ instead use exit codes for debugging */
+ }
+ }
+
+#ifndef __INSURE__
+ /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
+ 2 point to /dev/null from the startup code */
+ {
+ int fd;
+ for (fd=3;fd<256;fd++) close(fd);
+ }
+#endif
+
+ {
+ char *newcmd = NULL;
+ if (sanitize) {
+ newcmd = escape_shell_string(cmd);
+ if (!newcmd)
+ exit(82);
+ }
+
+ if (env != NULL) {
+ execle("/bin/sh","sh","-c",
+ newcmd ? (const char *)newcmd : cmd, NULL,
+ env);
+ } else {
+ execl("/bin/sh","sh","-c",
+ newcmd ? (const char *)newcmd : cmd, NULL);
+ }
+
+ SAFE_FREE(newcmd);
+ }
+
+ /* not reached */
+ exit(83);
+ return 1;
}
+/****************************************************************************
+ Use only in known safe shell calls (printing).
+****************************************************************************/
+
+int smbrun_no_sanitize(const char *cmd, int *outfd, char * const *env)
+{
+ return smbrun_internal(cmd, outfd, false, env);
+}
/****************************************************************************
-run a command being careful about uid/gid handling and putting the output in
-outfile (or discard it if outfile is NULL).
+ By default this now sanitizes shell expansion.
+****************************************************************************/
-if shared is True then ensure the file will be writeable by all users
-but created such that its owned by root. This overcomes a security hole.
+int smbrun(const char *cmd, int *outfd, char * const *env)
+{
+ return smbrun_internal(cmd, outfd, true, env);
+}
-if shared is not set then open the file with O_EXCL set
+/****************************************************************************
+run a command being careful about uid/gid handling and putting the output in
+outfd (or discard it if outfd is NULL).
+sends the provided secret to the child stdin.
****************************************************************************/
-int smbrun(char *cmd,char *outfile,BOOL shared)
+
+int smbrunsecret(const char *cmd, const char *secret)
{
- int fd,pid;
- int uid = current_user.uid;
- int gid = current_user.gid;
-
- /*
- * Lose any kernel oplock capabilities we may have.
- */
- set_process_capability(KERNEL_OPLOCK_CAPABILITY, False);
- set_inherited_process_capability(KERNEL_OPLOCK_CAPABILITY, False);
-
-#ifndef HAVE_EXECL
- int ret;
- pstring syscmd;
- char *path = lp_smbrun();
+ pid_t pid;
+ uid_t uid = current_user.ut.uid;
+ gid_t gid = current_user.ut.gid;
+ int ifd[2];
+ void (*saved_handler)(int);
- /* in the old method we use system() to execute smbrun which then
- executes the command (using system() again!). This involves lots
- of shell launches and is very slow. It also suffers from a
- potential security hole */
- if (!file_exist(path,NULL)) {
- DEBUG(0,("SMBRUN ERROR: Can't find %s. Installation problem?\n",path));
- return(1);
+ /*
+ * Lose any elevated privileges.
+ */
+ drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+ drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
+
+ /* build up an input pipe */
+ if(pipe(ifd)) {
+ return -1;
}
- slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"",
- path,uid,gid,cmd,
- outfile?outfile:"/dev/null");
-
- DEBUG(5,("smbrun - running %s ",syscmd));
- ret = system(syscmd);
- DEBUG(5,("gave %d\n",ret));
- return(ret);
-#else
- /* in this newer method we will exec /bin/sh with the correct
+ /* in this method we will exec /bin/sh with the correct
arguments, after first setting stdout to point at the file */
-
- if ((pid=fork())) {
- int status=0;
+
+ /*
+ * We need to temporarily stop CatchChild from eating
+ * SIGCLD signals as it also eats the exit status code. JRA.
+ */
+
+ saved_handler = CatchChildLeaveStatus();
+
+ if ((pid=fork()) < 0) {
+ DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
+ (void)CatchSignal(SIGCLD, saved_handler);
+ return errno;
+ }
+
+ if (pid) {
+ /*
+ * Parent.
+ */
+ int status = 0;
+ pid_t wpid;
+ size_t towrite;
+ ssize_t wrote;
+
+ close(ifd[0]);
+ /* send the secret */
+ towrite = strlen(secret);
+ wrote = write(ifd[1], secret, towrite);
+ if ( wrote != towrite ) {
+ DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
+ }
+ fsync(ifd[1]);
+ close(ifd[1]);
+
/* the parent just waits for the child to exit */
- if (sys_waitpid(pid,&status,0) != pid) {
- DEBUG(2,("waitpid(%d) : %s\n",pid,strerror(errno)));
+ while((wpid = waitpid(pid, &status, 0)) < 0) {
+ if(errno == EINTR) {
+ errno = 0;
+ continue;
+ }
+ break;
+ }
+
+ (void)CatchSignal(SIGCLD, saved_handler);
+
+ if (wpid != pid) {
+ DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
return -1;
}
+
+#if defined(WIFEXITED) && defined(WEXITSTATUS)
+ if (WIFEXITED(status)) {
+ return WEXITSTATUS(status);
+ }
+#endif
+
return status;
}
+ (void)CatchChild();
/* we are in the child. we exec /bin/sh to do the work for us. we
don't directly exec the command we want because it may be a
pipeline or anything else the config file specifies */
- /* point our stdout at the file we want output to go into */
- if (outfile && !setup_stdout_file(outfile,shared)) {
+ close(ifd[1]);
+ close(0);
+ if (dup2(ifd[0], 0) != 0) {
+ DEBUG(2,("Failed to create stdin file descriptor\n"));
+ close(ifd[0]);
exit(80);
}
-
- /* now completely lose our privilages. This is a fairly paranoid
+
+ /* now completely lose our privileges. This is a fairly paranoid
way of doing it, but it does work on all systems that I know of */
-#ifdef HAVE_SETRESUID
- setresgid(0,0,0);
- setresuid(0,0,0);
- setresgid(gid,gid,gid);
- setresuid(uid,uid,uid);
-#else
- setuid(0);
- seteuid(0);
- setgid(gid);
- setegid(gid);
- setuid(uid);
- seteuid(uid);
-#endif
-
- if (getuid() != uid || geteuid() != uid ||
- getgid() != gid || getegid() != gid) {
- /* we failed to lose our privilages - do not execute
- the command */
- exit(81); /* we can't print stuff at this stage,
- instead use exit codes for debugging */
+
+ become_user_permanently(uid, gid);
+
+ if (!non_root_mode()) {
+ if (getuid() != uid || geteuid() != uid ||
+ getgid() != gid || getegid() != gid) {
+ /* we failed to lose our privileges - do not execute
+ the command */
+ exit(81); /* we can't print stuff at this stage,
+ instead use exit codes for debugging */
+ }
}
-
+
+#ifndef __INSURE__
/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
2 point to /dev/null from the startup code */
- for (fd=3;fd<256;fd++) close(fd);
-
- execl("/bin/sh","sh","-c",cmd,NULL);
-
+ {
+ int fd;
+ for (fd = 3; fd < 256; fd++) close(fd);
+ }
+#endif
+
+ execl("/bin/sh", "sh", "-c", cmd, NULL);
+
/* not reached */
exit(82);
-#endif
return 1;
}