RIP BOOL. Convert BOOL -> bool. I found a few interesting
[nivanova/samba-autobuild/.git] / source3 / lib / smbrun.c
1 /*
2    Unix SMB/CIFS implementation.
3    run a command as a specified user
4    Copyright (C) Andrew Tridgell 1992-1998
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 /* need to move this from here!! need some sleep ... */
23 struct current_user current_user;
24
25 /****************************************************************************
26 This is a utility function of smbrun().
27 ****************************************************************************/
28
29 static int setup_out_fd(void)
30 {
31         int fd;
32         TALLOC_CTX *ctx = talloc_stackframe();
33         char *path = NULL;
34
35         path = talloc_asprintf(ctx,
36                                 "%s/smb.XXXXXX",
37                                 tmpdir());
38         if (!path) {
39                 TALLOC_FREE(ctx);
40                 errno = ENOMEM;
41                 return -1;
42         }
43
44         /* now create the file */
45         fd = smb_mkstemp(path);
46
47         if (fd == -1) {
48                 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
49                         path, strerror(errno) ));
50                 TALLOC_FREE(ctx);
51                 return -1;
52         }
53
54         DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
55
56         /* Ensure file only kept around by open fd. */
57         unlink(path);
58         TALLOC_FREE(ctx);
59         return fd;
60 }
61
62 /****************************************************************************
63 run a command being careful about uid/gid handling and putting the output in
64 outfd (or discard it if outfd is NULL).
65 ****************************************************************************/
66
67 static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
68 {
69         pid_t pid;
70         uid_t uid = current_user.ut.uid;
71         gid_t gid = current_user.ut.gid;
72
73         /*
74          * Lose any elevated privileges.
75          */
76         drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
77         drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
78
79         /* point our stdout at the file we want output to go into */
80
81         if (outfd && ((*outfd = setup_out_fd()) == -1)) {
82                 return -1;
83         }
84
85         /* in this method we will exec /bin/sh with the correct
86            arguments, after first setting stdout to point at the file */
87
88         /*
89          * We need to temporarily stop CatchChild from eating
90          * SIGCLD signals as it also eats the exit status code. JRA.
91          */
92
93         CatchChildLeaveStatus();
94                                         
95         if ((pid=sys_fork()) < 0) {
96                 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
97                 CatchChild(); 
98                 if (outfd) {
99                         close(*outfd);
100                         *outfd = -1;
101                 }
102                 return errno;
103         }
104
105         if (pid) {
106                 /*
107                  * Parent.
108                  */
109                 int status=0;
110                 pid_t wpid;
111
112                 
113                 /* the parent just waits for the child to exit */
114                 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
115                         if(errno == EINTR) {
116                                 errno = 0;
117                                 continue;
118                         }
119                         break;
120                 }
121
122                 CatchChild(); 
123
124                 if (wpid != pid) {
125                         DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
126                         if (outfd) {
127                                 close(*outfd);
128                                 *outfd = -1;
129                         }
130                         return -1;
131                 }
132
133                 /* Reset the seek pointer. */
134                 if (outfd) {
135                         sys_lseek(*outfd, 0, SEEK_SET);
136                 }
137
138 #if defined(WIFEXITED) && defined(WEXITSTATUS)
139                 if (WIFEXITED(status)) {
140                         return WEXITSTATUS(status);
141                 }
142 #endif
143
144                 return status;
145         }
146         
147         CatchChild(); 
148         
149         /* we are in the child. we exec /bin/sh to do the work for us. we
150            don't directly exec the command we want because it may be a
151            pipeline or anything else the config file specifies */
152         
153         /* point our stdout at the file we want output to go into */
154         if (outfd) {
155                 close(1);
156                 if (sys_dup2(*outfd,1) != 1) {
157                         DEBUG(2,("Failed to create stdout file descriptor\n"));
158                         close(*outfd);
159                         exit(80);
160                 }
161         }
162
163         /* now completely lose our privileges. This is a fairly paranoid
164            way of doing it, but it does work on all systems that I know of */
165
166         become_user_permanently(uid, gid);
167
168         if (getuid() != uid || geteuid() != uid ||
169             getgid() != gid || getegid() != gid) {
170                 /* we failed to lose our privileges - do not execute
171                    the command */
172                 exit(81); /* we can't print stuff at this stage,
173                              instead use exit codes for debugging */
174         }
175         
176 #ifndef __INSURE__
177         /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
178            2 point to /dev/null from the startup code */
179         {
180         int fd;
181         for (fd=3;fd<256;fd++) close(fd);
182         }
183 #endif
184
185         {
186                 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
187                 if (!newcmd) {
188                         exit(82);
189                 }
190                 execl("/bin/sh","sh","-c",newcmd,NULL);  
191         }
192         
193         /* not reached */
194         exit(83);
195         return 1;
196 }
197
198 /****************************************************************************
199  Use only in known safe shell calls (printing).
200 ****************************************************************************/
201
202 int smbrun_no_sanitize(const char *cmd, int *outfd)
203 {
204         return smbrun_internal(cmd, outfd, False);
205 }
206
207 /****************************************************************************
208  By default this now sanitizes shell expansion.
209 ****************************************************************************/
210
211 int smbrun(const char *cmd, int *outfd)
212 {
213         return smbrun_internal(cmd, outfd, True);
214 }
215
216 /****************************************************************************
217 run a command being careful about uid/gid handling and putting the output in
218 outfd (or discard it if outfd is NULL).
219 sends the provided secret to the child stdin.
220 ****************************************************************************/
221
222 int smbrunsecret(const char *cmd, const char *secret)
223 {
224         pid_t pid;
225         uid_t uid = current_user.ut.uid;
226         gid_t gid = current_user.ut.gid;
227         int ifd[2];
228         
229         /*
230          * Lose any elevated privileges.
231          */
232         drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
233         drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
234
235         /* build up an input pipe */
236         if(pipe(ifd)) {
237                 return -1;
238         }
239
240         /* in this method we will exec /bin/sh with the correct
241            arguments, after first setting stdout to point at the file */
242
243         /*
244          * We need to temporarily stop CatchChild from eating
245          * SIGCLD signals as it also eats the exit status code. JRA.
246          */
247
248         CatchChildLeaveStatus();
249                                         
250         if ((pid=sys_fork()) < 0) {
251                 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
252                 CatchChild(); 
253                 return errno;
254         }
255
256         if (pid) {
257                 /*
258                  * Parent.
259                  */
260                 int status = 0;
261                 pid_t wpid;
262                 size_t towrite;
263                 ssize_t wrote;
264                 
265                 close(ifd[0]);
266                 /* send the secret */
267                 towrite = strlen(secret);
268                 wrote = write(ifd[1], secret, towrite);
269                 if ( wrote != towrite ) {
270                     DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
271                 }
272                 fsync(ifd[1]);
273                 close(ifd[1]);
274
275                 /* the parent just waits for the child to exit */
276                 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
277                         if(errno == EINTR) {
278                                 errno = 0;
279                                 continue;
280                         }
281                         break;
282                 }
283
284                 CatchChild(); 
285
286                 if (wpid != pid) {
287                         DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
288                         return -1;
289                 }
290
291 #if defined(WIFEXITED) && defined(WEXITSTATUS)
292                 if (WIFEXITED(status)) {
293                         return WEXITSTATUS(status);
294                 }
295 #endif
296
297                 return status;
298         }
299         
300         CatchChild(); 
301         
302         /* we are in the child. we exec /bin/sh to do the work for us. we
303            don't directly exec the command we want because it may be a
304            pipeline or anything else the config file specifies */
305         
306         close(ifd[1]);
307         close(0);
308         if (sys_dup2(ifd[0], 0) != 0) {
309                 DEBUG(2,("Failed to create stdin file descriptor\n"));
310                 close(ifd[0]);
311                 exit(80);
312         }
313
314         /* now completely lose our privileges. This is a fairly paranoid
315            way of doing it, but it does work on all systems that I know of */
316
317         become_user_permanently(uid, gid);
318
319         if (getuid() != uid || geteuid() != uid ||
320             getgid() != gid || getegid() != gid) {
321                 /* we failed to lose our privileges - do not execute
322                    the command */
323                 exit(81); /* we can't print stuff at this stage,
324                              instead use exit codes for debugging */
325         }
326         
327 #ifndef __INSURE__
328         /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
329            2 point to /dev/null from the startup code */
330         {
331                 int fd;
332                 for (fd = 3; fd < 256; fd++) close(fd);
333         }
334 #endif
335
336         execl("/bin/sh", "sh", "-c", cmd, NULL);  
337
338         /* not reached */
339         exit(82);
340         return 1;
341 }