suid_exec.c revision da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin/***********************************************************************
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* This software is part of the ast package *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* Copyright (c) 1982-2007 AT&T Knowledge Ventures *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* and is licensed under the *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* Common Public License, Version 1.0 *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* by AT&T Knowledge Ventures *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* A copy of the License is available at *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* (with md5 checksum 059e8cd6165cb4c31e351f2b69388fd9) *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* Information and Software Systems Research *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* AT&T Research *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* Florham Park NJ *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin* David Korn <dgk@research.att.com> *
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin***********************************************************************/
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * This is a program to execute 'execute only' and suid/sgid shell scripts.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * This program must be owned by root and must have the set uid bit set.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * It must not have the set group id bit set. This program must be installed
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * where the define parameter THISPROG indicates to work correctly on system V
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Written by David Korn
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * AT&T Labs
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Enhanced by Rob Stampfli
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin/* The file name of the script to execute is argv[0]
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Argv[1] is the program name
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * The basic idea is to open the script as standard input, set the effective
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * user and group id correctly, and then exec the shell.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * The complicated part is getting the effective uid of the caller and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * setting the effective uid/gid. The program which execs this program
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * may pass file descriptor FDIN as an open file with mode SPECIAL if
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * the effective user id is not the real user id. The effective
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * user id for authentication purposes will be the owner of this
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * open file. On systems without the setreuid() call, e[ug]id is set
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * by copying this program to a /tmp/file, making it a suid and/or sgid
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * program, and then execing this program.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * A forked version of this program waits until it can unlink the /tmp
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * file and then exits. Actually, we fork() twice so the parent can
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * wait for the child to complete. A pipe is used to guarantee that we
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * do not remove the /tmp file too soon.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#define SPECIAL 04100 /* setuid execute only by owner */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#define FDSYNC 11 /* used on sys5 to synchronize cleanup */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic void error_exit(const char*);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic int in_dir(const char*, const char*);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic int endsh(const char*);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin static int mycopy(int, int);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin static void maketemp(char*);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin static void setids(int,int,int);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#endif /* _lib_setreuid */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic const char version[] = "\n@(#)$Id: suid_exec "SH_RELEASE" $\n";
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic const char devfd[] = "/dev/fd/10"; /* must match FDIN above */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic char **arglist;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic char *shell;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic char *command;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin register int m,n;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin register char *p;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* At this point, the presumption is that we are the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * version of THISPROG copied into /tmp, with the owner,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * group, and setuid/gid bits correctly set. This copy of
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * the program is executable by anyone, so we must be careful
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * not to allow just any invocation of it to succeed, since
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * it is setuid/gid. Validate the proper execution by
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * examining the FDVERIFY file descriptor -- if it is owned
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * by root and is mode SPECIAL, then this is proof that it was
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * passed by a program with superuser privileges -- hence we
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * can presume legitimacy. Otherwise, bail out, as we suspect
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * an impostor.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin (statb.st_mode & ~S_IFMT) != SPECIAL || close(FDVERIFY)<0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* This enables the grandchild to clean up /tmp file */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* Make sure that this is a valid invocation of the clone.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Perhaps unnecessary, given FDVERIFY, but what the heck...
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin ((statb.st_mode & S_ISUID) == 0 || statb.st_uid != euserid))
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* Make sure that this is the real setuid program, not the clone.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * It is possible by clever hacking to get past this point in the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * clone, but it doesn't do the hacker any good that I can see.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#endif /* _lib_setreuid */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* Open the script for reading first and then validate it. This
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * prevents someone from pulling a switcheroo while we are validating.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* validate execution rights to this script */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if(fstat(FDIN,&statb) < 0 || (statb.st_mode & ~S_IFMT) != SPECIAL)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* do it the easy way if you can */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* have to check access on each component */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin while(*p++)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if(*p == '/' || *p == 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin statb.st_ino != statx.st_ino || statb.st_dev != statx.st_dev)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin (statb.st_ino == statx.st_ino && statb.st_dev == statx.st_dev))
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* compute the desired new effective user and group id */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* see if group needs setting */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* now see if the uid needs setting */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#endif /* _lib_setreuid */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* only use SHELL if file is in trusted directory and ends in sh */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * return true of shell ends in sh of ksh
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(0);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(1);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(1);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(0);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * return true of shell is in <dir> directory
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinstatic int in_dir(register const char *dir,register const char *shell)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(0);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* return true if next character is a '/' */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * This version of access checks against effective uid and effective gid
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinint eaccess(register const char *name, register int mode)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(0);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* root needs execute permission for someone */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* on some systems you can be in several groups */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin register int n;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* first time */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* pre-POSIX system */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin while(--n >= 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#endif /* _lib_getgroups */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(0);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin return(-1);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* set effective uid even if S_ISUID is not set. This is because
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * we are *really* executing EUID root at this point. Even if S_ISUID
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * is not set, the value for owner that is passsed should be correct.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * This version of setids creats a /tmp file and copies itself into it.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * The "clone" file is made executable with appropriate suid/sgid bits.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Finally, the clone is exec'ed. This file is unlinked by a grandchild
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * of this program, who waits around until the text is free.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin register int n,m;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Create a token to pass to the new program for validation.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * This token can only be procured by someone running with an
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * effective userid of root, and hence gives the clone a way to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * certify that it was really invoked by THISPROG. Someone who
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * is already root could spoof us, but why would they want to?
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * Since we are root here, we must be careful: What if someone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * linked a valuable file to tmpname?
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if((n = open(tmpname, O_WRONLY | O_CREAT | O_EXCL, SPECIAL)) < 0 ||
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if((n = open(tmpname, O_WRONLY | O_CREAT ,SPECIAL)) < 0 || unlink(tmpname) < 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* create a pipe for synchronization */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if((n=fork()) == 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin { /* child */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if((n=fork()) == 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin { /* grandchild -- cleans up clone file */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin else if(n == -1)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* Create a set[ug]id file that will become the clone.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * To make this atomic, without need for chown(), the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * child takes on desired user and group. The only
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * downsize of this that I can see is that it may
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * screw up some per- * user accounting.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if((n = open(tmpname,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, mode)) < 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if((n = open(tmpname,O_WRONLY|O_CREAT|O_TRUNC, mode)) < 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#endif /* O_EXCL */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* populate the clone */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin else if(n == -1)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* move write end of pipe into FDSYNC */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* wait for child to die */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin while((m = wait(0)) != n)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* Kill any setuid status at this point. That way, if the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * clone is not setuid, we won't exec it as root. Also, don't
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * neglect to consider that someone could have switched the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * clone file on us.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * create a unique name into the <template>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* skip to end of string */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin while(*++cp);
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin /* convert process id to string */
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin while(n > 0)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin * copy THISPROG into the open file number <fdo> and close <fdo>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin register int n;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#endif /* _lib_setreuid */