1 /*- 2 * Copyright (c) 1996 by 3 * Sean Eric Fagan <sef@kithrup.com> 4 * David Nugent <davidn@blaze.net.au> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, is permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice immediately at the beginning of the file, without modification, 12 * this list of conditions, and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. This work was done expressly for inclusion into FreeBSD. Other use 17 * is permitted provided this notation is included. 18 * 4. Absolutely no warranty of function or purpose is made by the authors. 19 * 5. Modifications may be freely made to this file providing the above 20 * conditions are met. 21 * 22 * High-level routines relating to use of the user capabilities database 23 */ 24 25 #include <sys/param.h> 26 #include <sys/cpuset.h> 27 #include <sys/mac.h> 28 #include <sys/resource.h> 29 #include <sys/rtprio.h> 30 #include <sys/stat.h> 31 #include <sys/time.h> 32 33 #include <ctype.h> 34 #include <err.h> 35 #include <errno.h> 36 #include <fcntl.h> 37 #include <login_cap.h> 38 #include <paths.h> 39 #include <pwd.h> 40 #include <stdint.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <syslog.h> 45 #include <unistd.h> 46 47 48 static struct login_res { 49 const char *what; 50 rlim_t (*who)(login_cap_t *, const char *, rlim_t, rlim_t); 51 int why; 52 } resources[] = { 53 { "cputime", login_getcaptime, RLIMIT_CPU }, 54 { "filesize", login_getcapsize, RLIMIT_FSIZE }, 55 { "datasize", login_getcapsize, RLIMIT_DATA }, 56 { "stacksize", login_getcapsize, RLIMIT_STACK }, 57 { "memoryuse", login_getcapsize, RLIMIT_RSS }, 58 { "memorylocked", login_getcapsize, RLIMIT_MEMLOCK }, 59 { "maxproc", login_getcapnum, RLIMIT_NPROC }, 60 { "openfiles", login_getcapnum, RLIMIT_NOFILE }, 61 { "coredumpsize", login_getcapsize, RLIMIT_CORE }, 62 { "sbsize", login_getcapsize, RLIMIT_SBSIZE }, 63 { "vmemoryuse", login_getcapsize, RLIMIT_VMEM }, 64 { "pseudoterminals", login_getcapnum, RLIMIT_NPTS }, 65 { "swapuse", login_getcapsize, RLIMIT_SWAP }, 66 { "kqueues", login_getcapsize, RLIMIT_KQUEUES }, 67 { "umtxp", login_getcapnum, RLIMIT_UMTXP }, 68 { "pipebuf", login_getcapnum, RLIMIT_PIPEBUF }, 69 { NULL, 0, 0 } 70 }; 71 72 73 void setclassresources(login_cap_t * lc)74 setclassresources(login_cap_t *lc) 75 { 76 struct login_res *lr; 77 78 if (lc == NULL) 79 return; 80 81 for (lr = resources; lr->what != NULL; ++lr) { 82 struct rlimit rlim; 83 84 /* 85 * The login.conf file can have <limit>, <limit>-max, and 86 * <limit>-cur entries. 87 * What we do is get the current current- and maximum- limits. 88 * Then, we try to get an entry for <limit> from the capability, 89 * using the current and max limits we just got as the 90 * default/error values. 91 * *Then*, we try looking for <limit>-cur and <limit>-max, 92 * again using the appropriate values as the default/error 93 * conditions. 94 */ 95 96 if (getrlimit(lr->why, &rlim) != 0) 97 syslog(LOG_ERR, "getting %s resource limit: %m", lr->what); 98 else { 99 char name_cur[40]; 100 char name_max[40]; 101 rlim_t rcur = rlim.rlim_cur; 102 rlim_t rmax = rlim.rlim_max; 103 104 sprintf(name_cur, "%s-cur", lr->what); 105 sprintf(name_max, "%s-max", lr->what); 106 107 rcur = (*lr->who)(lc, lr->what, rcur, rcur); 108 rmax = (*lr->who)(lc, lr->what, rmax, rmax); 109 rlim.rlim_cur = (*lr->who)(lc, name_cur, rcur, rcur); 110 rlim.rlim_max = (*lr->who)(lc, name_max, rmax, rmax); 111 112 if (setrlimit(lr->why, &rlim) == -1) 113 syslog(LOG_WARNING, "set class '%s' resource limit %s: %m", lc->lc_class, lr->what); 114 } 115 } 116 } 117 118 119 120 static struct login_vars { 121 const char *tag; 122 const char *var; 123 const char *def; 124 int overwrite; 125 } pathvars[] = { 126 { "path", "PATH", NULL, 1}, 127 { "cdpath", "CDPATH", NULL, 1}, 128 { "manpath", "MANPATH", NULL, 1}, 129 { NULL, NULL, NULL, 0} 130 }, envars[] = { 131 { "lang", "LANG", NULL, 1}, 132 { "charset", "MM_CHARSET", NULL, 1}, 133 { "mail", "MAIL", NULL, 1}, 134 { "timezone", "TZ", NULL, 1}, 135 { "term", "TERM", NULL, 0}, 136 { NULL, NULL, NULL, 0} 137 }; 138 139 static char * substvar(const char * var,const struct passwd * pwd,int hlen,int pch,int nlen)140 substvar(const char * var, const struct passwd * pwd, int hlen, int pch, int nlen) 141 { 142 char *np = NULL; 143 144 if (var != NULL) { 145 int tildes = 0; 146 int dollas = 0; 147 char *p; 148 const char *q; 149 150 if (pwd != NULL) { 151 for (q = var; *q != '\0'; ++q) { 152 tildes += (*q == '~'); 153 dollas += (*q == '$'); 154 } 155 } 156 157 np = malloc(strlen(var) + (dollas * nlen) 158 - dollas + (tildes * (pch+hlen)) 159 - tildes + 1); 160 161 if (np != NULL) { 162 p = strcpy(np, var); 163 164 if (pwd != NULL) { 165 /* 166 * This loop does user username and homedir substitutions 167 * for unescaped $ (username) and ~ (homedir) 168 */ 169 while (*(p += strcspn(p, "~$")) != '\0') { 170 int l = strlen(p); 171 172 if (p > np && *(p-1) == '\\') /* Escaped: */ 173 memmove(p - 1, p, l + 1); /* Slide-out the backslash */ 174 else if (*p == '~') { 175 int v = pch && *(p+1) != '/'; /* Avoid double // */ 176 memmove(p + hlen + v, p + 1, l); /* Subst homedir */ 177 memmove(p, pwd->pw_dir, hlen); 178 if (v) 179 p[hlen] = '/'; 180 p += hlen + v; 181 } 182 else /* if (*p == '$') */ { 183 memmove(p + nlen, p + 1, l); /* Subst username */ 184 memmove(p, pwd->pw_name, nlen); 185 p += nlen; 186 } 187 } 188 } 189 } 190 } 191 192 return (np); 193 } 194 195 196 void setclassenvironment(login_cap_t * lc,const struct passwd * pwd,int paths)197 setclassenvironment(login_cap_t *lc, const struct passwd * pwd, int paths) 198 { 199 struct login_vars *vars = paths ? pathvars : envars; 200 int hlen = pwd ? strlen(pwd->pw_dir) : 0; 201 int nlen = pwd ? strlen(pwd->pw_name) : 0; 202 char pch = 0; 203 204 if (hlen && pwd->pw_dir[hlen-1] != '/') 205 ++pch; 206 207 while (vars->tag != NULL) { 208 const char * var = paths ? login_getpath(lc, vars->tag, NULL) 209 : login_getcapstr(lc, vars->tag, NULL, NULL); 210 211 char * np = substvar(var, pwd, hlen, pch, nlen); 212 213 if (np != NULL) { 214 setenv(vars->var, np, vars->overwrite); 215 free(np); 216 } else if (vars->def != NULL) { 217 setenv(vars->var, vars->def, 0); 218 } 219 ++vars; 220 } 221 222 /* 223 * If we're not processing paths, then see if there is a setenv list by 224 * which the admin and/or user may set an arbitrary set of env vars. 225 */ 226 if (!paths) { 227 const char **set_env = login_getcaplist(lc, "setenv", ","); 228 229 if (set_env != NULL) { 230 while (*set_env != NULL) { 231 char *p = strchr(*set_env, '='); 232 233 if (p != NULL && p != *set_env) { /* Discard invalid entries */ 234 const char *ep; 235 char *np; 236 237 *p++ = '\0'; 238 /* Strip leading spaces from variable name */ 239 ep = *set_env; 240 while (*ep == ' ' || *ep == '\t') 241 ep++; 242 if ((np = substvar(p, pwd, hlen, pch, nlen)) != NULL) { 243 setenv(ep, np, 1); 244 free(np); 245 } 246 } 247 ++set_env; 248 } 249 } 250 } 251 } 252 253 254 static int list2cpuset(const char * list,cpuset_t * mask)255 list2cpuset(const char *list, cpuset_t *mask) 256 { 257 enum { NONE, NUM, DASH } state; 258 int lastnum; 259 int curnum; 260 const char *l; 261 262 state = NONE; 263 curnum = lastnum = 0; 264 for (l = list; *l != '\0';) { 265 if (isdigit(*l)) { 266 curnum = atoi(l); 267 if (curnum > CPU_SETSIZE) 268 errx(EXIT_FAILURE, 269 "Only %d cpus supported", CPU_SETSIZE); 270 while (isdigit(*l)) 271 l++; 272 switch (state) { 273 case NONE: 274 lastnum = curnum; 275 state = NUM; 276 break; 277 case DASH: 278 for (; lastnum <= curnum; lastnum++) 279 CPU_SET(lastnum, mask); 280 state = NONE; 281 break; 282 case NUM: 283 default: 284 return (0); 285 } 286 continue; 287 } 288 switch (*l) { 289 case ',': 290 switch (state) { 291 case NONE: 292 break; 293 case NUM: 294 CPU_SET(curnum, mask); 295 state = NONE; 296 break; 297 case DASH: 298 return (0); 299 break; 300 } 301 break; 302 case '-': 303 if (state != NUM) 304 return (0); 305 state = DASH; 306 break; 307 default: 308 return (0); 309 } 310 l++; 311 } 312 switch (state) { 313 case NONE: 314 break; 315 case NUM: 316 CPU_SET(curnum, mask); 317 break; 318 case DASH: 319 return (0); 320 } 321 return (1); 322 } 323 324 325 void setclasscpumask(login_cap_t * lc)326 setclasscpumask(login_cap_t *lc) 327 { 328 const char *maskstr; 329 cpuset_t maskset; 330 cpusetid_t setid; 331 332 maskstr = login_getcapstr(lc, "cpumask", NULL, NULL); 333 CPU_ZERO(&maskset); 334 if (maskstr == NULL) 335 return; 336 if (strcasecmp("default", maskstr) == 0) 337 return; 338 if (!list2cpuset(maskstr, &maskset)) { 339 syslog(LOG_WARNING, 340 "list2cpuset(%s) invalid mask specification", maskstr); 341 return; 342 } 343 344 if (cpuset(&setid) != 0) { 345 syslog(LOG_ERR, "cpuset(): %s", strerror(errno)); 346 return; 347 } 348 349 if (cpuset_setaffinity(CPU_LEVEL_CPUSET, CPU_WHICH_PID, -1, 350 sizeof(maskset), &maskset) != 0) 351 syslog(LOG_ERR, "cpuset_setaffinity(%s): %s", maskstr, 352 strerror(errno)); 353 } 354 355 356 /* 357 * setclasscontext() 358 * 359 * For the login class <class>, set various class context values 360 * (limits, mainly) to the values for that class. Which values are 361 * set are controlled by <flags> -- see <login_class.h> for the 362 * possible values. 363 * 364 * setclasscontext() can only set resources, priority, and umask. 365 */ 366 367 int setclasscontext(const char * classname,unsigned int flags)368 setclasscontext(const char *classname, unsigned int flags) 369 { 370 int rc; 371 login_cap_t *lc; 372 373 lc = login_getclassbyname(classname, NULL); 374 375 flags &= LOGIN_SETRESOURCES | LOGIN_SETPRIORITY | 376 LOGIN_SETUMASK | LOGIN_SETPATH; 377 378 rc = lc ? setusercontext(lc, NULL, 0, flags) : -1; 379 login_close(lc); 380 return (rc); 381 } 382 383 384 static const char * const inherit_enum[] = { 385 "inherit", 386 NULL 387 }; 388 389 /* 390 * Private function setting umask from the login class. 391 */ 392 static void setclassumask(login_cap_t * lc,const struct passwd * pwd)393 setclassumask(login_cap_t *lc, const struct passwd *pwd) 394 { 395 /* 396 * Make it unlikely that someone would input our default sentinel 397 * indicating no specification. 398 */ 399 const rlim_t def_val = INT64_MIN + 1, err_val = INT64_MIN; 400 rlim_t val; 401 402 /* If value is "inherit", nothing to change. */ 403 if (login_getcapenum(lc, "umask", inherit_enum) == 0) 404 return; 405 406 val = login_getcapnum(lc, "umask", def_val, err_val); 407 408 if (val != def_val) { 409 if (val < 0 || val > UINT16_MAX) { 410 /* We get here also on 'err_val'. */ 411 syslog(LOG_WARNING, 412 "%s%s%sLogin class '%s': " 413 "Invalid umask specification: '%s'", 414 pwd ? "Login '" : "", 415 pwd ? pwd->pw_name : "", 416 pwd ? "': " : "", 417 lc->lc_class, 418 login_getcapstr(lc, "umask", "", "")); 419 } else { 420 const mode_t mode = val; 421 422 umask(mode); 423 } 424 } 425 } 426 427 /* 428 * Private function which takes care of processing 429 */ 430 431 static void setlogincontext(login_cap_t * lc,const struct passwd * pwd,unsigned long flags)432 setlogincontext(login_cap_t *lc, const struct passwd *pwd, unsigned long flags) 433 { 434 if (lc == NULL) 435 return; 436 437 /* Set resources. */ 438 if ((flags & LOGIN_SETRESOURCES) != 0) 439 setclassresources(lc); 440 441 /* See if there's a umask override. */ 442 if ((flags & LOGIN_SETUMASK) != 0) 443 setclassumask(lc, pwd); 444 445 /* Set paths. */ 446 if ((flags & LOGIN_SETPATH) != 0) 447 setclassenvironment(lc, pwd, 1); 448 449 /* Set environment. */ 450 if ((flags & LOGIN_SETENV) != 0) 451 setclassenvironment(lc, pwd, 0); 452 453 /* Set cpu affinity. */ 454 if ((flags & LOGIN_SETCPUMASK) != 0) 455 setclasscpumask(lc); 456 } 457 458 459 /* 460 * Private function to set process priority. 461 */ 462 static void setclasspriority(login_cap_t * const lc,struct passwd const * const pwd)463 setclasspriority(login_cap_t * const lc, struct passwd const * const pwd) 464 { 465 const rlim_t def_val = 0, err_val = INT64_MIN; 466 rlim_t p; 467 int rc; 468 469 /* If value is "inherit", nothing to change. */ 470 if (login_getcapenum(lc, "priority", inherit_enum) == 0) 471 return; 472 473 p = login_getcapnum(lc, "priority", def_val, err_val); 474 475 if (p == err_val) { 476 /* Invariant: 'lc' != NULL. */ 477 syslog(LOG_WARNING, 478 "%s%s%sLogin class '%s': " 479 "Invalid priority specification: '%s'", 480 pwd ? "Login '" : "", 481 pwd ? pwd->pw_name : "", 482 pwd ? "': " : "", 483 lc->lc_class, 484 login_getcapstr(lc, "priority", "", "")); 485 /* Reset the priority, as if the capability was not present. */ 486 p = def_val; 487 } 488 489 if (p > PRIO_MAX) { 490 struct rtprio rtp; 491 492 rtp.type = RTP_PRIO_IDLE; 493 p += RTP_PRIO_MIN - (PRIO_MAX + 1); 494 rtp.prio = p > RTP_PRIO_MAX ? RTP_PRIO_MAX : p; 495 rc = rtprio(RTP_SET, 0, &rtp); 496 } else if (p < PRIO_MIN) { 497 struct rtprio rtp; 498 499 rtp.type = RTP_PRIO_REALTIME; 500 p += RTP_PRIO_MAX - (PRIO_MIN - 1); 501 rtp.prio = p < RTP_PRIO_MIN ? RTP_PRIO_MIN : p; 502 rc = rtprio(RTP_SET, 0, &rtp); 503 } else 504 rc = setpriority(PRIO_PROCESS, 0, (int)p); 505 506 if (rc != 0) 507 syslog(LOG_WARNING, 508 "%s%s%sLogin class '%s': " 509 "Setting priority failed: %m", 510 pwd ? "Login '" : "", 511 pwd ? pwd->pw_name : "", 512 pwd ? "': " : "", 513 lc ? lc->lc_class : "<none>"); 514 } 515 516 /* 517 * setusercontext() 518 * 519 * Given a login class <lc> and a user in <pwd>, with a uid <uid>, 520 * set the context as in setclasscontext(). <flags> controls which 521 * values are set. 522 * 523 * The difference between setclasscontext() and setusercontext() is 524 * that the former sets things up for an already-existing process, 525 * while the latter sets things up from a root context. Such as might 526 * be called from login(1). 527 * 528 */ 529 530 int setusercontext(login_cap_t * lc,const struct passwd * pwd,uid_t uid,unsigned int flags)531 setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned int flags) 532 { 533 login_cap_t *llc = NULL; 534 int error; 535 536 if (lc == NULL) { 537 if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL) 538 llc = lc; /* free this when we're done */ 539 } 540 541 if (flags & LOGIN_SETPATH) 542 pathvars[0].def = uid ? _PATH_DEFPATH : _PATH_STDPATH; 543 544 /* we need a passwd entry to set these */ 545 if (pwd == NULL) 546 flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC); 547 548 /* Set the process priority */ 549 if (flags & LOGIN_SETPRIORITY) 550 setclasspriority(lc, pwd); 551 552 /* Setup the user's group permissions */ 553 if (flags & LOGIN_SETGROUP) { 554 if (setgid(pwd->pw_gid) != 0) { 555 syslog(LOG_ERR, "setgid(%lu): %m", (u_long)pwd->pw_gid); 556 login_close(llc); 557 return (-1); 558 } 559 if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) { 560 syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name, 561 (u_long)pwd->pw_gid); 562 login_close(llc); 563 return (-1); 564 } 565 } 566 567 /* Set up the user's MAC label. */ 568 if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) { 569 const char *label_string; 570 mac_t label; 571 572 label_string = login_getcapstr(lc, "label", NULL, NULL); 573 if (label_string != NULL) { 574 if (mac_from_text(&label, label_string) == -1) { 575 syslog(LOG_ERR, "mac_from_text('%s') for %s: %m", 576 pwd->pw_name, label_string); 577 return (-1); 578 } 579 if (mac_set_proc(label) == -1) 580 error = errno; 581 else 582 error = 0; 583 mac_free(label); 584 if (error != 0) { 585 syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s", 586 label_string, pwd->pw_name, strerror(error)); 587 return (-1); 588 } 589 } 590 } 591 592 /* Set the sessions login */ 593 if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) { 594 syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name); 595 login_close(llc); 596 return (-1); 597 } 598 599 /* Inform the kernel about current login class */ 600 if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) { 601 error = setloginclass(lc->lc_class); 602 if (error != 0) { 603 syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class); 604 #ifdef notyet 605 login_close(llc); 606 return (-1); 607 #endif 608 } 609 } 610 611 setlogincontext(lc, pwd, flags); 612 login_close(llc); 613 614 /* This needs to be done after anything that needs root privs */ 615 if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) { 616 syslog(LOG_ERR, "setuid(%lu): %m", (u_long)uid); 617 return (-1); /* Paranoia again */ 618 } 619 620 /* 621 * Now, we repeat some of the above for the user's private entries 622 */ 623 if (geteuid() == uid && (lc = login_getuserclass(pwd)) != NULL) { 624 setlogincontext(lc, pwd, flags); 625 if (flags & LOGIN_SETPRIORITY) 626 setclasspriority(lc, pwd); 627 login_close(lc); 628 } 629 630 return (0); 631 } 632