1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1988, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/types.h> 33 #include <sys/procctl.h> 34 35 #include <ctype.h> 36 #include <err.h> 37 #include <errno.h> 38 #include <grp.h> 39 #include <limits.h> 40 #include <paths.h> 41 #include <pwd.h> 42 #include <stdbool.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <unistd.h> 47 48 static void usage(void) __dead2; 49 50 static gid_t 51 resolve_group(const char *group) 52 { 53 char *endp; 54 struct group *gp; 55 unsigned long gid; 56 57 gp = getgrnam(group); 58 if (gp != NULL) 59 return (gp->gr_gid); 60 61 /* 62 * Numeric IDs don't need a trip through the database to check them, 63 * POSIX seems to think we should generally accept a numeric ID as long 64 * as it's within the valid range. 65 */ 66 errno = 0; 67 gid = strtoul(group, &endp, 0); 68 if (errno == 0 && *endp == '\0' && (gid_t)gid >= 0 && gid <= GID_MAX) 69 return (gid); 70 71 errx(1, "no such group '%s'", group); 72 } 73 74 static uid_t 75 resolve_user(const char *user) 76 { 77 char *endp; 78 struct passwd *pw; 79 unsigned long uid; 80 81 pw = getpwnam(user); 82 if (pw != NULL) 83 return (pw->pw_uid); 84 85 errno = 0; 86 uid = strtoul(user, &endp, 0); 87 if (errno == 0 && *endp == '\0' && (uid_t)uid >= 0 && uid <= UID_MAX) 88 return (uid); 89 90 errx(1, "no such user '%s'", user); 91 } 92 93 int 94 main(int argc, char *argv[]) 95 { 96 const char *group, *p, *shell, *user; 97 char *grouplist; 98 long ngroups_max; 99 gid_t gid, *gidlist; 100 uid_t uid; 101 int arg, ch, error, gids; 102 bool nonprivileged; 103 104 gid = 0; 105 uid = 0; 106 user = group = grouplist = NULL; 107 nonprivileged = false; 108 while ((ch = getopt(argc, argv, "G:g:u:n")) != -1) { 109 switch(ch) { 110 case 'u': 111 user = optarg; 112 if (*user == '\0') 113 usage(); 114 break; 115 case 'g': 116 group = optarg; 117 if (*group == '\0') 118 usage(); 119 break; 120 case 'G': 121 grouplist = optarg; 122 if (*grouplist == '\0') 123 usage(); 124 break; 125 case 'n': 126 nonprivileged = true; 127 break; 128 case '?': 129 default: 130 usage(); 131 } 132 } 133 argc -= optind; 134 argv += optind; 135 136 if (argc < 1) 137 usage(); 138 139 if (group != NULL) 140 gid = resolve_group(group); 141 142 ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; 143 if ((gidlist = malloc(sizeof(gid_t) * ngroups_max)) == NULL) 144 err(1, "malloc"); 145 /* Populate the egid slot in our groups to avoid accidents. */ 146 if (gid == 0) 147 gidlist[0] = getegid(); 148 else 149 gidlist[0] = gid; 150 for (gids = 1; 151 (p = strsep(&grouplist, ",")) != NULL && gids < ngroups_max; ) { 152 if (*p == '\0') 153 continue; 154 155 gidlist[gids++] = resolve_group(p); 156 } 157 if (p != NULL && gids == ngroups_max) 158 errx(1, "too many supplementary groups provided"); 159 160 if (user != NULL) 161 uid = resolve_user(user); 162 163 if (nonprivileged) { 164 arg = PROC_NO_NEW_PRIVS_ENABLE; 165 error = procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg); 166 if (error != 0) 167 err(1, "procctl"); 168 } 169 170 if (chdir(argv[0]) == -1) 171 err(1, "%s", argv[0]); 172 if (chroot(".") == -1) { 173 if (errno == EPERM && !nonprivileged && geteuid() != 0) 174 errx(1, "unprivileged use requires -n"); 175 err(1, "%s", argv[0]); 176 } 177 178 if (gids && setgroups(gids, gidlist) == -1) 179 err(1, "setgroups"); 180 if (group && setgid(gid) == -1) 181 err(1, "setgid"); 182 if (user && setuid(uid) == -1) 183 err(1, "setuid"); 184 185 if (argv[1]) { 186 execvp(argv[1], &argv[1]); 187 err(1, "%s", argv[1]); 188 } 189 190 if (!(shell = getenv("SHELL"))) 191 shell = _PATH_BSHELL; 192 execlp(shell, shell, "-i", (char *)NULL); 193 err(1, "%s", shell); 194 /* NOTREACHED */ 195 } 196 197 static void 198 usage(void) 199 { 200 (void)fprintf(stderr, "usage: chroot [-g group] [-G group,group,...] " 201 "[-u user] [-n] newroot [command]\n"); 202 exit(1); 203 } 204