1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1988, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/types.h> 33 #include <sys/procctl.h> 34 35 #include <ctype.h> 36 #include <err.h> 37 #include <errno.h> 38 #include <grp.h> 39 #include <limits.h> 40 #include <paths.h> 41 #include <pwd.h> 42 #include <stdbool.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <unistd.h> 47 48 static void usage(void) __dead2; 49 50 static gid_t 51 resolve_group(const char *group) 52 { 53 char *endp; 54 struct group *gp; 55 unsigned long gid; 56 57 gp = getgrnam(group); 58 if (gp != NULL) 59 return (gp->gr_gid); 60 61 /* 62 * Numeric IDs don't need a trip through the database to check them, 63 * POSIX seems to think we should generally accept a numeric ID as long 64 * as it's within the valid range. 65 */ 66 errno = 0; 67 gid = strtoul(group, &endp, 0); 68 if (errno == 0 && *endp == '\0' && gid <= GID_MAX) 69 return (gid); 70 71 errx(1, "no such group '%s'", group); 72 } 73 74 static uid_t 75 resolve_user(const char *user) 76 { 77 char *endp; 78 struct passwd *pw; 79 unsigned long uid; 80 81 pw = getpwnam(user); 82 if (pw != NULL) 83 return (pw->pw_uid); 84 85 errno = 0; 86 uid = strtoul(user, &endp, 0); 87 if (errno == 0 && *endp == '\0' && uid <= UID_MAX) 88 return (uid); 89 90 errx(1, "no such user '%s'", user); 91 } 92 93 int 94 main(int argc, char *argv[]) 95 { 96 const char *group, *p, *shell, *user; 97 char *grouplist; 98 long ngroups_max; 99 gid_t gid, *gidlist; 100 uid_t uid; 101 int arg, ch, error, gids; 102 bool nonprivileged; 103 104 gid = 0; 105 uid = 0; 106 gids = 0; 107 user = group = grouplist = NULL; 108 gidlist = NULL; 109 nonprivileged = false; 110 while ((ch = getopt(argc, argv, "G:g:u:n")) != -1) { 111 switch(ch) { 112 case 'u': 113 user = optarg; 114 if (*user == '\0') 115 usage(); 116 break; 117 case 'g': 118 group = optarg; 119 if (*group == '\0') 120 usage(); 121 break; 122 case 'G': 123 grouplist = optarg; 124 125 /* 126 * XXX Why not allow us to drop all of our supplementary 127 * groups? 128 */ 129 if (*grouplist == '\0') 130 usage(); 131 break; 132 case 'n': 133 nonprivileged = true; 134 break; 135 case '?': 136 default: 137 usage(); 138 } 139 } 140 argc -= optind; 141 argv += optind; 142 143 if (argc < 1) 144 usage(); 145 146 if (group != NULL) 147 gid = resolve_group(group); 148 149 if (grouplist != NULL) { 150 ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; 151 if ((gidlist = malloc(sizeof(gid_t) * ngroups_max)) == NULL) 152 err(1, "malloc"); 153 /* Populate the egid slot in our groups to avoid accidents. */ 154 if (gid == 0) 155 gidlist[0] = getegid(); 156 else 157 gidlist[0] = gid; 158 for (gids = 1; (p = strsep(&grouplist, ",")) != NULL && 159 gids < ngroups_max; ) { 160 if (*p == '\0') 161 continue; 162 163 gidlist[gids++] = resolve_group(p); 164 } 165 if (p != NULL && gids == ngroups_max) 166 errx(1, "too many supplementary groups provided"); 167 } 168 169 if (user != NULL) 170 uid = resolve_user(user); 171 172 if (nonprivileged) { 173 arg = PROC_NO_NEW_PRIVS_ENABLE; 174 error = procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg); 175 if (error != 0) 176 err(1, "procctl"); 177 } 178 179 if (chdir(argv[0]) == -1) 180 err(1, "%s", argv[0]); 181 if (chroot(".") == -1) { 182 if (errno == EPERM && !nonprivileged && geteuid() != 0) 183 errx(1, "unprivileged use requires -n"); 184 err(1, "%s", argv[0]); 185 } 186 187 if (gidlist != NULL && setgroups(gids, gidlist) == -1) 188 err(1, "setgroups"); 189 if (group && setgid(gid) == -1) 190 err(1, "setgid"); 191 if (user && setuid(uid) == -1) 192 err(1, "setuid"); 193 194 if (argv[1]) { 195 execvp(argv[1], &argv[1]); 196 err(1, "%s", argv[1]); 197 } 198 199 if (!(shell = getenv("SHELL"))) 200 shell = _PATH_BSHELL; 201 execlp(shell, shell, "-i", (char *)NULL); 202 err(1, "%s", shell); 203 /* NOTREACHED */ 204 } 205 206 static void 207 usage(void) 208 { 209 (void)fprintf(stderr, "usage: chroot [-g group] [-G group,group,...] " 210 "[-u user] [-n] newroot [command]\n"); 211 exit(1); 212 } 213