1 /*********************************************************************** 2 * * 3 * This software is part of the ast package * 4 * Copyright (c) 1982-2009 AT&T Intellectual Property * 5 * and is licensed under the * 6 * Common Public License, Version 1.0 * 7 * by AT&T Intellectual Property * 8 * * 9 * A copy of the License is available at * 10 * http://www.opensource.org/licenses/cpl1.0.txt * 11 * (with md5 checksum 059e8cd6165cb4c31e351f2b69388fd9) * 12 * * 13 * Information and Software Systems Research * 14 * AT&T Research * 15 * Florham Park NJ * 16 * * 17 * David Korn <dgk@research.att.com> * 18 * * 19 ***********************************************************************/ 20 #pragma prototyped 21 /* 22 * This is a program to execute 'execute only' and suid/sgid shell scripts. 23 * This program must be owned by root and must have the set uid bit set. 24 * It must not have the set group id bit set. This program must be installed 25 * where the define parameter THISPROG indicates to work correctly on system V 26 * 27 * Written by David Korn 28 * AT&T Labs 29 * Enhanced by Rob Stampfli 30 */ 31 32 /* The file name of the script to execute is argv[0] 33 * Argv[1] is the program name 34 * The basic idea is to open the script as standard input, set the effective 35 * user and group id correctly, and then exec the shell. 36 * The complicated part is getting the effective uid of the caller and 37 * setting the effective uid/gid. The program which execs this program 38 * may pass file descriptor FDIN as an open file with mode SPECIAL if 39 * the effective user id is not the real user id. The effective 40 * user id for authentication purposes will be the owner of this 41 * open file. On systems without the setreuid() call, e[ug]id is set 42 * by copying this program to a /tmp/file, making it a suid and/or sgid 43 * program, and then execing this program. 44 * A forked version of this program waits until it can unlink the /tmp 45 * file and then exits. Actually, we fork() twice so the parent can 46 * wait for the child to complete. A pipe is used to guarantee that we 47 * do not remove the /tmp file too soon. 48 */ 49 50 #include <ast.h> 51 #include "FEATURE/externs" 52 #include <ls.h> 53 #include <sig.h> 54 #include <error.h> 55 #include <sys/wait.h> 56 #include "version.h" 57 58 #define SPECIAL 04100 /* setuid execute only by owner */ 59 #define FDIN 10 /* must be same as /dev/fd below */ 60 #undef FDSYNC 61 #define FDSYNC 11 /* used on sys5 to synchronize cleanup */ 62 #define FDVERIFY 12 /* used to validate /tmp process */ 63 #undef BLKSIZE 64 #define BLKSIZE sizeof(char*)*1024 65 #define THISPROG "/etc/suid_exec" 66 #define DEFSHELL "/bin/sh" 67 68 static void error_exit(const char*); 69 static int in_dir(const char*, const char*); 70 static int endsh(const char*); 71 #ifndef _lib_setregid 72 # undef _lib_setreuid 73 #endif 74 #ifndef _lib_setreuid 75 static void setids(int,uid_t,gid_t); 76 static int mycopy(int, int); 77 static void maketemp(char*); 78 #else 79 static void setids(int,int,int); 80 #endif /* _lib_setreuid */ 81 82 static const char version[] = "\n@(#)$Id: suid_exec "SH_RELEASE" $\n"; 83 static const char badopen[] = "cannot open"; 84 static const char badexec[] = "cannot exec"; 85 static const char devfd[] = "/dev/fd/10"; /* must match FDIN above */ 86 static char tmpname[] = "/tmp/SUIDXXXXXX"; 87 static char **arglist; 88 89 static char *shell; 90 static char *command; 91 static uid_t ruserid; 92 static uid_t euserid; 93 static gid_t rgroupid; 94 static gid_t egroupid; 95 static struct stat statb; 96 97 int main(int argc,char *argv[]) 98 { 99 register int m,n; 100 register char *p; 101 struct stat statx; 102 int mode; 103 uid_t effuid; 104 gid_t effgid; 105 NOT_USED(argc); 106 arglist = argv; 107 if((command = argv[1]) == 0) 108 error_exit(badexec); 109 ruserid = getuid(); 110 euserid = geteuid(); 111 rgroupid = getgid(); 112 egroupid = getegid(); 113 p = argv[0]; 114 #ifndef _lib_setreuid 115 maketemp(tmpname); 116 if(strcmp(p,tmpname)==0) 117 { 118 /* At this point, the presumption is that we are the 119 * version of THISPROG copied into /tmp, with the owner, 120 * group, and setuid/gid bits correctly set. This copy of 121 * the program is executable by anyone, so we must be careful 122 * not to allow just any invocation of it to succeed, since 123 * it is setuid/gid. Validate the proper execution by 124 * examining the FDVERIFY file descriptor -- if it is owned 125 * by root and is mode SPECIAL, then this is proof that it was 126 * passed by a program with superuser privileges -- hence we 127 * can presume legitimacy. Otherwise, bail out, as we suspect 128 * an impostor. 129 */ 130 if(fstat(FDVERIFY,&statb) < 0 || statb.st_uid != 0 || 131 (statb.st_mode & ~S_IFMT) != SPECIAL || close(FDVERIFY)<0) 132 error_exit(badexec); 133 /* This enables the grandchild to clean up /tmp file */ 134 close(FDSYNC); 135 /* Make sure that this is a valid invocation of the clone. 136 * Perhaps unnecessary, given FDVERIFY, but what the heck... 137 */ 138 if(stat(tmpname,&statb) < 0 || statb.st_nlink != 1 || 139 !S_ISREG(statb.st_mode)) 140 error_exit(badexec); 141 if(ruserid != euserid && 142 ((statb.st_mode & S_ISUID) == 0 || statb.st_uid != euserid)) 143 error_exit(badexec); 144 goto exec; 145 } 146 /* Make sure that this is the real setuid program, not the clone. 147 * It is possible by clever hacking to get past this point in the 148 * clone, but it doesn't do the hacker any good that I can see. 149 */ 150 if(euserid) 151 error_exit(badexec); 152 #endif /* _lib_setreuid */ 153 /* Open the script for reading first and then validate it. This 154 * prevents someone from pulling a switcheroo while we are validating. 155 */ 156 n = open(p,0); 157 if(n == FDIN) 158 { 159 n = dup(n); 160 close(FDIN); 161 } 162 if(n < 0) 163 error_exit(badopen); 164 /* validate execution rights to this script */ 165 if(fstat(FDIN,&statb) < 0 || (statb.st_mode & ~S_IFMT) != SPECIAL) 166 euserid = ruserid; 167 else 168 euserid = statb.st_uid; 169 /* do it the easy way if you can */ 170 if(euserid == ruserid && egroupid == rgroupid) 171 { 172 if(access(p,X_OK) < 0) 173 error_exit(badexec); 174 } 175 else 176 { 177 /* have to check access on each component */ 178 while(*p++) 179 { 180 if(*p == '/' || *p == 0) 181 { 182 m = *p; 183 *p = 0; 184 if(eaccess(argv[0],X_OK) < 0) 185 error_exit(badexec); 186 *p = m; 187 } 188 } 189 p = argv[0]; 190 } 191 if(fstat(n, &statb) < 0 || !S_ISREG(statb.st_mode)) 192 error_exit(badopen); 193 if(stat(p, &statx) < 0 || 194 statb.st_ino != statx.st_ino || statb.st_dev != statx.st_dev) 195 error_exit(badexec); 196 if(stat(THISPROG, &statx) < 0 || 197 (statb.st_ino == statx.st_ino && statb.st_dev == statx.st_dev)) 198 error_exit(badexec); 199 close(FDIN); 200 if(fcntl(n,F_DUPFD,FDIN) != FDIN) 201 error_exit(badexec); 202 close(n); 203 204 /* compute the desired new effective user and group id */ 205 effuid = euserid; 206 effgid = egroupid; 207 mode = 0; 208 if(statb.st_mode & S_ISUID) 209 effuid = statb.st_uid; 210 if(statb.st_mode & S_ISGID) 211 effgid = statb.st_gid; 212 213 /* see if group needs setting */ 214 if(effgid != egroupid) 215 if(effgid != rgroupid || setgid(rgroupid) < 0) 216 mode = S_ISGID; 217 218 /* now see if the uid needs setting */ 219 if(mode) 220 { 221 if(effuid != ruserid) 222 mode |= S_ISUID; 223 } 224 else if(effuid) 225 { 226 if(effuid != ruserid || setuid(ruserid) < 0) 227 mode = S_ISUID; 228 } 229 230 if(mode) 231 setids(mode, effuid, effgid); 232 #ifndef _lib_setreuid 233 exec: 234 #endif /* _lib_setreuid */ 235 /* only use SHELL if file is in trusted directory and ends in sh */ 236 shell = getenv("SHELL"); 237 if(shell == 0 || !endsh(shell) || ( 238 !in_dir("/bin",shell) && 239 !in_dir("/usr/bin",shell) && 240 !in_dir("/usr/lbin",shell) && 241 !in_dir("/usr/local/bin",shell))) 242 shell = DEFSHELL; 243 argv[0] = command; 244 argv[1] = (char*)devfd; 245 execv(shell,argv); 246 error_exit(badexec); 247 } 248 249 /* 250 * return true of shell ends in sh of ksh 251 */ 252 253 static int endsh(register const char *shell) 254 { 255 while(*shell) 256 shell++; 257 if(*--shell != 'h' || *--shell != 's') 258 return(0); 259 if(*--shell=='/') 260 return(1); 261 if(*shell=='k' && *--shell=='/') 262 return(1); 263 return(0); 264 } 265 266 267 /* 268 * return true of shell is in <dir> directory 269 */ 270 271 static int in_dir(register const char *dir,register const char *shell) 272 { 273 while(*dir) 274 { 275 if(*dir++ != *shell++) 276 return(0); 277 } 278 /* return true if next character is a '/' */ 279 return(*shell=='/'); 280 } 281 282 static void error_exit(const char *message) 283 { 284 sfprintf(sfstdout,"%s: %s\n",command,message); 285 exit(126); 286 } 287 288 289 /* 290 * This version of access checks against effective uid and effective gid 291 */ 292 293 int eaccess(register const char *name, register int mode) 294 { 295 struct stat statb; 296 if (stat(name, &statb) == 0) 297 { 298 if(euserid == 0) 299 { 300 if(!S_ISREG(statb.st_mode) || mode != 1) 301 return(0); 302 /* root needs execute permission for someone */ 303 mode = (S_IXUSR|S_IXGRP|S_IXOTH); 304 } 305 else if(euserid == statb.st_uid) 306 mode <<= 6; 307 else if(egroupid == statb.st_gid) 308 mode <<= 3; 309 #ifdef _lib_getgroups 310 /* on some systems you can be in several groups */ 311 else 312 { 313 static int maxgroups; 314 gid_t *groups=0; 315 register int n; 316 if(maxgroups==0) 317 { 318 /* first time */ 319 if((maxgroups=getgroups(0,groups)) < 0) 320 { 321 /* pre-POSIX system */ 322 maxgroups=NGROUPS_MAX; 323 } 324 } 325 groups = (gid_t*)malloc((maxgroups+1)*sizeof(gid_t)); 326 n = getgroups(maxgroups,groups); 327 while(--n >= 0) 328 { 329 if(groups[n] == statb.st_gid) 330 { 331 mode <<= 3; 332 break; 333 } 334 } 335 } 336 #endif /* _lib_getgroups */ 337 if(statb.st_mode & mode) 338 return(0); 339 } 340 return(-1); 341 } 342 343 #ifdef _lib_setreuid 344 static void setids(int mode,int owner,int group) 345 { 346 if(mode & S_ISGID) 347 setregid(rgroupid,group); 348 349 /* set effective uid even if S_ISUID is not set. This is because 350 * we are *really* executing EUID root at this point. Even if S_ISUID 351 * is not set, the value for owner that is passsed should be correct. 352 */ 353 setreuid(ruserid,owner); 354 } 355 356 #else 357 /* 358 * This version of setids creats a /tmp file and copies itself into it. 359 * The "clone" file is made executable with appropriate suid/sgid bits. 360 * Finally, the clone is exec'ed. This file is unlinked by a grandchild 361 * of this program, who waits around until the text is free. 362 */ 363 364 static void setids(int mode,uid_t owner,gid_t group) 365 { 366 register int n,m; 367 int pv[2]; 368 369 /* 370 * Create a token to pass to the new program for validation. 371 * This token can only be procured by someone running with an 372 * effective userid of root, and hence gives the clone a way to 373 * certify that it was really invoked by THISPROG. Someone who 374 * is already root could spoof us, but why would they want to? 375 * 376 * Since we are root here, we must be careful: What if someone 377 * linked a valuable file to tmpname? 378 */ 379 unlink(tmpname); /* should normally fail */ 380 #ifdef O_EXCL 381 if((n = open(tmpname, O_WRONLY | O_CREAT | O_EXCL, SPECIAL)) < 0 || 382 unlink(tmpname) < 0) 383 #else 384 if((n = open(tmpname, O_WRONLY | O_CREAT ,SPECIAL)) < 0 || unlink(tmpname) < 0) 385 #endif 386 error_exit(badexec); 387 if(n != FDVERIFY) 388 { 389 close(FDVERIFY); 390 if(fcntl(n,F_DUPFD,FDVERIFY) != FDVERIFY) 391 error_exit(badexec); 392 } 393 mode |= S_IEXEC|(S_IEXEC>>3)|(S_IEXEC>>6); 394 /* create a pipe for synchronization */ 395 if(pipe(pv) < 0) 396 error_exit(badexec); 397 if((n=fork()) == 0) 398 { /* child */ 399 close(FDVERIFY); 400 close(pv[1]); 401 if((n=fork()) == 0) 402 { /* grandchild -- cleans up clone file */ 403 signal(SIGHUP, SIG_IGN); 404 signal(SIGINT, SIG_IGN); 405 signal(SIGQUIT, SIG_IGN); 406 signal(SIGTERM, SIG_IGN); 407 read(pv[0],pv,1); /* wait for clone to close pipe */ 408 while(unlink(tmpname) < 0 && errno == ETXTBSY) 409 sleep(1); 410 exit(0); 411 } 412 else if(n == -1) 413 exit(1); 414 else 415 { 416 /* Create a set[ug]id file that will become the clone. 417 * To make this atomic, without need for chown(), the 418 * child takes on desired user and group. The only 419 * downsize of this that I can see is that it may 420 * screw up some per- * user accounting. 421 */ 422 if((m = open(THISPROG, O_RDONLY)) < 0) 423 exit(1); 424 if((mode & S_ISGID) && setgid(group) < 0) 425 exit(1); 426 if((mode & S_ISUID) && owner && setuid(owner) < 0) 427 exit(1); 428 #ifdef O_EXCL 429 if((n = open(tmpname,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, mode)) < 0) 430 #else 431 unlink(tmpname); 432 if((n = open(tmpname,O_WRONLY|O_CREAT|O_TRUNC, mode)) < 0) 433 #endif /* O_EXCL */ 434 exit(1); 435 /* populate the clone */ 436 m = mycopy(m,n); 437 if(chmod(tmpname,mode) <0) 438 exit(1); 439 exit(m); 440 } 441 } 442 else if(n == -1) 443 error_exit(badexec); 444 else 445 { 446 arglist[0] = (char*)tmpname; 447 close(pv[0]); 448 /* move write end of pipe into FDSYNC */ 449 if(pv[1] != FDSYNC) 450 { 451 close(FDSYNC); 452 if(fcntl(pv[1],F_DUPFD,FDSYNC) != FDSYNC) 453 error_exit(badexec); 454 } 455 /* wait for child to die */ 456 while((m = wait(0)) != n) 457 if(m == -1 && errno != EINTR) 458 break; 459 /* Kill any setuid status at this point. That way, if the 460 * clone is not setuid, we won't exec it as root. Also, don't 461 * neglect to consider that someone could have switched the 462 * clone file on us. 463 */ 464 if(setuid(ruserid) < 0) 465 error_exit(badexec); 466 execv(tmpname,arglist); 467 error_exit(badexec); 468 } 469 } 470 471 /* 472 * create a unique name into the <template> 473 */ 474 475 static void maketemp(char *template) 476 { 477 register char *cp = template; 478 register pid_t n = getpid(); 479 /* skip to end of string */ 480 while(*++cp); 481 /* convert process id to string */ 482 while(n > 0) 483 { 484 *--cp = (n%10) + '0'; 485 n /= 10; 486 } 487 488 } 489 490 /* 491 * copy THISPROG into the open file number <fdo> and close <fdo> 492 */ 493 494 static int mycopy(int fdi, int fdo) 495 { 496 char buffer[BLKSIZE]; 497 register int n; 498 499 while((n = read(fdi,buffer,BLKSIZE)) > 0) 500 if(write(fdo,buffer,n) != n) 501 break; 502 close(fdi); 503 close(fdo); 504 return n; 505 } 506 507 #endif /* _lib_setreuid */ 508 509 510