source: branches/samba-3.0/source/lib/smbrun.c@ 770

Last change on this file since 770 was 60, checked in by Yuri Dario, 18 years ago

Use popen() for executing scripts, so .cmd/.exe/.sh scripts are supported. Fixes ticket:12 (and probably also ticket:26).
File size: 9.2 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19*/
20
21#include "includes.h"
22
23/* need to move this from here!! need some sleep ... */
24struct current_user current_user;
25
26/****************************************************************************
27This is a utility function of smbrun().
28****************************************************************************/
29
30static int setup_out_fd(void)
31{
32 int fd;
33 pstring path;
34
35 slprintf(path, sizeof(path)-1, "%s/smb.XXXXXX", tmpdir());
36
37 /* now create the file */
38 fd = smb_mkstemp(path);
39
40 if (fd == -1) {
41 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
42 path, strerror(errno) ));
43 return -1;
44 }
45
46 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
47
48 /* Ensure file only kept around by open fd. */
49 unlink(path);
50 return fd;
51}
52
53/****************************************************************************
54run a command being careful about uid/gid handling and putting the output in
55outfd (or discard it if outfd is NULL).
56****************************************************************************/
57
58static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize)
59{
60 pid_t pid;
61 uid_t uid = current_user.ut.uid;
62 gid_t gid = current_user.ut.gid;
63
64 /*
65 * Lose any elevated privileges.
66 */
67 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
68 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
69
70 /* point our stdout at the file we want output to go into */
71
72 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
73 return -1;
74 }
75
76#ifdef __EMX__
77
78 {
79 char buf[8192];
80 int n, w;
81 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
82 if (!newcmd) {
83 close(*outfd);
84 *outfd = -1;
85 return(82);
86 }
87 // execute script and capture stdout
88 FILE* pipe = popen( newcmd, "rb");
89 if (pipe) {
90 // get stdout from pipe
91 while( !feof( pipe)) {
92 n = fread( buf, 1, 8192, pipe);
93 // write to file if required
94 if (n>0 && outfd!=NULL)
95 w = write( *outfd, buf, n);
96 }
97 // close and return status
98 pclose( pipe);
99 return 0;
100 }
101 // error, close files
102 close(*outfd);
103 *outfd = -1;
104 return 83;
105 }
106
107#else
108
109 /* in this method we will exec /bin/sh with the correct
110 arguments, after first setting stdout to point at the file */
111
112 /*
113 * We need to temporarily stop CatchChild from eating
114 * SIGCLD signals as it also eats the exit status code. JRA.
115 */
116
117 CatchChildLeaveStatus();
118
119 if ((pid=sys_fork()) < 0) {
120 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
121 CatchChild();
122 if (outfd) {
123 close(*outfd);
124 *outfd = -1;
125 }
126 return errno;
127 }
128
129 if (pid) {
130 /*
131 * Parent.
132 */
133 int status=0;
134 pid_t wpid;
135
136
137 /* the parent just waits for the child to exit */
138 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
139 if(errno == EINTR) {
140 errno = 0;
141 continue;
142 }
143 break;
144 }
145
146 CatchChild();
147
148 if (wpid != pid) {
149 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
150 if (outfd) {
151 close(*outfd);
152 *outfd = -1;
153 }
154 return -1;
155 }
156
157 /* Reset the seek pointer. */
158 if (outfd) {
159 sys_lseek(*outfd, 0, SEEK_SET);
160 }
161
162#if defined(WIFEXITED) && defined(WEXITSTATUS)
163 if (WIFEXITED(status)) {
164 return WEXITSTATUS(status);
165 }
166#endif
167
168 return status;
169 }
170
171 CatchChild();
172
173 /* we are in the child. we exec /bin/sh to do the work for us. we
174 don't directly exec the command we want because it may be a
175 pipeline or anything else the config file specifies */
176
177 /* point our stdout at the file we want output to go into */
178 if (outfd) {
179 close(1);
180 if (sys_dup2(*outfd,1) != 1) {
181 DEBUG(2,("Failed to create stdout file descriptor\n"));
182 close(*outfd);
183 exit(80);
184 }
185 }
186
187 /* now completely lose our privileges. This is a fairly paranoid
188 way of doing it, but it does work on all systems that I know of */
189
190 become_user_permanently(uid, gid);
191
192 if (getuid() != uid || geteuid() != uid ||
193 getgid() != gid || getegid() != gid) {
194 /* we failed to lose our privileges - do not execute
195 the command */
196 exit(81); /* we can't print stuff at this stage,
197 instead use exit codes for debugging */
198 }
199
200#ifndef __INSURE__
201 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
202 2 point to /dev/null from the startup code */
203 {
204 int fd;
205 for (fd=3;fd<256;fd++) close(fd);
206 }
207#endif
208
209 {
210 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
211 if (!newcmd) {
212 exit(82);
213 }
214 execl("/bin/sh","sh","-c",newcmd,NULL);
215 }
216
217 /* not reached */
218 exit(83);
219 return 1;
220
221#endif // __EMX__
222
223}
224
225/****************************************************************************
226 Use only in known safe shell calls (printing).
227****************************************************************************/
228
229int smbrun_no_sanitize(const char *cmd, int *outfd)
230{
231 return smbrun_internal(cmd, outfd, False);
232}
233
234/****************************************************************************
235 By default this now sanitizes shell expansion.
236****************************************************************************/
237
238int smbrun(const char *cmd, int *outfd)
239{
240 return smbrun_internal(cmd, outfd, True);
241}
242
243/****************************************************************************
244run a command being careful about uid/gid handling and putting the output in
245outfd (or discard it if outfd is NULL).
246sends the provided secret to the child stdin.
247****************************************************************************/
248
249int smbrunsecret(const char *cmd, const char *secret)
250{
251 pid_t pid;
252 uid_t uid = current_user.ut.uid;
253 gid_t gid = current_user.ut.gid;
254 int ifd[2];
255
256 /*
257 * Lose any elevated privileges.
258 */
259 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
260 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
261
262 /* build up an input pipe */
263 if(pipe(ifd)) {
264 return -1;
265 }
266
267 /* in this method we will exec /bin/sh with the correct
268 arguments, after first setting stdout to point at the file */
269
270 /*
271 * We need to temporarily stop CatchChild from eating
272 * SIGCLD signals as it also eats the exit status code. JRA.
273 */
274
275 CatchChildLeaveStatus();
276
277 if ((pid=sys_fork()) < 0) {
278 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
279 CatchChild();
280 return errno;
281 }
282
283 if (pid) {
284 /*
285 * Parent.
286 */
287 int status = 0;
288 pid_t wpid;
289 size_t towrite;
290 ssize_t wrote;
291
292 close(ifd[0]);
293 /* send the secret */
294 towrite = strlen(secret);
295 wrote = write(ifd[1], secret, towrite);
296 if ( wrote != towrite ) {
297 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
298 }
299 fsync(ifd[1]);
300 close(ifd[1]);
301
302 /* the parent just waits for the child to exit */
303 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
304 if(errno == EINTR) {
305 errno = 0;
306 continue;
307 }
308 break;
309 }
310
311 CatchChild();
312
313 if (wpid != pid) {
314 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
315 return -1;
316 }
317
318#if defined(WIFEXITED) && defined(WEXITSTATUS)
319 if (WIFEXITED(status)) {
320 return WEXITSTATUS(status);
321 }
322#endif
323
324 return status;
325 }
326
327 CatchChild();
328
329 /* we are in the child. we exec /bin/sh to do the work for us. we
330 don't directly exec the command we want because it may be a
331 pipeline or anything else the config file specifies */
332
333 close(ifd[1]);
334 close(0);
335 if (sys_dup2(ifd[0], 0) != 0) {
336 DEBUG(2,("Failed to create stdin file descriptor\n"));
337 close(ifd[0]);
338 exit(80);
339 }
340
341 /* now completely lose our privileges. This is a fairly paranoid
342 way of doing it, but it does work on all systems that I know of */
343
344 become_user_permanently(uid, gid);
345
346 if (getuid() != uid || geteuid() != uid ||
347 getgid() != gid || getegid() != gid) {
348 /* we failed to lose our privileges - do not execute
349 the command */
350 exit(81); /* we can't print stuff at this stage,
351 instead use exit codes for debugging */
352 }
353
354#ifndef __INSURE__
355 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
356 2 point to /dev/null from the startup code */
357 {
358 int fd;
359 for (fd = 3; fd < 256; fd++) close(fd);
360 }
361#endif
362
363 execl("/bin/sh", "sh", "-c", cmd, NULL);
364
365 /* not reached */
366 exit(82);
367 return 1;
368}
Note: See TracBrowser for help on using the repository browser.