source: branches/samba-3.2.x/source/lib/smbrun.c@ 1001

Last change on this file since 1001 was 133, checked in by Paul Smedley, 17 years ago

Update trunk to 3.2.0pre3
File size: 8.9 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18*/
19
20#include "includes.h"
21
22/* need to move this from here!! need some sleep ... */
23struct current_user current_user;
24
25/****************************************************************************
26This is a utility function of smbrun().
27****************************************************************************/
28
29static int setup_out_fd(void)
30{
31 int fd;
32 TALLOC_CTX *ctx = talloc_stackframe();
33 char *path = NULL;
34
35 path = talloc_asprintf(ctx,
36 "%s/smb.XXXXXX",
37 tmpdir());
38 if (!path) {
39 TALLOC_FREE(ctx);
40 errno = ENOMEM;
41 return -1;
42 }
43
44 /* now create the file */
45 fd = smb_mkstemp(path);
46
47 if (fd == -1) {
48 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
49 path, strerror(errno) ));
50 TALLOC_FREE(ctx);
51 return -1;
52 }
53
54 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
55
56 /* Ensure file only kept around by open fd. */
57 unlink(path);
58 TALLOC_FREE(ctx);
59 return fd;
60}
61
62/****************************************************************************
63run a command being careful about uid/gid handling and putting the output in
64outfd (or discard it if outfd is NULL).
65****************************************************************************/
66
67static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
68{
69 pid_t pid;
70 uid_t uid = current_user.ut.uid;
71 gid_t gid = current_user.ut.gid;
72
73 /*
74 * Lose any elevated privileges.
75 */
76 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
77 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
78
79 /* point our stdout at the file we want output to go into */
80
81 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
82 return -1;
83 }
84
85#ifdef __EMX__
86
87 {
88 char buf[8192];
89 int n, w;
90 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
91 if (!newcmd) {
92 close(*outfd);
93 *outfd = -1;
94 return(82);
95 }
96 // execute script and capture stdout
97 FILE* pipe = popen( newcmd, "rb");
98 if (pipe) {
99 // get stdout from pipe
100 while( !feof( pipe)) {
101 n = fread( buf, 1, 8192, pipe);
102 // write to file if required
103 if (n>0 && outfd!=NULL)
104 w = write( *outfd, buf, n);
105 }
106 // close and return status
107 pclose( pipe);
108 return 0;
109 }
110 // error, close files
111 close(*outfd);
112 *outfd = -1;
113 return 83;
114 }
115
116#else
117 /* in this method we will exec /bin/sh with the correct
118 arguments, after first setting stdout to point at the file */
119
120 /*
121 * We need to temporarily stop CatchChild from eating
122 * SIGCLD signals as it also eats the exit status code. JRA.
123 */
124
125 CatchChildLeaveStatus();
126
127 if ((pid=sys_fork()) < 0) {
128 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
129 CatchChild();
130 if (outfd) {
131 close(*outfd);
132 *outfd = -1;
133 }
134 return errno;
135 }
136
137 if (pid) {
138 /*
139 * Parent.
140 */
141 int status=0;
142 pid_t wpid;
143
144
145 /* the parent just waits for the child to exit */
146 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
147 if(errno == EINTR) {
148 errno = 0;
149 continue;
150 }
151 break;
152 }
153
154 CatchChild();
155
156 if (wpid != pid) {
157 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
158 if (outfd) {
159 close(*outfd);
160 *outfd = -1;
161 }
162 return -1;
163 }
164
165 /* Reset the seek pointer. */
166 if (outfd) {
167 sys_lseek(*outfd, 0, SEEK_SET);
168 }
169
170#if defined(WIFEXITED) && defined(WEXITSTATUS)
171 if (WIFEXITED(status)) {
172 return WEXITSTATUS(status);
173 }
174#endif
175
176 return status;
177 }
178
179 CatchChild();
180
181 /* we are in the child. we exec /bin/sh to do the work for us. we
182 don't directly exec the command we want because it may be a
183 pipeline or anything else the config file specifies */
184
185 /* point our stdout at the file we want output to go into */
186 if (outfd) {
187 close(1);
188 if (sys_dup2(*outfd,1) != 1) {
189 DEBUG(2,("Failed to create stdout file descriptor\n"));
190 close(*outfd);
191 exit(80);
192 }
193 }
194
195 /* now completely lose our privileges. This is a fairly paranoid
196 way of doing it, but it does work on all systems that I know of */
197
198 become_user_permanently(uid, gid);
199
200 if (getuid() != uid || geteuid() != uid ||
201 getgid() != gid || getegid() != gid) {
202 /* we failed to lose our privileges - do not execute
203 the command */
204 exit(81); /* we can't print stuff at this stage,
205 instead use exit codes for debugging */
206 }
207
208#ifndef __INSURE__
209 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
210 2 point to /dev/null from the startup code */
211 {
212 int fd;
213 for (fd=3;fd<256;fd++) close(fd);
214 }
215#endif
216
217 {
218 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
219 if (!newcmd) {
220 exit(82);
221 }
222 execl("/bin/sh","sh","-c",newcmd,NULL);
223 }
224
225 /* not reached */
226 exit(83);
227 return 1;
228#endif // __EMX__
229}
230
231/****************************************************************************
232 Use only in known safe shell calls (printing).
233****************************************************************************/
234
235int smbrun_no_sanitize(const char *cmd, int *outfd)
236{
237 return smbrun_internal(cmd, outfd, False);
238}
239
240/****************************************************************************
241 By default this now sanitizes shell expansion.
242****************************************************************************/
243
244int smbrun(const char *cmd, int *outfd)
245{
246 return smbrun_internal(cmd, outfd, True);
247}
248
249/****************************************************************************
250run a command being careful about uid/gid handling and putting the output in
251outfd (or discard it if outfd is NULL).
252sends the provided secret to the child stdin.
253****************************************************************************/
254
255int smbrunsecret(const char *cmd, const char *secret)
256{
257 pid_t pid;
258 uid_t uid = current_user.ut.uid;
259 gid_t gid = current_user.ut.gid;
260 int ifd[2];
261
262 /*
263 * Lose any elevated privileges.
264 */
265 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
266 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
267
268 /* build up an input pipe */
269 if(pipe(ifd)) {
270 return -1;
271 }
272
273 /* in this method we will exec /bin/sh with the correct
274 arguments, after first setting stdout to point at the file */
275
276 /*
277 * We need to temporarily stop CatchChild from eating
278 * SIGCLD signals as it also eats the exit status code. JRA.
279 */
280
281 CatchChildLeaveStatus();
282
283 if ((pid=sys_fork()) < 0) {
284 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
285 CatchChild();
286 return errno;
287 }
288
289 if (pid) {
290 /*
291 * Parent.
292 */
293 int status = 0;
294 pid_t wpid;
295 size_t towrite;
296 ssize_t wrote;
297
298 close(ifd[0]);
299 /* send the secret */
300 towrite = strlen(secret);
301 wrote = write(ifd[1], secret, towrite);
302 if ( wrote != towrite ) {
303 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
304 }
305 fsync(ifd[1]);
306 close(ifd[1]);
307
308 /* the parent just waits for the child to exit */
309 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
310 if(errno == EINTR) {
311 errno = 0;
312 continue;
313 }
314 break;
315 }
316
317 CatchChild();
318
319 if (wpid != pid) {
320 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
321 return -1;
322 }
323
324#if defined(WIFEXITED) && defined(WEXITSTATUS)
325 if (WIFEXITED(status)) {
326 return WEXITSTATUS(status);
327 }
328#endif
329
330 return status;
331 }
332
333 CatchChild();
334
335 /* we are in the child. we exec /bin/sh to do the work for us. we
336 don't directly exec the command we want because it may be a
337 pipeline or anything else the config file specifies */
338
339 close(ifd[1]);
340 close(0);
341 if (sys_dup2(ifd[0], 0) != 0) {
342 DEBUG(2,("Failed to create stdin file descriptor\n"));
343 close(ifd[0]);
344 exit(80);
345 }
346
347 /* now completely lose our privileges. This is a fairly paranoid
348 way of doing it, but it does work on all systems that I know of */
349
350 become_user_permanently(uid, gid);
351
352 if (getuid() != uid || geteuid() != uid ||
353 getgid() != gid || getegid() != gid) {
354 /* we failed to lose our privileges - do not execute
355 the command */
356 exit(81); /* we can't print stuff at this stage,
357 instead use exit codes for debugging */
358 }
359
360#ifndef __INSURE__
361 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
362 2 point to /dev/null from the startup code */
363 {
364 int fd;
365 for (fd = 3; fd < 256; fd++) close(fd);
366 }
367#endif
368
369 execl("/bin/sh", "sh", "-c", cmd, NULL);
370
371 /* not reached */
372 exit(82);
373 return 1;
374}
Note: See TracBrowser for help on using the repository browser.