source: branches/samba-3.3.x/source/lib/smbrun.c@ 460

Last change on this file since 460 was 206, checked in by Herwig Bauernfeind, 16 years ago

Import Samba 3.3 branch at 3.0.0 level (psmedley's port)
File size: 9.3 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18*/
19
20#include "includes.h"
21
22/* need to move this from here!! need some sleep ... */
23struct current_user current_user;
24
25/****************************************************************************
26This is a utility function of smbrun().
27****************************************************************************/
28
29static int setup_out_fd(void)
30{
31 int fd;
32 TALLOC_CTX *ctx = talloc_stackframe();
33 char *path = NULL;
34
35 path = talloc_asprintf(ctx,
36 "%s/smb.XXXXXX",
37 tmpdir());
38 if (!path) {
39 TALLOC_FREE(ctx);
40 errno = ENOMEM;
41 return -1;
42 }
43
44 /* now create the file */
45 fd = smb_mkstemp(path);
46
47 if (fd == -1) {
48 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
49 path, strerror(errno) ));
50 TALLOC_FREE(ctx);
51 return -1;
52 }
53
54 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
55
56 /* Ensure file only kept around by open fd. */
57 unlink(path);
58 TALLOC_FREE(ctx);
59 return fd;
60}
61
62/****************************************************************************
63run a command being careful about uid/gid handling and putting the output in
64outfd (or discard it if outfd is NULL).
65****************************************************************************/
66
67static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
68{
69 pid_t pid;
70 uid_t uid = current_user.ut.uid;
71 gid_t gid = current_user.ut.gid;
72
73 /*
74 * Lose any elevated privileges.
75 */
76 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
77 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
78
79 /* point our stdout at the file we want output to go into */
80
81 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
82 return -1;
83 }
84
85#ifdef __EMX__
86
87 {
88 char buf[8192];
89 int n, w;
90 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
91 if (!newcmd) {
92 close(*outfd);
93 *outfd = -1;
94 return(82);
95 }
96 // execute script and capture stdout
97 FILE* pipe = popen( newcmd, "rb");
98 if (pipe) {
99 // get stdout from pipe
100 while( !feof( pipe)) {
101 n = fread( buf, 1, 8192, pipe);
102 // write to file if required
103 if (n>0 && outfd!=NULL)
104 w = write( *outfd, buf, n);
105 }
106 // close and return status
107 pclose( pipe);
108 return 0;
109 }
110 // error, close files
111 close(*outfd);
112 *outfd = -1;
113 return 83;
114 }
115
116#else
117
118 /* in this method we will exec /bin/sh with the correct
119 arguments, after first setting stdout to point at the file */
120
121 /*
122 * We need to temporarily stop CatchChild from eating
123 * SIGCLD signals as it also eats the exit status code. JRA.
124 */
125
126 CatchChildLeaveStatus();
127
128 if ((pid=sys_fork()) < 0) {
129 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
130 CatchChild();
131 if (outfd) {
132 close(*outfd);
133 *outfd = -1;
134 }
135 return errno;
136 }
137
138 if (pid) {
139 /*
140 * Parent.
141 */
142 int status=0;
143 pid_t wpid;
144
145
146 /* the parent just waits for the child to exit */
147 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
148 if(errno == EINTR) {
149 errno = 0;
150 continue;
151 }
152 break;
153 }
154
155 CatchChild();
156
157 if (wpid != pid) {
158 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
159 if (outfd) {
160 close(*outfd);
161 *outfd = -1;
162 }
163 return -1;
164 }
165
166 /* Reset the seek pointer. */
167 if (outfd) {
168 sys_lseek(*outfd, 0, SEEK_SET);
169 }
170
171#if defined(WIFEXITED) && defined(WEXITSTATUS)
172 if (WIFEXITED(status)) {
173 return WEXITSTATUS(status);
174 }
175#endif
176
177 return status;
178 }
179
180 CatchChild();
181
182 /* we are in the child. we exec /bin/sh to do the work for us. we
183 don't directly exec the command we want because it may be a
184 pipeline or anything else the config file specifies */
185
186 /* point our stdout at the file we want output to go into */
187 if (outfd) {
188 close(1);
189 if (sys_dup2(*outfd,1) != 1) {
190 DEBUG(2,("Failed to create stdout file descriptor\n"));
191 close(*outfd);
192 exit(80);
193 }
194 }
195
196 /* now completely lose our privileges. This is a fairly paranoid
197 way of doing it, but it does work on all systems that I know of */
198
199 become_user_permanently(uid, gid);
200
201 if (getuid() != uid || geteuid() != uid ||
202 getgid() != gid || getegid() != gid) {
203 /* we failed to lose our privileges - do not execute
204 the command */
205 exit(81); /* we can't print stuff at this stage,
206 instead use exit codes for debugging */
207 }
208
209#ifndef __INSURE__
210 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
211 2 point to /dev/null from the startup code */
212 {
213 int fd;
214 for (fd=3;fd<256;fd++) close(fd);
215 }
216#endif
217
218 {
219 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
220 if (!newcmd) {
221 exit(82);
222 }
223 execl("/bin/sh","sh","-c",newcmd,NULL);
224 }
225
226 /* not reached */
227 exit(83);
228 return 1;
229
230#endif // __EMX__
231
232}
233
234/****************************************************************************
235 Use only in known safe shell calls (printing).
236****************************************************************************/
237
238int smbrun_no_sanitize(const char *cmd, int *outfd)
239{
240 return smbrun_internal(cmd, outfd, False);
241}
242
243/****************************************************************************
244 By default this now sanitizes shell expansion.
245****************************************************************************/
246
247int smbrun(const char *cmd, int *outfd)
248{
249 return smbrun_internal(cmd, outfd, True);
250}
251
252/****************************************************************************
253run a command being careful about uid/gid handling and putting the output in
254outfd (or discard it if outfd is NULL).
255sends the provided secret to the child stdin.
256****************************************************************************/
257
258int smbrunsecret(const char *cmd, const char *secret)
259{
260 pid_t pid;
261 uid_t uid = current_user.ut.uid;
262 gid_t gid = current_user.ut.gid;
263 int ifd[2];
264
265 /*
266 * Lose any elevated privileges.
267 */
268 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
269 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
270
271 /* build up an input pipe */
272 if(pipe(ifd)) {
273 return -1;
274 }
275
276 /* in this method we will exec /bin/sh with the correct
277 arguments, after first setting stdout to point at the file */
278
279 /*
280 * We need to temporarily stop CatchChild from eating
281 * SIGCLD signals as it also eats the exit status code. JRA.
282 */
283
284 CatchChildLeaveStatus();
285
286 if ((pid=sys_fork()) < 0) {
287 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
288 CatchChild();
289 return errno;
290 }
291
292 if (pid) {
293 /*
294 * Parent.
295 */
296 int status = 0;
297 pid_t wpid;
298 size_t towrite;
299 ssize_t wrote;
300
301 close(ifd[0]);
302 /* send the secret */
303 towrite = strlen(secret);
304 wrote = write(ifd[1], secret, towrite);
305 if ( wrote != towrite ) {
306 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
307 }
308 fsync(ifd[1]);
309 close(ifd[1]);
310
311 /* the parent just waits for the child to exit */
312 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
313 if(errno == EINTR) {
314 errno = 0;
315 continue;
316 }
317 break;
318 }
319
320 CatchChild();
321
322 if (wpid != pid) {
323 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
324 return -1;
325 }
326
327#if defined(WIFEXITED) && defined(WEXITSTATUS)
328 if (WIFEXITED(status)) {
329 return WEXITSTATUS(status);
330 }
331#endif
332
333 return status;
334 }
335
336 CatchChild();
337
338 /* we are in the child. we exec /bin/sh to do the work for us. we
339 don't directly exec the command we want because it may be a
340 pipeline or anything else the config file specifies */
341
342 close(ifd[1]);
343 close(0);
344 if (sys_dup2(ifd[0], 0) != 0) {
345 DEBUG(2,("Failed to create stdin file descriptor\n"));
346 close(ifd[0]);
347 exit(80);
348 }
349
350 /* now completely lose our privileges. This is a fairly paranoid
351 way of doing it, but it does work on all systems that I know of */
352
353 become_user_permanently(uid, gid);
354
355 if (getuid() != uid || geteuid() != uid ||
356 getgid() != gid || getegid() != gid) {
357 /* we failed to lose our privileges - do not execute
358 the command */
359 exit(81); /* we can't print stuff at this stage,
360 instead use exit codes for debugging */
361 }
362
363#ifndef __INSURE__
364 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
365 2 point to /dev/null from the startup code */
366 {
367 int fd;
368 for (fd = 3; fd < 256; fd++) close(fd);
369 }
370#endif
371
372 execl("/bin/sh", "sh", "-c", cmd, NULL);
373
374 /* not reached */
375 exit(82);
376 return 1;
377}
Note: See TracBrowser for help on using the repository browser.