Context Navigation

source: branches/samba-3.5.x/source3/lib/smbrun.c@ 791

Visit:

Last change on this file since 791 was 454, checked in by Silvan Scherrer, 15 years ago
Samba Server 3.5: merged changes from 3.3
File size: 9.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	run a command as a specified user
4	Copyright (C) Andrew Tridgell 1992-1998
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21
22	/* need to move this from here!! need some sleep ... */
23	struct current_user current_user;
24
25	/****************************************************************************
26	This is a utility function of smbrun().
27	****************************************************************************/
28
29	static int setup_out_fd(void)
30	{
31	int fd;
32	TALLOC_CTX *ctx = talloc_stackframe();
33	char *path = NULL;
34
35	path = talloc_asprintf(ctx,
36	"%s/smb.XXXXXX",
37	tmpdir());
38	if (!path) {
39	TALLOC_FREE(ctx);
40	errno = ENOMEM;
41	return -1;
42	}
43
44	/* now create the file */
45	fd = mkstemp(path);
46
47	if (fd == -1) {
48	DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
49	path, strerror(errno) ));
50	TALLOC_FREE(ctx);
51	return -1;
52	}
53
54	DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
55
56	/* Ensure file only kept around by open fd. */
57	unlink(path);
58	TALLOC_FREE(ctx);
59	return fd;
60	}
61
62	/****************************************************************************
63	run a command being careful about uid/gid handling and putting the output in
64	outfd (or discard it if outfd is NULL).
65	****************************************************************************/
66
67	static int smbrun_internal(const char cmd, int outfd, bool sanitize)
68	{
69	pid_t pid;
70	uid_t uid = current_user.ut.uid;
71	gid_t gid = current_user.ut.gid;
72
73	/*
74	* Lose any elevated privileges.
75	*/
76	drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
77	drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
78
79	/* point our stdout at the file we want output to go into */
80
81	if (outfd && ((*outfd = setup_out_fd()) == -1)) {
82	return -1;
83	}
84
85	#ifdef __OS2__
86	char buf[8192];
87	int n, w;
88	const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
89	if (!newcmd) {
90	close(*outfd);
91	*outfd = -1;
92	return(82);
93	}
94	// execute script and capture stdout
95	FILE* pipe = popen( newcmd, "rb");
96	if (pipe) {
97	// get stdout from pipe
98	while( !feof( pipe)) {
99	n = fread( buf, 1, 8192, pipe);
100	// write to file if required
101	if (n>0 && outfd!=NULL)
102	w = write( *outfd, buf, n);
103	}
104	// close and return status
105	pclose( pipe);
106	return 0;
107	}
108	// error, close files
109	close(*outfd);
110	*outfd = -1;
111	return 83;
112	#else
113	/* in this method we will exec /bin/sh with the correct
114	arguments, after first setting stdout to point at the file */
115
116	/*
117	* We need to temporarily stop CatchChild from eating
118	* SIGCLD signals as it also eats the exit status code. JRA.
119	*/
120
121	CatchChildLeaveStatus();
122
123	if ((pid=sys_fork()) < 0) {
124	DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
125	CatchChild();
126	if (outfd) {
127	close(*outfd);
128	*outfd = -1;
129	}
130	return errno;
131	}
132
133	if (pid) {
134	/*
135	* Parent.
136	*/
137	int status=0;
138	pid_t wpid;
139
140
141	/* the parent just waits for the child to exit */
142	while((wpid = sys_waitpid(pid,&status,0)) < 0) {
143	if(errno == EINTR) {
144	errno = 0;
145	continue;
146	}
147	break;
148	}
149
150	CatchChild();
151
152	if (wpid != pid) {
153	DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
154	if (outfd) {
155	close(*outfd);
156	*outfd = -1;
157	}
158	return -1;
159	}
160
161	/* Reset the seek pointer. */
162	if (outfd) {
163	sys_lseek(*outfd, 0, SEEK_SET);
164	}
165
166	#if defined(WIFEXITED) && defined(WEXITSTATUS)
167	if (WIFEXITED(status)) {
168	return WEXITSTATUS(status);
169	}
170	#endif
171
172	return status;
173	}
174
175	CatchChild();
176
177	/* we are in the child. we exec /bin/sh to do the work for us. we
178	don't directly exec the command we want because it may be a
179	pipeline or anything else the config file specifies */
180
181	/* point our stdout at the file we want output to go into */
182	if (outfd) {
183	close(1);
184	if (dup2(*outfd,1) != 1) {
185	DEBUG(2,("Failed to create stdout file descriptor\n"));
186	close(*outfd);
187	exit(80);
188	}
189	}
190
191	/* now completely lose our privileges. This is a fairly paranoid
192	way of doing it, but it does work on all systems that I know of */
193
194	become_user_permanently(uid, gid);
195
196	if (!non_root_mode()) {
197	if (getuid() != uid \|\| geteuid() != uid \|\|
198	getgid() != gid \|\| getegid() != gid) {
199	/* we failed to lose our privileges - do not execute
200	the command */
201	exit(81); /* we can't print stuff at this stage,
202	instead use exit codes for debugging */
203	}
204	}
205
206	#ifndef __INSURE__
207	/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
208	2 point to /dev/null from the startup code */
209	{
210	int fd;
211	for (fd=3;fd<256;fd++) close(fd);
212	}
213	#endif
214
215	{
216	char *newcmd = NULL;
217	if (sanitize) {
218	newcmd = escape_shell_string(cmd);
219	if (!newcmd)
220	exit(82);
221	}
222
223	execl("/bin/sh","sh","-c",
224	newcmd ? (const char *)newcmd : cmd, NULL);
225
226	SAFE_FREE(newcmd);
227	}
228
229	/* not reached */
230	exit(83);
231	return 1;
232	#endif
233	}
234
235	/****************************************************************************
236	Use only in known safe shell calls (printing).
237	****************************************************************************/
238
239	int smbrun_no_sanitize(const char cmd, int outfd)
240	{
241	return smbrun_internal(cmd, outfd, False);
242	}
243
244	/****************************************************************************
245	By default this now sanitizes shell expansion.
246	****************************************************************************/
247
248	int smbrun(const char cmd, int outfd)
249	{
250	return smbrun_internal(cmd, outfd, True);
251	}
252
253	/****************************************************************************
254	run a command being careful about uid/gid handling and putting the output in
255	outfd (or discard it if outfd is NULL).
256	sends the provided secret to the child stdin.
257	****************************************************************************/
258
259	int smbrunsecret(const char cmd, const char secret)
260	{
261	pid_t pid;
262	uid_t uid = current_user.ut.uid;
263	gid_t gid = current_user.ut.gid;
264	int ifd[2];
265
266	/*
267	* Lose any elevated privileges.
268	*/
269	drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
270	drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
271
272	/* build up an input pipe */
273	if(pipe(ifd)) {
274	return -1;
275	}
276
277	/* in this method we will exec /bin/sh with the correct
278	arguments, after first setting stdout to point at the file */
279
280	/*
281	* We need to temporarily stop CatchChild from eating
282	* SIGCLD signals as it also eats the exit status code. JRA.
283	*/
284
285	CatchChildLeaveStatus();
286
287	if ((pid=sys_fork()) < 0) {
288	DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
289	CatchChild();
290	return errno;
291	}
292
293	if (pid) {
294	/*
295	* Parent.
296	*/
297	int status = 0;
298	pid_t wpid;
299	size_t towrite;
300	ssize_t wrote;
301
302	close(ifd[0]);
303	/* send the secret */
304	towrite = strlen(secret);
305	wrote = write(ifd[1], secret, towrite);
306	if ( wrote != towrite ) {
307	DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
308	}
309	fsync(ifd[1]);
310	close(ifd[1]);
311
312	/* the parent just waits for the child to exit */
313	while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
314	if(errno == EINTR) {
315	errno = 0;
316	continue;
317	}
318	break;
319	}
320
321	CatchChild();
322
323	if (wpid != pid) {
324	DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
325	return -1;
326	}
327
328	#if defined(WIFEXITED) && defined(WEXITSTATUS)
329	if (WIFEXITED(status)) {
330	return WEXITSTATUS(status);
331	}
332	#endif
333
334	return status;
335	}
336
337	CatchChild();
338
339	/* we are in the child. we exec /bin/sh to do the work for us. we
340	don't directly exec the command we want because it may be a
341	pipeline or anything else the config file specifies */
342
343	close(ifd[1]);
344	close(0);
345	if (dup2(ifd[0], 0) != 0) {
346	DEBUG(2,("Failed to create stdin file descriptor\n"));
347	close(ifd[0]);
348	exit(80);
349	}
350
351	/* now completely lose our privileges. This is a fairly paranoid
352	way of doing it, but it does work on all systems that I know of */
353
354	become_user_permanently(uid, gid);
355
356	if (!non_root_mode()) {
357	if (getuid() != uid \|\| geteuid() != uid \|\|
358	getgid() != gid \|\| getegid() != gid) {
359	/* we failed to lose our privileges - do not execute
360	the command */
361	exit(81); /* we can't print stuff at this stage,
362	instead use exit codes for debugging */
363	}
364	}
365
366	#ifndef __INSURE__
367	/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
368	2 point to /dev/null from the startup code */
369	{
370	int fd;
371	for (fd = 3; fd < 256; fd++) close(fd);
372	}
373	#endif
374
375	execl("/bin/sh", "sh", "-c", cmd, NULL);
376
377	/* not reached */
378	exit(82);
379	return 1;
380	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: