source: trunk/server/source3/lib/smbrun.c

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 9.0 KB
RevLine 
[414]1/*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18*/
19
20#include "includes.h"
21
22/* need to move this from here!! need some sleep ... */
23struct current_user current_user;
24
25/****************************************************************************
26This is a utility function of smbrun().
27****************************************************************************/
28
29static int setup_out_fd(void)
30{
31 int fd;
32 TALLOC_CTX *ctx = talloc_stackframe();
33 char *path = NULL;
34
35 path = talloc_asprintf(ctx,
36 "%s/smb.XXXXXX",
37 tmpdir());
38 if (!path) {
39 TALLOC_FREE(ctx);
40 errno = ENOMEM;
41 return -1;
42 }
43
44 /* now create the file */
45 fd = mkstemp(path);
46
47 if (fd == -1) {
48 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
49 path, strerror(errno) ));
50 TALLOC_FREE(ctx);
51 return -1;
52 }
53
54 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
55
56 /* Ensure file only kept around by open fd. */
57 unlink(path);
58 TALLOC_FREE(ctx);
59 return fd;
60}
61
62/****************************************************************************
63run a command being careful about uid/gid handling and putting the output in
64outfd (or discard it if outfd is NULL).
65****************************************************************************/
66
67static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
68{
69 pid_t pid;
70 uid_t uid = current_user.ut.uid;
71 gid_t gid = current_user.ut.gid;
72
73 /*
74 * Lose any elevated privileges.
75 */
76 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
77 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
78
79 /* point our stdout at the file we want output to go into */
80
81 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
82 return -1;
[745]83 }
[414]84
[745]85#ifdef __OS2__
86 char buf[8192];
87 int n, w;
88 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
89 if (!newcmd) {
90 close(*outfd);
91 *outfd = -1;
92 return(82);
93 }
94 // execute script and capture stdout
95 FILE* pipe = popen( newcmd, "rb");
96 if (pipe) {
97 // get stdout from pipe
98 while( !feof( pipe)) {
99 n = fread( buf, 1, 8192, pipe);
100 // write to file if required
101 if (n>0 && outfd!=NULL)
102 w = write( *outfd, buf, n);
103 }
104 // close and return status
105 pclose( pipe);
106 return 0;
107 }
108 // error, close files
109 close(*outfd);
110 *outfd = -1;
111 return 83;
[454]112#else
[414]113 /* in this method we will exec /bin/sh with the correct
114 arguments, after first setting stdout to point at the file */
115
116 /*
117 * We need to temporarily stop CatchChild from eating
118 * SIGCLD signals as it also eats the exit status code. JRA.
119 */
120
121 CatchChildLeaveStatus();
122
123 if ((pid=sys_fork()) < 0) {
124 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
125 CatchChild();
126 if (outfd) {
127 close(*outfd);
128 *outfd = -1;
129 }
130 return errno;
131 }
132
133 if (pid) {
134 /*
135 * Parent.
136 */
137 int status=0;
138 pid_t wpid;
139
140
141 /* the parent just waits for the child to exit */
142 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
143 if(errno == EINTR) {
144 errno = 0;
145 continue;
146 }
147 break;
148 }
149
150 CatchChild();
151
152 if (wpid != pid) {
153 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
154 if (outfd) {
155 close(*outfd);
156 *outfd = -1;
157 }
158 return -1;
159 }
160
161 /* Reset the seek pointer. */
162 if (outfd) {
163 sys_lseek(*outfd, 0, SEEK_SET);
164 }
165
166#if defined(WIFEXITED) && defined(WEXITSTATUS)
167 if (WIFEXITED(status)) {
168 return WEXITSTATUS(status);
169 }
170#endif
171
172 return status;
173 }
174
175 CatchChild();
176
177 /* we are in the child. we exec /bin/sh to do the work for us. we
178 don't directly exec the command we want because it may be a
179 pipeline or anything else the config file specifies */
180
181 /* point our stdout at the file we want output to go into */
182 if (outfd) {
183 close(1);
184 if (dup2(*outfd,1) != 1) {
185 DEBUG(2,("Failed to create stdout file descriptor\n"));
186 close(*outfd);
187 exit(80);
188 }
189 }
190
191 /* now completely lose our privileges. This is a fairly paranoid
192 way of doing it, but it does work on all systems that I know of */
193
194 become_user_permanently(uid, gid);
195
196 if (!non_root_mode()) {
197 if (getuid() != uid || geteuid() != uid ||
198 getgid() != gid || getegid() != gid) {
199 /* we failed to lose our privileges - do not execute
200 the command */
201 exit(81); /* we can't print stuff at this stage,
202 instead use exit codes for debugging */
203 }
204 }
205
206#ifndef __INSURE__
207 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
208 2 point to /dev/null from the startup code */
209 {
210 int fd;
211 for (fd=3;fd<256;fd++) close(fd);
212 }
213#endif
214
215 {
216 char *newcmd = NULL;
217 if (sanitize) {
218 newcmd = escape_shell_string(cmd);
219 if (!newcmd)
220 exit(82);
221 }
222
223 execl("/bin/sh","sh","-c",
224 newcmd ? (const char *)newcmd : cmd, NULL);
225
226 SAFE_FREE(newcmd);
227 }
228
229 /* not reached */
230 exit(83);
[745]231 return 1;
[454]232#endif
[414]233}
234
235/****************************************************************************
236 Use only in known safe shell calls (printing).
237****************************************************************************/
238
239int smbrun_no_sanitize(const char *cmd, int *outfd)
240{
241 return smbrun_internal(cmd, outfd, False);
242}
243
244/****************************************************************************
245 By default this now sanitizes shell expansion.
246****************************************************************************/
247
248int smbrun(const char *cmd, int *outfd)
249{
250 return smbrun_internal(cmd, outfd, True);
251}
252
253/****************************************************************************
254run a command being careful about uid/gid handling and putting the output in
255outfd (or discard it if outfd is NULL).
256sends the provided secret to the child stdin.
257****************************************************************************/
258
259int smbrunsecret(const char *cmd, const char *secret)
260{
261 pid_t pid;
262 uid_t uid = current_user.ut.uid;
263 gid_t gid = current_user.ut.gid;
264 int ifd[2];
265
266 /*
267 * Lose any elevated privileges.
268 */
269 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
270 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
271
272 /* build up an input pipe */
273 if(pipe(ifd)) {
274 return -1;
275 }
276
277 /* in this method we will exec /bin/sh with the correct
278 arguments, after first setting stdout to point at the file */
279
280 /*
281 * We need to temporarily stop CatchChild from eating
282 * SIGCLD signals as it also eats the exit status code. JRA.
283 */
284
285 CatchChildLeaveStatus();
286
287 if ((pid=sys_fork()) < 0) {
288 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
289 CatchChild();
290 return errno;
291 }
292
293 if (pid) {
294 /*
295 * Parent.
296 */
297 int status = 0;
298 pid_t wpid;
299 size_t towrite;
300 ssize_t wrote;
301
302 close(ifd[0]);
303 /* send the secret */
304 towrite = strlen(secret);
305 wrote = write(ifd[1], secret, towrite);
306 if ( wrote != towrite ) {
307 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
308 }
309 fsync(ifd[1]);
310 close(ifd[1]);
311
312 /* the parent just waits for the child to exit */
313 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
314 if(errno == EINTR) {
315 errno = 0;
316 continue;
317 }
318 break;
319 }
320
321 CatchChild();
322
323 if (wpid != pid) {
324 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
325 return -1;
326 }
327
328#if defined(WIFEXITED) && defined(WEXITSTATUS)
329 if (WIFEXITED(status)) {
330 return WEXITSTATUS(status);
331 }
332#endif
333
334 return status;
335 }
336
337 CatchChild();
338
339 /* we are in the child. we exec /bin/sh to do the work for us. we
340 don't directly exec the command we want because it may be a
341 pipeline or anything else the config file specifies */
342
343 close(ifd[1]);
344 close(0);
345 if (dup2(ifd[0], 0) != 0) {
346 DEBUG(2,("Failed to create stdin file descriptor\n"));
347 close(ifd[0]);
348 exit(80);
349 }
350
351 /* now completely lose our privileges. This is a fairly paranoid
352 way of doing it, but it does work on all systems that I know of */
353
354 become_user_permanently(uid, gid);
355
356 if (!non_root_mode()) {
357 if (getuid() != uid || geteuid() != uid ||
358 getgid() != gid || getegid() != gid) {
359 /* we failed to lose our privileges - do not execute
360 the command */
361 exit(81); /* we can't print stuff at this stage,
362 instead use exit codes for debugging */
363 }
364 }
365
366#ifndef __INSURE__
367 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
368 2 point to /dev/null from the startup code */
369 {
370 int fd;
371 for (fd = 3; fd < 256; fd++) close(fd);
372 }
373#endif
374
375 execl("/bin/sh", "sh", "-c", cmd, NULL);
376
377 /* not reached */
378 exit(82);
379 return 1;
380}
Note: See TracBrowser for help on using the repository browser.