| 1 | n/a | /* |
|---|
| 2 | n/a | Template for a setuid program that calls a script. |
|---|
| 3 | n/a | |
|---|
| 4 | n/a | The script should be in an unwritable directory and should itself |
|---|
| 5 | n/a | be unwritable. In fact all parent directories up to the root |
|---|
| 6 | n/a | should be unwritable. The script must not be setuid, that's what |
|---|
| 7 | n/a | this program is for. |
|---|
| 8 | n/a | |
|---|
| 9 | n/a | This is a template program. You need to fill in the name of the |
|---|
| 10 | n/a | script that must be executed. This is done by changing the |
|---|
| 11 | n/a | definition of FULL_PATH below. |
|---|
| 12 | n/a | |
|---|
| 13 | n/a | There are also some rules that should be adhered to when writing |
|---|
| 14 | n/a | the script itself. |
|---|
| 15 | n/a | |
|---|
| 16 | n/a | The first and most important rule is to never, ever trust that the |
|---|
| 17 | n/a | user of the program will behave properly. Program defensively. |
|---|
| 18 | n/a | Check your arguments for reasonableness. If the user is allowed to |
|---|
| 19 | n/a | create files, check the names of the files. If the program depends |
|---|
| 20 | n/a | on argv[0] for the action it should perform, check it. |
|---|
| 21 | n/a | |
|---|
| 22 | n/a | Assuming the script is a Bourne shell script, the first line of the |
|---|
| 23 | n/a | script should be |
|---|
| 24 | n/a | #!/bin/sh - |
|---|
| 25 | n/a | The - is important, don't omit it. If you're using esh, the first |
|---|
| 26 | n/a | line should be |
|---|
| 27 | n/a | #!/usr/local/bin/esh -f |
|---|
| 28 | n/a | and for ksh, the first line should be |
|---|
| 29 | n/a | #!/usr/local/bin/ksh -p |
|---|
| 30 | n/a | The script should then set the variable IFS to the string |
|---|
| 31 | n/a | consisting of <space>, <tab>, and <newline>. After this (*not* |
|---|
| 32 | n/a | before!), the PATH variable should be set to a reasonable value and |
|---|
| 33 | n/a | exported. Do not expect the PATH to have a reasonable value, so do |
|---|
| 34 | n/a | not trust the old value of PATH. You should then set the umask of |
|---|
| 35 | n/a | the program by calling |
|---|
| 36 | n/a | umask 077 # or 022 if you want the files to be readable |
|---|
| 37 | n/a | If you plan to change directories, you should either unset CDPATH |
|---|
| 38 | n/a | or set it to a good value. Setting CDPATH to just ``.'' (dot) is a |
|---|
| 39 | n/a | good idea. |
|---|
| 40 | n/a | If, for some reason, you want to use csh, the first line should be |
|---|
| 41 | n/a | #!/bin/csh -fb |
|---|
| 42 | n/a | You should then set the path variable to something reasonable, |
|---|
| 43 | n/a | without trusting the inherited path. Here too, you should set the |
|---|
| 44 | n/a | umask using the command |
|---|
| 45 | n/a | umask 077 # or 022 if you want the files to be readable |
|---|
| 46 | n/a | */ |
|---|
| 47 | n/a | |
|---|
| 48 | n/a | #include <unistd.h> |
|---|
| 49 | n/a | #include <stdlib.h> |
|---|
| 50 | n/a | #include <stdio.h> |
|---|
| 51 | n/a | #include <sys/types.h> |
|---|
| 52 | n/a | #include <sys/stat.h> |
|---|
| 53 | n/a | #include <string.h> |
|---|
| 54 | n/a | |
|---|
| 55 | n/a | /* CONFIGURATION SECTION */ |
|---|
| 56 | n/a | |
|---|
| 57 | n/a | #ifndef FULL_PATH /* so that this can be specified from the Makefile */ |
|---|
| 58 | n/a | /* Uncomment the following line: |
|---|
| 59 | n/a | #define FULL_PATH "/full/path/of/script" |
|---|
| 60 | n/a | * Then comment out the #error line. */ |
|---|
| 61 | n/a | #error "You must define FULL_PATH somewhere" |
|---|
| 62 | n/a | #endif |
|---|
| 63 | n/a | #ifndef UMASK |
|---|
| 64 | n/a | #define UMASK 077 |
|---|
| 65 | n/a | #endif |
|---|
| 66 | n/a | |
|---|
| 67 | n/a | /* END OF CONFIGURATION SECTION */ |
|---|
| 68 | n/a | |
|---|
| 69 | n/a | #if defined(__STDC__) && defined(__sgi) |
|---|
| 70 | n/a | #define environ _environ |
|---|
| 71 | n/a | #endif |
|---|
| 72 | n/a | |
|---|
| 73 | n/a | /* don't change def_IFS */ |
|---|
| 74 | n/a | char def_IFS[] = "IFS= \t\n"; |
|---|
| 75 | n/a | /* you may want to change def_PATH, but you should really change it in */ |
|---|
| 76 | n/a | /* your script */ |
|---|
| 77 | n/a | #ifdef __sgi |
|---|
| 78 | n/a | char def_PATH[] = "PATH=/usr/bsd:/usr/bin:/bin:/usr/local/bin:/usr/sbin"; |
|---|
| 79 | n/a | #else |
|---|
| 80 | n/a | char def_PATH[] = "PATH=/usr/ucb:/usr/bin:/bin:/usr/local/bin"; |
|---|
| 81 | n/a | #endif |
|---|
| 82 | n/a | /* don't change def_CDPATH */ |
|---|
| 83 | n/a | char def_CDPATH[] = "CDPATH=."; |
|---|
| 84 | n/a | /* don't change def_ENV */ |
|---|
| 85 | n/a | char def_ENV[] = "ENV=:"; |
|---|
| 86 | n/a | |
|---|
| 87 | n/a | /* |
|---|
| 88 | n/a | This function changes all environment variables that start with LD_ |
|---|
| 89 | n/a | into variables that start with XD_. This is important since we |
|---|
| 90 | n/a | don't want the script that is executed to use any funny shared |
|---|
| 91 | n/a | libraries. |
|---|
| 92 | n/a | |
|---|
| 93 | n/a | The other changes to the environment are, strictly speaking, not |
|---|
| 94 | n/a | needed here. They can safely be done in the script. They are done |
|---|
| 95 | n/a | here because we don't trust the script writer (just like the script |
|---|
| 96 | n/a | writer shouldn't trust the user of the script). |
|---|
| 97 | n/a | If IFS is set in the environment, set it to space,tab,newline. |
|---|
| 98 | n/a | If CDPATH is set in the environment, set it to ``.''. |
|---|
| 99 | n/a | Set PATH to a reasonable default. |
|---|
| 100 | n/a | */ |
|---|
| 101 | n/a | void |
|---|
| 102 | n/a | clean_environ(void) |
|---|
| 103 | n/a | { |
|---|
| 104 | n/a | char **p; |
|---|
| 105 | n/a | extern char **environ; |
|---|
| 106 | n/a | |
|---|
| 107 | n/a | for (p = environ; *p; p++) { |
|---|
| 108 | n/a | if (strncmp(*p, "LD_", 3) == 0) |
|---|
| 109 | n/a | **p = 'X'; |
|---|
| 110 | n/a | else if (strncmp(*p, "_RLD", 4) == 0) |
|---|
| 111 | n/a | **p = 'X'; |
|---|
| 112 | n/a | else if (strncmp(*p, "PYTHON", 6) == 0) |
|---|
| 113 | n/a | **p = 'X'; |
|---|
| 114 | n/a | else if (strncmp(*p, "IFS=", 4) == 0) |
|---|
| 115 | n/a | *p = def_IFS; |
|---|
| 116 | n/a | else if (strncmp(*p, "CDPATH=", 7) == 0) |
|---|
| 117 | n/a | *p = def_CDPATH; |
|---|
| 118 | n/a | else if (strncmp(*p, "ENV=", 4) == 0) |
|---|
| 119 | n/a | *p = def_ENV; |
|---|
| 120 | n/a | } |
|---|
| 121 | n/a | putenv(def_PATH); |
|---|
| 122 | n/a | } |
|---|
| 123 | n/a | |
|---|
| 124 | n/a | int |
|---|
| 125 | n/a | main(int argc, char **argv) |
|---|
| 126 | n/a | { |
|---|
| 127 | n/a | struct stat statb; |
|---|
| 128 | n/a | gid_t egid = getegid(); |
|---|
| 129 | n/a | uid_t euid = geteuid(); |
|---|
| 130 | n/a | |
|---|
| 131 | n/a | /* |
|---|
| 132 | n/a | Sanity check #1. |
|---|
| 133 | n/a | This check should be made compile-time, but that's not possible. |
|---|
| 134 | n/a | If you're sure that you specified a full path name for FULL_PATH, |
|---|
| 135 | n/a | you can omit this check. |
|---|
| 136 | n/a | */ |
|---|
| 137 | n/a | if (FULL_PATH[0] != '/') { |
|---|
| 138 | n/a | fprintf(stderr, "%s: %s is not a full path name\n", argv[0], |
|---|
| 139 | n/a | FULL_PATH); |
|---|
| 140 | n/a | fprintf(stderr, "You can only use this wrapper if you\n"); |
|---|
| 141 | n/a | fprintf(stderr, "compile it with an absolute path.\n"); |
|---|
| 142 | n/a | exit(1); |
|---|
| 143 | n/a | } |
|---|
| 144 | n/a | |
|---|
| 145 | n/a | /* |
|---|
| 146 | n/a | Sanity check #2. |
|---|
| 147 | n/a | Check that the owner of the script is equal to either the |
|---|
| 148 | n/a | effective uid or the super user. |
|---|
| 149 | n/a | */ |
|---|
| 150 | n/a | if (stat(FULL_PATH, &statb) < 0) { |
|---|
| 151 | n/a | perror("stat"); |
|---|
| 152 | n/a | exit(1); |
|---|
| 153 | n/a | } |
|---|
| 154 | n/a | if (statb.st_uid != 0 && statb.st_uid != euid) { |
|---|
| 155 | n/a | fprintf(stderr, "%s: %s has the wrong owner\n", argv[0], |
|---|
| 156 | n/a | FULL_PATH); |
|---|
| 157 | n/a | fprintf(stderr, "The script should be owned by root,\n"); |
|---|
| 158 | n/a | fprintf(stderr, "and shouldn't be writable by anyone.\n"); |
|---|
| 159 | n/a | exit(1); |
|---|
| 160 | n/a | } |
|---|
| 161 | n/a | |
|---|
| 162 | n/a | if (setregid(egid, egid) < 0) |
|---|
| 163 | n/a | perror("setregid"); |
|---|
| 164 | n/a | if (setreuid(euid, euid) < 0) |
|---|
| 165 | n/a | perror("setreuid"); |
|---|
| 166 | n/a | |
|---|
| 167 | n/a | clean_environ(); |
|---|
| 168 | n/a | |
|---|
| 169 | n/a | umask(UMASK); |
|---|
| 170 | n/a | |
|---|
| 171 | n/a | while (**argv == '-') /* don't let argv[0] start with '-' */ |
|---|
| 172 | n/a | (*argv)++; |
|---|
| 173 | n/a | execv(FULL_PATH, argv); |
|---|
| 174 | n/a | fprintf(stderr, "%s: could not execute the script\n", argv[0]); |
|---|
| 175 | n/a | exit(1); |
|---|
| 176 | n/a | } |
|---|
