Samba: lib/smbrun.c ソースファイル

00001 /* 
00002    Unix SMB/CIFS implementation.
00003    run a command as a specified user
00004    Copyright (C) Andrew Tridgell 1992-1998
00005    
00006    This program is free software; you can redistribute it and/or modify
00007    it under the terms of the GNU General Public License as published by
00008    the Free Software Foundation; either version 2 of the License, or
00009    (at your option) any later version.
00010    
00011    This program is distributed in the hope that it will be useful,
00012    but WITHOUT ANY WARRANTY; without even the implied warranty of
00013    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00014    GNU General Public License for more details.
00015    
00016    You should have received a copy of the GNU General Public License
00017    along with this program; if not, write to the Free Software
00018    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
00019 */
00020 
00021 #include "includes.h"
00022 
00023 /* need to move this from here!! need some sleep ... */
00024 struct current_user current_user;
00025 
00026 /****************************************************************************
00027 This is a utility function of smbrun().
00028 ****************************************************************************/
00029 
00030 static int setup_out_fd(void)
00031 {  
00032         int fd;
00033         pstring path;
00034 
00035         slprintf(path, sizeof(path)-1, "%s/smb.XXXXXX", tmpdir());
00036 
00037         /* now create the file */
00038         fd = smb_mkstemp(path);
00039 
00040         if (fd == -1) {
00041                 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
00042                         path, strerror(errno) ));
00043                 return -1;
00044         }
00045 
00046         DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
00047 
00048         /* Ensure file only kept around by open fd. */
00049         unlink(path);
00050         return fd;
00051 }
00052 
00053 /****************************************************************************
00054 run a command being careful about uid/gid handling and putting the output in
00055 outfd (or discard it if outfd is NULL).
00056 ****************************************************************************/
00057 
00058 static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize)
00059 {
00060         pid_t pid;
00061         uid_t uid = current_user.ut.uid;
00062         gid_t gid = current_user.ut.gid;
00063         
00064         /*
00065          * Lose any elevated privileges.
00066          */
00067         drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
00068         drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
00069 
00070         /* point our stdout at the file we want output to go into */
00071 
00072         if (outfd && ((*outfd = setup_out_fd()) == -1)) {
00073                 return -1;
00074         }
00075 
00076         /* in this method we will exec /bin/sh with the correct
00077            arguments, after first setting stdout to point at the file */
00078 
00079         /*
00080          * We need to temporarily stop CatchChild from eating
00081          * SIGCLD signals as it also eats the exit status code. JRA.
00082          */
00083 
00084         CatchChildLeaveStatus();
00085                                         
00086         if ((pid=sys_fork()) < 0) {
00087                 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
00088                 CatchChild(); 
00089                 if (outfd) {
00090                         close(*outfd);
00091                         *outfd = -1;
00092                 }
00093                 return errno;
00094         }
00095 
00096         if (pid) {
00097                 /*
00098                  * Parent.
00099                  */
00100                 int status=0;
00101                 pid_t wpid;
00102 
00103                 
00104                 /* the parent just waits for the child to exit */
00105                 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
00106                         if(errno == EINTR) {
00107                                 errno = 0;
00108                                 continue;
00109                         }
00110                         break;
00111                 }
00112 
00113                 CatchChild(); 
00114 
00115                 if (wpid != pid) {
00116                         DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
00117                         if (outfd) {
00118                                 close(*outfd);
00119                                 *outfd = -1;
00120                         }
00121                         return -1;
00122                 }
00123 
00124                 /* Reset the seek pointer. */
00125                 if (outfd) {
00126                         sys_lseek(*outfd, 0, SEEK_SET);
00127                 }
00128 
00129 #if defined(WIFEXITED) && defined(WEXITSTATUS)
00130                 if (WIFEXITED(status)) {
00131                         return WEXITSTATUS(status);
00132                 }
00133 #endif
00134 
00135                 return status;
00136         }
00137         
00138         CatchChild(); 
00139         
00140         /* we are in the child. we exec /bin/sh to do the work for us. we
00141            don't directly exec the command we want because it may be a
00142            pipeline or anything else the config file specifies */
00143         
00144         /* point our stdout at the file we want output to go into */
00145         if (outfd) {
00146                 close(1);
00147                 if (sys_dup2(*outfd,1) != 1) {
00148                         DEBUG(2,("Failed to create stdout file descriptor\n"));
00149                         close(*outfd);
00150                         exit(80);
00151                 }
00152         }
00153 
00154         /* now completely lose our privileges. This is a fairly paranoid
00155            way of doing it, but it does work on all systems that I know of */
00156 
00157         become_user_permanently(uid, gid);
00158 
00159         if (getuid() != uid || geteuid() != uid ||
00160             getgid() != gid || getegid() != gid) {
00161                 /* we failed to lose our privileges - do not execute
00162                    the command */
00163                 exit(81); /* we can't print stuff at this stage,
00164                              instead use exit codes for debugging */
00165         }
00166         
00167 #ifndef __INSURE__
00168         /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
00169            2 point to /dev/null from the startup code */
00170         {
00171         int fd;
00172         for (fd=3;fd<256;fd++) close(fd);
00173         }
00174 #endif
00175 
00176         {
00177                 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
00178                 if (!newcmd) {
00179                         exit(82);
00180                 }
00181                 execl("/bin/sh","sh","-c",newcmd,NULL);  
00182         }
00183         
00184         /* not reached */
00185         exit(83);
00186         return 1;
00187 }
00188 
00189 /****************************************************************************
00190  Use only in known safe shell calls (printing).
00191 ****************************************************************************/
00192 
00193 int smbrun_no_sanitize(const char *cmd, int *outfd)
00194 {
00195         return smbrun_internal(cmd, outfd, False);
00196 }
00197 
00198 /****************************************************************************
00199  By default this now sanitizes shell expansion.
00200 ****************************************************************************/
00201 
00202 int smbrun(const char *cmd, int *outfd)
00203 {
00204         return smbrun_internal(cmd, outfd, True);
00205 }
00206 
00207 /****************************************************************************
00208 run a command being careful about uid/gid handling and putting the output in
00209 outfd (or discard it if outfd is NULL).
00210 sends the provided secret to the child stdin.
00211 ****************************************************************************/
00212 
00213 int smbrunsecret(const char *cmd, const char *secret)
00214 {
00215         pid_t pid;
00216         uid_t uid = current_user.ut.uid;
00217         gid_t gid = current_user.ut.gid;
00218         int ifd[2];
00219         
00220         /*
00221          * Lose any elevated privileges.
00222          */
00223         drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
00224         drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
00225 
00226         /* build up an input pipe */
00227         if(pipe(ifd)) {
00228                 return -1;
00229         }
00230 
00231         /* in this method we will exec /bin/sh with the correct
00232            arguments, after first setting stdout to point at the file */
00233 
00234         /*
00235          * We need to temporarily stop CatchChild from eating
00236          * SIGCLD signals as it also eats the exit status code. JRA.
00237          */
00238 
00239         CatchChildLeaveStatus();
00240                                         
00241         if ((pid=sys_fork()) < 0) {
00242                 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
00243                 CatchChild(); 
00244                 return errno;
00245         }
00246 
00247         if (pid) {
00248                 /*
00249                  * Parent.
00250                  */
00251                 int status = 0;
00252                 pid_t wpid;
00253                 size_t towrite;
00254                 ssize_t wrote;
00255                 
00256                 close(ifd[0]);
00257                 /* send the secret */
00258                 towrite = strlen(secret);
00259                 wrote = write(ifd[1], secret, towrite);
00260                 if ( wrote != towrite ) {
00261                     DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
00262                 }
00263                 fsync(ifd[1]);
00264                 close(ifd[1]);
00265 
00266                 /* the parent just waits for the child to exit */
00267                 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
00268                         if(errno == EINTR) {
00269                                 errno = 0;
00270                                 continue;
00271                         }
00272                         break;
00273                 }
00274 
00275                 CatchChild(); 
00276 
00277                 if (wpid != pid) {
00278                         DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
00279                         return -1;
00280                 }
00281 
00282 #if defined(WIFEXITED) && defined(WEXITSTATUS)
00283                 if (WIFEXITED(status)) {
00284                         return WEXITSTATUS(status);
00285                 }
00286 #endif
00287 
00288                 return status;
00289         }
00290         
00291         CatchChild(); 
00292         
00293         /* we are in the child. we exec /bin/sh to do the work for us. we
00294            don't directly exec the command we want because it may be a
00295            pipeline or anything else the config file specifies */
00296         
00297         close(ifd[1]);
00298         close(0);
00299         if (sys_dup2(ifd[0], 0) != 0) {
00300                 DEBUG(2,("Failed to create stdin file descriptor\n"));
00301                 close(ifd[0]);
00302                 exit(80);
00303         }
00304 
00305         /* now completely lose our privileges. This is a fairly paranoid
00306            way of doing it, but it does work on all systems that I know of */
00307 
00308         become_user_permanently(uid, gid);
00309 
00310         if (getuid() != uid || geteuid() != uid ||
00311             getgid() != gid || getegid() != gid) {
00312                 /* we failed to lose our privileges - do not execute
00313                    the command */
00314                 exit(81); /* we can't print stuff at this stage,
00315                              instead use exit codes for debugging */
00316         }
00317         
00318 #ifndef __INSURE__
00319         /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
00320            2 point to /dev/null from the startup code */
00321         {
00322                 int fd;
00323                 for (fd = 3; fd < 256; fd++) close(fd);
00324         }
00325 #endif
00326 
00327         execl("/bin/sh", "sh", "-c", cmd, NULL);  
00328 
00329         /* not reached */
00330         exit(82);
00331         return 1;
00332 }