Add comment explaining the previous fix.
[Samba.git] / source / lib / smbrun.c
blob515fcd75c29ac78712bf575e0ec32a370adad6f7
1 /*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
22 /* need to move this from here!! need some sleep ... */
23 struct current_user current_user;
25 /****************************************************************************
26 This is a utility function of smbrun().
27 ****************************************************************************/
29 static int setup_out_fd(void)
31 int fd;
32 TALLOC_CTX *ctx = talloc_stackframe();
33 char *path = NULL;
35 path = talloc_asprintf(ctx,
36 "%s/smb.XXXXXX",
37 tmpdir());
38 if (!path) {
39 TALLOC_FREE(ctx);
40 errno = ENOMEM;
41 return -1;
44 /* now create the file */
45 fd = smb_mkstemp(path);
47 if (fd == -1) {
48 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
49 path, strerror(errno) ));
50 TALLOC_FREE(ctx);
51 return -1;
54 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
56 /* Ensure file only kept around by open fd. */
57 unlink(path);
58 TALLOC_FREE(ctx);
59 return fd;
62 /****************************************************************************
63 run a command being careful about uid/gid handling and putting the output in
64 outfd (or discard it if outfd is NULL).
65 ****************************************************************************/
67 static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
69 pid_t pid;
70 uid_t uid = current_user.ut.uid;
71 gid_t gid = current_user.ut.gid;
74 * Lose any elevated privileges.
76 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
77 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
79 /* point our stdout at the file we want output to go into */
81 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
82 return -1;
85 /* in this method we will exec /bin/sh with the correct
86 arguments, after first setting stdout to point at the file */
89 * We need to temporarily stop CatchChild from eating
90 * SIGCLD signals as it also eats the exit status code. JRA.
93 CatchChildLeaveStatus();
95 if ((pid=sys_fork()) < 0) {
96 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
97 CatchChild();
98 if (outfd) {
99 close(*outfd);
100 *outfd = -1;
102 return errno;
105 if (pid) {
107 * Parent.
109 int status=0;
110 pid_t wpid;
113 /* the parent just waits for the child to exit */
114 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
115 if(errno == EINTR) {
116 errno = 0;
117 continue;
119 break;
122 CatchChild();
124 if (wpid != pid) {
125 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
126 if (outfd) {
127 close(*outfd);
128 *outfd = -1;
130 return -1;
133 /* Reset the seek pointer. */
134 if (outfd) {
135 sys_lseek(*outfd, 0, SEEK_SET);
138 #if defined(WIFEXITED) && defined(WEXITSTATUS)
139 if (WIFEXITED(status)) {
140 return WEXITSTATUS(status);
142 #endif
144 return status;
147 CatchChild();
149 /* we are in the child. we exec /bin/sh to do the work for us. we
150 don't directly exec the command we want because it may be a
151 pipeline or anything else the config file specifies */
153 /* point our stdout at the file we want output to go into */
154 if (outfd) {
155 close(1);
156 if (sys_dup2(*outfd,1) != 1) {
157 DEBUG(2,("Failed to create stdout file descriptor\n"));
158 close(*outfd);
159 exit(80);
163 /* now completely lose our privileges. This is a fairly paranoid
164 way of doing it, but it does work on all systems that I know of */
166 become_user_permanently(uid, gid);
168 if (getuid() != uid || geteuid() != uid ||
169 getgid() != gid || getegid() != gid) {
170 /* we failed to lose our privileges - do not execute
171 the command */
172 exit(81); /* we can't print stuff at this stage,
173 instead use exit codes for debugging */
176 #ifndef __INSURE__
177 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
178 2 point to /dev/null from the startup code */
180 int fd;
181 for (fd=3;fd<256;fd++) close(fd);
183 #endif
186 const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
187 if (!newcmd) {
188 exit(82);
190 execl("/bin/sh","sh","-c",newcmd,NULL);
193 /* not reached */
194 exit(83);
195 return 1;
198 /****************************************************************************
199 Use only in known safe shell calls (printing).
200 ****************************************************************************/
202 int smbrun_no_sanitize(const char *cmd, int *outfd)
204 return smbrun_internal(cmd, outfd, False);
207 /****************************************************************************
208 By default this now sanitizes shell expansion.
209 ****************************************************************************/
211 int smbrun(const char *cmd, int *outfd)
213 return smbrun_internal(cmd, outfd, True);
216 /****************************************************************************
217 run a command being careful about uid/gid handling and putting the output in
218 outfd (or discard it if outfd is NULL).
219 sends the provided secret to the child stdin.
220 ****************************************************************************/
222 int smbrunsecret(const char *cmd, const char *secret)
224 pid_t pid;
225 uid_t uid = current_user.ut.uid;
226 gid_t gid = current_user.ut.gid;
227 int ifd[2];
230 * Lose any elevated privileges.
232 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
233 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
235 /* build up an input pipe */
236 if(pipe(ifd)) {
237 return -1;
240 /* in this method we will exec /bin/sh with the correct
241 arguments, after first setting stdout to point at the file */
244 * We need to temporarily stop CatchChild from eating
245 * SIGCLD signals as it also eats the exit status code. JRA.
248 CatchChildLeaveStatus();
250 if ((pid=sys_fork()) < 0) {
251 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
252 CatchChild();
253 return errno;
256 if (pid) {
258 * Parent.
260 int status = 0;
261 pid_t wpid;
262 size_t towrite;
263 ssize_t wrote;
265 close(ifd[0]);
266 /* send the secret */
267 towrite = strlen(secret);
268 wrote = write(ifd[1], secret, towrite);
269 if ( wrote != towrite ) {
270 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
272 fsync(ifd[1]);
273 close(ifd[1]);
275 /* the parent just waits for the child to exit */
276 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
277 if(errno == EINTR) {
278 errno = 0;
279 continue;
281 break;
284 CatchChild();
286 if (wpid != pid) {
287 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
288 return -1;
291 #if defined(WIFEXITED) && defined(WEXITSTATUS)
292 if (WIFEXITED(status)) {
293 return WEXITSTATUS(status);
295 #endif
297 return status;
300 CatchChild();
302 /* we are in the child. we exec /bin/sh to do the work for us. we
303 don't directly exec the command we want because it may be a
304 pipeline or anything else the config file specifies */
306 close(ifd[1]);
307 close(0);
308 if (sys_dup2(ifd[0], 0) != 0) {
309 DEBUG(2,("Failed to create stdin file descriptor\n"));
310 close(ifd[0]);
311 exit(80);
314 /* now completely lose our privileges. This is a fairly paranoid
315 way of doing it, but it does work on all systems that I know of */
317 become_user_permanently(uid, gid);
319 if (getuid() != uid || geteuid() != uid ||
320 getgid() != gid || getegid() != gid) {
321 /* we failed to lose our privileges - do not execute
322 the command */
323 exit(81); /* we can't print stuff at this stage,
324 instead use exit codes for debugging */
327 #ifndef __INSURE__
328 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
329 2 point to /dev/null from the startup code */
331 int fd;
332 for (fd = 3; fd < 256; fd++) close(fd);
334 #endif
336 execl("/bin/sh", "sh", "-c", cmd, NULL);
338 /* not reached */
339 exit(82);
340 return 1;