search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vfs_acl_common: rename psd to psd_blob in get_nt_acl_internal()
[Samba.git] / source3 / lib / smbrun.c
blob55f7a871d3ac267eaeabe05a460cf35fbfdc6790
1 /*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/filesys.h"
22
23 /* need to move this from here!! need some sleep ... */
24 struct current_user current_user;
25
26 /****************************************************************************
27 This is a utility function of smbrun().
28 ****************************************************************************/
29
30 static int setup_out_fd(void)
31 {
32 int fd;
33 TALLOC_CTX *ctx = talloc_stackframe();
34 char *path = NULL;
35 mode_t mask;
36
37 path = talloc_asprintf(ctx,
38 "%s/smb.XXXXXX",
39 tmpdir());
40 if (!path) {
41 TALLOC_FREE(ctx);
42 errno = ENOMEM;
43 return -1;
44 }
45
46 /* now create the file */
47 mask = umask(S_IRWXO | S_IRWXG);
48 fd = mkstemp(path);
49 umask(mask);
50
51 if (fd == -1) {
52 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
53 path, strerror(errno) ));
54 TALLOC_FREE(ctx);
55 return -1;
56 }
57
58 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
59
60 /* Ensure file only kept around by open fd. */
61 unlink(path);
62 TALLOC_FREE(ctx);
63 return fd;
64 }
65
66 /****************************************************************************
67 run a command being careful about uid/gid handling and putting the output in
68 outfd (or discard it if outfd is NULL).
69 ****************************************************************************/
70
71 static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
72 {
73 pid_t pid;
74 uid_t uid = current_user.ut.uid;
75 gid_t gid = current_user.ut.gid;
76 void (*saved_handler)(int);
77
78 /*
79 * Lose any elevated privileges.
80 */
81 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
82 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
83
84 /* point our stdout at the file we want output to go into */
85
86 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
87 return -1;
88 }
89
90 /* in this method we will exec /bin/sh with the correct
91 arguments, after first setting stdout to point at the file */
92
93 /*
94 * We need to temporarily stop CatchChild from eating
95 * SIGCLD signals as it also eats the exit status code. JRA.
96 */
97
98 saved_handler = CatchChildLeaveStatus();
99
100 if ((pid=fork()) < 0) {
101 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
102 (void)CatchSignal(SIGCLD, saved_handler);
103 if (outfd) {
104 close(*outfd);
105 *outfd = -1;
106 }
107 return errno;
108 }
109
110 if (pid) {
111 /*
112 * Parent.
113 */
114 int status=0;
115 pid_t wpid;
116
117
118 /* the parent just waits for the child to exit */
119 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
120 if(errno == EINTR) {
121 errno = 0;
122 continue;
123 }
124 break;
125 }
126
127 (void)CatchSignal(SIGCLD, saved_handler);
128
129 if (wpid != pid) {
130 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
131 if (outfd) {
132 close(*outfd);
133 *outfd = -1;
134 }
135 return -1;
136 }
137
138 /* Reset the seek pointer. */
139 if (outfd) {
140 lseek(*outfd, 0, SEEK_SET);
141 }
142
143 #if defined(WIFEXITED) && defined(WEXITSTATUS)
144 if (WIFEXITED(status)) {
145 return WEXITSTATUS(status);
146 }
147 #endif
148
149 return status;
150 }
151
152 (void)CatchChild();
153
154 /* we are in the child. we exec /bin/sh to do the work for us. we
155 don't directly exec the command we want because it may be a
156 pipeline or anything else the config file specifies */
157
158 /* point our stdout at the file we want output to go into */
159 if (outfd) {
160 close(1);
161 if (dup2(*outfd,1) != 1) {
162 DEBUG(2,("Failed to create stdout file descriptor\n"));
163 close(*outfd);
164 exit(80);
165 }
166 }
167
168 /* now completely lose our privileges. This is a fairly paranoid
169 way of doing it, but it does work on all systems that I know of */
170
171 become_user_permanently(uid, gid);
172
173 if (!non_root_mode()) {
174 if (getuid() != uid || geteuid() != uid ||
175 getgid() != gid || getegid() != gid) {
176 /* we failed to lose our privileges - do not execute
177 the command */
178 exit(81); /* we can't print stuff at this stage,
179 instead use exit codes for debugging */
180 }
181 }
182
183 #ifndef __INSURE__
184 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
185 2 point to /dev/null from the startup code */
186 {
187 int fd;
188 for (fd=3;fd<256;fd++) close(fd);
189 }
190 #endif
191
192 {
193 char *newcmd = NULL;
194 if (sanitize) {
195 newcmd = escape_shell_string(cmd);
196 if (!newcmd)
197 exit(82);
198 }
199
200 execl("/bin/sh","sh","-c",
201 newcmd ? (const char *)newcmd : cmd, NULL);
202
203 SAFE_FREE(newcmd);
204 }
205
206 /* not reached */
207 exit(83);
208 return 1;
209 }
210
211 /****************************************************************************
212 Use only in known safe shell calls (printing).
213 ****************************************************************************/
214
215 int smbrun_no_sanitize(const char *cmd, int *outfd)
216 {
217 return smbrun_internal(cmd, outfd, False);
218 }
219
220 /****************************************************************************
221 By default this now sanitizes shell expansion.
222 ****************************************************************************/
223
224 int smbrun(const char *cmd, int *outfd)
225 {
226 return smbrun_internal(cmd, outfd, True);
227 }
228
229 /****************************************************************************
230 run a command being careful about uid/gid handling and putting the output in
231 outfd (or discard it if outfd is NULL).
232 sends the provided secret to the child stdin.
233 ****************************************************************************/
234
235 int smbrunsecret(const char *cmd, const char *secret)
236 {
237 pid_t pid;
238 uid_t uid = current_user.ut.uid;
239 gid_t gid = current_user.ut.gid;
240 int ifd[2];
241 void (*saved_handler)(int);
242
243 /*
244 * Lose any elevated privileges.
245 */
246 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
247 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
248
249 /* build up an input pipe */
250 if(pipe(ifd)) {
251 return -1;
252 }
253
254 /* in this method we will exec /bin/sh with the correct
255 arguments, after first setting stdout to point at the file */
256
257 /*
258 * We need to temporarily stop CatchChild from eating
259 * SIGCLD signals as it also eats the exit status code. JRA.
260 */
261
262 saved_handler = CatchChildLeaveStatus();
263
264 if ((pid=fork()) < 0) {
265 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
266 (void)CatchSignal(SIGCLD, saved_handler);
267 return errno;
268 }
269
270 if (pid) {
271 /*
272 * Parent.
273 */
274 int status = 0;
275 pid_t wpid;
276 size_t towrite;
277 ssize_t wrote;
278
279 close(ifd[0]);
280 /* send the secret */
281 towrite = strlen(secret);
282 wrote = write(ifd[1], secret, towrite);
283 if ( wrote != towrite ) {
284 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
285 }
286 fsync(ifd[1]);
287 close(ifd[1]);
288
289 /* the parent just waits for the child to exit */
290 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
291 if(errno == EINTR) {
292 errno = 0;
293 continue;
294 }
295 break;
296 }
297
298 (void)CatchSignal(SIGCLD, saved_handler);
299
300 if (wpid != pid) {
301 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
302 return -1;
303 }
304
305 #if defined(WIFEXITED) && defined(WEXITSTATUS)
306 if (WIFEXITED(status)) {
307 return WEXITSTATUS(status);
308 }
309 #endif
310
311 return status;
312 }
313
314 (void)CatchChild();
315
316 /* we are in the child. we exec /bin/sh to do the work for us. we
317 don't directly exec the command we want because it may be a
318 pipeline or anything else the config file specifies */
319
320 close(ifd[1]);
321 close(0);
322 if (dup2(ifd[0], 0) != 0) {
323 DEBUG(2,("Failed to create stdin file descriptor\n"));
324 close(ifd[0]);
325 exit(80);
326 }
327
328 /* now completely lose our privileges. This is a fairly paranoid
329 way of doing it, but it does work on all systems that I know of */
330
331 become_user_permanently(uid, gid);
332
333 if (!non_root_mode()) {
334 if (getuid() != uid || geteuid() != uid ||
335 getgid() != gid || getegid() != gid) {
336 /* we failed to lose our privileges - do not execute
337 the command */
338 exit(81); /* we can't print stuff at this stage,
339 instead use exit codes for debugging */
340 }
341 }
342
343 #ifndef __INSURE__
344 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
345 2 point to /dev/null from the startup code */
346 {
347 int fd;
348 for (fd = 3; fd < 256; fd++) close(fd);
349 }
350 #endif
351
352 execl("/bin/sh", "sh", "-c", cmd, NULL);
353
354 /* not reached */
355 exit(82);
356 return 1;
357 }
Samba GIT mirror