search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librpc: Shorten dcerpc_binding_handle_call a bit
[Samba/gebeck_regimport.git] / source3 / lib / smbrun.c
blob15a0c886e4779a81432f5edc0dfa1b79d22762f0
1 /*
2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/filesys.h"
22
23 /* need to move this from here!! need some sleep ... */
24 struct current_user current_user;
25
26 /****************************************************************************
27 This is a utility function of smbrun().
28 ****************************************************************************/
29
30 static int setup_out_fd(void)
31 {
32 int fd;
33 TALLOC_CTX *ctx = talloc_stackframe();
34 char *path = NULL;
35 mode_t mask;
36
37 path = talloc_asprintf(ctx,
38 "%s/smb.XXXXXX",
39 tmpdir());
40 if (!path) {
41 TALLOC_FREE(ctx);
42 errno = ENOMEM;
43 return -1;
44 }
45
46 /* now create the file */
47 mask = umask(S_IRWXO | S_IRWXG);
48 fd = mkstemp(path);
49 umask(mask);
50
51 if (fd == -1) {
52 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
53 path, strerror(errno) ));
54 TALLOC_FREE(ctx);
55 return -1;
56 }
57
58 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
59
60 /* Ensure file only kept around by open fd. */
61 unlink(path);
62 TALLOC_FREE(ctx);
63 return fd;
64 }
65
66 /****************************************************************************
67 run a command being careful about uid/gid handling and putting the output in
68 outfd (or discard it if outfd is NULL).
69 ****************************************************************************/
70
71 static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
72 {
73 pid_t pid;
74 uid_t uid = current_user.ut.uid;
75 gid_t gid = current_user.ut.gid;
76
77 /*
78 * Lose any elevated privileges.
79 */
80 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
81 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
82
83 /* point our stdout at the file we want output to go into */
84
85 if (outfd && ((*outfd = setup_out_fd()) == -1)) {
86 return -1;
87 }
88
89 /* in this method we will exec /bin/sh with the correct
90 arguments, after first setting stdout to point at the file */
91
92 /*
93 * We need to temporarily stop CatchChild from eating
94 * SIGCLD signals as it also eats the exit status code. JRA.
95 */
96
97 CatchChildLeaveStatus();
98
99 if ((pid=fork()) < 0) {
100 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
101 CatchChild();
102 if (outfd) {
103 close(*outfd);
104 *outfd = -1;
105 }
106 return errno;
107 }
108
109 if (pid) {
110 /*
111 * Parent.
112 */
113 int status=0;
114 pid_t wpid;
115
116
117 /* the parent just waits for the child to exit */
118 while((wpid = sys_waitpid(pid,&status,0)) < 0) {
119 if(errno == EINTR) {
120 errno = 0;
121 continue;
122 }
123 break;
124 }
125
126 CatchChild();
127
128 if (wpid != pid) {
129 DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
130 if (outfd) {
131 close(*outfd);
132 *outfd = -1;
133 }
134 return -1;
135 }
136
137 /* Reset the seek pointer. */
138 if (outfd) {
139 lseek(*outfd, 0, SEEK_SET);
140 }
141
142 #if defined(WIFEXITED) && defined(WEXITSTATUS)
143 if (WIFEXITED(status)) {
144 return WEXITSTATUS(status);
145 }
146 #endif
147
148 return status;
149 }
150
151 CatchChild();
152
153 /* we are in the child. we exec /bin/sh to do the work for us. we
154 don't directly exec the command we want because it may be a
155 pipeline or anything else the config file specifies */
156
157 /* point our stdout at the file we want output to go into */
158 if (outfd) {
159 close(1);
160 if (dup2(*outfd,1) != 1) {
161 DEBUG(2,("Failed to create stdout file descriptor\n"));
162 close(*outfd);
163 exit(80);
164 }
165 }
166
167 /* now completely lose our privileges. This is a fairly paranoid
168 way of doing it, but it does work on all systems that I know of */
169
170 become_user_permanently(uid, gid);
171
172 if (!non_root_mode()) {
173 if (getuid() != uid || geteuid() != uid ||
174 getgid() != gid || getegid() != gid) {
175 /* we failed to lose our privileges - do not execute
176 the command */
177 exit(81); /* we can't print stuff at this stage,
178 instead use exit codes for debugging */
179 }
180 }
181
182 #ifndef __INSURE__
183 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
184 2 point to /dev/null from the startup code */
185 {
186 int fd;
187 for (fd=3;fd<256;fd++) close(fd);
188 }
189 #endif
190
191 {
192 char *newcmd = NULL;
193 if (sanitize) {
194 newcmd = escape_shell_string(cmd);
195 if (!newcmd)
196 exit(82);
197 }
198
199 execl("/bin/sh","sh","-c",
200 newcmd ? (const char *)newcmd : cmd, NULL);
201
202 SAFE_FREE(newcmd);
203 }
204
205 /* not reached */
206 exit(83);
207 return 1;
208 }
209
210 /****************************************************************************
211 Use only in known safe shell calls (printing).
212 ****************************************************************************/
213
214 int smbrun_no_sanitize(const char *cmd, int *outfd)
215 {
216 return smbrun_internal(cmd, outfd, False);
217 }
218
219 /****************************************************************************
220 By default this now sanitizes shell expansion.
221 ****************************************************************************/
222
223 int smbrun(const char *cmd, int *outfd)
224 {
225 return smbrun_internal(cmd, outfd, True);
226 }
227
228 /****************************************************************************
229 run a command being careful about uid/gid handling and putting the output in
230 outfd (or discard it if outfd is NULL).
231 sends the provided secret to the child stdin.
232 ****************************************************************************/
233
234 int smbrunsecret(const char *cmd, const char *secret)
235 {
236 pid_t pid;
237 uid_t uid = current_user.ut.uid;
238 gid_t gid = current_user.ut.gid;
239 int ifd[2];
240
241 /*
242 * Lose any elevated privileges.
243 */
244 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
245 drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
246
247 /* build up an input pipe */
248 if(pipe(ifd)) {
249 return -1;
250 }
251
252 /* in this method we will exec /bin/sh with the correct
253 arguments, after first setting stdout to point at the file */
254
255 /*
256 * We need to temporarily stop CatchChild from eating
257 * SIGCLD signals as it also eats the exit status code. JRA.
258 */
259
260 CatchChildLeaveStatus();
261
262 if ((pid=fork()) < 0) {
263 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
264 CatchChild();
265 return errno;
266 }
267
268 if (pid) {
269 /*
270 * Parent.
271 */
272 int status = 0;
273 pid_t wpid;
274 size_t towrite;
275 ssize_t wrote;
276
277 close(ifd[0]);
278 /* send the secret */
279 towrite = strlen(secret);
280 wrote = write(ifd[1], secret, towrite);
281 if ( wrote != towrite ) {
282 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
283 }
284 fsync(ifd[1]);
285 close(ifd[1]);
286
287 /* the parent just waits for the child to exit */
288 while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
289 if(errno == EINTR) {
290 errno = 0;
291 continue;
292 }
293 break;
294 }
295
296 CatchChild();
297
298 if (wpid != pid) {
299 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
300 return -1;
301 }
302
303 #if defined(WIFEXITED) && defined(WEXITSTATUS)
304 if (WIFEXITED(status)) {
305 return WEXITSTATUS(status);
306 }
307 #endif
308
309 return status;
310 }
311
312 CatchChild();
313
314 /* we are in the child. we exec /bin/sh to do the work for us. we
315 don't directly exec the command we want because it may be a
316 pipeline or anything else the config file specifies */
317
318 close(ifd[1]);
319 close(0);
320 if (dup2(ifd[0], 0) != 0) {
321 DEBUG(2,("Failed to create stdin file descriptor\n"));
322 close(ifd[0]);
323 exit(80);
324 }
325
326 /* now completely lose our privileges. This is a fairly paranoid
327 way of doing it, but it does work on all systems that I know of */
328
329 become_user_permanently(uid, gid);
330
331 if (!non_root_mode()) {
332 if (getuid() != uid || geteuid() != uid ||
333 getgid() != gid || getegid() != gid) {
334 /* we failed to lose our privileges - do not execute
335 the command */
336 exit(81); /* we can't print stuff at this stage,
337 instead use exit codes for debugging */
338 }
339 }
340
341 #ifndef __INSURE__
342 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
343 2 point to /dev/null from the startup code */
344 {
345 int fd;
346 for (fd = 3; fd < 256; fd++) close(fd);
347 }
348 #endif
349
350 execl("/bin/sh", "sh", "-c", cmd, NULL);
351
352 /* not reached */
353 exit(82);
354 return 1;
355 }
reg import