src/chroot.c

   1 /* chroot -- run command or shell with special root directory
   2    Copyright (C) 1995-2022 Free Software Foundation, Inc.
   3
   4    This program is free software: you can redistribute it and/or modify
   5    it under the terms of the GNU General Public License as published by
   6    the Free Software Foundation, either version 3 of the License, or
   7    (at your option) any later version.
   8
   9    This program is distributed in the hope that it will be useful,
  10    but WITHOUT ANY WARRANTY; without even the implied warranty of
  11    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12    GNU General Public License for more details.
  13
  14    You should have received a copy of the GNU General Public License
  15    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
  16
  17 /* Written by Roland McGrath.  */
  18
  19 #include <config.h>
  20 #include <getopt.h>
  21 #include <stdio.h>
  22 #include <sys/types.h>
  23 #include <pwd.h>
  24 #include <grp.h>
  25
  26 #include "system.h"
  27 #include "die.h"
  28 #include "error.h"
  29 #include "ignore-value.h"
  30 #include "mgetgroups.h"
  31 #include "quote.h"
  32 #include "root-dev-ino.h"
  33 #include "userspec.h"
  34 #include "xstrtol.h"
  35
  36 /* The official name of this program (e.g., no 'g' prefix).  */
  37 #define PROGRAM_NAME "chroot"
  38
  39 #define AUTHORS proper_name ("Roland McGrath")
  40
  41 #ifndef MAXGID
  42 # define MAXGID GID_T_MAX
  43 #endif
  44
  45 static inline bool uid_unset (uid_t uid) { return uid == (uid_t) -1; }
  46 static inline bool gid_unset (gid_t gid) { return gid == (gid_t) -1; }
  47 #define uid_set(x) (!uid_unset (x))
  48 #define gid_set(x) (!gid_unset (x))
  49
  50 enum
  51 {
  52   GROUPS = UCHAR_MAX + 1,
  53   USERSPEC,
  54   SKIP_CHDIR
  55 };
  56
  57 static struct option const long_opts[] =
  58 {
  59   {"groups", required_argument, NULL, GROUPS},
  60   {"userspec", required_argument, NULL, USERSPEC},
  61   {"skip-chdir", no_argument, NULL, SKIP_CHDIR},
  62   {GETOPT_HELP_OPTION_DECL},
  63   {GETOPT_VERSION_OPTION_DECL},
  64   {NULL, 0, NULL, 0}
  65 };
  66
  67 #if ! HAVE_SETGROUPS
  68 /* At least Interix lacks supplemental group support.  */
  69 static int
  70 setgroups (size_t size, MAYBE_UNUSED gid_t const *list)
  71 {
  72   if (size == 0)
  73     {
  74       /* Return success when clearing supplemental groups
  75          as ! HAVE_SETGROUPS should only be the case on
  76          platforms that don't support supplemental groups.  */
  77       return 0;
  78     }
  79   else
  80     {
  81       errno = ENOTSUP;
  82       return -1;
  83     }
  84 }
  85 #endif
  86
  87 /* Determine the group IDs for the specified supplementary GROUPS,
  88    which is a comma separated list of supplementary groups (names or numbers).
  89    Allocate an array for the parsed IDs and store it in PGIDS,
  90    which may be allocated even on parse failure.
  91    Update the number of parsed groups in PN_GIDS on success.
  92    Upon any failure return nonzero, and issue diagnostic if SHOW_ERRORS is true.
  93    Otherwise return zero.  */
  94
  95 static int
  96 parse_additional_groups (char const *groups, GETGROUPS_T **pgids,
  97                          size_t *pn_gids, bool show_errors)
  98 {
  99   GETGROUPS_T *gids = NULL;
 100   size_t n_gids_allocated = 0;
 101   size_t n_gids = 0;
 102   char *buffer = xstrdup (groups);
 103   char const *tmp;
 104   int ret = 0;
 105
 106   for (tmp = strtok (buffer, ","); tmp; tmp = strtok (NULL, ","))
 107     {
 108       struct group *g;
 109       uintmax_t value;
 110
 111       if (xstrtoumax (tmp, NULL, 10, &value, "") == LONGINT_OK
 112           && value <= MAXGID)
 113         {
 114           while (isspace (to_uchar (*tmp)))
 115             tmp++;
 116           if (*tmp != '+')
 117             {
 118               /* Handle the case where the name is numeric.  */
 119               g = getgrnam (tmp);
 120               if (g != NULL)
 121                 value = g->gr_gid;
 122             }
 123           /* Flag that we've got a group from the number.  */
 124           g = (struct group *) (intptr_t) ! NULL;
 125         }
 126       else
 127         {
 128           g = getgrnam (tmp);
 129           if (g != NULL)
 130             value = g->gr_gid;
 131         }
 132
 133       if (g == NULL)
 134         {
 135           ret = -1;
 136
 137           if (show_errors)
 138             {
 139               error (0, errno, _("invalid group %s"), quote (tmp));
 140               continue;
 141             }
 142
 143           break;
 144         }
 145
 146       if (n_gids == n_gids_allocated)
 147         gids = X2NREALLOC (gids, &n_gids_allocated);
 148       gids[n_gids++] = value;
 149     }
 150
 151   if (ret == 0 && n_gids == 0)
 152     {
 153       if (show_errors)
 154         error (0, 0, _("invalid group list %s"), quote (groups));
 155       ret = -1;
 156     }
 157
 158   *pgids = gids;
 159
 160   if (ret == 0)
 161     *pn_gids = n_gids;
 162
 163   free (buffer);
 164   return ret;
 165 }
 166
 167 /* Return whether the passed path is equivalent to "/".
 168    Note we don't compare against get_root_dev_ino() as "/"
 169    could be bind mounted to a separate location.  */
 170
 171 static bool
 172 is_root (char const *dir)
 173 {
 174   char *resolved = canonicalize_file_name (dir);
 175   bool is_res_root = resolved && STREQ ("/", resolved);
 176   free (resolved);
 177   return is_res_root;
 178 }
 179
 180 void
 181 usage (int status)
 182 {
 183   if (status != EXIT_SUCCESS)
 184     emit_try_help ();
 185   else
 186     {
 187       printf (_("\
 188 Usage: %s [OPTION] NEWROOT [COMMAND [ARG]...]\n\
 189   or:  %s OPTION\n\
 190 "), program_name, program_name);
 191
 192       fputs (_("\
 193 Run COMMAND with root directory set to NEWROOT.\n\
 194 \n\
 195 "), stdout);
 196
 197       fputs (_("\
 198       --groups=G_LIST        specify supplementary groups as g1,g2,..,gN\n\
 199 "), stdout);
 200       fputs (_("\
 201       --userspec=USER:GROUP  specify user and group (ID or name) to use\n\
 202 "), stdout);
 203       printf (_("\
 204       --skip-chdir           do not change working directory to %s\n\
 205 "), quoteaf ("/"));
 206
 207       fputs (HELP_OPTION_DESCRIPTION, stdout);
 208       fputs (VERSION_OPTION_DESCRIPTION, stdout);
 209       fputs (_("\
 210 \n\
 211 If no command is given, run '\"$SHELL\" -i' (default: '/bin/sh -i').\n\
 212 "), stdout);
 213       emit_ancillary_info (PROGRAM_NAME);
 214     }
 215   exit (status);
 216 }
 217
 218 int
 219 main (int argc, char **argv)
 220 {
 221   int c;
 222
 223   /* Input user and groups spec.  */
 224   char *userspec = NULL;
 225   char const *username = NULL;
 226   char const *groups = NULL;
 227   bool skip_chdir = false;
 228
 229   /* Parsed user and group IDs.  */
 230   uid_t uid = -1;
 231   gid_t gid = -1;
 232   GETGROUPS_T *out_gids = NULL;
 233   size_t n_gids = 0;
 234
 235   initialize_main (&argc, &argv);
 236   set_program_name (argv[0]);
 237   setlocale (LC_ALL, "");
 238   bindtextdomain (PACKAGE, LOCALEDIR);
 239   textdomain (PACKAGE);
 240
 241   initialize_exit_failure (EXIT_CANCELED);
 242   atexit (close_stdout);
 243
 244   while ((c = getopt_long (argc, argv, "+", long_opts, NULL)) != -1)
 245     {
 246       switch (c)
 247         {
 248         case USERSPEC:
 249           {
 250             userspec = optarg;
 251             /* Treat 'user:' just like 'user'
 252                as we lookup the primary group by default
 253                (and support doing so for UIDs as well as names.  */
 254             size_t userlen = strlen (userspec);
 255             if (userlen && userspec[userlen - 1] == ':')
 256               userspec[userlen - 1] = '\0';
 257             break;
 258           }
 259
 260         case GROUPS:
 261           groups = optarg;
 262           break;
 263
 264         case SKIP_CHDIR:
 265           skip_chdir = true;
 266           break;
 267
 268         case_GETOPT_HELP_CHAR;
 269
 270         case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
 271
 272         default:
 273           usage (EXIT_CANCELED);
 274         }
 275     }
 276
 277   if (argc <= optind)
 278     {
 279       error (0, 0, _("missing operand"));
 280       usage (EXIT_CANCELED);
 281     }
 282
 283   char const *newroot = argv[optind];
 284   bool is_oldroot = is_root (newroot);
 285
 286   if (! is_oldroot && skip_chdir)
 287     {
 288       error (0, 0, _("option --skip-chdir only permitted if NEWROOT is old %s"),
 289              quoteaf ("/"));
 290       usage (EXIT_CANCELED);
 291     }
 292
 293   if (! is_oldroot)
 294     {
 295       /* We have to look up users and groups twice.
 296         - First, outside the chroot to load potentially necessary passwd/group
 297           parsing plugins (e.g. NSS);
 298         - Second, inside chroot to redo parsing in case IDs are different.
 299           Within chroot lookup is the main justification for having
 300           the --user option supported by the chroot command itself.  */
 301       if (userspec)
 302         ignore_value (parse_user_spec (userspec, &uid, &gid, NULL, NULL));
 303
 304       /* If no gid is supplied or looked up, do so now.
 305         Also lookup the username for use with getgroups.  */
 306       if (uid_set (uid) && (! groups || gid_unset (gid)))
 307         {
 308           const struct passwd *pwd;
 309           if ((pwd = getpwuid (uid)))
 310             {
 311               if (gid_unset (gid))
 312                 gid = pwd->pw_gid;
 313               username = pwd->pw_name;
 314             }
 315         }
 316
 317       if (groups && *groups)
 318         ignore_value (parse_additional_groups (groups, &out_gids, &n_gids,
 319                                                false));
 320 #if HAVE_SETGROUPS
 321       else if (! groups && gid_set (gid) && username)
 322         {
 323           int ngroups = xgetgroups (username, gid, &out_gids);
 324           if (0 < ngroups)
 325             n_gids = ngroups;
 326         }
 327 #endif
 328     }
 329
 330   if (chroot (newroot) != 0)
 331     die (EXIT_CANCELED, errno, _("cannot change root directory to %s"),
 332          quoteaf (newroot));
 333
 334   if (! skip_chdir && chdir ("/"))
 335     die (EXIT_CANCELED, errno, _("cannot chdir to root directory"));
 336
 337   if (argc == optind + 1)
 338     {
 339       /* No command.  Run an interactive shell.  */
 340       char *shell = getenv ("SHELL");
 341       if (shell == NULL)
 342         shell = bad_cast ("/bin/sh");
 343       argv[0] = shell;
 344       argv[1] = bad_cast ("-i");
 345       argv[2] = NULL;
 346     }
 347   else
 348     {
 349       /* The following arguments give the command.  */
 350       argv += optind + 1;
 351     }
 352
 353   /* Attempt to set all three: supplementary groups, group ID, user ID.
 354      Diagnose any failures.  If any have failed, exit before execvp.  */
 355   if (userspec)
 356     {
 357       char const *err = parse_user_spec (userspec, &uid, &gid, NULL, NULL);
 358
 359       if (err && uid_unset (uid) && gid_unset (gid))
 360         die (EXIT_CANCELED, errno, "%s", (err));
 361     }
 362
 363   /* If no gid is supplied or looked up, do so now.
 364      Also lookup the username for use with getgroups.  */
 365   if (uid_set (uid) && (! groups || gid_unset (gid)))
 366     {
 367       const struct passwd *pwd;
 368       if ((pwd = getpwuid (uid)))
 369         {
 370           if (gid_unset (gid))
 371             gid = pwd->pw_gid;
 372           username = pwd->pw_name;
 373         }
 374       else if (gid_unset (gid))
 375         {
 376           die (EXIT_CANCELED, errno,
 377                _("no group specified for unknown uid: %d"), (int) uid);
 378         }
 379     }
 380
 381   GETGROUPS_T *gids = out_gids;
 382   GETGROUPS_T *in_gids = NULL;
 383   if (groups && *groups)
 384     {
 385       if (parse_additional_groups (groups, &in_gids, &n_gids, !n_gids) != 0)
 386         {
 387           if (! n_gids)
 388             return EXIT_CANCELED;
 389           /* else look-up outside the chroot worked, then go with those.  */
 390         }
 391       else
 392         gids = in_gids;
 393     }
 394 #if HAVE_SETGROUPS
 395   else if (! groups && gid_set (gid) && username)
 396     {
 397       int ngroups = xgetgroups (username, gid, &in_gids);
 398       if (ngroups <= 0)
 399         {
 400           if (! n_gids)
 401             die (EXIT_CANCELED, errno,
 402                  _("failed to get supplemental groups"));
 403           /* else look-up outside the chroot worked, then go with those.  */
 404         }
 405       else
 406         {
 407           n_gids = ngroups;
 408           gids = in_gids;
 409         }
 410     }
 411 #endif
 412
 413   if ((uid_set (uid) || groups) && setgroups (n_gids, gids) != 0)
 414     die (EXIT_CANCELED, errno, _("failed to set supplemental groups"));
 415
 416   free (in_gids);
 417   free (out_gids);
 418
 419   if (gid_set (gid) && setgid (gid))
 420     die (EXIT_CANCELED, errno, _("failed to set group-ID"));
 421
 422   if (uid_set (uid) && setuid (uid))
 423     die (EXIT_CANCELED, errno, _("failed to set user-ID"));
 424
 425   /* Execute the given command.  */
 426   execvp (argv[0], argv);
 427
 428   int exit_status = errno == ENOENT ? EXIT_ENOENT : EXIT_CANNOT_INVOKE;
 429   error (0, errno, _("failed to run command %s"), quote (argv[0]));
 430   return exit_status;
 431 }