privsep.c

   1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
   2  *@ Privilege-separated dot file lock program (OPT_DOTLOCK=yes)
   3  *@ that is capable of calling setuid(2) and change its user identity
   4  *@ to the configured VAL_PRIVSEP_USER (usually "root"), in order to create
   5  *@ a dotlock file with the same UID/GID as the mailbox to be locked.
   6  *@ It should be started when chdir(2)d to the lock file's directory,
   7  *@ with a symlink-resolved target and with SIGPIPE being ignored.
   8  *
   9  * Copyright (c) 2015 - 2017 Steffen (Daode) Nurpmeso <steffen@sdaoden.eu>.
  10  *
  11  * Permission to use, copy, modify, and/or distribute this software for any
  12  * purpose with or without fee is hereby granted, provided that the above
  13  * copyright notice and this permission notice appear in all copies.
  14  *
  15  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  16  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  17  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  18  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  19  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  20  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  21  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  22  */
  23 #undef n_FILE
  24 #define n_FILE privsep
  25 #define n_PRIVSEP_SOURCE
  26
  27 #include "nail.h"
  28
  29 static void _ign_signal(int signum);
  30 static uiz_t n_msleep(uiz_t millis, bool_t ignint);
  31
  32 #include "dotlock.h"
  33
  34 static void
  35 _ign_signal(int signum){
  36    struct sigaction nact, oact;
  37
  38    nact.sa_handler = SIG_IGN;
  39    sigemptyset(&nact.sa_mask);
  40    nact.sa_flags = 0;
  41    sigaction(signum, &nact, &oact);
  42 }
  43
  44 static uiz_t
  45 n_msleep(uiz_t millis, bool_t ignint){
  46    uiz_t rv;
  47
  48 #ifdef HAVE_NANOSLEEP
  49    /* C99 */{
  50       struct timespec ts, trem;
  51       int i;
  52
  53       ts.tv_sec = millis / 1000;
  54       ts.tv_nsec = (millis %= 1000) * 1000 * 1000;
  55
  56       while((i = nanosleep(&ts, &trem)) != 0 && ignint)
  57          ts = trem;
  58       rv = (i == 0) ? 0 : (trem.tv_sec * 1000) + (trem.tv_nsec / (1000 * 1000));
  59    }
  60
  61 #elif defined HAVE_SLEEP
  62    if((millis /= 1000) == 0)
  63       millis = 1;
  64    while((rv = sleep((unsigned int)millis)) != 0 && ignint)
  65       millis = rv;
  66 #else
  67 # error Configuration should have detected a function for sleeping.
  68 #endif
  69    return rv;
  70 }
  71
  72 int
  73 main(int argc, char **argv){
  74    char hostbuf[64];
  75    struct n_dotlock_info di;
  76    struct stat stb;
  77    sigset_t nset, oset;
  78    enum n_dotlock_state dls;
  79
  80    /* We're a dumb helper, ensure as much as we can noone else uses us */
  81    if(argc != 12 ||
  82          strcmp(argv[ 0], VAL_PRIVSEP) ||
  83          (argv[1][0] != 'r' && argv[1][0] != 'w') ||
  84          strcmp(argv[ 1] + 1, "dotlock") ||
  85          strcmp(argv[ 2], "mailbox") ||
  86          strchr(argv[ 3], '/') != NULL /* Seal path injection.. */ ||
  87          strcmp(argv[ 4], "name") ||
  88          strcmp(argv[ 6], "hostname") ||
  89          strcmp(argv[ 8], "randstr") ||
  90          strchr(argv[ 9], '/') != NULL /* ..attack vector */ ||
  91          strcmp(argv[10], "pollmsecs") ||
  92          fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) ||
  93          fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)){
  94 jeuse:
  95       fprintf(stderr,
  96          "This is a helper program of " VAL_UAGENT " (in " VAL_BINDIR ").\n"
  97          "  It is capable of gaining more privileges than " VAL_UAGENT "\n"
  98          "  and will be used to create lock files.\n"
  99          "  The sole purpose is outsourcing of high privileges into\n"
 100          "  fewest lines of code in order to reduce attack surface.\n"
 101          "  This program cannot be run by itself.\n");
 102       exit(n_EXIT_USE);
 103    }else{
 104       /* Prevent one more path injection attack vector, but be friendly */
 105       char const *ccp;
 106       size_t i;
 107       char *cp, c;
 108
 109       for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){
 110          *cp = (c == '/' ? '_' : c);
 111          if(++i == sizeof(hostbuf) -1)
 112             break;
 113       }
 114       *cp = '\0';
 115       if(cp == hostbuf)
 116          goto jeuse;
 117       argv[7] = hostbuf;
 118    }
 119
 120    di.di_file_name = argv[3];
 121    di.di_lock_name = argv[5];
 122    di.di_hostname = argv[7];
 123    di.di_randstr = argv[9];
 124    di.di_pollmsecs = (size_t)strtoul(argv[11], NULL, 10);
 125
 126    /* Ensure the lock name and the file name are identical */
 127    /* C99 */{
 128       size_t i = strlen(di.di_file_name);
 129
 130       if(i == 0 || strncmp(di.di_file_name, di.di_lock_name, i) ||
 131             di.di_lock_name[i] == '\0' || strcmp(di.di_lock_name + i, ".lock"))
 132          goto jeuse;
 133    }
 134
 135    close(STDERR_FILENO);
 136
 137    /* In order to prevent stale lock files at all cost block any signals until
 138     * we have unlinked the lock file.
 139     * It is still not safe because we may be SIGKILLed and may linger around
 140     * because we have been SIGSTOPped, but unfortunately the standard doesn't
 141     * give any option, e.g. atcrash() or open(O_TEMPORARY_KEEP_NAME) or so, ---
 142     * and then again we should not unlink(2) the lock file unless our parent
 143     * has finalized the synchronization!  While at it, let me rant about the
 144     * default action of realtime signals, program termination */
 145    _ign_signal(SIGPIPE); /* (Inherited, though) */
 146    sigfillset(&nset);
 147    sigdelset(&nset, SIGCONT); /* (Rather redundant, though) */
 148    sigprocmask(SIG_BLOCK, &nset, &oset);
 149
 150    dls = n_DLS_NOPERM | n_DLS_ABANDON;
 151
 152    /* First of all: we only dotlock when the executing user has the necessary
 153     * rights to access the mailbox */
 154    if(access(di.di_file_name, (argv[1][0] == 'r' ? R_OK : R_OK | W_OK)))
 155       goto jmsg;
 156
 157    /* We need UID and GID information about the mailbox to lock */
 158    if(stat(di.di_file_name, di.di_stb = &stb) == -1)
 159       goto jmsg;
 160
 161    dls = n_DLS_PRIVFAILED | n_DLS_ABANDON;
 162
 163    /* This privsep helper only gets executed when needed, it thus doesn't make
 164     * sense to try to continue with initial privileges */
 165    if(setuid(geteuid()))
 166       goto jmsg;
 167
 168    dls = a_dotlock_create(&di);
 169
 170    /* Finally: notify our parent about the actual lock state.. */
 171 jmsg:
 172    write(STDOUT_FILENO, &dls, sizeof dls);
 173    close(STDOUT_FILENO);
 174
 175    /* ..then eventually wait until we shall remove the lock again, which will
 176     * be notified via the read returning */
 177    if(dls == n_DLS_NONE){
 178       read(STDIN_FILENO, &dls, sizeof dls);
 179
 180       unlink(di.di_lock_name);
 181    }
 182
 183    sigprocmask(SIG_SETMASK, &oset, NULL);
 184    return (dls == n_DLS_NONE ? n_EXIT_OK : n_EXIT_ERR);
 185 }
 186
 187 /* s-it-mode */