1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
2 *@ Privilege-separated dot file lock program (WANT_DOTLOCK=yes)
3 *@ that is capable of calling setuid(2) and change its user identity
4 *@ to the configured PRIVSEP_USER (usually "root"), in order to create
5 *@ a dotlock file with the same UID/GID as the mailbox to be locked.
6 *@ It should be started when chdir(2)d to the lock file's directory,
7 *@ and SIGPIPE should be ignored.
9 * Copyright (c) 2015 Steffen (Daode) Nurpmeso <sdaoden@users.sf.net>.
11 * Permission to use, copy, modify, and/or distribute this software for any
12 * purpose with or without fee is hereby granted, provided that the above
13 * copyright notice and this permission notice appear in all copies.
15 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
16 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
17 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
18 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 #define n_FILE privsep
25 #define n_PRIVSEP_SOURCE
29 static void _ign_signal(int signum
);
30 static uiz_t
n_msleep(uiz_t millis
, bool_t ignint
);
35 _ign_signal(int signum
)
37 struct sigaction nact
, oact
;
39 nact
.sa_handler
= SIG_IGN
;
40 sigemptyset(&nact
.sa_mask
);
42 sigaction(signum
, &nact
, &oact
);
46 n_msleep(uiz_t millis
, bool_t ignint
){
51 struct timespec ts
, trem
;
54 ts
.tv_sec
= millis
/ 1000;
55 ts
.tv_nsec
= (millis
%= 1000) * 1000 * 1000;
57 while((i
= nanosleep(&ts
, &trem
)) != 0 && ignint
)
59 rv
= (i
== 0) ? 0 : (trem
.tv_sec
* 1000) + (trem
.tv_nsec
/ (1000 * 1000));
62 #elif defined HAVE_SLEEP
63 if((millis
/= 1000) == 0)
65 while((rv
= sleep((unsigned int)millis
)) != 0 && ignint
)
68 # error Configuration should have detected a function for sleeping.
74 main(int argc
, char **argv
)
76 struct dotlock_info di
;
79 enum dotlock_state dls
;
81 /* We're a dumb helper, ensure as much as we can noone else uses us */
83 strcmp(argv
[ 0], PRIVSEP
) ||
84 (argv
[1][0] != 'r' && argv
[1][0] != 'w') ||
85 strcmp(argv
[ 1] + 1, "dotlock") ||
86 strcmp(argv
[ 2], "mailbox") ||
87 strcmp(argv
[ 4], "name") ||
88 strcmp(argv
[ 6], "hostname") ||
89 strcmp(argv
[ 8], "randstr") ||
90 strcmp(argv
[10], "pollmsecs") ||
91 fstat(STDIN_FILENO
, &stb
) == -1 || !S_ISFIFO(stb
.st_mode
) ||
92 fstat(STDOUT_FILENO
, &stb
) == -1 || !S_ISFIFO(stb
.st_mode
)) {
95 "This is a helper program of \"" UAGENT
"\" (in " BINDIR
").\n"
96 " It is capable of gaining more privileges than \"" UAGENT
"\"\n"
97 " and will be used to create lock files.\n"
98 " It's sole purpose is outsourcing of high privileges into\n"
99 " fewest lines of code in order to reduce attack surface.\n"
100 " It cannot be run by itself.\n");
104 di
.di_file_name
= argv
[3];
105 di
.di_lock_name
= argv
[5];
106 di
.di_hostname
= argv
[7];
107 di
.di_randstr
= argv
[9];
108 di
.di_pollmsecs
= (size_t)strtoul(argv
[11], NULL
, 10);
110 size_t i
= strlen(di
.di_file_name
);
112 if (i
== 0 || strncmp(di
.di_file_name
, di
.di_lock_name
, i
) ||
113 di
.di_lock_name
[i
] == '\0' || strcmp(di
.di_lock_name
+ i
, ".lock"))
117 close(STDERR_FILENO
);
119 /* In order to prevent stale lock files at all cost block any signals until
120 * we have unlinked the lock file.
121 * It is still not safe because we may be SIGKILLed and may linger around
122 * because we have been SIGSTOPped, but unfortunately the standard doesn't
123 * give any option, e.g. atcrash() or open(O_TEMPORARY_KEEP_NAME) or so, ---
124 * and then again we should not unlink(2) the lock file unless our parent
125 * has finalized the synchronization! While at it, let me rant about the
126 * default action of realtime signals, program termination */
127 _ign_signal(SIGPIPE
); /* (Inherited, though) */
129 sigdelset(&nset
, SIGCONT
); /* (Rather redundant, though) */
130 sigprocmask(SIG_BLOCK
, &nset
, &oset
);
132 dls
= DLS_NOPERM
| DLS_ABANDON
;
134 /* First of all: we only dotlock when the executing user has the necessary
135 * rights to access the mailbox */
136 if (access(di
.di_file_name
, (argv
[1][0] == 'r' ? R_OK
: R_OK
| W_OK
)))
139 /* We need UID and GID information about the mailbox to lock */
140 if (stat(di
.di_file_name
, di
.di_stb
= &stb
) == -1)
143 dls
= DLS_PRIVFAILED
| DLS_ABANDON
;
145 /* This privsep helper only gets executed when needed, it thus doesn't make
146 * sense to try to continue with initial privileges */
147 if (setuid(geteuid()))
150 dls
= _dotlock_create(&di
);
152 /* Finally: notify our parent about the actual lock state.. */
154 write(STDOUT_FILENO
, &dls
, sizeof dls
);
155 close(STDOUT_FILENO
);
157 /* ..then eventually wait until we shall remove the lock again, which will
158 * be notified via the read returning */
159 if (dls
== DLS_NONE
) {
160 read(STDIN_FILENO
, &dls
, sizeof dls
);
162 unlink(di
.di_lock_name
);
165 sigprocmask(SIG_SETMASK
, &oset
, NULL
);
166 return (dls
== DLS_NONE
? EXIT_OK
: EXIT_ERR
);