1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
2 *@ Privilege-separated dot file lock program (WANT_DOTLOCK=yes)
3 *@ that is capable of calling setuid(2) and change its user identity
4 *@ to the configured PRIVSEP_USER (usually "root"), in order to create
5 *@ a dotlock file with the same UID/GID as the mailbox to be locked.
6 *@ It should be started when chdir(2)d to the lock file's directory,
7 *@ and SIGPIPE should be ignored.
9 * Copyright (c) 2015 Steffen (Daode) Nurpmeso <sdaoden@users.sf.net>.
11 * Permission to use, copy, modify, and/or distribute this software for any
12 * purpose with or without fee is hereby granted, provided that the above
13 * copyright notice and this permission notice appear in all copies.
15 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
16 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
17 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
18 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 #define n_FILE privsep
25 #define n_PRIVSEP_SOURCE
29 static void _ign_signal(int signum
);
30 static uiz_t
n_msleep(uiz_t millis
, bool_t ignint
);
35 _ign_signal(int signum
){
36 struct sigaction nact
, oact
;
38 nact
.sa_handler
= SIG_IGN
;
39 sigemptyset(&nact
.sa_mask
);
41 sigaction(signum
, &nact
, &oact
);
45 n_msleep(uiz_t millis
, bool_t ignint
){
50 struct timespec ts
, trem
;
53 ts
.tv_sec
= millis
/ 1000;
54 ts
.tv_nsec
= (millis
%= 1000) * 1000 * 1000;
56 while((i
= nanosleep(&ts
, &trem
)) != 0 && ignint
)
58 rv
= (i
== 0) ? 0 : (trem
.tv_sec
* 1000) + (trem
.tv_nsec
/ (1000 * 1000));
61 #elif defined HAVE_SLEEP
62 if((millis
/= 1000) == 0)
64 while((rv
= sleep((unsigned int)millis
)) != 0 && ignint
)
67 # error Configuration should have detected a function for sleeping.
73 main(int argc
, char **argv
){
74 struct n_dotlock_info di
;
77 enum n_dotlock_state dls
;
79 /* We're a dumb helper, ensure as much as we can noone else uses us */
81 strcmp(argv
[ 0], PRIVSEP
) ||
82 (argv
[1][0] != 'r' && argv
[1][0] != 'w') ||
83 strcmp(argv
[ 1] + 1, "dotlock") ||
84 strcmp(argv
[ 2], "mailbox") ||
85 strcmp(argv
[ 4], "name") ||
86 strcmp(argv
[ 6], "hostname") ||
87 strcmp(argv
[ 8], "randstr") ||
88 strcmp(argv
[10], "pollmsecs") ||
89 fstat(STDIN_FILENO
, &stb
) == -1 || !S_ISFIFO(stb
.st_mode
) ||
90 fstat(STDOUT_FILENO
, &stb
) == -1 || !S_ISFIFO(stb
.st_mode
)){
93 "This is a helper program of \"" UAGENT
"\" (in " BINDIR
").\n"
94 " It is capable of gaining more privileges than \"" UAGENT
"\"\n"
95 " and will be used to create lock files.\n"
96 " It's sole purpose is outsourcing of high privileges into\n"
97 " fewest lines of code in order to reduce attack surface.\n"
98 " It cannot be run by itself.\n");
102 di
.di_file_name
= argv
[3];
103 di
.di_lock_name
= argv
[5];
104 di
.di_hostname
= argv
[7];
105 di
.di_randstr
= argv
[9];
106 di
.di_pollmsecs
= (size_t)strtoul(argv
[11], NULL
, 10);
108 size_t i
= strlen(di
.di_file_name
);
110 if(i
== 0 || strncmp(di
.di_file_name
, di
.di_lock_name
, i
) ||
111 di
.di_lock_name
[i
] == '\0' || strcmp(di
.di_lock_name
+ i
, ".lock"))
115 close(STDERR_FILENO
);
117 /* In order to prevent stale lock files at all cost block any signals until
118 * we have unlinked the lock file.
119 * It is still not safe because we may be SIGKILLed and may linger around
120 * because we have been SIGSTOPped, but unfortunately the standard doesn't
121 * give any option, e.g. atcrash() or open(O_TEMPORARY_KEEP_NAME) or so, ---
122 * and then again we should not unlink(2) the lock file unless our parent
123 * has finalized the synchronization! While at it, let me rant about the
124 * default action of realtime signals, program termination */
125 _ign_signal(SIGPIPE
); /* (Inherited, though) */
127 sigdelset(&nset
, SIGCONT
); /* (Rather redundant, though) */
128 sigprocmask(SIG_BLOCK
, &nset
, &oset
);
130 dls
= n_DLS_NOPERM
| n_DLS_ABANDON
;
132 /* First of all: we only dotlock when the executing user has the necessary
133 * rights to access the mailbox */
134 if(access(di
.di_file_name
, (argv
[1][0] == 'r' ? R_OK
: R_OK
| W_OK
)))
137 /* We need UID and GID information about the mailbox to lock */
138 if(stat(di
.di_file_name
, di
.di_stb
= &stb
) == -1)
141 dls
= n_DLS_PRIVFAILED
| n_DLS_ABANDON
;
143 /* This privsep helper only gets executed when needed, it thus doesn't make
144 * sense to try to continue with initial privileges */
145 if(setuid(geteuid()))
148 dls
= a_dotlock_create(&di
);
150 /* Finally: notify our parent about the actual lock state.. */
152 write(STDOUT_FILENO
, &dls
, sizeof dls
);
153 close(STDOUT_FILENO
);
155 /* ..then eventually wait until we shall remove the lock again, which will
156 * be notified via the read returning */
157 if(dls
== n_DLS_NONE
){
158 read(STDIN_FILENO
, &dls
, sizeof dls
);
160 unlink(di
.di_lock_name
);
163 sigprocmask(SIG_SETMASK
, &oset
, NULL
);
164 return (dls
== n_DLS_NONE
? EXIT_OK
: EXIT_ERR
);