Merge branch 'topic/shoens-2000'
[s-mailx.git] / privsep.c
blob05752f31c8a96126afd238deb14c4100b3b5a43d
1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
2 *@ Privilege-separated dot file lock program (WANT_DOTLOCK=yes)
3 *@ that is capable of calling setuid(2) and change its user identity
4 *@ to the configured PRIVSEP_USER (usually "root"), in order to create
5 *@ a dotlock file with the same UID/GID as the mailbox to be locked.
6 *@ It should be started when chdir(2)d to the lock file's directory,
7 *@ and SIGPIPE should be ignored.
9 * Copyright (c) 2015 Steffen (Daode) Nurpmeso <sdaoden@users.sf.net>.
11 * Permission to use, copy, modify, and/or distribute this software for any
12 * purpose with or without fee is hereby granted, provided that the above
13 * copyright notice and this permission notice appear in all copies.
15 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
16 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
17 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
18 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #undef n_FILE
24 #define n_FILE privsep
25 #define n_PRIVSEP_SOURCE
27 #include "nail.h"
29 static void _ign_signal(int signum);
30 static uiz_t n_msleep(uiz_t millis, bool_t ignint);
32 #include "dotlock.h"
34 static void
35 _ign_signal(int signum){
36 struct sigaction nact, oact;
38 nact.sa_handler = SIG_IGN;
39 sigemptyset(&nact.sa_mask);
40 nact.sa_flags = 0;
41 sigaction(signum, &nact, &oact);
44 static uiz_t
45 n_msleep(uiz_t millis, bool_t ignint){
46 uiz_t rv;
48 #ifdef HAVE_NANOSLEEP
49 /* C99 */{
50 struct timespec ts, trem;
51 int i;
53 ts.tv_sec = millis / 1000;
54 ts.tv_nsec = (millis %= 1000) * 1000 * 1000;
56 while((i = nanosleep(&ts, &trem)) != 0 && ignint)
57 ts = trem;
58 rv = (i == 0) ? 0 : (trem.tv_sec * 1000) + (trem.tv_nsec / (1000 * 1000));
61 #elif defined HAVE_SLEEP
62 if((millis /= 1000) == 0)
63 millis = 1;
64 while((rv = sleep((unsigned int)millis)) != 0 && ignint)
65 millis = rv;
66 #else
67 # error Configuration should have detected a function for sleeping.
68 #endif
69 return rv;
72 int
73 main(int argc, char **argv){
74 struct n_dotlock_info di;
75 struct stat stb;
76 sigset_t nset, oset;
77 enum n_dotlock_state dls;
79 /* We're a dumb helper, ensure as much as we can noone else uses us */
80 if(argc != 12 ||
81 strcmp(argv[ 0], PRIVSEP) ||
82 (argv[1][0] != 'r' && argv[1][0] != 'w') ||
83 strcmp(argv[ 1] + 1, "dotlock") ||
84 strcmp(argv[ 2], "mailbox") ||
85 strcmp(argv[ 4], "name") ||
86 strcmp(argv[ 6], "hostname") ||
87 strcmp(argv[ 8], "randstr") ||
88 strcmp(argv[10], "pollmsecs") ||
89 fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) ||
90 fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)){
91 jeuse:
92 fprintf(stderr,
93 "This is a helper program of \"" UAGENT "\" (in " BINDIR ").\n"
94 " It is capable of gaining more privileges than \"" UAGENT "\"\n"
95 " and will be used to create lock files.\n"
96 " It's sole purpose is outsourcing of high privileges into\n"
97 " fewest lines of code in order to reduce attack surface.\n"
98 " It cannot be run by itself.\n");
99 exit(EXIT_USE);
102 di.di_file_name = argv[3];
103 di.di_lock_name = argv[5];
104 di.di_hostname = argv[7];
105 di.di_randstr = argv[9];
106 di.di_pollmsecs = (size_t)strtoul(argv[11], NULL, 10);
108 size_t i = strlen(di.di_file_name);
110 if(i == 0 || strncmp(di.di_file_name, di.di_lock_name, i) ||
111 di.di_lock_name[i] == '\0' || strcmp(di.di_lock_name + i, ".lock"))
112 goto jeuse;
115 close(STDERR_FILENO);
117 /* In order to prevent stale lock files at all cost block any signals until
118 * we have unlinked the lock file.
119 * It is still not safe because we may be SIGKILLed and may linger around
120 * because we have been SIGSTOPped, but unfortunately the standard doesn't
121 * give any option, e.g. atcrash() or open(O_TEMPORARY_KEEP_NAME) or so, ---
122 * and then again we should not unlink(2) the lock file unless our parent
123 * has finalized the synchronization! While at it, let me rant about the
124 * default action of realtime signals, program termination */
125 _ign_signal(SIGPIPE); /* (Inherited, though) */
126 sigfillset(&nset);
127 sigdelset(&nset, SIGCONT); /* (Rather redundant, though) */
128 sigprocmask(SIG_BLOCK, &nset, &oset);
130 dls = n_DLS_NOPERM | n_DLS_ABANDON;
132 /* First of all: we only dotlock when the executing user has the necessary
133 * rights to access the mailbox */
134 if(access(di.di_file_name, (argv[1][0] == 'r' ? R_OK : R_OK | W_OK)))
135 goto jmsg;
137 /* We need UID and GID information about the mailbox to lock */
138 if(stat(di.di_file_name, di.di_stb = &stb) == -1)
139 goto jmsg;
141 dls = n_DLS_PRIVFAILED | n_DLS_ABANDON;
143 /* This privsep helper only gets executed when needed, it thus doesn't make
144 * sense to try to continue with initial privileges */
145 if(setuid(geteuid()))
146 goto jmsg;
148 dls = a_dotlock_create(&di);
150 /* Finally: notify our parent about the actual lock state.. */
151 jmsg:
152 write(STDOUT_FILENO, &dls, sizeof dls);
153 close(STDOUT_FILENO);
155 /* ..then eventually wait until we shall remove the lock again, which will
156 * be notified via the read returning */
157 if(dls == n_DLS_NONE){
158 read(STDIN_FILENO, &dls, sizeof dls);
160 unlink(di.di_lock_name);
163 sigprocmask(SIG_SETMASK, &oset, NULL);
164 return (dls == n_DLS_NONE ? EXIT_OK : EXIT_ERR);
167 /* s-it-mode */