bin/rootwrap.c

   1 /*****************************************************************************
   2  * rootwrap.c
   3  *****************************************************************************
   4  * Copyright © 2005-2008 Rémi Denis-Courmont
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation; either version 2 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
  19  *****************************************************************************/
  20
  21 #ifdef HAVE_CONFIG_H
  22 # include <config.h>
  23 #endif
  24 #define _XPG4_2 /* ancilliary data on Solaris */
  25
  26 #include <stdlib.h> /* exit() */
  27 #include <stdio.h>
  28 #include <string.h>
  29
  30 #include <sys/types.h>
  31 #include <unistd.h>
  32 #include <fcntl.h>
  33 #include <sys/stat.h>
  34 #include <sys/socket.h>
  35 #include <sys/uio.h>
  36 #include <sys/resource.h> /* getrlimit() */
  37 #ifdef RLIMIT_RTPRIO
  38 #include <sched.h>
  39 #endif
  40 #include <errno.h>
  41 #include <netinet/in.h>
  42
  43 #if defined (AF_INET6) && !defined (IPV6_V6ONLY)
  44 # warning Uho, your IPv6 support is broken and has been disabled. Fix your C library.
  45 # undef AF_INET6
  46 #endif
  47
  48 #ifndef AF_LOCAL
  49 # define AF_LOCAL AF_UNIX
  50 #endif
  51 /* Required yet non-standard cmsg functions */
  52 #ifndef CMSG_ALIGN
  53 # define CMSG_ALIGN(len) (((len) + sizeof(intptr_t)-1) & ~(sizeof(intptr_t)-1))
  54 #endif
  55 #ifndef CMSG_SPACE
  56 # define CMSG_SPACE(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + CMSG_ALIGN(len))
  57 #endif
  58 #ifndef CMSG_LEN
  59 # define CMSG_LEN(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
  60 #endif
  61
  62 static inline int is_allowed_port (uint16_t port)
  63 {
  64     port = ntohs (port);
  65     return (port == 80) || (port == 443) || (port == 554);
  66 }
  67
  68
  69 static inline int send_err (int fd, int err)
  70 {
  71     return send (fd, &err, sizeof (err), 0) == sizeof (err) ? 0 : -1;
  72 }
  73
  74 /**
  75  * Send a file descriptor to another process
  76  */
  77 static int send_fd (int p, int fd)
  78 {
  79     struct msghdr hdr;
  80     struct iovec iov;
  81     struct cmsghdr *cmsg;
  82     char buf[CMSG_SPACE (sizeof (fd))];
  83     int val = 0;
  84
  85     hdr.msg_name = NULL;
  86     hdr.msg_namelen = 0;
  87     hdr.msg_iov = &iov;
  88     hdr.msg_iovlen = 1;
  89     hdr.msg_control = buf;
  90     hdr.msg_controllen = sizeof (buf);
  91
  92     iov.iov_base = &val;
  93     iov.iov_len = sizeof (val);
  94
  95     cmsg = CMSG_FIRSTHDR (&hdr);
  96     cmsg->cmsg_level = SOL_SOCKET;
  97     cmsg->cmsg_type = SCM_RIGHTS;
  98     cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
  99     memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
 100     hdr.msg_controllen = cmsg->cmsg_len;
 101
 102     return sendmsg (p, &hdr, 0) == sizeof (val) ? 0 : -1;
 103 }
 104
 105
 106 /**
 107  * Background process run as root to open privileged TCP ports.
 108  */
 109 static void rootprocess (int fd)
 110 {
 111     union
 112     {
 113         struct sockaddr         sa;
 114         struct sockaddr_storage ss;
 115         struct sockaddr_in      sin;
 116 #ifdef AF_INET6
 117         struct sockaddr_in6     sin6;
 118 #endif
 119     } addr;
 120
 121     while (recv (fd, &addr.ss, sizeof (addr.ss), 0) == sizeof (addr.ss))
 122     {
 123         unsigned len;
 124         int sock;
 125         int family;
 126
 127         switch (addr.sa.sa_family)
 128         {
 129             case AF_INET:
 130                 if (!is_allowed_port (addr.sin.sin_port))
 131                 {
 132                     if (send_err (fd, EACCES))
 133                         return;
 134                     continue;
 135                 }
 136                 len = sizeof (struct sockaddr_in);
 137                 family = PF_INET;
 138                 break;
 139
 140 #ifdef AF_INET6
 141             case AF_INET6:
 142                 if (!is_allowed_port (addr.sin6.sin6_port))
 143                 {
 144                     if (send_err (fd, EACCES))
 145                         return;
 146                     continue;
 147                 }
 148                 len = sizeof (struct sockaddr_in6);
 149                 family = PF_INET6;
 150                 break;
 151 #endif
 152
 153             default:
 154                 if (send_err (fd, EAFNOSUPPORT))
 155                     return;
 156                 continue;
 157         }
 158
 159         sock = socket (family, SOCK_STREAM, IPPROTO_TCP);
 160         if (sock != -1)
 161         {
 162             const int val = 1;
 163
 164             setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val));
 165 #ifdef AF_INET6
 166             if (addr.sa.sa_family == AF_INET6)
 167                 setsockopt (sock, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof (val));
 168 #endif
 169             if (bind (sock, &addr.sa, len) == 0)
 170             {
 171                 send_fd (fd, sock);
 172                 close (sock);
 173                 continue;
 174             }
 175             close (sock);
 176         }
 177         send_err (fd, errno);
 178     }
 179 }
 180
 181 /* TODO?
 182  *  - use libcap if available,
 183  *  - call chroot
 184  */
 185
 186 int main (int argc, char *argv[])
 187 {
 188     /* Support for dynamically opening RTSP, HTTP and HTTP/SSL ports */
 189     int pair[2];
 190
 191     if (socketpair (AF_LOCAL, SOCK_STREAM, 0, pair))
 192         return 1;
 193     if (pair[0] < 3)
 194         goto error; /* we want 0, 1 and 2 open */
 195
 196     pid_t pid = fork ();
 197     switch (pid)
 198     {
 199         case -1:
 200             goto error;
 201
 202         case 0:
 203         {
 204             int null = open ("/dev/null", O_RDWR);
 205             if (null != -1)
 206             {
 207                 dup2 (null, 0);
 208                 dup2 (null, 1);
 209                 dup2 (null, 2);
 210                 close (null);
 211             }
 212             close (pair[0]);
 213             setsid ();
 214             rootprocess (pair[1]);
 215             exit (0);
 216         }
 217     }
 218
 219     close (pair[1]);
 220     pair[1] = -1;
 221
 222     char buf[21];
 223     snprintf (buf, sizeof (buf), "%d", pair[0]);
 224     setenv ("VLC_ROOTWRAP_SOCK", buf, 1);
 225
 226     /* Support for real-time priorities */
 227 #ifdef RLIMIT_RTPRIO
 228     struct rlimit rlim;
 229     rlim.rlim_max = rlim.rlim_cur = sched_get_priority_min (SCHED_RR) + 24;
 230     setrlimit (RLIMIT_RTPRIO, &rlim);
 231 #endif
 232
 233     uid_t uid = getuid ();
 234     if (uid == 0)
 235     {
 236         const char *sudo = getenv ("SUDO_UID");
 237         if (sudo)
 238             uid = atoi (sudo);
 239     }
 240     if (uid == 0)
 241     {
 242         fprintf (stderr, "Cannot determine unprivileged user for VLC!\n");
 243         exit (1);
 244     }
 245     setuid (uid);
 246
 247     if (!setuid (0)) /* sanity check: we cannot get root back */
 248         exit (1);
 249
 250     /* Yeah, the user can execute just about anything from here.
 251      * But we've dropped privileges, so it does not matter. */
 252     if (strlen (argv[0]) < sizeof ("-wrapper"))
 253         goto error;
 254     argv[0][strlen (argv[0]) - strlen ("-wrapper")] = '\0';
 255
 256     (void)argc;
 257     if (execvp (argv[0], argv))
 258         perror (argv[0]);
 259
 260 error:
 261     close (pair[0]);
 262     if (pair[1] != -1)
 263         close (pair[1]);
 264     return 1;
 265 }