bin/rootwrap.c

   1 /*****************************************************************************
   2  * rootwrap.c
   3  *****************************************************************************
   4  * Copyright © 2005-2008 Rémi Denis-Courmont
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation; either version 2 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
  19  *****************************************************************************/
  20
  21 #if HAVE_CONFIG_H
  22 # include <config.h>
  23 #endif
  24 #define _XPG4_2 /* ancilliary data on Solaris */
  25
  26 #include <stdlib.h> /* exit() */
  27 #include <stdio.h>
  28 #include <string.h>
  29
  30 #include <sys/types.h>
  31 #include <unistd.h>
  32 #include <fcntl.h>
  33 #include <sys/stat.h>
  34 #include <sys/socket.h>
  35 #include <sys/uio.h>
  36 #include <sys/resource.h> /* getrlimit() */
  37 #include <sched.h>
  38 #include <errno.h>
  39 #include <netinet/in.h>
  40
  41 #if defined (AF_INET6) && !defined (IPV6_V6ONLY)
  42 # warning Uho, your IPv6 support is broken and has been disabled. Fix your C library.
  43 # undef AF_INET6
  44 #endif
  45
  46 #ifndef AF_LOCAL
  47 # define AF_LOCAL AF_UNIX
  48 #endif
  49 /* Required yet non-standard cmsg functions */
  50 #ifndef CMSG_ALIGN
  51 # define CMSG_ALIGN(len) (((len) + sizeof(intptr_t)-1) & ~(sizeof(intptr_t)-1))
  52 #endif
  53 #ifndef CMSG_SPACE
  54 # define CMSG_SPACE(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + CMSG_ALIGN(len))
  55 #endif
  56 #ifndef CMSG_LEN
  57 # define CMSG_LEN(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
  58 #endif
  59
  60 static inline int is_allowed_port (uint16_t port)
  61 {
  62     port = ntohs (port);
  63     return (port == 80) || (port == 443) || (port == 554);
  64 }
  65
  66
  67 static inline int send_err (int fd, int err)
  68 {
  69     return send (fd, &err, sizeof (err), 0) == sizeof (err) ? 0 : -1;
  70 }
  71
  72 /**
  73  * Send a file descriptor to another process
  74  */
  75 static int send_fd (int p, int fd)
  76 {
  77     struct msghdr hdr;
  78     struct iovec iov;
  79     struct cmsghdr *cmsg;
  80     char buf[CMSG_SPACE (sizeof (fd))];
  81     int val = 0;
  82
  83     hdr.msg_name = NULL;
  84     hdr.msg_namelen = 0;
  85     hdr.msg_iov = &iov;
  86     hdr.msg_iovlen = 1;
  87     hdr.msg_control = buf;
  88     hdr.msg_controllen = sizeof (buf);
  89
  90     iov.iov_base = &val;
  91     iov.iov_len = sizeof (val);
  92
  93     cmsg = CMSG_FIRSTHDR (&hdr);
  94     cmsg->cmsg_level = SOL_SOCKET;
  95     cmsg->cmsg_type = SCM_RIGHTS;
  96     cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
  97     memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
  98     hdr.msg_controllen = cmsg->cmsg_len;
  99
 100     return sendmsg (p, &hdr, 0) == sizeof (val) ? 0 : -1;
 101 }
 102
 103
 104 /**
 105  * Background process run as root to open privileged TCP ports.
 106  */
 107 static void rootprocess (int fd)
 108 {
 109     union
 110     {
 111         struct sockaddr         sa;
 112         struct sockaddr_storage ss;
 113         struct sockaddr_in      sin;
 114 #ifdef AF_INET6
 115         struct sockaddr_in6     sin6;
 116 #endif
 117     } addr;
 118
 119     while (recv (fd, &addr.ss, sizeof (addr.ss), 0) == sizeof (addr.ss))
 120     {
 121         unsigned len;
 122         int sock;
 123         int family;
 124
 125         switch (addr.sa.sa_family)
 126         {
 127             case AF_INET:
 128                 if (!is_allowed_port (addr.sin.sin_port))
 129                 {
 130                     if (send_err (fd, EACCES))
 131                         return;
 132                     continue;
 133                 }
 134                 len = sizeof (struct sockaddr_in);
 135                 family = PF_INET;
 136                 break;
 137
 138 #ifdef AF_INET6
 139             case AF_INET6:
 140                 if (!is_allowed_port (addr.sin6.sin6_port))
 141                 {
 142                     if (send_err (fd, EACCES))
 143                         return;
 144                     continue;
 145                 }
 146                 len = sizeof (struct sockaddr_in6);
 147                 family = PF_INET6;
 148                 break;
 149 #endif
 150
 151             default:
 152                 if (send_err (fd, EAFNOSUPPORT))
 153                     return;
 154                 continue;
 155         }
 156
 157         sock = socket (family, SOCK_STREAM, IPPROTO_TCP);
 158         if (sock != -1)
 159         {
 160             const int val = 1;
 161
 162             setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val));
 163 #ifdef AF_INET6
 164             if (addr.sa.sa_family == AF_INET6)
 165                 setsockopt (sock, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof (val));
 166 #endif
 167             if (bind (sock, &addr.sa, len) == 0)
 168             {
 169                 send_fd (fd, sock);
 170                 close (sock);
 171                 continue;
 172             }
 173         }
 174         send_err (fd, errno);
 175     }
 176 }
 177
 178 /* TODO?
 179  *  - use libcap if available,
 180  *  - call chroot
 181  */
 182
 183 int main (int argc, char *argv[])
 184 {
 185     /* Support for dynamically opening RTSP, HTTP and HTTP/SSL ports */
 186     int pair[2];
 187
 188     if (socketpair (AF_LOCAL, SOCK_STREAM, 0, pair))
 189         return 1;
 190     if (pair[0] < 3)
 191         goto error; /* we want 0, 1 and 2 open */
 192
 193     pid_t pid = fork ();
 194     switch (pid)
 195     {
 196         case -1:
 197             goto error;
 198
 199         case 0:
 200         {
 201             int null = open ("/dev/null", O_RDWR);
 202             if (null != -1)
 203             {
 204                 dup2 (null, 0);
 205                 dup2 (null, 1);
 206                 dup2 (null, 2);
 207                 close (null);
 208             }
 209             close (pair[0]);
 210             setsid ();
 211             rootprocess (pair[1]);
 212             exit (0);
 213         }
 214     }
 215
 216     close (pair[1]);
 217     pair[1] = -1;
 218
 219     char buf[21];
 220     snprintf (buf, sizeof (buf), "%d", pair[0]);
 221     setenv ("VLC_ROOTWRAP_SOCK", buf, 1);
 222
 223     /* Support for real-time priorities */
 224 #ifdef RLIMIT_RTPRIO
 225     struct rlimit rlim;
 226     rlim.rlim_max = rlim.rlim_cur = sched_get_priority_min (SCHED_RR) + 24;
 227     setrlimit (RLIMIT_RTPRIO, &rlim);
 228 #endif
 229
 230     uid_t uid = getuid ();
 231     if (uid == 0)
 232     {
 233         const char *sudo = getenv ("SUDO_UID");
 234         if (sudo)
 235             uid = atoi (sudo);
 236     }
 237     if (uid == 0)
 238     {
 239         fprintf (stderr, "Cannot determine unprivileged user for VLC!\n");
 240         exit (1);
 241     }
 242     setuid (uid);
 243
 244     if (!setuid (0)) /* sanity check: we cannot get root back */
 245         exit (1);
 246
 247     /* Yeah, the user can execute just about anything from here.
 248      * But we've dropped privileges, so it does not matter. */
 249     if (strlen (argv[0]) < sizeof ("-wrapper"))
 250         goto error;
 251     argv[0][strlen (argv[0]) - strlen ("-wrapper")] = '\0';
 252
 253     (void)argc;
 254     if (execvp (argv[0], argv))
 255         perror (argv[0]);
 256
 257 error:
 258     close (pair[0]);
 259     if (pair[1] != -1)
 260         close (pair[1]);
 261     return 1;
 262 }