Initial version

[suidgw.git] / suidgw.c

/*
 *  A simple gateway for set-uid scripts
 *
 *  (c) 2013 Martin Mares <mj@ucw.cz>
 */

#undef DEBUG

#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/stat.h>
#include <unistd.h>

#define NONRET __attribute__((noreturn))
#define UNUSED __attribute__((unused))

#ifdef DEBUG
#define DBG(...) printf(__VA_ARGS__)
#else
#define DBG(...) do { } while (0)
#endif

static char program_name[PATH_MAX];
static char script_path[PATH_MAX];
static uid_t use_uid;
static gid_t use_gid;

static const char * const script_dirs[] = {
  "/usr/local/lib/suidgw",
  "/usr/lib/suidgw",
#ifdef DEBUG
  "./scripts",
#endif
  NULL
};

static char *sanitized_env[] = {
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  NULL
};

static void NONRET die(const char *fmt, ...)
{
  va_list args;
  va_start(args, fmt);
  fprintf(stderr, "suidgw: ");
  vfprintf(stderr, fmt, args);
  fputc('\n', stderr);
  exit(1);
}

static void sanitize_fds(void)
{
  // Make sure that nobody is playing dirty games with our file descriptors
  int fd;
  do
    {
      fd = open("/dev/null", O_RDWR);
      if (fd < 0)
        die("Cannot open /dev/null: %m");
    }
  while (fd <= 2);
  close(fd);
}

static bool get_program_name(const char *arg0)
{
  // If arg0 is a path, extract the last component
  const char *p = strrchr(arg0, '/');
  if (p)
    p++;
  else
    p = arg0;

  // Reject empty and oversized names
  if (!p[0] || strlen(p) >= PATH_MAX)
    return 0;

  // Reject invalid characters
  for (const char *q = p; *q; q++)
    {
      int c = *q;
      if (! (c >= 'a' && c <= 'z' ||
             c >= 'A' && c <= 'Z' ||
             c >= '0' && c <= '9' ||
             c == '-' ||
             c == '_'))
        return 0;
    }

  DBG("Program name: <%s>\n", p);
  strcpy(program_name, p);
  return 1;
}

static void find_script(void)
{
  for (int i = 0; script_dirs[i]; i++)
    {
      int len = snprintf(script_path, PATH_MAX, "%s/%s", script_dirs[i], program_name);
      if (len >= PATH_MAX)
        continue;
      DBG("Trying <%s>\n", script_path);
      if (access(script_path, X_OK) >= 0)
        {
          DBG("Found <%s>\n", script_path);
          return;
        }
      if (errno != ENOENT)
        die("Cannot run %s: %m", script_path);
    }

  die("Unable to find script %s", program_name);
}

static void check_stat(void)
{
  struct stat st;
  if (stat(script_path, &st) < 0)
    die("Cannot stat %s: %m", script_path);

  if (!S_ISREG(st.st_mode))
    die("Not a regular file: %s", script_path);
  if (!(st.st_mode & (S_ISUID | S_ISGID)))
    die("Missing suid/sgid: %s", script_path);

  use_uid = (st.st_mode & S_ISUID) ? st.st_uid : getuid();
  use_gid = (st.st_mode & S_ISGID) ? st.st_gid : getgid();
  DBG("Will use uid=%d gid=%d\n", (int) use_uid, (int) use_gid);
}

static void switch_ugid(void)
{
  if (setegid(use_gid) < 0)
    die("Failed to set group id: %m");

  if (seteuid(use_uid) < 0)
    die("Failed to set user id: %m");
}

int main(int argc UNUSED, char **argv)
{
  sanitize_fds();

  if (geteuid())
    die("Must be run setuid");

  struct passwd *pwd = getpwuid(getuid());
  if (!pwd)
    die("You don't exist");

  openlog("suidgw", LOG_NDELAY | LOG_PID, LOG_AUTH);

  if (!get_program_name(argv[0]))
    die("Unable to parse program name %s", argv[0]);

  find_script();
  check_stat();
  switch_ugid();

  syslog(LOG_INFO, "User %s executes %s with uid=%d, gid=%d",
    pwd->pw_name, script_path, (int) use_uid, (int) use_gid);

  if (execve(script_path, argv, sanitized_env) < 0)
    die("Cannot execute %s: %m", script_path);

  die("This must never happen");
}