cpython/Misc/setuid-prog.c

/*
   Template for a setuid program that calls a script.

   The script should be in an unwritable directory and should itself
   be unwritable.  In fact all parent directories up to the root
   should be unwritable.  The script must not be setuid, that's what
   this program is for.

   This is a template program.  You need to fill in the name of the
   script that must be executed.  This is done by changing the
   definition of FULL_PATH below.

   There are also some rules that should be adhered to when writing
   the script itself.

   The first and most important rule is to never, ever trust that the
   user of the program will behave properly.  Program defensively.
   Check your arguments for reasonableness.  If the user is allowed to
   create files, check the names of the files.  If the program depends
   on argv[0] for the action it should perform, check it.

   Assuming the script is a Bourne shell script, the first line of the
   script should be
	#!/bin/sh -
   The - is important, don't omit it.  If you're using esh, the first
   line should be
	#!/usr/local/bin/esh -f
   and for ksh, the first line should be
	#!/usr/local/bin/ksh -p
   The script should then set the variable IFS to the string
   consisting of <space>, <tab>, and <newline>.  After this (*not*
   before!), the PATH variable should be set to a reasonable value and
   exported.  Do not expect the PATH to have a reasonable value, so do
   not trust the old value of PATH.  You should then set the umask of
   the program by calling
	umask 077 # or 022 if you want the files to be readable
   If you plan to change directories, you should either unset CDPATH
   or set it to a good value.  Setting CDPATH to just ``.'' (dot) is a
   good idea.
   If, for some reason, you want to use csh, the first line should be
	#!/bin/csh -fb
   You should then set the path variable to something reasonable,
   without trusting the inherited path.  Here too, you should set the
   umask using the command
	umask 077 # or 022 if you want the files to be readable
*/

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>

/* CONFIGURATION SECTION */

#ifndef FULL_PATH	/* so that this can be specified from the Makefile */
/* Uncomment the following line:
#define FULL_PATH	"/full/path/of/script" 
* Then comment out the #error line. */
#error "You must define FULL_PATH somewhere"
#endif
#ifndef UMASK
#define UMASK		077
#endif

/* END OF CONFIGURATION SECTION */

#if defined(__STDC__) && defined(__sgi)
#define environ _environ
#endif

/* don't change def_IFS */
char def_IFS[] = "IFS= \t\n";
/* you may want to change def_PATH, but you should really change it in */
/* your script */
#ifdef __sgi
char def_PATH[] = "PATH=/usr/bsd:/usr/bin:/bin:/usr/local/bin:/usr/sbin";
#else
char def_PATH[] = "PATH=/usr/ucb:/usr/bin:/bin:/usr/local/bin";
#endif
/* don't change def_CDPATH */
char def_CDPATH[] = "CDPATH=.";
/* don't change def_ENV */
char def_ENV[] = "ENV=:";

/*
   This function changes all environment variables that start with LD_
   into variables that start with XD_.  This is important since we
   don't want the script that is executed to use any funny shared
   libraries.

   The other changes to the environment are, strictly speaking, not
   needed here.  They can safely be done in the script.  They are done
   here because we don't trust the script writer (just like the script
   writer shouldn't trust the user of the script).
   If IFS is set in the environment, set it to space,tab,newline.
   If CDPATH is set in the environment, set it to ``.''.
   Set PATH to a reasonable default.
*/
void
clean_environ(void)
{
	char **p;
	extern char **environ;

	for (p = environ; *p; p++) {
		if (strncmp(*p, "LD_", 3) == 0)
			**p = 'X';
		else if (strncmp(*p, "_RLD", 4) == 0)
			**p = 'X';
		else if (strncmp(*p, "PYTHON", 6) == 0)
			**p = 'X';
		else if (strncmp(*p, "IFS=", 4) == 0)
			*p = def_IFS;
		else if (strncmp(*p, "CDPATH=", 7) == 0)
			*p = def_CDPATH;
		else if (strncmp(*p, "ENV=", 4) == 0)
			*p = def_ENV;
	}
	putenv(def_PATH);
}

int
main(int argc, char **argv)
{
	struct stat statb;
	gid_t egid = getegid();
	uid_t euid = geteuid();

	/*
	   Sanity check #1.
	   This check should be made compile-time, but that's not possible.
	   If you're sure that you specified a full path name for FULL_PATH,
	   you can omit this check.
	*/
	if (FULL_PATH[0] != '/') {
		fprintf(stderr, "%s: %s is not a full path name\n", argv[0],
			FULL_PATH);
		fprintf(stderr, "You can only use this wrapper if you\n");
		fprintf(stderr, "compile it with an absolute path.\n");
		exit(1);
	}

	/*
	   Sanity check #2.
	   Check that the owner of the script is equal to either the
	   effective uid or the super user.
	*/
	if (stat(FULL_PATH, &statb) < 0) {
		perror("stat");
		exit(1);
	}
	if (statb.st_uid != 0 && statb.st_uid != euid) {
		fprintf(stderr, "%s: %s has the wrong owner\n", argv[0],
			FULL_PATH);
		fprintf(stderr, "The script should be owned by root,\n");
		fprintf(stderr, "and shouldn't be writeable by anyone.\n");
		exit(1);
	}

	if (setregid(egid, egid) < 0)
		perror("setregid");
	if (setreuid(euid, euid) < 0)
		perror("setreuid");

	clean_environ();

	umask(UMASK);

	while (**argv == '-')	/* don't let argv[0] start with '-' */
		(*argv)++;
	execv(FULL_PATH, argv);
	fprintf(stderr, "%s: could not execute the script\n", argv[0]);
	exit(1);
}