ladybird/Userland/Utilities/pls.cpp

/*
 * Copyright (c) 2021, Jesse Buhagiar <jooster669@gmail.com>
 * Copyright (c) 2021, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/GetPassword.h>
#include <LibCore/System.h>
#include <LibMain/Main.h>
#include <unistd.h>

ErrorOr<int> serenity_main(Main::Arguments arguments)
{
    Vector<StringView> command;
    Core::ArgsParser args_parser;
    uid_t as_user_uid = 0;
    args_parser.set_stop_on_first_non_option(true);
    args_parser.add_option(as_user_uid, "User to execute as", nullptr, 'u', "UID");
    args_parser.add_positional_argument(command, "Command to run at elevated privilege level", "command");
    args_parser.parse(arguments);

    TRY(Core::System::pledge("stdio rpath exec id tty"));

    TRY(Core::System::seteuid(0));

    auto as_user = TRY(Core::Account::from_uid(as_user_uid));

    // If the current user is not a superuser, make them authenticate themselves.
    if (auto uid = getuid()) {
        auto account = TRY(Core::Account::from_uid(uid));
        if (account.has_password()) {
            auto password = TRY(Core::get_password());
            if (!account.authenticate(password))
                return Error::from_string_literal("Incorrect or disabled password."sv);
        }
    }

    TRY(Core::System::pledge("stdio rpath exec id"));

    TRY(Core::System::setgid(0));
    TRY(Core::System::setuid(as_user_uid));

    TRY(Core::System::pledge("stdio rpath exec"));

    Vector<String> exec_environment_strings;
    Vector<StringView> exec_environment;
    if (auto* term = getenv("TERM")) {
        exec_environment_strings.append(String::formatted("TERM={}", term));
        exec_environment.append(exec_environment_strings.last());
    }

    Vector<String> exec_arguments;
    exec_arguments.ensure_capacity(command.size());
    for (auto const& it : command)
        exec_arguments.append(it.to_string());

    TRY(Core::System::exec(command.at(0), command, Core::System::SearchInPath::Yes, exec_environment));
    return 0;
}
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`/*`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-17 00:55:05 +10:00			`* Copyright (c) 2021, Jesse Buhagiar <jooster669@gmail.com>`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 22:06:28 +02:00			`* Copyright (c) 2021, Andreas Kling <kling@serenityos.org>`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`*`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-17 00:55:05 +10:00			`* SPDX-License-Identifier: BSD-2-Clause`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`*/`

			`#include <LibCore/Account.h>`
			`#include <LibCore/ArgsParser.h>`
			`#include <LibCore/GetPassword.h>`
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`#include <LibCore/System.h>`
			`#include <LibMain/Main.h>`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`#include <unistd.h>`

pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`ErrorOr<int> serenity_main(Main::Arguments arguments)`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`{`
pls: Use Core::System::exec() 2022-03-12 20:58:50 +00:00			`Vector<StringView> command;`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`Core::ArgsParser args_parser;`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 03:58:34 +01:00			`uid_t as_user_uid = 0;`
pls: Stop on first non option when parsing arguments This allows using pls on a program with arguments more ergonomically, e.g. `pls -- echo "hello friends"` can now simply be done as: `pls echo "hello friends"`. 2021-12-28 20:10:22 +02:00			`args_parser.set_stop_on_first_non_option(true);`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 03:58:34 +01:00			`args_parser.add_option(as_user_uid, "User to execute as", nullptr, 'u', "UID");`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`args_parser.add_positional_argument(command, "Command to run at elevated privilege level", "command");`
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`args_parser.parse(arguments);`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`TRY(Core::System::pledge("stdio rpath exec id tty"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`TRY(Core::System::seteuid(0));`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-17 00:55:05 +10:00
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`auto as_user = TRY(Core::Account::from_uid(as_user_uid));`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 03:58:34 +01:00
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 22:06:28 +02:00			`// If the current user is not a superuser, make them authenticate themselves.`
			`if (auto uid = getuid()) {`
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`auto account = TRY(Core::Account::from_uid(uid));`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 22:06:28 +02:00			`if (account.has_password()) {`
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`auto password = TRY(Core::get_password());`
			`if (!account.authenticate(password))`
			`return Error::from_string_literal("Incorrect or disabled password."sv);`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 22:06:28 +02:00			`}`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`}`

pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`TRY(Core::System::pledge("stdio rpath exec id"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`TRY(Core::System::setgid(0));`
			`TRY(Core::System::setuid(as_user_uid));`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-17 00:55:05 +10:00
pls: Port to LibMain :^) 2021-12-16 19:18:37 +01:00			`TRY(Core::System::pledge("stdio rpath exec"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00
pls: Use Core::System::exec() 2022-03-12 20:58:50 +00:00			`Vector<String> exec_environment_strings;`
			`Vector<StringView> exec_environment;`
			`if (auto* term = getenv("TERM")) {`
			`exec_environment_strings.append(String::formatted("TERM={}", term));`
			`exec_environment.append(exec_environment_strings.last());`
			`}`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00
pls: Use Core::System::exec() 2022-03-12 20:58:50 +00:00			`Vector<String> exec_arguments;`
			`exec_arguments.ensure_capacity(command.size());`
			`for (auto const& it : command)`
			`exec_arguments.append(it.to_string());`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00
pls: Use Core::System::exec() 2022-03-12 20:58:50 +00:00			`TRY(Core::System::exec(command.at(0), command, Core::System::SearchInPath::Yes, exec_environment));`
Userland: Implement `pls`, a sudo clone 2021-04-14 12:23:55 +10:00			`return 0;`
			`}`