1 /* $NetBSD: login_cap.c,v 1.29 2007/12/04 22:09:02 mjf Exp $ */
4 * Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. All advertising materials mentioning features or use of this software
15 * must display the following acknowledgement:
16 * This product includes software developed by Berkeley Software Design,
18 * 4. The name of Berkeley Software Design, Inc. may not be used to endorse
19 * or promote products derived from this software without specific prior
22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * BSDI login_cap.c,v 2.13 1998/02/07 03:17:05 prb Exp
37 #include <sys/cdefs.h>
38 #if defined(LIBC_SCCS) && !defined(lint)
39 __RCSID("$NetBSD: login_cap.c,v 1.29 2007/12/04 22:09:02 mjf Exp $");
40 #endif /* LIBC_SCCS and not lint */
42 #include <sys/types.h>
45 #include <sys/resource.h>
46 #include <sys/param.h>
54 #include <login_cap.h>
64 static u_quad_t
multiply(u_quad_t
, u_quad_t
);
65 static u_quad_t
strtolimit(const char *, char **, int);
66 static u_quad_t
strtosize(const char *, char **, int);
67 static int gsetrl(login_cap_t
*, int, const char *, int type
);
68 static int isinfinite(const char *);
69 static int envset(void *, const char *, const char *, int);
72 login_getclass(const char *class)
74 const char *classfiles
[2];
78 /* class may be NULL */
80 if (secure_path(_PATH_LOGIN_CONF
) == 0) {
81 classfiles
[0] = _PATH_LOGIN_CONF
;
87 if ((lc
= malloc(sizeof(login_cap_t
))) == NULL
) {
88 syslog(LOG_ERR
, "%s:%d malloc: %m", __FILE__
, __LINE__
);
95 if (class == NULL
|| class[0] == '\0')
96 class = LOGIN_DEFCLASS
;
98 if ((lc
->lc_class
= strdup(class)) == NULL
) {
99 syslog(LOG_ERR
, "%s:%d strdup: %m", __FILE__
, __LINE__
);
105 * Not having a login.conf file is not an error condition.
106 * The individual routines deal reasonably with missing
107 * capabilities and use default values.
109 if (classfiles
[0] == NULL
)
112 if ((res
= cgetent(&lc
->lc_cap
, classfiles
, lc
->lc_class
)) != 0) {
116 syslog(LOG_ERR
, "%s: couldn't resolve 'tc'",
120 if (strcmp(lc
->lc_class
, LOGIN_DEFCLASS
) == 0)
122 syslog(LOG_ERR
, "%s: unknown class", lc
->lc_class
);
125 syslog(LOG_ERR
, "%s: getting class information: %m",
129 syslog(LOG_ERR
, "%s: 'tc' reference loop",
133 syslog(LOG_ERR
, "%s: unexpected cgetent error",
145 login_getpwclass(const struct passwd
*pwd
)
148 /* pwd may be NULL */
150 return login_getclass(pwd
? pwd
->pw_class
: NULL
);
154 login_getcapstr(login_cap_t
*lc
, const char *cap
, char *def
, char *e
)
161 _DIAGASSERT(cap
!= NULL
);
163 if (!lc
|| !lc
->lc_cap
)
166 switch (status
= cgetstr(lc
->lc_cap
, cap
, &res
)) {
172 syslog(LOG_ERR
, "%s: getting capability %s: %m",
180 syslog(LOG_ERR
, "%s: unexpected error with capability %s",
189 login_getcaptime(login_cap_t
*lc
, const char *cap
, quad_t def
, quad_t e
)
192 char *res
= NULL
, *sres
;
196 _DIAGASSERT(cap
!= NULL
);
199 if (!lc
|| !lc
->lc_cap
)
202 switch (status
= cgetstr(lc
->lc_cap
, cap
, &res
)) {
208 syslog(LOG_ERR
, "%s: getting capability %s: %m",
217 syslog(LOG_ERR
, "%s: unexpected error with capability %s",
226 return (RLIM_INFINITY
);
233 r
= strtoq(res
, &ep
, 0);
234 if (!ep
|| ep
== res
||
235 ((r
== QUAD_MIN
|| r
== QUAD_MAX
) && errno
== ERANGE
)) {
237 syslog(LOG_ERR
, "%s:%s=%s: invalid time",
238 lc
->lc_class
, cap
, sres
);
259 r
*= 60 * 60 * 24 * 7;
261 case 'y': case 'Y': /* Pretty absurd */
262 r
*= 60 * 60 * 24 * 365;
275 login_getcapnum(login_cap_t
*lc
, const char *cap
, quad_t def
, quad_t e
)
282 _DIAGASSERT(cap
!= NULL
);
285 if (!lc
|| !lc
->lc_cap
)
288 switch (status
= cgetstr(lc
->lc_cap
, cap
, &res
)) {
294 syslog(LOG_ERR
, "%s: getting capability %s: %m",
303 syslog(LOG_ERR
, "%s: unexpected error with capability %s",
312 return (RLIM_INFINITY
);
315 q
= strtoq(res
, &ep
, 0);
316 if (!ep
|| ep
== res
|| ep
[0] ||
317 ((q
== QUAD_MIN
|| q
== QUAD_MAX
) && errno
== ERANGE
)) {
318 syslog(LOG_ERR
, "%s:%s=%s: invalid number",
319 lc
->lc_class
, cap
, res
);
329 login_getcapsize(login_cap_t
*lc
, const char *cap
, quad_t def
, quad_t e
)
336 _DIAGASSERT(cap
!= NULL
);
340 if (!lc
|| !lc
->lc_cap
)
343 switch (status
= cgetstr(lc
->lc_cap
, cap
, &res
)) {
349 syslog(LOG_ERR
, "%s: getting capability %s: %m",
358 syslog(LOG_ERR
, "%s: unexpected error with capability %s",
367 q
= strtolimit(res
, &ep
, 0);
368 if (!ep
|| ep
== res
|| (ep
[0] && ep
[1]) ||
369 ((q
== QUAD_MIN
|| q
== QUAD_MAX
) && errno
== ERANGE
)) {
370 syslog(LOG_ERR
, "%s:%s=%s: invalid size",
371 lc
->lc_class
, cap
, res
);
381 login_getcapbool(login_cap_t
*lc
, const char *cap
, u_int def
)
384 _DIAGASSERT(cap
!= NULL
);
386 if (!lc
|| !lc
->lc_cap
)
389 return (cgetcap(lc
->lc_cap
, cap
, ':') != NULL
);
393 login_close(login_cap_t
*lc
)
416 { RLIMIT_CPU
, R_CTIME
, "cputime", },
417 { RLIMIT_FSIZE
, R_CSIZE
, "filesize", },
418 { RLIMIT_DATA
, R_CSIZE
, "datasize", },
419 { RLIMIT_STACK
, R_CSIZE
, "stacksize", },
421 { RLIMIT_RSS
, R_CSIZE
, "memoryuse", },
422 { RLIMIT_MEMLOCK
, R_CSIZE
, "memorylocked", },
423 { RLIMIT_NPROC
, R_CNUMB
, "maxproc", },
425 { RLIMIT_NOFILE
, R_CNUMB
, "openfiles", },
426 { RLIMIT_CORE
, R_CSIZE
, "coredumpsize", },
428 { RLIMIT_SBSIZE
, R_CSIZE
, "sbsize", },
434 gsetrl(login_cap_t
*lc
, int what
, const char *name
, int type
)
441 _DIAGASSERT(name
!= NULL
);
443 (void)snprintf(name_cur
, sizeof(name_cur
), "%s-cur", name
);
444 (void)snprintf(name_max
, sizeof(name_max
), "%s-max", name
);
446 if (getrlimit(what
, &r
)) {
447 syslog(LOG_ERR
, "getting resource limit: %m");
451 #define RCUR r.rlim_cur
452 #define RMAX r.rlim_max
456 RCUR
= login_getcaptime(lc
, name
, RCUR
, RCUR
);
457 RMAX
= login_getcaptime(lc
, name
, RMAX
, RMAX
);
458 rl
.rlim_cur
= login_getcaptime(lc
, name_cur
, RCUR
, RCUR
);
459 rl
.rlim_max
= login_getcaptime(lc
, name_max
, RMAX
, RMAX
);
462 RCUR
= login_getcapsize(lc
, name
, RCUR
, RCUR
);
463 RMAX
= login_getcapsize(lc
, name
, RMAX
, RMAX
);
464 rl
.rlim_cur
= login_getcapsize(lc
, name_cur
, RCUR
, RCUR
);
465 rl
.rlim_max
= login_getcapsize(lc
, name_max
, RMAX
, RMAX
);
468 RCUR
= login_getcapnum(lc
, name
, RCUR
, RCUR
);
469 RMAX
= login_getcapnum(lc
, name
, RMAX
, RMAX
);
470 rl
.rlim_cur
= login_getcapnum(lc
, name_cur
, RCUR
, RCUR
);
471 rl
.rlim_max
= login_getcapnum(lc
, name_max
, RMAX
, RMAX
);
474 syslog(LOG_ERR
, "%s: invalid type %d setting resource limit %s",
475 lc
->lc_class
, type
, name
);
480 if (setrlimit(what
, &rl
)) {
481 syslog(LOG_ERR
, "%s: setting resource limit %s: %m",
493 envset(void *envp __unused
, const char *name
, const char *value
, int overwrite
)
495 return setenv(name
, value
, overwrite
);
499 setuserenv(login_cap_t
*lc
, envfunc_t senv
, void *envp
)
501 const char *stop
= ", \t";
505 char *str
= login_getcapstr(lc
, "setenv", NULL
, NULL
);
507 if (str
== NULL
|| *str
== '\0')
511 * count the sub-strings, this may over-count since we don't
512 * account for escaped delimiters.
514 for (i
= 1, ptr
= str
; *ptr
; i
++) {
515 ptr
+= strcspn(ptr
, stop
);
520 /* allocate ptr array and string */
522 res
= malloc(count
* sizeof(char *) + strlen(str
) + 1);
527 ptr
= (char *)(void *)&res
[count
];
528 (void)strcpy(ptr
, str
);
531 for (i
= 0; (res
[i
] = stresep(&ptr
, stop
, '\\')) != NULL
; )
537 for (i
= 0; i
< count
; i
++) {
538 if ((ptr
= strchr(res
[i
], '=')) != NULL
)
542 (void)(*senv
)(envp
, res
[i
], ptr
? ptr
: "", 1);
550 setclasscontext(const char *class, u_int flags
)
555 flags
&= LOGIN_SETRESOURCES
| LOGIN_SETPRIORITY
| LOGIN_SETUMASK
|
558 lc
= login_getclass(class);
559 ret
= lc
? setusercontext(lc
, NULL
, 0, flags
) : -1;
565 setusercontext(login_cap_t
*lc
, struct passwd
*pwd
, uid_t uid
, u_int flags
)
567 char per_user_tmp
[MAXPATHLEN
+ 1];
568 const char *component_name
;
577 flc
= lc
= login_getclass(pwd
? pwd
->pw_class
: NULL
);
579 #define LOGIN_SETLOGIN 0
581 * Without the pwd entry being passed we cannot set either
582 * the group or the login. We could complain about it.
585 flags
&= ~(LOGIN_SETGROUP
|LOGIN_SETLOGIN
);
587 #ifdef LOGIN_OSETGROUP
589 flags
&= ~LOGIN_OSETGROUP
;
590 if (flags
& LOGIN_OSETGROUP
)
591 flags
= (flags
& ~LOGIN_OSETGROUP
) | LOGIN_SETGROUP
;
593 if (flags
& LOGIN_SETRESOURCES
)
594 for (i
= 0; r_list
[i
].name
; ++i
)
595 (void)gsetrl(lc
, r_list
[i
].what
, r_list
[i
].name
,
598 if (flags
& LOGIN_SETPRIORITY
) {
599 p
= login_getcapnum(lc
, "priority", (quad_t
)0, (quad_t
)0);
601 if (setpriority(PRIO_PROCESS
, 0, (int)p
) == -1)
602 syslog(LOG_ERR
, "%s: setpriority: %m", lc
->lc_class
);
605 if (flags
& LOGIN_SETUMASK
) {
606 p
= login_getcapnum(lc
, "umask", (quad_t
) LOGIN_DEFUMASK
,
607 (quad_t
)LOGIN_DEFUMASK
);
611 if (flags
& LOGIN_SETGID
) {
612 if (setgid(pwd
->pw_gid
) == -1) {
613 syslog(LOG_ERR
, "setgid(%d): %m", pwd
->pw_gid
);
619 if (flags
& LOGIN_SETGROUPS
) {
620 if (initgroups(pwd
->pw_name
, pwd
->pw_gid
) == -1) {
621 syslog(LOG_ERR
, "initgroups(%s,%d): %m",
622 pwd
->pw_name
, pwd
->pw_gid
);
628 /* Create per-user temporary directories if needed. */
629 if ((len
= readlink("/tmp", per_user_tmp
,
630 sizeof(per_user_tmp
) - 6)) != -1) {
632 static const char atuid
[] = "/@ruid";
635 /* readlink does not nul-terminate the string */
636 per_user_tmp
[len
] = '\0';
638 /* Check if it's magic symlink. */
639 lp
= strstr(per_user_tmp
, atuid
);
640 if (lp
!= NULL
&& *(lp
+ (sizeof(atuid
) - 1)) == '\0') {
643 if (snprintf(lp
, 11, "/%u", pwd
->pw_uid
) > 10) {
644 syslog(LOG_ERR
, "real temporary path too long");
648 if (mkdir(per_user_tmp
, S_IRWXU
) != -1) {
649 if (chown(per_user_tmp
, pwd
->pw_uid
,
651 component_name
= "chown";
656 * Must set sticky bit for tmp directory, some
657 * programs rely on this.
659 if(chmod(per_user_tmp
, S_IRWXU
| S_ISVTX
)) {
660 component_name
= "chmod";
664 if (errno
!= EEXIST
) {
665 component_name
= "mkdir";
669 * We must ensure that we own the
670 * directory and that is has the correct
671 * permissions, otherwise a DOS attack
675 if (stat(per_user_tmp
, &sb
) == -1) {
676 component_name
= "stat";
680 if (sb
.st_uid
!= pwd
->pw_uid
) {
681 if (chown(per_user_tmp
,
682 pwd
->pw_uid
, pwd
->pw_gid
)) {
683 component_name
= "chown";
688 if (sb
.st_mode
!= (S_IRWXU
| S_ISVTX
)) {
689 if (chmod(per_user_tmp
,
690 S_IRWXU
| S_ISVTX
)) {
691 component_name
= "chmod";
701 if (flags
& LOGIN_SETLOGIN
)
702 if (setlogin(pwd
->pw_name
) == -1) {
703 syslog(LOG_ERR
, "setlogin(%s) failure: %m",
709 if (flags
& LOGIN_SETUSER
)
710 if (setuid(uid
) == -1) {
711 syslog(LOG_ERR
, "setuid(%d): %m", uid
);
716 if (flags
& LOGIN_SETENV
)
717 setuserenv(lc
, envset
, NULL
);
719 if (flags
& LOGIN_SETPATH
)
720 setuserpath(lc
, pwd
? pwd
->pw_dir
: "", envset
, NULL
);
726 if (component_name
!= NULL
) {
727 syslog(LOG_ERR
, "%s %s: %m", component_name
, per_user_tmp
);
731 syslog(LOG_ERR
, "%s: %m", per_user_tmp
);
738 setuserpath(login_cap_t
*lc
, const char *home
, envfunc_t senv
, void *envp
)
746 _DIAGASSERT(home
!= NULL
);
750 p
= path
= login_getcapstr(lc
, "path", NULL
, NULL
);
755 plen
= (p
- path
) + cnt
* (hlen
+ 1) + 1;
757 q
= path
= malloc(plen
);
760 p
+= strspn(p
, " \t");
763 plen
= strcspn(p
, " \t");
764 if (hlen
== 0 && *p
== '~') {
783 cpath
= _PATH_DEFPATH
;
785 cpath
= _PATH_DEFPATH
;
786 if ((*senv
)(envp
, "PATH", cpath
, 1))
787 warn("could not set PATH");
791 * Convert an expression of the following forms
793 * 2) A number followed by a b (mult by 512).
794 * 3) A number followed by a k (mult by 1024).
795 * 5) A number followed by a m (mult by 1024 * 1024).
796 * 6) A number followed by a g (mult by 1024 * 1024 * 1024).
797 * 7) A number followed by a t (mult by 1024 * 1024 * 1024 * 1024).
798 * 8) Two or more numbers (with/without k,b,m,g, or t).
799 * separated by x (also * for backwards compatibility), specifying
800 * the product of the indicated values.
803 strtosize(const char *str
, char **endptr
, int radix
)
808 _DIAGASSERT(str
!= NULL
);
809 /* endptr may be NULL */
812 num
= strtouq(str
, &expr
, radix
);
813 if (errno
|| expr
== str
) {
821 num
= multiply(num
, (u_quad_t
)512);
825 num
= multiply(num
, (u_quad_t
)1024);
829 num
= multiply(num
, (u_quad_t
)1024 * 1024);
833 num
= multiply(num
, (u_quad_t
)1024 * 1024 * 1024);
837 num
= multiply(num
, (u_quad_t
)1024 * 1024);
838 num
= multiply(num
, (u_quad_t
)1024 * 1024);
847 case '*': /* Backward compatible. */
849 num2
= strtosize(expr
+1, &expr2
, radix
);
855 if (expr2
== expr
+ 1) {
861 num
= multiply(num
, num2
);
877 strtolimit(const char *str
, char **endptr
, int radix
)
880 _DIAGASSERT(str
!= NULL
);
881 /* endptr may be NULL */
883 if (isinfinite(str
)) {
885 *endptr
= (char *)__UNCONST(str
) + strlen(str
);
886 return ((u_quad_t
)RLIM_INFINITY
);
888 return (strtosize(str
, endptr
, radix
));
892 isinfinite(const char *s
)
894 static const char *infs
[] = {
903 _DIAGASSERT(s
!= NULL
);
905 for (i
= infs
; *i
; i
++) {
906 if (!strcasecmp(s
, *i
))
913 multiply(u_quad_t n1
, u_quad_t n2
)
921 * Get rid of the simple cases
923 if (n1
== 0 || n2
== 0)
931 * sizeof() returns number of bytes needed for storage.
932 * This may be different from the actual number of useful bits.
935 bpw
= sizeof(u_quad_t
) * 8;
936 while (((u_quad_t
)1 << (bpw
-1)) == 0)
941 * First check the magnitude of each number. If the sum of the
942 * magnatude is way to high, reject the number. (If this test
943 * is not done then the first multiply below may overflow.)
945 for (b1
= bpw
; (((u_quad_t
)1 << (b1
-1)) & n1
) == 0; --b1
)
947 for (b2
= bpw
; (((u_quad_t
)1 << (b2
-1)) & n2
) == 0; --b2
)
949 if (b1
+ b2
- 2 > bpw
) {
955 * Decompose the multiplication to be:
960 * (h1 + l1) * (h2 + l2)
961 * (h1 * h2) + (h1 * l2) + (l1 * h2) + (l1 * l2)
963 * Since h1 && h2 do not have the low bit set, we can then say:
965 * (h1>>1 * h2>>1 * 4) + ...
967 * So if (h1>>1 * h2>>1) > (1<<(bpw - 2)) then the result will
970 * Finally, if MAX - ((h1 * l2) + (l1 * h2) + (l1 * l2)) < (h1*h2)
971 * then adding in residual amout will cause an overflow.
974 m
= (n1
>> 1) * (n2
>> 1);
976 if (m
>= ((u_quad_t
)1 << (bpw
-2))) {
984 + (n2
& 1) * (n1
& ~(u_quad_t
)1)
985 + (n1
& 1) * (n2
& ~(u_quad_t
)1);
987 if ((u_quad_t
)(m
+ r
) < m
) {