2 Unix SMB/CIFS implementation.
3 run a command as a specified user
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "system/filesys.h"
23 /* need to move this from here!! need some sleep ... */
24 struct current_user current_user
;
26 /****************************************************************************
27 This is a utility function of smbrun().
28 ****************************************************************************/
30 static int setup_out_fd(void)
33 TALLOC_CTX
*ctx
= talloc_stackframe();
37 path
= talloc_asprintf(ctx
,
46 /* now create the file */
47 mask
= umask(S_IRWXO
| S_IRWXG
);
52 DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
53 path
, strerror(errno
) ));
58 DEBUG(10,("setup_out_fd: Created tmp file %s\n", path
));
60 /* Ensure file only kept around by open fd. */
66 /****************************************************************************
67 run a command being careful about uid/gid handling and putting the output in
68 outfd (or discard it if outfd is NULL).
69 ****************************************************************************/
71 static int smbrun_internal(const char *cmd
, int *outfd
, bool sanitize
,
75 uid_t uid
= current_user
.ut
.uid
;
76 gid_t gid
= current_user
.ut
.gid
;
77 void (*saved_handler
)(int);
80 * Lose any elevated privileges.
82 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY
);
83 drop_effective_capability(DMAPI_ACCESS_CAPABILITY
);
85 /* point our stdout at the file we want output to go into */
87 if (outfd
&& ((*outfd
= setup_out_fd()) == -1)) {
91 /* in this method we will exec /bin/sh with the correct
92 arguments, after first setting stdout to point at the file */
95 * We need to temporarily stop CatchChild from eating
96 * SIGCLD signals as it also eats the exit status code. JRA.
99 saved_handler
= CatchChildLeaveStatus();
101 if ((pid
=fork()) < 0) {
102 DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno
) ));
103 (void)CatchSignal(SIGCLD
, saved_handler
);
119 /* the parent just waits for the child to exit */
120 while((wpid
= waitpid(pid
,&status
,0)) < 0) {
128 (void)CatchSignal(SIGCLD
, saved_handler
);
131 DEBUG(2,("waitpid(%d) : %s\n",(int)pid
,strerror(errno
)));
139 /* Reset the seek pointer. */
141 lseek(*outfd
, 0, SEEK_SET
);
144 #if defined(WIFEXITED) && defined(WEXITSTATUS)
145 if (WIFEXITED(status
)) {
146 return WEXITSTATUS(status
);
155 /* we are in the child. we exec /bin/sh to do the work for us. we
156 don't directly exec the command we want because it may be a
157 pipeline or anything else the config file specifies */
159 /* point our stdout at the file we want output to go into */
162 if (dup2(*outfd
,1) != 1) {
163 DEBUG(2,("Failed to create stdout file descriptor\n"));
169 /* now completely lose our privileges. This is a fairly paranoid
170 way of doing it, but it does work on all systems that I know of */
172 become_user_permanently(uid
, gid
);
174 if (!non_root_mode()) {
175 if (getuid() != uid
|| geteuid() != uid
||
176 getgid() != gid
|| getegid() != gid
) {
177 /* we failed to lose our privileges - do not execute
179 exit(81); /* we can't print stuff at this stage,
180 instead use exit codes for debugging */
184 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
185 2 point to /dev/null from the startup code */
191 newcmd
= escape_shell_string(cmd
);
197 execle("/bin/sh","sh","-c",
198 newcmd
? (const char *)newcmd
: cmd
, NULL
,
201 execl("/bin/sh","sh","-c",
202 newcmd
? (const char *)newcmd
: cmd
, NULL
);
213 /****************************************************************************
214 Use only in known safe shell calls (printing).
215 ****************************************************************************/
217 int smbrun_no_sanitize(const char *cmd
, int *outfd
, char * const *env
)
219 return smbrun_internal(cmd
, outfd
, false, env
);
222 /****************************************************************************
223 By default this now sanitizes shell expansion.
224 ****************************************************************************/
226 int smbrun(const char *cmd
, int *outfd
, char * const *env
)
228 return smbrun_internal(cmd
, outfd
, true, env
);
231 /****************************************************************************
232 run a command being careful about uid/gid handling and putting the output in
233 outfd (or discard it if outfd is NULL).
234 sends the provided secret to the child stdin.
235 ****************************************************************************/
237 int smbrunsecret(const char *cmd
, const char *secret
)
240 uid_t uid
= current_user
.ut
.uid
;
241 gid_t gid
= current_user
.ut
.gid
;
243 void (*saved_handler
)(int);
246 * Lose any elevated privileges.
248 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY
);
249 drop_effective_capability(DMAPI_ACCESS_CAPABILITY
);
251 /* build up an input pipe */
256 /* in this method we will exec /bin/sh with the correct
257 arguments, after first setting stdout to point at the file */
260 * We need to temporarily stop CatchChild from eating
261 * SIGCLD signals as it also eats the exit status code. JRA.
264 saved_handler
= CatchChildLeaveStatus();
266 if ((pid
=fork()) < 0) {
267 DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno
)));
268 (void)CatchSignal(SIGCLD
, saved_handler
);
282 /* send the secret */
283 towrite
= strlen(secret
);
284 wrote
= write(ifd
[1], secret
, towrite
);
285 if ( wrote
!= towrite
) {
286 DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote
,(unsigned long)towrite
));
291 /* the parent just waits for the child to exit */
292 while((wpid
= waitpid(pid
, &status
, 0)) < 0) {
300 (void)CatchSignal(SIGCLD
, saved_handler
);
303 DEBUG(2, ("waitpid(%d) : %s\n", (int)pid
, strerror(errno
)));
307 #if defined(WIFEXITED) && defined(WEXITSTATUS)
308 if (WIFEXITED(status
)) {
309 return WEXITSTATUS(status
);
318 /* we are in the child. we exec /bin/sh to do the work for us. we
319 don't directly exec the command we want because it may be a
320 pipeline or anything else the config file specifies */
324 if (dup2(ifd
[0], 0) != 0) {
325 DEBUG(2,("Failed to create stdin file descriptor\n"));
330 /* now completely lose our privileges. This is a fairly paranoid
331 way of doing it, but it does work on all systems that I know of */
333 become_user_permanently(uid
, gid
);
335 if (!non_root_mode()) {
336 if (getuid() != uid
|| geteuid() != uid
||
337 getgid() != gid
|| getegid() != gid
) {
338 /* we failed to lose our privileges - do not execute
340 exit(81); /* we can't print stuff at this stage,
341 instead use exit codes for debugging */
345 /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
346 2 point to /dev/null from the startup code */
349 execl("/bin/sh", "sh", "-c", cmd
, NULL
);