From 6b3d4df8053a8dd6e53b5415c1793d553d35e883 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Fri, 17 Jun 2016 20:19:30 -0400 Subject: mv bin/{,nshd-}setuid --- .gitignore | 4 -- Makefile | 6 +-- bin/.gitignore | 4 ++ bin/nshd-setuid.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ bin/setuid.c | 108 ------------------------------------------------------ nshd.service.in | 2 +- 6 files changed, 116 insertions(+), 116 deletions(-) create mode 100644 bin/.gitignore create mode 100644 bin/nshd-setuid.c delete mode 100644 bin/setuid.c diff --git a/.gitignore b/.gitignore index a75421c..6069d5d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,4 @@ /LICENSE.*.txt -/bin/common.rb -/bin/nshd -/bin/nshd-tester -/bin/setuid /nshd.service /nshd.sysusers diff --git a/Makefile b/Makefile index 3a546fe..43af046 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ CGO_ENABLED = 1 at.subdirs += go/lukeshu.com/git/go/libnslcd.git/proto -programs = setuid nshd-tester nshd common.rb +programs = nshd nshd-setuid nshd-tester common.rb scripts = $(filter-out %.c %.o $(programs) common.rb common.rb.in,$(notdir $(wildcard $(srcdir)/bin/*))) std.gen_files += LICENSE.lgpl-2.1.txt LICENSE.gpl-2.txt LICENSE.apache-2.0.txt @@ -72,14 +72,14 @@ $(outdir)/.gopath/bin/cmd-nshd: $(call golang.src,$(outdir)/.gopath) $(_gen) $(_ $(outdir)/%.o: $(srcdir)/%.c $(var)CC $(var)CPPFLAGS $(var)CFLAGS $(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $(filter-out $(var)%,$^) -$(outdir)/bin/nshd-tester $(outdir)/bin/setuid: \ +$(outdir)/bin/nshd-tester $(outdir)/bin/nshd-setuid: \ $(outdir)/%: $(outdir)/%.o $(var)CC $(var)LDFLAGS $(CC) $(LDFLAGS) -o $@ $(filter-out $(var)%,$^) $(outdir)/%: $(srcdir)/%.in < $< sed $(foreach v,$(patsubst $(var)%,%,$(filter $(var)%,$^)), -e 's|@$v@|$($v)|g' ) > $@ -$(outdir)/bin/setuid: -ldl +$(outdir)/bin/nshd-setuid: -ldl $(outdir)/nshd.service: $(var)user $(var)bindir $(outdir)/nshd.sysusers: $(var)user $(outdir)/bin/common.rb: $(var)conf_file 
diff --git a/bin/.gitignore b/bin/.gitignore
new file mode 100644
index 0000000..b73f922
--- /dev/null
+++ b/bin/.gitignore
@@ -0,0 +1,4 @@
+/common.rb
+/nshd
+/nshd-setuid
+/nshd-tester
diff --git a/bin/nshd-setuid.c b/bin/nshd-setuid.c
new file mode 100644
index 0000000..aa8847b
--- /dev/null
+++ b/bin/nshd-setuid.c
@@ -0,0 +1,108 @@ +/* + Copyright (C) 2006 West Consulting + Copyright (C) 2006-2015 Arthur de Jong + Copyright (C) 2015-2016 Luke Shumaker + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +#include /* for dlopen(3), dlsym(3), and dlerror(3) */ +#include /* for errno */ +#include /* for getpwnam(3) */ +#include /* for printf(3) and fprintf(3) */ +#include /* for strerror(3) */ +#include /* for 'struct passwd' and 'struct group' */ +#include /* for SD_{WARNING,DEBUG} */ +#include /* for setuid(3), setgid(3), and dup2(3) */ + +#define EXIT_SUCCESS 0 +#define EXIT_FAILURE 1 +#define EXIT_INVALIDARGUMENT 2 +#define EXIT_NOPERMISSION 4 + +const char *nss_module_soname = "libnss_ldap.so.2"; +const char *nss_module_sym_version = "_nss_ldap_version"; +const char *nss_module_sym_enablelookups = "_nss_ldap_enablelookups"; + +static void disable_nss_module(void) { + char *err; + + dlerror(); + void *handle = dlopen(nss_module_soname, RTLD_LAZY | RTLD_NODELETE); + err = dlerror(); + if (handle == NULL) { + fprintf(stderr, SD_WARNING "NSS module %s not loaded: %s\n", nss_module_soname, err); + return; + } + + dlerror(); + char **version_info = dlsym(handle, nss_module_sym_version); + err = dlerror(); + if ((version_info != NULL) && (err == NULL)) { + fprintf(stderr, SD_DEBUG "NSS module %s version %s 
%s\n", nss_module_soname, + version_info[0], + version_info[1]); + } else { + fprintf(stderr, SD_WARNING "NSS module %s version missing: %s\n", nss_module_soname, err); + } + + dlerror(); + int *enable_flag = dlsym(handle, nss_module_sym_enablelookups); + err = dlerror(); + if ((enable_flag == NULL) || (err != NULL)) { + fprintf(stderr, SD_WARNING "Unable to disable NSS ldap module for nslcd process: %s\n", err); + dlclose(handle); + return; + } + *enable_flag = 0; + dlclose(handle); +} + +void usage(char *cmd) { + printf("Usage: %s USERNAME COMMAND...\n", cmd); + printf("A simple setuid(3) wrapper that runs with the `ldap' NSS module disabled\n"); +} + +int main(int argc, char *argv[]) { + if (argc < 3) { + dup2(2, 1); + usage(argv[0]); + return EXIT_INVALIDARGUMENT; + } + + disable_nss_module(); + + struct passwd *passwd = getpwnam(argv[1]); + if (passwd == NULL) { + fprintf(stderr, SD_ERR "Could not look up user: %s\n", argv[1]); + return EXIT_FAILURE; + } + + if (setgid(passwd->pw_gid) != 0) { + fprintf(stderr, SD_ERR "Could not setgid(%lu): %s\n", + (unsigned long int)passwd->pw_gid, strerror(errno)); + return EXIT_NOPERMISSION; + } + if (setuid(passwd->pw_uid) != 0) { + fprintf(stderr, SD_ERR "Could not setuid(%lu): %s\n", + (unsigned long int)passwd->pw_gid, strerror(errno)); + return EXIT_NOPERMISSION; + } + + execvp(argv[2], &argv[2]); + fprintf(stderr, SD_ERR "Could not exec: %s\n", strerror(errno)); + return EXIT_FAILURE; +} diff --git a/bin/setuid.c b/bin/setuid.c deleted file mode 100644 index aa8847b..0000000 --- a/bin/setuid.c +++ /dev/null 
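Review bot: `main` in bin/nshd-setuid.c drops privileges with `setgid()` and `setuid()` only, so any supplementary groups held by the invoking process are carried into the exec'd command; before the `setgid` call the wrapper should run `if (initgroups(passwd->pw_name, passwd->pw_gid) != 0)` (with `#include <grp.h>`) and fail with `EXIT_NOPERMISSION` and an `SD_ERR` message like the neighbouring checks. Under the nshd.service unit below the caller is presumably root with an empty group list, so the practical exposure there is small, but the tool accepts an arbitrary `USERNAME COMMAND...` and should not rely on that. Separately, the `setuid` failure branch logs `passwd->pw_gid` where it should log the uid it just tried to set: `(unsigned long int)passwd->pw_uid, strerror(errno));`. The identical blob hash (`aa8847b`) on the old and new paths shows the file is moved unchanged, so both points predate this commit rather than being introduced by it.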
@@ -1,108 +0,0 @@ -/* - Copyright (C) 2006 West Consulting - Copyright (C) 2006-2015 Arthur de Jong - Copyright (C) 2015-2016 Luke Shumaker - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - 02110-1301 USA -*/ - -#include /* for dlopen(3), dlsym(3), and dlerror(3) */ -#include /* for errno */ -#include /* for getpwnam(3) */ -#include /* for printf(3) and fprintf(3) */ -#include /* for strerror(3) */ -#include /* for 'struct passwd' and 'struct group' */ -#include /* for SD_{WARNING,DEBUG} */ -#include /* for setuid(3), setgid(3), and dup2(3) */ - -#define EXIT_SUCCESS 0 -#define EXIT_FAILURE 1 -#define EXIT_INVALIDARGUMENT 2 -#define EXIT_NOPERMISSION 4 - -const char *nss_module_soname = "libnss_ldap.so.2"; -const char *nss_module_sym_version = "_nss_ldap_version"; -const char *nss_module_sym_enablelookups = "_nss_ldap_enablelookups"; - -static void disable_nss_module(void) { - char *err; - - dlerror(); - void *handle = dlopen(nss_module_soname, RTLD_LAZY | RTLD_NODELETE); - err = dlerror(); - if (handle == NULL) { - fprintf(stderr, SD_WARNING "NSS module %s not loaded: %s\n", nss_module_soname, err); - return; - } - - dlerror(); - char **version_info = dlsym(handle, nss_module_sym_version); - err = dlerror(); - if ((version_info != NULL) && (err == NULL)) { - fprintf(stderr, SD_DEBUG "NSS module %s version %s 
%s\n", nss_module_soname, - version_info[0], - version_info[1]); - } else { - fprintf(stderr, SD_WARNING "NSS module %s version missing: %s\n", nss_module_soname, err); - } - - dlerror(); - int *enable_flag = dlsym(handle, nss_module_sym_enablelookups); - err = dlerror(); - if ((enable_flag == NULL) || (err != NULL)) { - fprintf(stderr, SD_WARNING "Unable to disable NSS ldap module for nslcd process: %s\n", err); - dlclose(handle); - return; - } - *enable_flag = 0; - dlclose(handle); -} - -void usage(char *cmd) { - printf("Usage: %s USERNAME COMMAND...\n", cmd); - printf("A simple setuid(3) wrapper that runs with the `ldap' NSS module disabled\n"); -} - -int main(int argc, char *argv[]) { - if (argc < 3) { - dup2(2, 1); - usage(argv[0]); - return EXIT_INVALIDARGUMENT; - } - - disable_nss_module(); - - struct passwd *passwd = getpwnam(argv[1]); - if (passwd == NULL) { - fprintf(stderr, SD_ERR "Could not look up user: %s\n", argv[1]); - return EXIT_FAILURE; - } - - if (setgid(passwd->pw_gid) != 0) { - fprintf(stderr, SD_ERR "Could not setgid(%lu): %s\n", - (unsigned long int)passwd->pw_gid, strerror(errno)); - return EXIT_NOPERMISSION; - } - if (setuid(passwd->pw_uid) != 0) { - fprintf(stderr, SD_ERR "Could not setuid(%lu): %s\n", - (unsigned long int)passwd->pw_gid, strerror(errno)); - return EXIT_NOPERMISSION; - } - - execvp(argv[2], &argv[2]); - fprintf(stderr, SD_ERR "Could not exec: %s\n", strerror(errno)); - return EXIT_FAILURE; -} diff --git a/nshd.service.in b/nshd.service.in index 80b83a9..b560ddc 100644 --- a/nshd.service.in +++ b/nshd.service.in @@ -8,5 +8,5 @@ Type=notify # would deadlock as it tries to poll the nslcd socket to ask if it # knows who the user is. It would time out after 1 minute, but that's # still not good. -ExecStart=@bindir@/setuid @user@ @bindir@/nshd +ExecStart=@bindir@/nshd-setuid @user@ @bindir@/nshd ExecReload=/bin/kill -HUP $MAINPID -- cgit v1.2.3