Initial revision

1 files changed, 172 insertions, 0 deletions

diff --git a/Misc/setuid-prog.c b/Misc/setuid-prog.c
new file mode 100644
index 0000000..6f25493
--- /dev/null
+++ b/Misc/setuid-prog.c
@@ -0,0 +1,172 @@
+/*
+   Template for a setuid program that calls a script.
+
+   The script should be in an unwritable directory and should itself
+   be unwritable.  In fact all parent directories up to the root
+   should be unwritable.  The script must not be setuid, that's what
+   this program is for.
+
+   This is a template program.  You need to fill in the name of the
+   script that must be executed.  This is done by changing the
+   definition of FULL_PATH below.
+
+   There are also some rules that should be adhered to when writing
+   the script itself.
+
+   The first and most important rule is to never, ever trust that the
+   user of the program will behave properly.  Program defensively.
+   Check your arguments for reasonableness.  If the user is allowed to
+   create files, check the names of the files.  If the program depends
+   on argv[0] for the action it should perform, check it.
+
+   Assuming the script is a Bourne shell script, the first line of the
+   script should be
+	#!/bin/sh -
+   The - is important, don't omit it.  If you're using esh, the first
+   line should be
+	#!/usr/local/bin/esh -f
+   and for ksh, the first line should be
+	#!/usr/local/bin/ksh -p
+   The script should then set the variable IFS to the string
+   consisting of <space>, <tab>, and <newline>.  After this (*not*
+   before!), the PATH variable should be set to a reasonable value and
+   exported.  Do not expect the PATH to have a reasonable value, so do
+   not trust the old value of PATH.  You should then set the umask of
+   the program by calling
+	umask 077 # or 022 if you want the files to be readable
+   If you plan to change directories, you should either unset CDPATH
+   or set it to a good value.  Setting CDPATH to just ``.'' (dot) is a
+   good idea.
+   If, for some reason, you want to use csh, the first line should be
+	#!/bin/csh -fb
+   You should then set the path variable to something reasonable,
+   without trusting the inherited path.  Here too, you should set the
+   umask using the command
+	umask 077 # or 022 if you want the files to be readable
+*/
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+/* CONFIGURATION SECTION */
+
+#ifndef FULL_PATH	/* so that this can be specified from the Makefile */
+#define FULL_PATH	"/full/path/of/script"
+#endif
+#ifndef UMASK
+#define UMASK		077
+#endif
+
+/* END OF CONFIGURATION SECTION */
+
+#if defined(__STDC__) && defined(__sgi)
+#define environ _environ
+#endif
+
+/* don't change def_IFS */
+char def_IFS[] = "IFS= \t\n";
+/* you may want to change def_PATH, but you should really change it in */
+/* your script */
+#ifdef __sgi
+char def_PATH[] = "PATH=/usr/bsd:/usr/bin:/bin:/usr/local/bin:/usr/sbin";
+#else
+char def_PATH[] = "PATH=/usr/ucb:/usr/bin:/bin:/usr/local/bin";
+#endif
+/* don't change def_CDPATH */
+char def_CDPATH[] = "CDPATH=.";
+/* don't change def_ENV */
+char def_ENV[] = "ENV=:";
+
+/*
+   This function changes all environment variables that start with LD_
+   into variables that start with XD_.  This is important since we
+   don't want the script that is executed to use any funny shared
+   libraries.
+
+   The other changes to the environment are, strictly speaking, not
+   needed here.  They can safely be done in the script.  They are done
+   here because we don't trust the script writer (just like the script
+   writer shouldn't trust the user of the script).
+   If IFS is set in the environment, set it to space,tab,newline.
+   If CDPATH is set in the environment, set it to ``.''.
+   Set PATH to a reasonable default.
+*/
+void
+clean_environ(void)
+{
+	char **p;
+	extern char **environ;
+
+	for (p = environ; *p; p++) {
+		if (strncmp(*p, "LD_", 3) == 0)
+			**p = 'X';
+		else if (strncmp(*p, "_RLD", 4) == 0)
+			**p = 'X';
+		else if (strncmp(*p, "IFS=", 4) == 0)
+			*p = def_IFS;
+		else if (strncmp(*p, "CDPATH=", 7) == 0)
+			*p = def_CDPATH;
+		else if (strncmp(*p, "ENV=", 4) == 0)
+			*p = def_ENV;
+	}
+	putenv(def_PATH);
+}
+
+int
+main(int argc, char **argv)
+{
+	struct stat statb;
+	gid_t egid = getegid();
+	uid_t euid = geteuid();
+
+	/*
+	   Sanity check #1.
+	   This check should be made compile-time, but that's not possible.
+	   If you're sure that you specified a full path name for FULL_PATH,
+	   you can omit this check.
+	*/
+	if (FULL_PATH[0] != '/') {
+		fprintf(stderr, "%s: %s is not a full path name\n", argv[0],
+			FULL_PATH);
+		fprintf(stderr, "Tell this program's maintainer that s\\he ");
+		fprintf(stderr, "fouled up some simple rules\n");
+		fprintf(stderr, "pretty badly.\n");
+		exit(1);
+	}
+
+	/*
+	   Sanity check #2.
+	   Check that the owner of the script is equal to either the
+	   effective uid or the super user.
+	*/
+	if (stat(FULL_PATH, &statb) < 0) {
+		perror("stat");
+		exit(1);
+	}
+	if (statb.st_uid != 0 && statb.st_uid != euid) {
+		fprintf(stderr, "%s: %s has the wrong owner\n", argv[0],
+			FULL_PATH);
+		fprintf(stderr, "Tell this program's maintainer that the ");
+		fprintf(stderr, "script should be owned by him/herself or the\n");
+		fprintf(stderr, "superuser.\n");
+		exit(1);
+	}
+
+	if (setregid(egid, egid) < 0)
+		perror("setregid");
+	if (setreuid(euid, euid) < 0)
+		perror("setreuid");
+
+	clean_environ();
+
+	umask(UMASK);
+
+	while (**argv == '-')	/* don't let argv[0] start with '-' */
+		(*argv)++;
+	execv(FULL_PATH, argv);
+	fprintf(stderr, "%s: could not execute the script\n", argv[0]);
+	exit(1);
+}