diff options
Diffstat (limited to 'Misc/setuid-prog.c')
-rw-r--r-- | Misc/setuid-prog.c | 176 |
1 files changed, 0 insertions, 176 deletions
diff --git a/Misc/setuid-prog.c b/Misc/setuid-prog.c deleted file mode 100644 index 3785d99..0000000 --- a/Misc/setuid-prog.c +++ /dev/null @@ -1,176 +0,0 @@ -/* - Template for a setuid program that calls a script. - - The script should be in an unwritable directory and should itself - be unwritable. In fact all parent directories up to the root - should be unwritable. The script must not be setuid, that's what - this program is for. - - This is a template program. You need to fill in the name of the - script that must be executed. This is done by changing the - definition of FULL_PATH below. - - There are also some rules that should be adhered to when writing - the script itself. - - The first and most important rule is to never, ever trust that the - user of the program will behave properly. Program defensively. - Check your arguments for reasonableness. If the user is allowed to - create files, check the names of the files. If the program depends - on argv[0] for the action it should perform, check it. - - Assuming the script is a Bourne shell script, the first line of the - script should be - #!/bin/sh - - The - is important, don't omit it. If you're using esh, the first - line should be - #!/usr/local/bin/esh -f - and for ksh, the first line should be - #!/usr/local/bin/ksh -p - The script should then set the variable IFS to the string - consisting of <space>, <tab>, and <newline>. After this (*not* - before!), the PATH variable should be set to a reasonable value and - exported. Do not expect the PATH to have a reasonable value, so do - not trust the old value of PATH. You should then set the umask of - the program by calling - umask 077 # or 022 if you want the files to be readable - If you plan to change directories, you should either unset CDPATH - or set it to a good value. Setting CDPATH to just ``.'' (dot) is a - good idea. - If, for some reason, you want to use csh, the first line should be - #!/bin/csh -fb - You should then set the path variable to something reasonable, - without trusting the inherited path. Here too, you should set the - umask using the command - umask 077 # or 022 if you want the files to be readable -*/ - -#include <unistd.h> -#include <stdlib.h> -#include <stdio.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <string.h> - -/* CONFIGURATION SECTION */ - -#ifndef FULL_PATH /* so that this can be specified from the Makefile */ -/* Uncomment the following line: -#define FULL_PATH "/full/path/of/script" -* Then comment out the #error line. */ -#error "You must define FULL_PATH somewhere" -#endif -#ifndef UMASK -#define UMASK 077 -#endif - -/* END OF CONFIGURATION SECTION */ - -#if defined(__STDC__) && defined(__sgi) -#define environ _environ -#endif - -/* don't change def_IFS */ -char def_IFS[] = "IFS= \t\n"; -/* you may want to change def_PATH, but you should really change it in */ -/* your script */ -#ifdef __sgi -char def_PATH[] = "PATH=/usr/bsd:/usr/bin:/bin:/usr/local/bin:/usr/sbin"; -#else -char def_PATH[] = "PATH=/usr/ucb:/usr/bin:/bin:/usr/local/bin"; -#endif -/* don't change def_CDPATH */ -char def_CDPATH[] = "CDPATH=."; -/* don't change def_ENV */ -char def_ENV[] = "ENV=:"; - -/* - This function changes all environment variables that start with LD_ - into variables that start with XD_. This is important since we - don't want the script that is executed to use any funny shared - libraries. - - The other changes to the environment are, strictly speaking, not - needed here. They can safely be done in the script. They are done - here because we don't trust the script writer (just like the script - writer shouldn't trust the user of the script). - If IFS is set in the environment, set it to space,tab,newline. - If CDPATH is set in the environment, set it to ``.''. - Set PATH to a reasonable default. -*/ -void -clean_environ(void) -{ - char **p; - extern char **environ; - - for (p = environ; *p; p++) { - if (strncmp(*p, "LD_", 3) == 0) - **p = 'X'; - else if (strncmp(*p, "_RLD", 4) == 0) - **p = 'X'; - else if (strncmp(*p, "PYTHON", 6) == 0) - **p = 'X'; - else if (strncmp(*p, "IFS=", 4) == 0) - *p = def_IFS; - else if (strncmp(*p, "CDPATH=", 7) == 0) - *p = def_CDPATH; - else if (strncmp(*p, "ENV=", 4) == 0) - *p = def_ENV; - } - putenv(def_PATH); -} - -int -main(int argc, char **argv) -{ - struct stat statb; - gid_t egid = getegid(); - uid_t euid = geteuid(); - - /* - Sanity check #1. - This check should be made compile-time, but that's not possible. - If you're sure that you specified a full path name for FULL_PATH, - you can omit this check. - */ - if (FULL_PATH[0] != '/') { - fprintf(stderr, "%s: %s is not a full path name\n", argv[0], - FULL_PATH); - fprintf(stderr, "You can only use this wrapper if you\n"); - fprintf(stderr, "compile it with an absolute path.\n"); - exit(1); - } - - /* - Sanity check #2. - Check that the owner of the script is equal to either the - effective uid or the super user. - */ - if (stat(FULL_PATH, &statb) < 0) { - perror("stat"); - exit(1); - } - if (statb.st_uid != 0 && statb.st_uid != euid) { - fprintf(stderr, "%s: %s has the wrong owner\n", argv[0], - FULL_PATH); - fprintf(stderr, "The script should be owned by root,\n"); - fprintf(stderr, "and shouldn't be writable by anyone.\n"); - exit(1); - } - - if (setregid(egid, egid) < 0) - perror("setregid"); - if (setreuid(euid, euid) < 0) - perror("setreuid"); - - clean_environ(); - - umask(UMASK); - - while (**argv == '-') /* don't let argv[0] start with '-' */ - (*argv)++; - execv(FULL_PATH, argv); - fprintf(stderr, "%s: could not execute the script\n", argv[0]); - exit(1); -} |