* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * Based in part on code from sash, Copyright (c) 1999 by David I. Bell
+ * Based in part on code from sash, Copyright (c) 1999 by David I. Bell
* Permission has been granted to redistribute this code under the GPL.
*
*/
+#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#undef PROTOTYPES
#include "applets.h"
-#define bb_need_full_version
-#define BB_DECLARE_EXTERN
-#include "messages.c"
-
struct BB_applet *applet_using;
/* The -1 arises because of the {0,NULL,0,-1} entry above. */
const size_t NUM_APPLETS = (sizeof (applets) / sizeof (struct BB_applet) - 1);
-extern void show_usage(void)
+
+#ifdef CONFIG_FEATURE_SUID
+
+static void check_suid (struct BB_applet *app);
+
+#ifdef CONFIG_FEATURE_SUID_CONFIG
+
+#include <sys/stat.h>
+#include <ctype.h>
+#include "pwd_.h"
+#include "grp_.h"
+
+static int parse_config_file (void);
+
+static int config_ok;
+
+#define CONFIG_FILE "/etc/busybox.conf"
+
+/* applets [] is const, so we have to define this "override" structure */
+struct BB_suid_config
{
- const char *format_string;
- const char *usage_string = usage_messages;
- int i;
+ struct BB_applet *m_applet;
- for (i = applet_using - applets; i > 0; ) {
- if (!*usage_string++) {
- --i;
- }
+ uid_t m_uid;
+ gid_t m_gid;
+ mode_t m_mode;
+
+ struct BB_suid_config *m_next;
+};
+
+static struct BB_suid_config *suid_config;
+
+#endif /* CONFIG_FEATURE_SUID_CONFIG */
+
+#endif /* CONFIG_FEATURE_SUID */
+
+
+
+extern void
+bb_show_usage (void)
+{
+ const char *format_string;
+ const char *usage_string = usage_messages;
+ int i;
+
+ for (i = applet_using - applets; i > 0;) {
+ if (!*usage_string++) {
+ --i;
+ }
+ }
+
+ format_string = "%s\n\nUsage: %s %s\n\n";
+ if (*usage_string == '\b')
+ format_string = "%s\n\nNo help available.\n\n";
+ fprintf (stderr, format_string, bb_msg_full_version, applet_using->name,
+ usage_string);
+
+ exit (EXIT_FAILURE);
+}
+
+static int
+applet_name_compare (const void *x, const void *y)
+{
+ const char *name = x;
+ const struct BB_applet *applet = y;
+
+ return strcmp (name, applet->name);
+}
+
+extern const size_t NUM_APPLETS;
+
+struct BB_applet *
+find_applet_by_name (const char *name)
+{
+ return bsearch (name, applets, NUM_APPLETS, sizeof (struct BB_applet),
+ applet_name_compare);
+}
+
+void
+run_applet_by_name (const char *name, int argc, char **argv)
+{
+ static int recurse_level = 0;
+ extern int been_there_done_that; /* From busybox.c */
+
+#ifdef CONFIG_FEATURE_SUID_CONFIG
+ if (recurse_level == 0)
+ config_ok = parse_config_file ();
+#endif
+
+ recurse_level++;
+ /* Do a binary search to find the applet entry given the name. */
+ if ((applet_using = find_applet_by_name (name)) != NULL) {
+ bb_applet_name = applet_using->name;
+ if (argv[1] && strcmp (argv[1], "--help") == 0) {
+ if (strcmp (applet_using->name, "busybox") == 0) {
+ if (argv[2])
+ applet_using = find_applet_by_name (argv[2]);
+ else
+ applet_using = NULL;
+ }
+ if (applet_using)
+ bb_show_usage ();
+ been_there_done_that = 1;
+ busybox_main (0, NULL);
}
- format_string = "%s\n\nUsage: %s %s\n\n";
- if(*usage_string == 0)
- format_string = "%s\n\nNo help available.\n\n";
- fprintf(stderr, format_string,
- full_version, applet_using->name, usage_string);
- exit(EXIT_FAILURE);
+#ifdef CONFIG_FEATURE_SUID
+ check_suid (applet_using);
+#endif
+
+ exit ((*(applet_using->main)) (argc, argv));
+ }
+ /* Just in case they have renamed busybox - Check argv[1] */
+ if (recurse_level == 1) {
+ run_applet_by_name ("busybox", argc, argv);
+ }
+ recurse_level--;
}
-static int applet_name_compare(const void *x, const void *y)
+
+#ifdef CONFIG_FEATURE_SUID
+
+#ifdef CONFIG_FEATURE_SUID_CONFIG
+
+/* check if u is member of group g */
+static int
+ingroup (uid_t u, gid_t g)
{
- const char *name = x;
- const struct BB_applet *applet = y;
+ struct group *grp = getgrgid (g);
+
+ if (grp) {
+ char **mem;
+
+ for (mem = grp->gr_mem; *mem; mem++) {
+ struct passwd *pwd = getpwnam (*mem);
- return strcmp(name, applet->name);
+ if (pwd && (pwd->pw_uid == u))
+ return 1;
+ }
+ }
+ return 0;
}
-extern size_t NUM_APPLETS;
+#endif
+
-struct BB_applet *find_applet_by_name(const char *name)
+void
+check_suid (struct BB_applet *applet)
{
- return bsearch(name, applets, NUM_APPLETS, sizeof(struct BB_applet),
- applet_name_compare);
+ uid_t ruid = getuid (); /* real [ug]id */
+ uid_t rgid = getgid ();
+
+#ifdef CONFIG_FEATURE_SUID_CONFIG
+ if (config_ok) {
+ struct BB_suid_config *sct;
+
+ for (sct = suid_config; sct; sct = sct->m_next) {
+ if (sct->m_applet == applet)
+ break;
+ }
+ if (sct) {
+ mode_t m = sct->m_mode;
+
+ if (sct->m_uid == ruid) /* same uid */
+ m >>= 6;
+ else if ((sct->m_gid == rgid) || ingroup (ruid, sct->m_gid)) /* same group / in group */
+ m >>= 3;
+
+ if (!(m & S_IXOTH)) /* is x bit not set ? */
+ bb_error_msg_and_die ("You have no permission to run this applet!");
+
+ if ((sct->m_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { /* *both* have to be set for sgid */
+ if (setegid (sct->m_gid))
+ bb_error_msg_and_die
+ ("BusyBox binary has insufficient rights to set proper GID for applet!");
+ } else
+ setgid (rgid); /* no sgid -> drop */
+
+ if (sct->m_mode & S_ISUID) {
+ if (seteuid (sct->m_uid))
+ bb_error_msg_and_die
+ ("BusyBox binary has insufficient rights to set proper UID for applet!");
+ } else
+ setuid (ruid); /* no suid -> drop */
+ } else {
+ /* default: drop all priviledges */
+ setgid (rgid);
+ setuid (ruid);
+ }
+ return;
+ } else {
+#ifndef CONFIG_FEATURE_SUID_CONFIG_QUIET
+ static int onetime = 0;
+
+ if (!onetime) {
+ onetime = 1;
+ fprintf (stderr, "Using fallback suid method\n");
+ }
+#endif
+ }
+#endif
+
+ if (applet->need_suid == _BB_SUID_ALWAYS) {
+ if (geteuid () != 0)
+ bb_error_msg_and_die ("This applet requires root priviledges!");
+ } else if (applet->need_suid == _BB_SUID_NEVER) {
+ setgid (rgid); /* drop all priviledges */
+ setuid (ruid);
+ }
}
-void run_applet_by_name(const char *name, int argc, char **argv)
+#ifdef CONFIG_FEATURE_SUID_CONFIG
+
+
+#define parse_error(x) { err=x; goto pe_label; }
+
+
+int
+parse_config_file (void)
{
- /* Do a binary search to find the applet entry given the name. */
- if ((applet_using = find_applet_by_name(name)) != NULL) {
- applet_name = applet_using->name;
- if (argv[1] && strcmp(argv[1], "--help") == 0)
- show_usage();
- exit((*(applet_using->main)) (argc, argv));
+ struct stat st;
+ char *err = 0;
+ FILE *f = 0;
+ int lc = 0;
+
+ suid_config = 0;
+
+ /* is there a config file ? */
+ if (stat (CONFIG_FILE, &st) == 0) {
+ /* is it owned by root with no write perm. for group and others ? */
+ if (S_ISREG (st.st_mode) && (st.st_uid == 0)
+ && (!(st.st_mode & (S_IWGRP | S_IWOTH)))) {
+ /* that's ok .. then try to open it */
+ f = fopen (CONFIG_FILE, "r");
+
+ if (f) {
+ char buffer[256];
+ int section = 0;
+
+ while (fgets (buffer, sizeof (buffer) - 1, f)) {
+ char c = buffer[0];
+ char *p;
+
+ lc++;
+
+ p = strchr (buffer, '#');
+ if (p)
+ *p = 0;
+ p = buffer + bb_strlen (buffer);
+ while ((p > buffer) && isspace (*--p))
+ *p = 0;
+
+ if (p == buffer)
+ continue;
+
+ if (c == '[') {
+ p = strchr (buffer, ']');
+
+ if (!p || (p == (buffer + 1))) /* no matching ] or empty [] */
+ parse_error ("malformed section header");
+
+ *p = 0;
+
+ if (strcasecmp (buffer + 1, "SUID") == 0)
+ section = 1;
+ else
+ section = -1; /* unknown section - just skip */
+ } else if (section) {
+ switch (section) {
+ case 1:{ /* SUID */
+ int l;
+ struct BB_applet *applet;
+
+ p = strchr (buffer, '='); /* <key>[::space::]*=[::space::]*<value> */
+
+ if (!p || (p == (buffer + 1))) /* no = or key is empty */
+ parse_error ("malformed keyword");
+
+ l = p - buffer;
+ while (isspace (buffer[--l])) {
+ /* skip whitespace */
+ }
+
+ buffer[l + 1] = 0;
+
+ if ((applet = find_applet_by_name (buffer))) {
+ struct BB_suid_config *sct =
+ xmalloc (sizeof (struct BB_suid_config));
+
+ sct->m_applet = applet;
+ sct->m_next = suid_config;
+ suid_config = sct;
+
+ while (isspace (*++p)) {
+ /* skip whitespace */
+ }
+
+ sct->m_mode = 0;
+
+ switch (*p++) {
+ case 'S':
+ sct->m_mode |= S_ISUID;
+ break;
+ case 's':
+ sct->m_mode |= S_ISUID;
+ /* no break */
+ case 'x':
+ sct->m_mode |= S_IXUSR;
+ break;
+ case '-':
+ break;
+ default:
+ parse_error ("invalid user mode");
+ }
+
+ switch (*p++) {
+ case 's':
+ sct->m_mode |= S_ISGID;
+ /* no break */
+ case 'x':
+ sct->m_mode |= S_IXGRP;
+ break;
+ case 'S':
+ break;
+ case '-':
+ break;
+ default:
+ parse_error ("invalid group mode");
+ }
+
+ switch (*p) {
+ case 't':
+ case 'x':
+ sct->m_mode |= S_IXOTH;
+ break;
+ case 'T':
+ case '-':
+ break;
+ default:
+ parse_error ("invalid other mode");
+ }
+
+ while (isspace (*++p)) {
+ /* skip whitespace */
+ }
+
+ if (isdigit (*p)) {
+ sct->m_uid = strtol (p, &p, 10);
+ if (*p++ != '.')
+ parse_error ("parsing <uid>.<gid>");
+ } else {
+ struct passwd *pwd;
+ char *p2 = strchr (p, '.');
+
+ if (!p2)
+ parse_error ("parsing <uid>.<gid>");
+
+ *p2 = 0;
+ pwd = getpwnam (p);
+
+ if (!pwd)
+ parse_error ("invalid user name");
+
+ sct->m_uid = pwd->pw_uid;
+ p = p2 + 1;
+ }
+ if (isdigit (*p))
+ sct->m_gid = strtol (p, &p, 10);
+ else {
+ struct group *grp = getgrnam (p);
+
+ if (!grp)
+ parse_error ("invalid group name");
+
+ sct->m_gid = grp->gr_gid;
+ }
+ }
+ break;
+ }
+ default: /* unknown - skip */
+ break;
+ }
+ } else
+ parse_error ("keyword not within section");
+ }
+ fclose (f);
+ return 1;
+ }
}
+ }
+ return 0; /* no config file or not readable (not an error) */
+
+pe_label:
+ fprintf (stderr, "Parse error in %s, line %d: %s\n", CONFIG_FILE, lc, err);
+
+ if (f)
+ fclose (f);
+ return 0;
}
+#endif
+
+#endif
/* END CODE */
/*
projects / oweals / busybox.git / blobdiff