chiark / gitweb /
execute: implement privilige dropping properly
authorLennart Poettering <lennart@poettering.net>
Sun, 14 Feb 2010 21:43:08 +0000 (22:43 +0100)
committerLennart Poettering <lennart@poettering.net>
Sun, 14 Feb 2010 21:43:08 +0000 (22:43 +0100)
execute.c
execute.h
load-fragment.c
service.c
service.h
socket.c

index 4c6aa4e..bdb0f92 100644 (file)
--- a/execute.c
+++ b/execute.c
@@ -32,6 +32,8 @@
 #include <linux/sched.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <grp.h>
+#include <pwd.h>
 
 #include "execute.h"
 #include "strv.h"
@@ -293,7 +295,217 @@ static int setup_input(const ExecContext *context) {
         }
 }
 
-int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, unsigned n_fds, pid_t *ret) {
+static int get_group_creds(const char *groupname, gid_t *gid) {
+        struct group *g;
+        unsigned long lu;
+
+        assert(groupname);
+        assert(gid);
+
+        /* We enforce some special rules for gid=0: in order to avoid
+         * NSS lookups for root we hardcode its data. */
+
+        if (streq(groupname, "root") || streq(groupname, "0")) {
+                *gid = 0;
+                return 0;
+        }
+
+        if (safe_atolu(groupname, &lu) >= 0) {
+                errno = 0;
+                g = getgrgid((gid_t) lu);
+        } else {
+                errno = 0;
+                g = getgrnam(groupname);
+        }
+
+        if (!g)
+                return errno != 0 ? -errno : -ESRCH;
+
+        *gid = g->gr_gid;
+        return 0;
+}
+
+static int get_user_creds(const char **username, uid_t *uid, gid_t *gid, const char **home) {
+        struct passwd *p;
+        unsigned long lu;
+
+        assert(username);
+        assert(*username);
+        assert(uid);
+        assert(gid);
+        assert(home);
+
+        /* We enforce some special rules for uid=0: in order to avoid
+         * NSS lookups for root we hardcode its data. */
+
+        if (streq(*username, "root") || streq(*username, "0")) {
+                *username = "root";
+                *uid = 0;
+                *gid = 0;
+                *home = "/root";
+                return 0;
+        }
+
+        if (safe_atolu(*username, &lu) >= 0) {
+                errno = 0;
+                p = getpwuid((uid_t) lu);
+
+                /* If there are multiple users with the same id, make
+                 * sure to leave $USER to the configured value instead
+                 * of the first occurence in the database. However if
+                 * the uid was configured by a numeric uid, then let's
+                 * pick the real username from /etc/passwd. */
+                if (*username && p)
+                        *username = p->pw_name;
+        } else {
+                errno = 0;
+                p = getpwnam(*username);
+        }
+
+        if (!p)
+                return errno != 0 ? -errno : -ESRCH;
+
+        *uid = p->pw_uid;
+        *gid = p->pw_gid;
+        *home = p->pw_dir;
+        return 0;
+}
+
+static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
+        bool keep_groups = false;
+        int r;
+
+        assert(context);
+
+        /* Lookup and ser GID and supplementary group list. Here too
+         * we avoid NSS lookups for gid=0. */
+
+        if (context->group || username) {
+
+                if (context->group)
+                        if ((r = get_group_creds(context->group, &gid)) < 0)
+                                return r;
+
+                /* First step, initialize groups from /etc/groups */
+                if (username && gid != 0) {
+                        if (initgroups(username, gid) < 0)
+                                return -errno;
+
+                        keep_groups = true;
+                }
+
+                /* Second step, set our gids */
+                if (setresgid(gid, gid, gid) < 0)
+                        return -errno;
+        }
+
+        if (context->supplementary_groups) {
+                int ngroups_max, k;
+                gid_t *gids;
+                char **i;
+
+                /* Final step, initialize any manually set supplementary groups */
+                ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
+
+                if (!(gids = new(gid_t, ngroups_max)))
+                        return -ENOMEM;
+
+                if (keep_groups) {
+                        if ((k = getgroups(ngroups_max, gids)) < 0) {
+                                free(gids);
+                                return -errno;
+                        }
+                } else
+                        k = 0;
+
+                STRV_FOREACH(i, context->supplementary_groups) {
+
+                        if (k >= ngroups_max) {
+                                free(gids);
+                                return -E2BIG;
+                        }
+
+                        if ((r = get_group_creds(*i, gids+k)) < 0) {
+                                free(gids);
+                                return r;
+                        }
+
+                        k++;
+                }
+
+                if (setgroups(k, gids) < 0) {
+                        free(gids);
+                        return -errno;
+                }
+
+                free(gids);
+        }
+
+        return 0;
+}
+
+static int enforce_user(const ExecContext *context, uid_t uid) {
+        int r;
+        assert(context);
+
+        /* Sets (but doesn't lookup) the uid and make sure we keep the
+         * capabilities while doing so. */
+
+        if (context->capabilities) {
+                cap_t d;
+                static const cap_value_t bits[] = {
+                        CAP_SETUID,   /* Necessary so that we can run setresuid() below */
+                        CAP_SETPCAP   /* Necessary so that we can set PR_SET_SECUREBITS later on */
+                };
+
+                /* First step: If we need to keep capabilities but
+                 * drop privileges we need to make sure we keep our
+                 * caps, whiel we drop priviliges. */
+                if (uid != 0)
+                        if (prctl(PR_SET_SECUREBITS, context->secure_bits|SECURE_KEEP_CAPS) < 0)
+                                return -errno;
+
+                /* Second step: set the capabilites. This will reduce
+                 * the capabilities to the minimum we need. */
+
+                if (!(d = cap_dup(context->capabilities)))
+                        return -errno;
+
+                if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
+                    cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
+                        r = -errno;
+                        cap_free(d);
+                        return r;
+                }
+
+                if (cap_set_proc(d) < 0) {
+                        r = -errno;
+                        cap_free(d);
+                        return r;
+                }
+
+                cap_free(d);
+        }
+
+        /* Third step: actually set the uids */
+        if (setresuid(uid, uid, uid) < 0)
+                return -errno;
+
+        /* At this point we should have all necessary capabilities but
+           are otherwise a normal user. However, the caps might got
+           corrupted due to the setresuid() so we need clean them up
+           later. This is done outside of this call. */
+
+        return 0;
+}
+
+int exec_spawn(const ExecCommand *command,
+               const ExecContext *context,
+               int *fds, unsigned n_fds,
+               bool apply_permissions,
+               bool apply_chroot,
+               pid_t *ret) {
+
         pid_t pid;
 
         assert(command);
@@ -301,15 +513,19 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds,
         assert(ret);
         assert(fds || n_fds <= 0);
 
-        log_debug("about to execute %s", command->path);
+        log_debug("About to execute %s", command->path);
 
         if ((pid = fork()) < 0)
                 return -errno;
 
         if (pid == 0) {
-                char **e, **f = NULL;
                 int i, r;
                 sigset_t ss;
+                const char *username = NULL, *home = NULL;
+                uid_t uid = (uid_t) -1;
+                gid_t gid = (gid_t) -1;
+                char **our_env = NULL, **final_env = NULL;
+                unsigned n_env = 0;
 
                 /* child */
 
@@ -348,17 +564,6 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds,
                         }
                 }
 
-                if (context->root_directory)
-                        if (chroot(context->root_directory) < 0) {
-                                r = EXIT_CHROOT;
-                                goto fail;
-                        }
-
-                if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
-                        r = EXIT_CHDIR;
-                        goto fail;
-                }
-
                 if (context->nice_set)
                         if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
                                 r = EXIT_NICE;
@@ -396,6 +601,51 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds,
                                 goto fail;
                         }
 
+                if (context->user) {
+                        username = context->user;
+                        if (get_user_creds(&username, &uid, &gid, &home) < 0) {
+                                r = EXIT_USER;
+                                goto fail;
+                        }
+                }
+
+                if (apply_permissions)
+                        if (enforce_groups(context, username, uid) < 0) {
+                                r = EXIT_GROUP;
+                                goto fail;
+                        }
+
+                if (apply_chroot) {
+                        if (context->root_directory)
+                                if (chroot(context->root_directory) < 0) {
+                                        r = EXIT_CHROOT;
+                                        goto fail;
+                                }
+
+                        if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
+                                r = EXIT_CHDIR;
+                                goto fail;
+                        }
+                } else {
+
+                        char *d;
+
+                        if (asprintf(&d, "%s/%s",
+                                     context->root_directory ? context->root_directory : "",
+                                     context->working_directory ? context->working_directory : "") < 0) {
+                                r = EXIT_MEMORY;
+                                goto fail;
+                        }
+
+                        if (chdir(d) < 0) {
+                                free(d);
+                                r = EXIT_CHDIR;
+                                goto fail;
+                        }
+
+                        free(d);
+                }
+
                 if (close_fds(fds, n_fds) < 0 ||
                     shift_fds(fds, n_fds) < 0 ||
                     flags_fds(fds, n_fds, context->non_blocking) < 0) {
@@ -403,59 +653,78 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds,
                         goto fail;
                 }
 
-                for (i = 0; i < RLIMIT_NLIMITS; i++) {
-                        if (!context->rlimit[i])
-                                continue;
+                if (apply_permissions) {
 
-                        if (setrlimit(i, context->rlimit[i]) < 0) {
-                                r = EXIT_LIMITS;
-                                goto fail;
+                        for (i = 0; i < RLIMIT_NLIMITS; i++) {
+                                if (!context->rlimit[i])
+                                        continue;
+
+                                if (setrlimit(i, context->rlimit[i]) < 0) {
+                                        r = EXIT_LIMITS;
+                                        goto fail;
+                                }
                         }
-                }
 
-                if (context->secure_bits) {
+                        if (context->user)
+                                if (enforce_user(context, uid) < 0) {
+                                        r = EXIT_USER;
+                                        goto fail;
+                                }
+
                         if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
                                 r = EXIT_SECUREBITS;
                                 goto fail;
                         }
+
+                        if (context->capabilities)
+                                if (cap_set_proc(context->capabilities) < 0) {
+                                        r = EXIT_CAPABILITIES;
+                                        goto fail;
+                                }
                 }
 
-                if (n_fds > 0) {
-                        char a[64], b[64];
-                        char *listen_env[3] = {
-                                a,
-                                b,
-                                NULL
-                        };
+                if (!(our_env = new0(char*, 6))) {
+                        r = EXIT_MEMORY;
+                        goto fail;
+                }
 
-                        snprintf(a, sizeof(a), "LISTEN_PID=%llu", (unsigned long long) getpid());
-                        snprintf(b, sizeof(b), "LISTEN_FDS=%u", n_fds);
+                if (n_fds > 0)
+                        if (asprintf(our_env + n_env++, "LISTEN_PID=%llu", (unsigned long long) getpid()) < 0 ||
+                            asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
+                                r = EXIT_MEMORY;
+                                goto fail;
+                        }
 
-                        a[sizeof(a)-1] = 0;
-                        b[sizeof(b)-1] = 0;
+                if (home)
+                        if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
+                                r = EXIT_MEMORY;
+                                goto fail;
+                        }
 
-                        if (context->environment) {
-                                if (!(f = strv_merge(listen_env, context->environment))) {
-                                        r = EXIT_MEMORY;
-                                        goto fail;
-                                }
-                                e = f;
-                        } else
-                                e = listen_env;
+                if (username)
+                        if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
+                            asprintf(our_env + n_env++, "USER=%s", username) < 0) {
+                                r = EXIT_MEMORY;
+                                goto fail;
+                        }
 
-                } else
-                        e = context->environment;
+                if (!(final_env = strv_env_merge(environ, our_env, context->environment, NULL))) {
+                        r = EXIT_MEMORY;
+                        goto fail;
+                }
 
-                execve(command->path, command->argv, e);
+                execve(command->path, command->argv, final_env);
                 r = EXIT_EXEC;
 
         fail:
-                strv_free(f);
+                strv_free(our_env);
+                strv_free(final_env);
+
                 _exit(r);
         }
 
 
-        log_debug("executed %s as %llu", command->path, (unsigned long long) pid);
+        log_debug("Forked %s as %llu", command->path, (unsigned long long) pid);
 
         *ret = pid;
         return 0;
index 3e33210..d64111b 100644 (file)
--- a/execute.h
+++ b/execute.h
@@ -97,7 +97,6 @@ struct ExecContext {
         int syslog_priority;
         char *syslog_identifier;
 
-        /* FIXME: all privs related settings need to be enforced */
         cap_t capabilities;
         int secure_bits;
         uint64_t capability_bounding_set_drop;
@@ -137,16 +136,24 @@ typedef enum ExitStatus {
         EXIT_SIGNAL_MASK,
         EXIT_INPUT,
         EXIT_OUTPUT,
-        EXIT_CHROOT,
+        EXIT_CHROOT,   /* 210 */
         EXIT_PGID,
         EXIT_IOPRIO,
         EXIT_TIMERSLACK,
         EXIT_SECUREBITS,
         EXIT_SETSCHEDULER,
-        EXIT_CPUAFFINITY
+        EXIT_CPUAFFINITY,
+        EXIT_GROUP,
+        EXIT_USER,
+        EXIT_CAPABILITIES
 } ExitStatus;
 
-int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, unsigned n_fds, pid_t *ret);
+int exec_spawn(const ExecCommand *command,
+               const ExecContext *context,
+               int *fds, unsigned n_fds,
+               bool apply_permissions,
+               bool apply_chroot,
+               pid_t *ret);
 
 void exec_command_free_list(ExecCommand *c);
 void exec_command_free_array(ExecCommand **c, unsigned n);
index e002bf5..1e98004 100644 (file)
@@ -1094,6 +1094,8 @@ static int load_from_path(Unit *u, const char *path) {
                 { "TimeoutSec",             config_parse_usec,            &u->service.timeout_usec,                        "Service" },
                 { "Type",                   config_parse_service_type,    &u->service,                                     "Service" },
                 { "Restart",                config_parse_service_restart, &u->service,                                     "Service" },
+                { "PermissionsStartOnly",   config_parse_bool,            &u->service.permissions_start_only,              "Service" },
+                { "RootDirectoryStartOnly", config_parse_bool,            &u->service.root_directory_start_only,           "Service" },
                 EXEC_CONTEXT_CONFIG_ITEMS(u->service.exec_context, "Service"),
 
                 { "ListenStream",           config_parse_listen,          &u->socket,                                      "Socket"  },
@@ -1250,7 +1252,9 @@ int unit_load_fragment(Unit *u) {
                 else
                         c = NULL;
 
-                if (c && (c->output == EXEC_OUTPUT_KERNEL || c->output == EXEC_OUTPUT_SYSLOG)) {
+                if (c &&
+                    (c->output == EXEC_OUTPUT_KERNEL || c->output == EXEC_OUTPUT_SYSLOG) &&
+                    u->meta.manager->running_as != MANAGER_SESSION) {
                         int k;
 
                         /* If syslog or kernel logging is requested, make sure
index a983e0d..ca6e045 100644 (file)
--- a/service.c
+++ b/service.c
@@ -557,6 +557,8 @@ static int service_init(Unit *u) {
         s->state = SERVICE_DEAD;
 
         s->sysv_start_priority = -1;
+        s->permissions_start_only = false;
+        s->root_directory_start_only = false;
 
         RATELIMIT_INIT(s->ratelimit, 10*USEC_PER_SEC, 5);
 
@@ -595,8 +597,12 @@ static void service_dump(Unit *u, FILE *f, const char *prefix) {
         prefix2 = p2 ? p2 : prefix;
 
         fprintf(f,
-                "%sService State: %s\n",
-                prefix, service_state_to_string(s->state));
+                "%sService State: %s\n"
+                "%sPermissionsStartOnly: %s\n"
+                "%sRootDirectoryStartOnly: %s\n",
+                prefix, service_state_to_string(s->state),
+                prefix, yes_no(s->permissions_start_only),
+                prefix, yes_no(s->root_directory_start_only));
 
         if (s->pid_file)
                 fprintf(f,
@@ -859,7 +865,15 @@ fail:
         return r;
 }
 
-static int service_spawn(Service *s, ExecCommand *c, bool timeout, bool pass_fds, pid_t *_pid) {
+static int service_spawn(
+                Service *s,
+                ExecCommand *c,
+                bool timeout,
+                bool pass_fds,
+                bool apply_permissions,
+                bool apply_chroot,
+                pid_t *_pid) {
+
         pid_t pid;
         int r;
         int *fds = NULL;
@@ -879,7 +893,12 @@ static int service_spawn(Service *s, ExecCommand *c, bool timeout, bool pass_fds
         } else
                 unit_unwatch_timer(UNIT(s), &s->timer_watch);
 
-        if ((r = exec_spawn(c, &s->exec_context, fds, n_fds, &pid)) < 0)
+        if ((r = exec_spawn(c,
+                            &s->exec_context,
+                            fds, n_fds,
+                            apply_permissions,
+                            apply_chroot,
+                            &pid)) < 0)
                 goto fail;
 
         if ((r = unit_watch_pid(UNIT(s), pid)) < 0)
@@ -935,7 +954,13 @@ static void service_enter_stop_post(Service *s, bool success) {
                 s->failure = true;
 
         if ((s->control_command = s->exec_command[SERVICE_EXEC_STOP_POST]))
-                if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0)
+                if ((r = service_spawn(s,
+                                       s->control_command,
+                                       true,
+                                       false,
+                                       !s->permissions_start_only,
+                                       !s->root_directory_start_only,
+                                       &s->control_pid)) < 0)
                         goto fail;
 
 
@@ -1011,7 +1036,13 @@ static void service_enter_stop(Service *s, bool success) {
                 s->failure = true;
 
         if ((s->control_command = s->exec_command[SERVICE_EXEC_STOP]))
-                if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0)
+                if ((r = service_spawn(s,
+                                       s->control_command,
+                                       true,
+                                       false,
+                                       !s->permissions_start_only,
+                                       !s->root_directory_start_only,
+                                       &s->control_pid)) < 0)
                         goto fail;
 
         service_set_state(s, SERVICE_STOP);
@@ -1031,7 +1062,13 @@ static void service_enter_start_post(Service *s) {
         assert(s);
 
         if ((s->control_command = s->exec_command[SERVICE_EXEC_START_POST]))
-                if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0)
+                if ((r = service_spawn(s,
+                                       s->control_command,
+                                       true,
+                                       false,
+                                       !s->permissions_start_only,
+                                       !s->root_directory_start_only,
+                                       &s->control_pid)) < 0)
                         goto fail;
 
 
@@ -1056,7 +1093,13 @@ static void service_enter_start(Service *s) {
         assert(s->exec_command[SERVICE_EXEC_START]);
         assert(!s->exec_command[SERVICE_EXEC_START]->command_next);
 
-        if ((r = service_spawn(s, s->exec_command[SERVICE_EXEC_START], s->type == SERVICE_FORKING, true, &pid)) < 0)
+        if ((r = service_spawn(s,
+                               s->exec_command[SERVICE_EXEC_START],
+                               s->type == SERVICE_FORKING,
+                               true,
+                               true,
+                               true,
+                               &pid)) < 0)
                 goto fail;
 
         service_set_state(s, SERVICE_START);
@@ -1099,7 +1142,13 @@ static void service_enter_start_pre(Service *s) {
         assert(s);
 
         if ((s->control_command = s->exec_command[SERVICE_EXEC_START_PRE]))
-                if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0)
+                if ((r = service_spawn(s,
+                                       s->control_command,
+                                       true,
+                                       false,
+                                       !s->permissions_start_only,
+                                       !s->root_directory_start_only,
+                                       &s->control_pid)) < 0)
                         goto fail;
 
         service_set_state(s, SERVICE_START_PRE);
@@ -1137,7 +1186,13 @@ static void service_enter_reload(Service *s) {
         assert(s);
 
         if ((s->control_command = s->exec_command[SERVICE_EXEC_RELOAD]))
-                if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0)
+                if ((r = service_spawn(s,
+                                       s->control_command,
+                                       true,
+                                       false,
+                                       !s->permissions_start_only,
+                                       !s->root_directory_start_only,
+                                       &s->control_pid)) < 0)
                         goto fail;
 
         service_set_state(s, SERVICE_RELOAD);
@@ -1164,7 +1219,13 @@ static void service_run_next(Service *s, bool success) {
 
         s->control_command = s->control_command->command_next;
 
-        if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0)
+        if ((r = service_spawn(s,
+                               s->control_command,
+                               true,
+                               false,
+                               !s->permissions_start_only,
+                               !s->root_directory_start_only,
+                               &s->control_pid)) < 0)
                 goto fail;
 
         return;
index 0c0850a..632e5ea 100644 (file)
--- a/service.h
+++ b/service.h
@@ -88,6 +88,9 @@ struct Service {
         ExecCommand* exec_command[_SERVICE_EXEC_MAX];
         ExecContext exec_context;
 
+        bool permissions_start_only;
+        bool root_directory_start_only;
+
         ServiceState state;
 
         ExecStatus main_exec_status;
index b979e58..aec0d39 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -394,7 +394,7 @@ static int socket_spawn(Socket *s, ExecCommand *c, bool timeout, pid_t *_pid) {
         } else
                 unit_unwatch_timer(UNIT(s), &s->timer_watch);
 
-        if ((r = exec_spawn(c, &s->exec_context, NULL, 0, &pid)) < 0)
+        if ((r = exec_spawn(c, &s->exec_context, NULL, 0, true, true, &pid)) < 0)
                 goto fail;
 
         if ((r = unit_watch_pid(UNIT(s), pid)) < 0)