From: Lennart Poettering Date: Sun, 14 Feb 2010 21:43:08 +0000 (+0100) Subject: execute: implement privilige dropping properly X-Git-Tag: v1~687 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=81a2b7ceda7100fbc0dd8ce423b9599e03656851 execute: implement privilige dropping properly --- diff --git a/execute.c b/execute.c index 4c6aa4eea..bdb0f9217 100644 --- a/execute.c +++ b/execute.c @@ -32,6 +32,8 @@ #include #include #include +#include +#include #include "execute.h" #include "strv.h" @@ -293,7 +295,217 @@ static int setup_input(const ExecContext *context) { } } -int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, unsigned n_fds, pid_t *ret) { +static int get_group_creds(const char *groupname, gid_t *gid) { + struct group *g; + unsigned long lu; + + assert(groupname); + assert(gid); + + /* We enforce some special rules for gid=0: in order to avoid + * NSS lookups for root we hardcode its data. */ + + if (streq(groupname, "root") || streq(groupname, "0")) { + *gid = 0; + return 0; + } + + if (safe_atolu(groupname, &lu) >= 0) { + errno = 0; + g = getgrgid((gid_t) lu); + } else { + errno = 0; + g = getgrnam(groupname); + } + + if (!g) + return errno != 0 ? -errno : -ESRCH; + + *gid = g->gr_gid; + return 0; +} + +static int get_user_creds(const char **username, uid_t *uid, gid_t *gid, const char **home) { + struct passwd *p; + unsigned long lu; + + assert(username); + assert(*username); + assert(uid); + assert(gid); + assert(home); + + /* We enforce some special rules for uid=0: in order to avoid + * NSS lookups for root we hardcode its data. */ + + if (streq(*username, "root") || streq(*username, "0")) { + *username = "root"; + *uid = 0; + *gid = 0; + *home = "/root"; + return 0; + } + + if (safe_atolu(*username, &lu) >= 0) { + errno = 0; + p = getpwuid((uid_t) lu); + + /* If there are multiple users with the same id, make + * sure to leave $USER to the configured value instead + * of the first occurence in the database. However if + * the uid was configured by a numeric uid, then let's + * pick the real username from /etc/passwd. */ + if (*username && p) + *username = p->pw_name; + } else { + errno = 0; + p = getpwnam(*username); + } + + if (!p) + return errno != 0 ? -errno : -ESRCH; + + *uid = p->pw_uid; + *gid = p->pw_gid; + *home = p->pw_dir; + return 0; +} + +static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) { + bool keep_groups = false; + int r; + + assert(context); + + /* Lookup and ser GID and supplementary group list. Here too + * we avoid NSS lookups for gid=0. */ + + if (context->group || username) { + + if (context->group) + if ((r = get_group_creds(context->group, &gid)) < 0) + return r; + + /* First step, initialize groups from /etc/groups */ + if (username && gid != 0) { + if (initgroups(username, gid) < 0) + return -errno; + + keep_groups = true; + } + + /* Second step, set our gids */ + if (setresgid(gid, gid, gid) < 0) + return -errno; + } + + if (context->supplementary_groups) { + int ngroups_max, k; + gid_t *gids; + char **i; + + /* Final step, initialize any manually set supplementary groups */ + ngroups_max = (int) sysconf(_SC_NGROUPS_MAX); + + if (!(gids = new(gid_t, ngroups_max))) + return -ENOMEM; + + if (keep_groups) { + if ((k = getgroups(ngroups_max, gids)) < 0) { + free(gids); + return -errno; + } + } else + k = 0; + + STRV_FOREACH(i, context->supplementary_groups) { + + if (k >= ngroups_max) { + free(gids); + return -E2BIG; + } + + if ((r = get_group_creds(*i, gids+k)) < 0) { + free(gids); + return r; + } + + k++; + } + + if (setgroups(k, gids) < 0) { + free(gids); + return -errno; + } + + free(gids); + } + + return 0; +} + +static int enforce_user(const ExecContext *context, uid_t uid) { + int r; + assert(context); + + /* Sets (but doesn't lookup) the uid and make sure we keep the + * capabilities while doing so. */ + + if (context->capabilities) { + cap_t d; + static const cap_value_t bits[] = { + CAP_SETUID, /* Necessary so that we can run setresuid() below */ + CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */ + }; + + /* First step: If we need to keep capabilities but + * drop privileges we need to make sure we keep our + * caps, whiel we drop priviliges. */ + if (uid != 0) + if (prctl(PR_SET_SECUREBITS, context->secure_bits|SECURE_KEEP_CAPS) < 0) + return -errno; + + /* Second step: set the capabilites. This will reduce + * the capabilities to the minimum we need. */ + + if (!(d = cap_dup(context->capabilities))) + return -errno; + + if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 || + cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) { + r = -errno; + cap_free(d); + return r; + } + + if (cap_set_proc(d) < 0) { + r = -errno; + cap_free(d); + return r; + } + + cap_free(d); + } + + /* Third step: actually set the uids */ + if (setresuid(uid, uid, uid) < 0) + return -errno; + + /* At this point we should have all necessary capabilities but + are otherwise a normal user. However, the caps might got + corrupted due to the setresuid() so we need clean them up + later. This is done outside of this call. */ + + return 0; +} + +int exec_spawn(const ExecCommand *command, + const ExecContext *context, + int *fds, unsigned n_fds, + bool apply_permissions, + bool apply_chroot, + pid_t *ret) { + pid_t pid; assert(command); @@ -301,15 +513,19 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, assert(ret); assert(fds || n_fds <= 0); - log_debug("about to execute %s", command->path); + log_debug("About to execute %s", command->path); if ((pid = fork()) < 0) return -errno; if (pid == 0) { - char **e, **f = NULL; int i, r; sigset_t ss; + const char *username = NULL, *home = NULL; + uid_t uid = (uid_t) -1; + gid_t gid = (gid_t) -1; + char **our_env = NULL, **final_env = NULL; + unsigned n_env = 0; /* child */ @@ -348,17 +564,6 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, } } - if (context->root_directory) - if (chroot(context->root_directory) < 0) { - r = EXIT_CHROOT; - goto fail; - } - - if (chdir(context->working_directory ? context->working_directory : "/") < 0) { - r = EXIT_CHDIR; - goto fail; - } - if (context->nice_set) if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) { r = EXIT_NICE; @@ -396,6 +601,51 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, goto fail; } + if (context->user) { + username = context->user; + if (get_user_creds(&username, &uid, &gid, &home) < 0) { + r = EXIT_USER; + goto fail; + } + } + + if (apply_permissions) + if (enforce_groups(context, username, uid) < 0) { + r = EXIT_GROUP; + goto fail; + } + + if (apply_chroot) { + if (context->root_directory) + if (chroot(context->root_directory) < 0) { + r = EXIT_CHROOT; + goto fail; + } + + if (chdir(context->working_directory ? context->working_directory : "/") < 0) { + r = EXIT_CHDIR; + goto fail; + } + } else { + + char *d; + + if (asprintf(&d, "%s/%s", + context->root_directory ? context->root_directory : "", + context->working_directory ? context->working_directory : "") < 0) { + r = EXIT_MEMORY; + goto fail; + } + + if (chdir(d) < 0) { + free(d); + r = EXIT_CHDIR; + goto fail; + } + + free(d); + } + if (close_fds(fds, n_fds) < 0 || shift_fds(fds, n_fds) < 0 || flags_fds(fds, n_fds, context->non_blocking) < 0) { @@ -403,59 +653,78 @@ int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, goto fail; } - for (i = 0; i < RLIMIT_NLIMITS; i++) { - if (!context->rlimit[i]) - continue; + if (apply_permissions) { - if (setrlimit(i, context->rlimit[i]) < 0) { - r = EXIT_LIMITS; - goto fail; + for (i = 0; i < RLIMIT_NLIMITS; i++) { + if (!context->rlimit[i]) + continue; + + if (setrlimit(i, context->rlimit[i]) < 0) { + r = EXIT_LIMITS; + goto fail; + } } - } - if (context->secure_bits) { + if (context->user) + if (enforce_user(context, uid) < 0) { + r = EXIT_USER; + goto fail; + } + if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) { r = EXIT_SECUREBITS; goto fail; } + + if (context->capabilities) + if (cap_set_proc(context->capabilities) < 0) { + r = EXIT_CAPABILITIES; + goto fail; + } } - if (n_fds > 0) { - char a[64], b[64]; - char *listen_env[3] = { - a, - b, - NULL - }; + if (!(our_env = new0(char*, 6))) { + r = EXIT_MEMORY; + goto fail; + } - snprintf(a, sizeof(a), "LISTEN_PID=%llu", (unsigned long long) getpid()); - snprintf(b, sizeof(b), "LISTEN_FDS=%u", n_fds); + if (n_fds > 0) + if (asprintf(our_env + n_env++, "LISTEN_PID=%llu", (unsigned long long) getpid()) < 0 || + asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) { + r = EXIT_MEMORY; + goto fail; + } - a[sizeof(a)-1] = 0; - b[sizeof(b)-1] = 0; + if (home) + if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) { + r = EXIT_MEMORY; + goto fail; + } - if (context->environment) { - if (!(f = strv_merge(listen_env, context->environment))) { - r = EXIT_MEMORY; - goto fail; - } - e = f; - } else - e = listen_env; + if (username) + if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 || + asprintf(our_env + n_env++, "USER=%s", username) < 0) { + r = EXIT_MEMORY; + goto fail; + } - } else - e = context->environment; + if (!(final_env = strv_env_merge(environ, our_env, context->environment, NULL))) { + r = EXIT_MEMORY; + goto fail; + } - execve(command->path, command->argv, e); + execve(command->path, command->argv, final_env); r = EXIT_EXEC; fail: - strv_free(f); + strv_free(our_env); + strv_free(final_env); + _exit(r); } - log_debug("executed %s as %llu", command->path, (unsigned long long) pid); + log_debug("Forked %s as %llu", command->path, (unsigned long long) pid); *ret = pid; return 0; diff --git a/execute.h b/execute.h index 3e332105c..d64111b15 100644 --- a/execute.h +++ b/execute.h @@ -97,7 +97,6 @@ struct ExecContext { int syslog_priority; char *syslog_identifier; - /* FIXME: all privs related settings need to be enforced */ cap_t capabilities; int secure_bits; uint64_t capability_bounding_set_drop; @@ -137,16 +136,24 @@ typedef enum ExitStatus { EXIT_SIGNAL_MASK, EXIT_INPUT, EXIT_OUTPUT, - EXIT_CHROOT, + EXIT_CHROOT, /* 210 */ EXIT_PGID, EXIT_IOPRIO, EXIT_TIMERSLACK, EXIT_SECUREBITS, EXIT_SETSCHEDULER, - EXIT_CPUAFFINITY + EXIT_CPUAFFINITY, + EXIT_GROUP, + EXIT_USER, + EXIT_CAPABILITIES } ExitStatus; -int exec_spawn(const ExecCommand *command, const ExecContext *context, int *fds, unsigned n_fds, pid_t *ret); +int exec_spawn(const ExecCommand *command, + const ExecContext *context, + int *fds, unsigned n_fds, + bool apply_permissions, + bool apply_chroot, + pid_t *ret); void exec_command_free_list(ExecCommand *c); void exec_command_free_array(ExecCommand **c, unsigned n); diff --git a/load-fragment.c b/load-fragment.c index e002bf5ad..1e98004c3 100644 --- a/load-fragment.c +++ b/load-fragment.c @@ -1094,6 +1094,8 @@ static int load_from_path(Unit *u, const char *path) { { "TimeoutSec", config_parse_usec, &u->service.timeout_usec, "Service" }, { "Type", config_parse_service_type, &u->service, "Service" }, { "Restart", config_parse_service_restart, &u->service, "Service" }, + { "PermissionsStartOnly", config_parse_bool, &u->service.permissions_start_only, "Service" }, + { "RootDirectoryStartOnly", config_parse_bool, &u->service.root_directory_start_only, "Service" }, EXEC_CONTEXT_CONFIG_ITEMS(u->service.exec_context, "Service"), { "ListenStream", config_parse_listen, &u->socket, "Socket" }, @@ -1250,7 +1252,9 @@ int unit_load_fragment(Unit *u) { else c = NULL; - if (c && (c->output == EXEC_OUTPUT_KERNEL || c->output == EXEC_OUTPUT_SYSLOG)) { + if (c && + (c->output == EXEC_OUTPUT_KERNEL || c->output == EXEC_OUTPUT_SYSLOG) && + u->meta.manager->running_as != MANAGER_SESSION) { int k; /* If syslog or kernel logging is requested, make sure diff --git a/service.c b/service.c index a983e0db9..ca6e04500 100644 --- a/service.c +++ b/service.c @@ -557,6 +557,8 @@ static int service_init(Unit *u) { s->state = SERVICE_DEAD; s->sysv_start_priority = -1; + s->permissions_start_only = false; + s->root_directory_start_only = false; RATELIMIT_INIT(s->ratelimit, 10*USEC_PER_SEC, 5); @@ -595,8 +597,12 @@ static void service_dump(Unit *u, FILE *f, const char *prefix) { prefix2 = p2 ? p2 : prefix; fprintf(f, - "%sService State: %s\n", - prefix, service_state_to_string(s->state)); + "%sService State: %s\n" + "%sPermissionsStartOnly: %s\n" + "%sRootDirectoryStartOnly: %s\n", + prefix, service_state_to_string(s->state), + prefix, yes_no(s->permissions_start_only), + prefix, yes_no(s->root_directory_start_only)); if (s->pid_file) fprintf(f, @@ -859,7 +865,15 @@ fail: return r; } -static int service_spawn(Service *s, ExecCommand *c, bool timeout, bool pass_fds, pid_t *_pid) { +static int service_spawn( + Service *s, + ExecCommand *c, + bool timeout, + bool pass_fds, + bool apply_permissions, + bool apply_chroot, + pid_t *_pid) { + pid_t pid; int r; int *fds = NULL; @@ -879,7 +893,12 @@ static int service_spawn(Service *s, ExecCommand *c, bool timeout, bool pass_fds } else unit_unwatch_timer(UNIT(s), &s->timer_watch); - if ((r = exec_spawn(c, &s->exec_context, fds, n_fds, &pid)) < 0) + if ((r = exec_spawn(c, + &s->exec_context, + fds, n_fds, + apply_permissions, + apply_chroot, + &pid)) < 0) goto fail; if ((r = unit_watch_pid(UNIT(s), pid)) < 0) @@ -935,7 +954,13 @@ static void service_enter_stop_post(Service *s, bool success) { s->failure = true; if ((s->control_command = s->exec_command[SERVICE_EXEC_STOP_POST])) - if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0) + if ((r = service_spawn(s, + s->control_command, + true, + false, + !s->permissions_start_only, + !s->root_directory_start_only, + &s->control_pid)) < 0) goto fail; @@ -1011,7 +1036,13 @@ static void service_enter_stop(Service *s, bool success) { s->failure = true; if ((s->control_command = s->exec_command[SERVICE_EXEC_STOP])) - if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0) + if ((r = service_spawn(s, + s->control_command, + true, + false, + !s->permissions_start_only, + !s->root_directory_start_only, + &s->control_pid)) < 0) goto fail; service_set_state(s, SERVICE_STOP); @@ -1031,7 +1062,13 @@ static void service_enter_start_post(Service *s) { assert(s); if ((s->control_command = s->exec_command[SERVICE_EXEC_START_POST])) - if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0) + if ((r = service_spawn(s, + s->control_command, + true, + false, + !s->permissions_start_only, + !s->root_directory_start_only, + &s->control_pid)) < 0) goto fail; @@ -1056,7 +1093,13 @@ static void service_enter_start(Service *s) { assert(s->exec_command[SERVICE_EXEC_START]); assert(!s->exec_command[SERVICE_EXEC_START]->command_next); - if ((r = service_spawn(s, s->exec_command[SERVICE_EXEC_START], s->type == SERVICE_FORKING, true, &pid)) < 0) + if ((r = service_spawn(s, + s->exec_command[SERVICE_EXEC_START], + s->type == SERVICE_FORKING, + true, + true, + true, + &pid)) < 0) goto fail; service_set_state(s, SERVICE_START); @@ -1099,7 +1142,13 @@ static void service_enter_start_pre(Service *s) { assert(s); if ((s->control_command = s->exec_command[SERVICE_EXEC_START_PRE])) - if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0) + if ((r = service_spawn(s, + s->control_command, + true, + false, + !s->permissions_start_only, + !s->root_directory_start_only, + &s->control_pid)) < 0) goto fail; service_set_state(s, SERVICE_START_PRE); @@ -1137,7 +1186,13 @@ static void service_enter_reload(Service *s) { assert(s); if ((s->control_command = s->exec_command[SERVICE_EXEC_RELOAD])) - if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0) + if ((r = service_spawn(s, + s->control_command, + true, + false, + !s->permissions_start_only, + !s->root_directory_start_only, + &s->control_pid)) < 0) goto fail; service_set_state(s, SERVICE_RELOAD); @@ -1164,7 +1219,13 @@ static void service_run_next(Service *s, bool success) { s->control_command = s->control_command->command_next; - if ((r = service_spawn(s, s->control_command, true, false, &s->control_pid)) < 0) + if ((r = service_spawn(s, + s->control_command, + true, + false, + !s->permissions_start_only, + !s->root_directory_start_only, + &s->control_pid)) < 0) goto fail; return; diff --git a/service.h b/service.h index 0c0850a81..632e5eae4 100644 --- a/service.h +++ b/service.h @@ -88,6 +88,9 @@ struct Service { ExecCommand* exec_command[_SERVICE_EXEC_MAX]; ExecContext exec_context; + bool permissions_start_only; + bool root_directory_start_only; + ServiceState state; ExecStatus main_exec_status; diff --git a/socket.c b/socket.c index b979e58d3..aec0d392a 100644 --- a/socket.c +++ b/socket.c @@ -394,7 +394,7 @@ static int socket_spawn(Socket *s, ExecCommand *c, bool timeout, pid_t *_pid) { } else unit_unwatch_timer(UNIT(s), &s->timer_watch); - if ((r = exec_spawn(c, &s->exec_context, NULL, 0, &pid)) < 0) + if ((r = exec_spawn(c, &s->exec_context, NULL, 0, true, true, &pid)) < 0) goto fail; if ((r = unit_watch_pid(UNIT(s), pid)) < 0)