stbuehler
/
execwrap
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add syslog logging

Browse Source
master
Oliver Sturm 13 years ago committed by Stefan Bühler
parent b471b98d5c
commit a65ce431b9
3 changed files with 106 additions and 18 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 11
      README
  2. 110
      execwrap.c
  3. 3
      execwrap_config.h

11
README
Unescape View File

@ -70,11 +70,13 @@ DEFAULT_UID The default (numeric) UID to become, if no UID is given vi
DEFAULT_GID The same as DEFAULT_UID, but for the GID. The same reasons and
restrictions apply.
REQUIRE_PWENT If set, target users are reuired to have passwd-entries. These are
used to set the supplementary group access list. Defaults to 0.
REQUIRE_PWENT If set, target users are reuired to have passwd-entries. These are
used to set the supplementary group access list. Defaults to 0.
ALLOW_CHECKGID If set, enabled the CHECK_GID feature, q.v. Defaults to 1.
ALLOW_CHECKGID If set, enabled the CHECK_GID feature, q.v. Defaults to 1.
USE_SYSLOG If set, log errors and (if enabled) debug messages to syslog.
Defaults to 1.
The following configuration parameters shouldn't normally be changed. In case you have a
clash with some other ENV arguments to the target program, they can be changed, however.
@ -99,6 +101,8 @@ ENV_CHECK_GID The same as ENV_UID, but controls the name of the CHECK_GI
ENV_NON_RESIDENT The same as ENV_UID, but controls the name of the NON_RESIDENT
parameter. Defaults to "NON_RESIDENT=".
ENV_DEBUG Controls the name of environment variable used to enable debug
output to syslog (depends on USE_SYSLOG)
---------------------
COMPILE AND INSTALL
@ -161,6 +165,7 @@ NON_RESIDENT If set (to anything), the wrapper will drop privileges and
web-server) to terminate the target process, and thus prevents it
from effectively managing it.
DEBUG If set to anything, debug output to syslog is enabled.
-----------------------------------
SECURITY CHECKS AND THEIR REASONS

110
execwrap.c
Unescape View File

@ -63,6 +63,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define ENV_TARGET "TARGET="
#define ENV_CHECK_GID "CHECK_GID="
#define ENV_NON_RESIDENT "NON_RESIDENT="
#define ENV_DEBUG "DEBUG"
/* Return values for various errors. */
@ -126,6 +127,26 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <sys/types.h>
#include <grp.h>
#if USE_SYSLOG
# include <syslog.h>
# include <errno.h>
#else /* USE_SYSLOG */
/* this should be after all includes */
# undef SKIP
# undef openlog
# undef setlogmask
# undef syslog
# define SKIP do { } while (0)
# define openlog(...) SKIP
# define setlogmask(...) SKIP
# define syslog(...) SKIP
#endif /* USE_SYSLOG */
/* The global child PID and previous SIGTERM handler. */
int pid;
void (*oldHandler)(int);
@ -147,9 +168,15 @@ void sigTermHandler(int signal)
/* Down to business. */
int main(int argc, char* argv[], char* envp[])
{
openlog("execwrap", LOG_PID, LOG_AUTHPRIV);
setlogmask(LOG_UPTO(LOG_NOTICE));
/* Verify parent UID. Only the super user and PARENT_UID are allowed. */
if(getuid() != 0 && getuid() != PARENT_UID) return RC_CALLER_UID;
int myuid = getuid();
if(myuid != 0 && myuid != PARENT_UID) {
syslog(LOG_ERR, "exiting with RC_CALLER_UID, UID=%d", myuid);
return RC_CALLER_UID;
}
/* Command line options. */
if(argc > 1)
@ -176,6 +203,13 @@ int main(int argc, char* argv[], char* envp[])
return RC_BAD_OPTION;
}
/* we need this check before the loop over the environment,
as we cannot rely on it to be the first env var we find */
if (NULL != getenv(ENV_DEBUG)) {
setlogmask(LOG_UPTO(LOG_DEBUG));
syslog(LOG_DEBUG, "activated debug output");
}
/* Grab stuff from environment, and set defaults. */
uid_t uid = DEFAULT_UID;
gid_t gid = DEFAULT_GID;
@ -186,19 +220,26 @@ int main(int argc, char* argv[], char* envp[])
char* s;
while(NULL != (s = *p++))
{
/* Target UID. */
if(!strncmp(ENV_UID, s, ENV_UID_LEN))
{
uid = atoi(s + ENV_UID_LEN);
if(uid < TARGET_MIN_UID) return RC_TARGET_UID;
if(uid < TARGET_MIN_UID) {
syslog(LOG_ERR, "exiting with RC_TARGET_UID, UID=%d", uid);
return RC_TARGET_UID;
}
syslog(LOG_DEBUG, "target UID is %d", uid);
}
/* Target GID. */
if(!strncmp(ENV_GID, s, ENV_GID_LEN))
{
gid = atoi(s + ENV_GID_LEN);
if(gid < TARGET_MIN_GID) return RC_TARGET_GID;
if(gid < TARGET_MIN_GID) {
syslog(LOG_ERR, "exiting with RC_TARGET_GID, GID=%d", gid);
return RC_TARGET_GID;
}
syslog(LOG_DEBUG, "target GID is %d", gid);
}
/* Target script. */
@ -206,7 +247,11 @@ int main(int argc, char* argv[], char* envp[])
{
target = s + ENV_TARGET_LEN;
if((target[0] != '/') || strchr(target, '~') || strstr(target, "..") ||
strncmp(TARGET_PATH_PREFIX, target, TARGET_PATH_PREFIX_LEN)) return RC_TARGET;
strncmp(TARGET_PATH_PREFIX, target, TARGET_PATH_PREFIX_LEN)) {
syslog(LOG_ERR, "exiting with RC_TARGET, target=%s", target);
return RC_TARGET;
}
syslog(LOG_DEBUG, "TARGET is %s", target);
}
/* Check GID instead of UID. */
@ -226,14 +271,24 @@ int main(int argc, char* argv[], char* envp[])
}
/* See if we got all we need. */
if(!target) return RC_MISSING_CONFIG;
if(!target) {
syslog(LOG_ERR, "exiting with RC_MISSING_CONFIG, no TARGET");
return RC_MISSING_CONFIG;
}
/* Fetch user information from passwd. */
struct passwd *pwent = getpwuid(uid);
#if REQUIRE_PWENT
if(!pwent) return RC_MISSING_PWENT;
if(!pwent) {
syslog(LOG_ERR, "exiting with RC_MISSING_PWENT, pwent required by config, but not found");
return RC_MISSING_PWENT;
}
#endif
if (pwent) {
syslog(LOG_DEBUG, "pwent found, pw_name=%s", pwent->pw_name);
}
/* Install the SIGTERM handler. */
if(!non_resident)
{
@ -246,23 +301,41 @@ int main(int argc, char* argv[], char* envp[])
{
/* We're in the child. Drop privileges and set the group list. */
if(pwent && initgroups(pwent->pw_name, gid)) return RC_SETGID;
if(setgid(gid)) return RC_SETGID;
if(setuid(uid)) return RC_SETUID;
if(pwent && initgroups(pwent->pw_name, gid)) {
syslog(LOG_ERR, "exiting with RC_SETGID, initgroup failed, errno=%d", errno);
return RC_SETGID;
}
if(setgid(gid)) {
syslog(LOG_ERR, "exiting with RC_SETGID, setgid failed, errno=%d", errno);
return RC_SETGID;
}
if(setuid(uid)) {
syslog(LOG_ERR, "exiting with RC_SETUID, setuid failed, errno=%d", errno);
return RC_SETUID;
}
/* Stat the target script. */
char uid_ok = 1;
struct stat stat_buf;
if(stat(target, &stat_buf)) return RC_STAT;
if(stat(target, &stat_buf)) {
syslog(LOG_ERR, "exiting with RC_STAT, stat failed, errno=%d", errno);
return RC_STAT;
}
int modes = stat_buf.st_mode;
/* Never allow world-write. */
if(modes & S_IWOTH) return RC_WORLD_WRITE;
if(modes & S_IWOTH) {
syslog(LOG_ERR, "exiting with RC_WORLD_WRITE, modes=%d", modes);
return RC_WORLD_WRITE;
}
/* Only allow user miss-match if check_gid is set. */
if(uid != stat_buf.st_uid)
{
if(!check_gid) return RC_WRONG_USER;
if(!check_gid) {
syslog(LOG_ERR, "exiting with RC_WRONG_USER");
return RC_WRONG_USER;
}
uid_ok = 0;
}
@ -270,11 +343,18 @@ int main(int argc, char* argv[], char* envp[])
Also, don't allow if neither user or group match. */
if(gid != stat_buf.st_gid)
{
if(modes & S_IWGRP) return RC_GROUP_WRITE;
if(!uid_ok) return RC_WRONG_GROUP;
if(modes & S_IWGRP) {
syslog(LOG_ERR, "exiting with RC_GROUP_WRITE, modes=%d", modes);
return RC_GROUP_WRITE;
}
if(!uid_ok) {
syslog(LOG_ERR, "exiting with RC_WRONG_GROUP");
return RC_WRONG_GROUP;
}
}
/* All checks passed, let's become the target! */
syslog(LOG_NOTICE, "executing target=%s, UID=%d, GID=%d", target, uid, gid);
execl(target, target, NULL);
return RC_EXEC;

3
execwrap_config.h
Unescape View File

@ -32,3 +32,6 @@ See the README for documentation.
/* Allow use of the CHECK_GID mode? */
#define ALLOW_CHECKGID 1
/* Use syslog to report errors */
#define USE_SYSLOG 1

Write Preview
Loading…
Cancel
Save