-// $Id: capchroot.c,v 1.1.4.2 2003/11/28 23:08:43 ensc Exp $
+// $Id: capchroot.c 2403 2006-11-24 23:06:08Z dhozac $
// Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
// based on capchroot.cc by Jacques Gelinas
system call is executed, it (option) remove the CAP_SYS_CHROOT
capability. Then it executes its argument
*/
+
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
-#include "compat.h"
+
+#include "vserver.h"
+#include "util.h"
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdbool.h>
#include <stdlib.h>
+#include <getopt.h>
+#include <libgen.h>
-#include "linuxcaps.h"
-#include "vserver.h"
+#define ENSC_WRAPPERS_PREFIX "capchroot: "
+#define ENSC_WRAPPERS_UNISTD 1
+#define ENSC_WRAPPERS_VSERVER 1
+#include <wrappers.h>
-int main (int argc, char *argv[])
+#define CMD_HELP 0x1000
+#define CMD_VERSION 0x1001
+#define CMD_NOCHROOT 0x2000
+#define CMD_SUID 0x2001
+
+int wrapper_exit_code = 255;
+
+static struct option const
+CMDLINE_OPTIONS[] = {
+ { "help", no_argument, 0, CMD_HELP },
+ { "version", no_argument, 0, CMD_VERSION },
+ { "nochroot", no_argument, 0, CMD_NOCHROOT },
+ { "suid", required_argument, 0, CMD_SUID },
+ {0,0,0,0}
+};
+
+static void
+showHelp(int fd, char const *cmd, int res)
+{
+ VSERVER_DECLARE_CMD(cmd);
+
+#if !defined(VC_ENABLE_API_COMPAT) && !defined(VC_ENABLE_API_LEGACY)
+ WRITE_MSG(1, "ERROR: tools were built without legacy API support; capchroot will not work!\n\n");
+#endif
+
+ WRITE_MSG(fd, "Usage: ");
+ WRITE_STR(fd, cmd);
+ WRITE_MSG(fd,
+ " --nochroot [--suid <user>] [--] <directory> <command> <args>*\n"
+ "\n"
+ "Options:\n"
+ " --nochroot ... remove the CAP_SYS_CHROOT capability\n"
+ " after the chroot system call.\n"
+ " --suid <user> ... switch to a different user (in the vserver\n"
+ " context) before executing the command.\n"
+ "\n"
+ "Please report bugs to " PACKAGE_BUGREPORT "\n");
+ exit(res);
+}
+
+static void
+showVersion()
{
- if (argc < 3){
- fprintf (stderr,"capchroot version %s\n",VERSION);
- fprintf (stderr
- ,"capchroot --nochroot directory [ --suid user ] command argument\n"
- "\n"
- "--nochroot remove the CAP_SYS_CHROOT capability\n"
- " after the chroot system call.\n"
- "--suid switch to a different user (in the vserver context)\n"
- " before executing the command.\n");
- }else{
- const char *uid = NULL;
- bool nochroot = false;
- int dir;
- for (dir=1; dir<argc; dir++){
- const char *arg = argv[dir];
- if (arg[0] != '-' && arg[1] != '-'){
- break;
- }else if (strcmp(arg,"--nochroot")==0){
- nochroot = true;
- }else if (strcmp(arg,"--suid")==0){
- dir++;
- uid = argv[dir];
- }
-
- }
- // We resolve the UID before doing the chroot.
- // If we do the getpwnam after the chroot, we will end
- // up loading shared object from the vserver.
- // This is causing two kind of problem: Incompatibilities
- // and also a security flaw. The shared objects in the vserver
- // may be tweaked to get control of the root server ...
- getpwnam ("root");
- if (chroot(argv[dir]) == -1){
- fprintf (stderr,"Can't chroot to directory %s (%s)\n",argv[dir]
- ,strerror(errno));
- }else{
- struct passwd *p = NULL;
- int cmd = dir + 1;
-
- if (nochroot){
- vc_new_s_context (-2,1<<CAP_SYS_CHROOT,0);
- }
-
- if (uid != NULL && strcmp(uid,"root")!=0){
- p = getpwnam(uid);
- if (p == NULL){
- fprintf (stderr,"User not found: %s\n",uid);
- exit (-1);
- }
- }
- if (p != NULL) {
- setgroups (0,NULL);
- setgid(p->pw_gid);
- setuid(p->pw_uid);
- }
- if (cmd >= argc){
- fprintf (stderr,"capchroot: No command to execute, do nothing\n");
- }else{
- execvp (argv[cmd],argv+cmd);
- fprintf (stderr,"Can't execute %s (%s)\n",argv[cmd]
- ,strerror(errno));
- }
- }
- }
- return -1;
+ WRITE_MSG(1,
+ "capchroot " VERSION " -- a capability aware chroot\n"
+ "This program is part of " PACKAGE_STRING "\n\n"
+ "Copyright (C) 2004 Enrico Scholz\n"
+ VERSION_COPYRIGHT_DISCLAIMER);
+ exit(0);
}
+static UNUSED void
+setUser(char const *user)
+{
+ struct passwd *p = 0;
+ if (user!=0 && strcmp(user, "root")!=0 && strcmp(user, "0")!=0) {
+ errno = 0;
+ p = getpwnam(user);
+ if (p==0) {
+ if (errno==0) errno = ENOENT;
+ PERROR_Q(ENSC_WRAPPERS_PREFIX "getpwnam", user);
+ exit(wrapper_exit_code);
+ }
+ }
+
+ if (p!=0) {
+ Esetgroups(1, &p->pw_gid);
+ Esetgid(p->pw_gid);
+ Esetuid(p->pw_uid);
+ if (getuid()!=p->pw_uid || getgid()!=p->pw_gid) {
+ WRITE_MSG(2, ENSC_WRAPPERS_PREFIX "Something went wrong while changing uid; expected uid/gid do not match the actual one\n");
+ exit(wrapper_exit_code);
+ }
+ }
+}
+
+int main (int argc, char *argv[])
+{
+ bool nochroot = false;
+ char const * suid_user = 0;
+
+ while (1) {
+ int c = getopt_long(argc, argv, "+", CMDLINE_OPTIONS, 0);
+ if (c==-1) break;
+
+ switch (c) {
+ case CMD_HELP : showHelp(1, argv[0], 0);
+ case CMD_VERSION : showVersion();
+ case CMD_NOCHROOT : nochroot = true; break;
+ case CMD_SUID : suid_user = optarg; break;
+ default :
+ WRITE_MSG(2, "Try '");
+ WRITE_STR(2, argv[0]);
+ WRITE_MSG(2, " --help' for more information.\n");
+ return EXIT_FAILURE;
+ break;
+ }
+ }
+
+#if defined(VC_ENABLE_API_COMPAT) || defined(VC_ENABLE_API_LEGACY)
+ if (optind==argc)
+ WRITE_MSG(2, "No directory specified; try '--help' for more information\n");
+ else if (optind+1==argc)
+ WRITE_MSG(2, "No command specified; try '--help' for more information\n");
+ else {
+ // We resolve the UID before doing the chroot.
+ // If we do the getpwnam after the chroot, we will end
+ // up loading shared object from the vserver.
+ // This is causing two kind of problem: Incompatibilities
+ // and also a security flaw. The shared objects in the vserver
+ // may be tweaked to get control of the root server ...
+ getpwnam("root");
+ Echroot(argv[optind]);
+ if (nochroot)
+ Evc_new_s_context(VC_SAMECTX, 1<<VC_CAP_SYS_CHROOT,0);
+ setUser(suid_user);
+ EexecvpD(argv[optind+1], argv+optind+1);
+ }
+#else
+ WRITE_MSG(2, "capchroot: tools were built without legacy API support; can not continue\n");
+#endif
+
+ return EXIT_FAILURE;
+}