1243730Srwatson/*- 2243730Srwatson * Copyright (c) 2012 The FreeBSD Foundation 3243730Srwatson * All rights reserved. 4243730Srwatson * 5243730Srwatson * This software was developed by Pawel Jakub Dawidek under sponsorship from 6243730Srwatson * the FreeBSD Foundation. 7243730Srwatson * 8243730Srwatson * Redistribution and use in source and binary forms, with or without 9243730Srwatson * modification, are permitted provided that the following conditions 10243730Srwatson * are met: 11243730Srwatson * 1. Redistributions of source code must retain the above copyright 12243730Srwatson * notice, this list of conditions and the following disclaimer. 13243730Srwatson * 2. Redistributions in binary form must reproduce the above copyright 14243730Srwatson * notice, this list of conditions and the following disclaimer in the 15243730Srwatson * documentation and/or other materials provided with the distribution. 16243730Srwatson * 17243730Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 18243730Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19243730Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20243730Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 21243730Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22243730Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23243730Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24243730Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25243730Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26243730Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27243730Srwatson * SUCH DAMAGE. 28243730Srwatson */ 29243730Srwatson 30243734Srwatson#include <config/config.h> 31243730Srwatson 32243730Srwatson#include <sys/param.h> 33243730Srwatson#ifdef HAVE_JAIL 34243730Srwatson#include <sys/jail.h> 35243730Srwatson#endif 36243730Srwatson#ifdef HAVE_CAP_ENTER 37340178Semaste#include <sys/capsicum.h> 38243730Srwatson#endif 39243730Srwatson 40243730Srwatson#include <errno.h> 41243730Srwatson#include <pwd.h> 42243730Srwatson#include <stdarg.h> 43243730Srwatson#include <stdbool.h> 44243730Srwatson#include <stdio.h> 45243730Srwatson#include <stdlib.h> 46243730Srwatson#include <strings.h> 47243730Srwatson#include <unistd.h> 48243730Srwatson 49243734Srwatson#include "pjdlog.h" 50243730Srwatson#include "sandbox.h" 51243730Srwatson 52243730Srwatsonstatic int 53243730Srwatsongroups_compare(const void *grp0, const void *grp1) 54243730Srwatson{ 55243730Srwatson gid_t gr0 = *(const gid_t *)grp0; 56243730Srwatson gid_t gr1 = *(const gid_t *)grp1; 57243730Srwatson 58243730Srwatson return (gr0 <= gr1 ? (gr0 < gr1 ? -1 : 0) : 1); 59243730Srwatson 60243730Srwatson} 61243730Srwatson 62243730Srwatsonint 63243730Srwatsonsandbox(const char *user, bool capsicum, const char *fmt, ...) 64243730Srwatson{ 65243730Srwatson#ifdef HAVE_JAIL 66243730Srwatson struct jail jailst; 67243730Srwatson char *jailhost; 68243730Srwatson va_list ap; 69243730Srwatson#endif 70243730Srwatson struct passwd *pw; 71243730Srwatson uid_t ruid, euid; 72243730Srwatson gid_t rgid, egid; 73243730Srwatson#ifdef HAVE_GETRESUID 74243730Srwatson uid_t suid; 75243730Srwatson#endif 76243730Srwatson#ifdef HAVE_GETRESGID 77243730Srwatson gid_t sgid; 78243730Srwatson#endif 79243730Srwatson gid_t *groups, *ggroups; 80243730Srwatson bool jailed; 81243730Srwatson int ngroups, ret; 82243730Srwatson 83243730Srwatson PJDLOG_ASSERT(user != NULL); 84243730Srwatson PJDLOG_ASSERT(fmt != NULL); 85243730Srwatson 86243730Srwatson ret = -1; 87243730Srwatson groups = NULL; 88243730Srwatson ggroups = NULL; 89243730Srwatson 90243730Srwatson /* 91243730Srwatson * According to getpwnam(3) we have to clear errno before calling the 92243730Srwatson * function to be able to distinguish between an error and missing 93243730Srwatson * entry (with is not treated as error by getpwnam(3)). 94243730Srwatson */ 95243730Srwatson errno = 0; 96243730Srwatson pw = getpwnam(user); 97243730Srwatson if (pw == NULL) { 98243730Srwatson if (errno != 0) { 99243730Srwatson pjdlog_errno(LOG_ERR, 100243730Srwatson "Unable to find info about '%s' user", user); 101243730Srwatson goto out; 102243730Srwatson } else { 103243730Srwatson pjdlog_error("'%s' user doesn't exist.", user); 104243730Srwatson errno = ENOENT; 105243730Srwatson goto out; 106243730Srwatson } 107243730Srwatson } 108243730Srwatson 109243730Srwatson ngroups = sysconf(_SC_NGROUPS_MAX); 110243730Srwatson if (ngroups == -1) { 111243730Srwatson pjdlog_errno(LOG_WARNING, 112243730Srwatson "Unable to obtain maximum number of groups"); 113243730Srwatson ngroups = NGROUPS_MAX; 114243730Srwatson } 115243730Srwatson ngroups++; /* For base gid. */ 116243730Srwatson groups = malloc(sizeof(groups[0]) * ngroups); 117243730Srwatson if (groups == NULL) { 118243730Srwatson pjdlog_error("Unable to allocate memory for %d groups.", 119243730Srwatson ngroups); 120243730Srwatson goto out; 121243730Srwatson } 122243730Srwatson if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) { 123243730Srwatson pjdlog_error("Unable to obtain groups of user %s.", user); 124243730Srwatson goto out; 125243730Srwatson } 126243730Srwatson 127243730Srwatson#ifdef HAVE_JAIL 128243730Srwatson va_start(ap, fmt); 129243730Srwatson (void)vasprintf(&jailhost, fmt, ap); 130243730Srwatson va_end(ap); 131243730Srwatson if (jailhost == NULL) { 132243730Srwatson pjdlog_error("Unable to allocate memory for jail host name."); 133243730Srwatson goto out; 134243730Srwatson } 135243730Srwatson bzero(&jailst, sizeof(jailst)); 136243730Srwatson jailst.version = JAIL_API_VERSION; 137243730Srwatson jailst.path = pw->pw_dir; 138243730Srwatson jailst.hostname = jailhost; 139243730Srwatson if (jail(&jailst) >= 0) { 140243730Srwatson jailed = true; 141243730Srwatson } else { 142243730Srwatson jailed = false; 143243730Srwatson pjdlog_errno(LOG_WARNING, 144243730Srwatson "Unable to jail to directory %s", pw->pw_dir); 145243730Srwatson } 146243730Srwatson free(jailhost); 147243730Srwatson#else /* !HAVE_JAIL */ 148243730Srwatson jailed = false; 149243730Srwatson#endif /* !HAVE_JAIL */ 150243730Srwatson 151243730Srwatson if (!jailed) { 152243730Srwatson if (chroot(pw->pw_dir) == -1) { 153243730Srwatson pjdlog_errno(LOG_ERR, 154243730Srwatson "Unable to change root directory to %s", 155243730Srwatson pw->pw_dir); 156243730Srwatson goto out; 157243730Srwatson } 158243730Srwatson } 159243730Srwatson PJDLOG_VERIFY(chdir("/") == 0); 160243730Srwatson 161243730Srwatson if (setgroups(ngroups, groups) == -1) { 162243730Srwatson pjdlog_errno(LOG_ERR, "Unable to set groups"); 163243730Srwatson goto out; 164243730Srwatson } 165243730Srwatson if (setgid(pw->pw_gid) == -1) { 166243730Srwatson pjdlog_errno(LOG_ERR, "Unable to set gid to %u", 167243730Srwatson (unsigned int)pw->pw_gid); 168243730Srwatson goto out; 169243730Srwatson } 170243730Srwatson if (setuid(pw->pw_uid) == -1) { 171243730Srwatson pjdlog_errno(LOG_ERR, "Unable to set uid to %u", 172243730Srwatson (unsigned int)pw->pw_uid); 173243730Srwatson goto out; 174243730Srwatson } 175243730Srwatson 176243730Srwatson#ifdef HAVE_CAP_ENTER 177243730Srwatson if (capsicum) { 178243730Srwatson capsicum = (cap_enter() == 0); 179243730Srwatson if (!capsicum) { 180243730Srwatson pjdlog_common(LOG_DEBUG, 1, errno, 181243730Srwatson "Unable to sandbox using capsicum"); 182243730Srwatson } 183243730Srwatson } 184243730Srwatson#else /* !HAVE_CAP_ENTER */ 185243730Srwatson capsicum = false; 186243730Srwatson#endif /* !HAVE_CAP_ENTER */ 187243730Srwatson 188243730Srwatson /* 189243730Srwatson * Better be sure that everything succeeded. 190243730Srwatson */ 191243730Srwatson#ifdef HAVE_GETRESUID 192243730Srwatson PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0); 193243730Srwatson PJDLOG_VERIFY(suid == pw->pw_uid); 194243730Srwatson#else 195243730Srwatson ruid = getuid(); 196243730Srwatson euid = geteuid(); 197243730Srwatson#endif 198243730Srwatson PJDLOG_VERIFY(ruid == pw->pw_uid); 199243730Srwatson PJDLOG_VERIFY(euid == pw->pw_uid); 200243730Srwatson#ifdef HAVE_GETRESGID 201243730Srwatson PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0); 202243730Srwatson PJDLOG_VERIFY(sgid == pw->pw_gid); 203243730Srwatson#else 204243730Srwatson rgid = getgid(); 205243730Srwatson egid = getegid(); 206243730Srwatson#endif 207243730Srwatson PJDLOG_VERIFY(rgid == pw->pw_gid); 208243730Srwatson PJDLOG_VERIFY(egid == pw->pw_gid); 209243730Srwatson PJDLOG_VERIFY(getgroups(0, NULL) == ngroups); 210243730Srwatson ggroups = malloc(sizeof(ggroups[0]) * ngroups); 211243730Srwatson if (ggroups == NULL) { 212243730Srwatson pjdlog_error("Unable to allocate memory for %d groups.", 213243730Srwatson ngroups); 214243730Srwatson goto out; 215243730Srwatson } 216243730Srwatson PJDLOG_VERIFY(getgroups(ngroups, ggroups) == ngroups); 217243730Srwatson qsort(groups, (size_t)ngroups, sizeof(groups[0]), groups_compare); 218243730Srwatson qsort(ggroups, (size_t)ngroups, sizeof(ggroups[0]), groups_compare); 219243730Srwatson PJDLOG_VERIFY(bcmp(groups, ggroups, sizeof(groups[0]) * ngroups) == 0); 220243730Srwatson 221243730Srwatson pjdlog_debug(1, 222243730Srwatson "Privileges successfully dropped using %s%s+setgid+setuid.", 223243730Srwatson capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot"); 224243730Srwatson 225243730Srwatson ret = 0; 226243730Srwatsonout: 227243730Srwatson if (groups != NULL) 228243730Srwatson free(groups); 229243730Srwatson if (ggroups != NULL) 230243730Srwatson free(ggroups); 231243730Srwatson return (ret); 232243730Srwatson} 233