1243730Srwatson/*-
2243730Srwatson * Copyright (c) 2012 The FreeBSD Foundation
3243730Srwatson * All rights reserved.
4243730Srwatson *
5243730Srwatson * This software was developed by Pawel Jakub Dawidek under sponsorship from
6243730Srwatson * the FreeBSD Foundation.
7243730Srwatson *
8243730Srwatson * Redistribution and use in source and binary forms, with or without
9243730Srwatson * modification, are permitted provided that the following conditions
10243730Srwatson * are met:
11243730Srwatson * 1. Redistributions of source code must retain the above copyright
12243730Srwatson *    notice, this list of conditions and the following disclaimer.
13243730Srwatson * 2. Redistributions in binary form must reproduce the above copyright
14243730Srwatson *    notice, this list of conditions and the following disclaimer in the
15243730Srwatson *    documentation and/or other materials provided with the distribution.
16243730Srwatson *
17243730Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
18243730Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19243730Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20243730Srwatson * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
21243730Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22243730Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23243730Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24243730Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25243730Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26243730Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27243730Srwatson * SUCH DAMAGE.
28243730Srwatson */
29243730Srwatson
30243734Srwatson#include <config/config.h>
31243730Srwatson
32243730Srwatson#include <sys/param.h>
33243730Srwatson#ifdef HAVE_JAIL
34243730Srwatson#include <sys/jail.h>
35243730Srwatson#endif
36243730Srwatson#ifdef HAVE_CAP_ENTER
37340178Semaste#include <sys/capsicum.h>
38243730Srwatson#endif
39243730Srwatson
40243730Srwatson#include <errno.h>
41243730Srwatson#include <pwd.h>
42243730Srwatson#include <stdarg.h>
43243730Srwatson#include <stdbool.h>
44243730Srwatson#include <stdio.h>
45243730Srwatson#include <stdlib.h>
46243730Srwatson#include <strings.h>
47243730Srwatson#include <unistd.h>
48243730Srwatson
49243734Srwatson#include "pjdlog.h"
50243730Srwatson#include "sandbox.h"
51243730Srwatson
52243730Srwatsonstatic int
53243730Srwatsongroups_compare(const void *grp0, const void *grp1)
54243730Srwatson{
55243730Srwatson	gid_t gr0 = *(const gid_t *)grp0;
56243730Srwatson	gid_t gr1 = *(const gid_t *)grp1;
57243730Srwatson
58243730Srwatson	return (gr0 <= gr1 ? (gr0 < gr1 ? -1 : 0) : 1);
59243730Srwatson
60243730Srwatson}
61243730Srwatson
62243730Srwatsonint
63243730Srwatsonsandbox(const char *user, bool capsicum, const char *fmt, ...)
64243730Srwatson{
65243730Srwatson#ifdef HAVE_JAIL
66243730Srwatson	struct jail jailst;
67243730Srwatson	char *jailhost;
68243730Srwatson	va_list ap;
69243730Srwatson#endif
70243730Srwatson	struct passwd *pw;
71243730Srwatson	uid_t ruid, euid;
72243730Srwatson	gid_t rgid, egid;
73243730Srwatson#ifdef HAVE_GETRESUID
74243730Srwatson	uid_t suid;
75243730Srwatson#endif
76243730Srwatson#ifdef HAVE_GETRESGID
77243730Srwatson	gid_t sgid;
78243730Srwatson#endif
79243730Srwatson	gid_t *groups, *ggroups;
80243730Srwatson	bool jailed;
81243730Srwatson	int ngroups, ret;
82243730Srwatson
83243730Srwatson	PJDLOG_ASSERT(user != NULL);
84243730Srwatson	PJDLOG_ASSERT(fmt != NULL);
85243730Srwatson
86243730Srwatson	ret = -1;
87243730Srwatson	groups = NULL;
88243730Srwatson	ggroups = NULL;
89243730Srwatson
90243730Srwatson	/*
91243730Srwatson	 * According to getpwnam(3) we have to clear errno before calling the
92243730Srwatson	 * function to be able to distinguish between an error and missing
93243730Srwatson	 * entry (with is not treated as error by getpwnam(3)).
94243730Srwatson	 */
95243730Srwatson	errno = 0;
96243730Srwatson	pw = getpwnam(user);
97243730Srwatson	if (pw == NULL) {
98243730Srwatson		if (errno != 0) {
99243730Srwatson			pjdlog_errno(LOG_ERR,
100243730Srwatson			    "Unable to find info about '%s' user", user);
101243730Srwatson			goto out;
102243730Srwatson		} else {
103243730Srwatson			pjdlog_error("'%s' user doesn't exist.", user);
104243730Srwatson			errno = ENOENT;
105243730Srwatson			goto out;
106243730Srwatson		}
107243730Srwatson	}
108243730Srwatson
109243730Srwatson	ngroups = sysconf(_SC_NGROUPS_MAX);
110243730Srwatson	if (ngroups == -1) {
111243730Srwatson		pjdlog_errno(LOG_WARNING,
112243730Srwatson		    "Unable to obtain maximum number of groups");
113243730Srwatson		ngroups = NGROUPS_MAX;
114243730Srwatson	}
115243730Srwatson	ngroups++;	/* For base gid. */
116243730Srwatson	groups = malloc(sizeof(groups[0]) * ngroups);
117243730Srwatson	if (groups == NULL) {
118243730Srwatson		pjdlog_error("Unable to allocate memory for %d groups.",
119243730Srwatson		    ngroups);
120243730Srwatson		goto out;
121243730Srwatson	}
122243730Srwatson	if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
123243730Srwatson		pjdlog_error("Unable to obtain groups of user %s.", user);
124243730Srwatson		goto out;
125243730Srwatson	}
126243730Srwatson
127243730Srwatson#ifdef HAVE_JAIL
128243730Srwatson	va_start(ap, fmt);
129243730Srwatson	(void)vasprintf(&jailhost, fmt, ap);
130243730Srwatson	va_end(ap);
131243730Srwatson	if (jailhost == NULL) {
132243730Srwatson		pjdlog_error("Unable to allocate memory for jail host name.");
133243730Srwatson		goto out;
134243730Srwatson	}
135243730Srwatson	bzero(&jailst, sizeof(jailst));
136243730Srwatson	jailst.version = JAIL_API_VERSION;
137243730Srwatson	jailst.path = pw->pw_dir;
138243730Srwatson	jailst.hostname = jailhost;
139243730Srwatson	if (jail(&jailst) >= 0) {
140243730Srwatson		jailed = true;
141243730Srwatson	} else {
142243730Srwatson		jailed = false;
143243730Srwatson		pjdlog_errno(LOG_WARNING,
144243730Srwatson		    "Unable to jail to directory %s", pw->pw_dir);
145243730Srwatson	}
146243730Srwatson	free(jailhost);
147243730Srwatson#else	/* !HAVE_JAIL */
148243730Srwatson	jailed = false;
149243730Srwatson#endif	/* !HAVE_JAIL */
150243730Srwatson
151243730Srwatson	if (!jailed) {
152243730Srwatson		if (chroot(pw->pw_dir) == -1) {
153243730Srwatson			pjdlog_errno(LOG_ERR,
154243730Srwatson			    "Unable to change root directory to %s",
155243730Srwatson			    pw->pw_dir);
156243730Srwatson			goto out;
157243730Srwatson		}
158243730Srwatson	}
159243730Srwatson	PJDLOG_VERIFY(chdir("/") == 0);
160243730Srwatson
161243730Srwatson	if (setgroups(ngroups, groups) == -1) {
162243730Srwatson		pjdlog_errno(LOG_ERR, "Unable to set groups");
163243730Srwatson		goto out;
164243730Srwatson	}
165243730Srwatson	if (setgid(pw->pw_gid) == -1) {
166243730Srwatson		pjdlog_errno(LOG_ERR, "Unable to set gid to %u",
167243730Srwatson		    (unsigned int)pw->pw_gid);
168243730Srwatson		goto out;
169243730Srwatson	}
170243730Srwatson	if (setuid(pw->pw_uid) == -1) {
171243730Srwatson		pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
172243730Srwatson		    (unsigned int)pw->pw_uid);
173243730Srwatson		goto out;
174243730Srwatson	}
175243730Srwatson
176243730Srwatson#ifdef HAVE_CAP_ENTER
177243730Srwatson	if (capsicum) {
178243730Srwatson		capsicum = (cap_enter() == 0);
179243730Srwatson		if (!capsicum) {
180243730Srwatson			pjdlog_common(LOG_DEBUG, 1, errno,
181243730Srwatson			    "Unable to sandbox using capsicum");
182243730Srwatson		}
183243730Srwatson	}
184243730Srwatson#else	/* !HAVE_CAP_ENTER */
185243730Srwatson	capsicum = false;
186243730Srwatson#endif	/* !HAVE_CAP_ENTER */
187243730Srwatson
188243730Srwatson	/*
189243730Srwatson	 * Better be sure that everything succeeded.
190243730Srwatson	 */
191243730Srwatson#ifdef HAVE_GETRESUID
192243730Srwatson	PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
193243730Srwatson	PJDLOG_VERIFY(suid == pw->pw_uid);
194243730Srwatson#else
195243730Srwatson	ruid = getuid();
196243730Srwatson	euid = geteuid();
197243730Srwatson#endif
198243730Srwatson	PJDLOG_VERIFY(ruid == pw->pw_uid);
199243730Srwatson	PJDLOG_VERIFY(euid == pw->pw_uid);
200243730Srwatson#ifdef HAVE_GETRESGID
201243730Srwatson	PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0);
202243730Srwatson	PJDLOG_VERIFY(sgid == pw->pw_gid);
203243730Srwatson#else
204243730Srwatson	rgid = getgid();
205243730Srwatson	egid = getegid();
206243730Srwatson#endif
207243730Srwatson	PJDLOG_VERIFY(rgid == pw->pw_gid);
208243730Srwatson	PJDLOG_VERIFY(egid == pw->pw_gid);
209243730Srwatson	PJDLOG_VERIFY(getgroups(0, NULL) == ngroups);
210243730Srwatson	ggroups = malloc(sizeof(ggroups[0]) * ngroups);
211243730Srwatson	if (ggroups == NULL) {
212243730Srwatson		pjdlog_error("Unable to allocate memory for %d groups.",
213243730Srwatson		    ngroups);
214243730Srwatson		goto out;
215243730Srwatson	}
216243730Srwatson	PJDLOG_VERIFY(getgroups(ngroups, ggroups) == ngroups);
217243730Srwatson	qsort(groups, (size_t)ngroups, sizeof(groups[0]), groups_compare);
218243730Srwatson	qsort(ggroups, (size_t)ngroups, sizeof(ggroups[0]), groups_compare);
219243730Srwatson	PJDLOG_VERIFY(bcmp(groups, ggroups, sizeof(groups[0]) * ngroups) == 0);
220243730Srwatson
221243730Srwatson	pjdlog_debug(1,
222243730Srwatson	    "Privileges successfully dropped using %s%s+setgid+setuid.",
223243730Srwatson	    capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot");
224243730Srwatson
225243730Srwatson	ret = 0;
226243730Srwatsonout:
227243730Srwatson	if (groups != NULL)
228243730Srwatson		free(groups);
229243730Srwatson	if (ggroups != NULL)
230243730Srwatson		free(ggroups);
231243730Srwatson	return (ret);
232243730Srwatson}
233