r26364: Branch Samba 4.0 for an alpha2 release.

Andrew Bartlett
(This used to be commit 7a891215d0779affa606e360608388950c82d6ce)

5 files changed, 349 insertions, 8 deletions

diff --git a/source4/lib/util/smbrun.c b/source4/lib/util/smbrun.c
new file mode 100644
index 0000000000..26330ab992
--- /dev/null
+++ b/source4/lib/util/smbrun.c
@@ -0,0 +1,341 @@
+/*
+   Unix SMB/CIFS implementation.
+   run a command as a specified user
+   Copyright (C) Andrew Tridgell 1992-1998
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* need to move this from here!! need some sleep ... */
+struct current_user current_user;
+
+/****************************************************************************
+This is a utility function of smbrun().
+****************************************************************************/
+
+static int setup_out_fd(void)
+{
+	int fd;
+	TALLOC_CTX *ctx = talloc_stackframe();
+	char *path = NULL;
+
+	path = talloc_asprintf(ctx,
+				"%s/smb.XXXXXX",
+				tmpdir());
+	if (!path) {
+		TALLOC_FREE(ctx);
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/* now create the file */
+	fd = smb_mkstemp(path);
+
+	if (fd == -1) {
+		DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
+			path, strerror(errno) ));
+		TALLOC_FREE(ctx);
+		return -1;
+	}
+
+	DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
+
+	/* Ensure file only kept around by open fd. */
+	unlink(path);
+	TALLOC_FREE(ctx);
+	return fd;
+}
+
+/****************************************************************************
+run a command being careful about uid/gid handling and putting the output in
+outfd (or discard it if outfd is NULL).
+****************************************************************************/
+
+static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize)
+{
+	pid_t pid;
+	uid_t uid = current_user.ut.uid;
+	gid_t gid = current_user.ut.gid;
+
+	/*
+	 * Lose any elevated privileges.
+	 */
+	drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+	drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
+
+	/* point our stdout at the file we want output to go into */
+
+	if (outfd && ((*outfd = setup_out_fd()) == -1)) {
+		return -1;
+	}
+
+	/* in this method we will exec /bin/sh with the correct
+	   arguments, after first setting stdout to point at the file */
+
+	/*
+	 * We need to temporarily stop CatchChild from eating
+	 * SIGCLD signals as it also eats the exit status code. JRA.
+	 */
+
+	CatchChildLeaveStatus();
+                                   	
+	if ((pid=sys_fork()) < 0) {
+		DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
+		CatchChild(); 
+		if (outfd) {
+			close(*outfd);
+			*outfd = -1;
+		}
+		return errno;
+	}
+
+	if (pid) {
+		/*
+		 * Parent.
+		 */
+		int status=0;
+		pid_t wpid;
+
+		
+		/* the parent just waits for the child to exit */
+		while((wpid = sys_waitpid(pid,&status,0)) < 0) {
+			if(errno == EINTR) {
+				errno = 0;
+				continue;
+			}
+			break;
+		}
+
+		CatchChild(); 
+
+		if (wpid != pid) {
+			DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
+			if (outfd) {
+				close(*outfd);
+				*outfd = -1;
+			}
+			return -1;
+		}
+
+		/* Reset the seek pointer. */
+		if (outfd) {
+			sys_lseek(*outfd, 0, SEEK_SET);
+		}
+
+#if defined(WIFEXITED) && defined(WEXITSTATUS)
+		if (WIFEXITED(status)) {
+			return WEXITSTATUS(status);
+		}
+#endif
+
+		return status;
+	}
+	
+	CatchChild(); 
+	
+	/* we are in the child. we exec /bin/sh to do the work for us. we
+	   don't directly exec the command we want because it may be a
+	   pipeline or anything else the config file specifies */
+	
+	/* point our stdout at the file we want output to go into */
+	if (outfd) {
+		close(1);
+		if (sys_dup2(*outfd,1) != 1) {
+			DEBUG(2,("Failed to create stdout file descriptor\n"));
+			close(*outfd);
+			exit(80);
+		}
+	}
+
+	/* now completely lose our privileges. This is a fairly paranoid
+	   way of doing it, but it does work on all systems that I know of */
+
+	become_user_permanently(uid, gid);
+
+	if (getuid() != uid || geteuid() != uid ||
+	    getgid() != gid || getegid() != gid) {
+		/* we failed to lose our privileges - do not execute
+                   the command */
+		exit(81); /* we can't print stuff at this stage,
+			     instead use exit codes for debugging */
+	}
+	
+#ifndef __INSURE__
+	/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
+	   2 point to /dev/null from the startup code */
+	{
+	int fd;
+	for (fd=3;fd<256;fd++) close(fd);
+	}
+#endif
+
+	{
+		const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
+		if (!newcmd) {
+			exit(82);
+		}
+		execl("/bin/sh","sh","-c",newcmd,NULL);  
+	}
+	
+	/* not reached */
+	exit(83);
+	return 1;
+}
+
+/****************************************************************************
+ Use only in known safe shell calls (printing).
+****************************************************************************/
+
+int smbrun_no_sanitize(const char *cmd, int *outfd)
+{
+	return smbrun_internal(cmd, outfd, False);
+}
+
+/****************************************************************************
+ By default this now sanitizes shell expansion.
+****************************************************************************/
+
+int smbrun(const char *cmd, int *outfd)
+{
+	return smbrun_internal(cmd, outfd, True);
+}
+
+/****************************************************************************
+run a command being careful about uid/gid handling and putting the output in
+outfd (or discard it if outfd is NULL).
+sends the provided secret to the child stdin.
+****************************************************************************/
+
+int smbrunsecret(const char *cmd, const char *secret)
+{
+	pid_t pid;
+	uid_t uid = current_user.ut.uid;
+	gid_t gid = current_user.ut.gid;
+	int ifd[2];
+	
+	/*
+	 * Lose any elevated privileges.
+	 */
+	drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+	drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
+
+	/* build up an input pipe */
+	if(pipe(ifd)) {
+		return -1;
+	}
+
+	/* in this method we will exec /bin/sh with the correct
+	   arguments, after first setting stdout to point at the file */
+
+	/*
+	 * We need to temporarily stop CatchChild from eating
+	 * SIGCLD signals as it also eats the exit status code. JRA.
+	 */
+
+	CatchChildLeaveStatus();
+                                   	
+	if ((pid=sys_fork()) < 0) {
+		DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
+		CatchChild(); 
+		return errno;
+    	}
+
+	if (pid) {
+		/*
+		 * Parent.
+		 */
+		int status = 0;
+		pid_t wpid;
+		size_t towrite;
+		ssize_t wrote;
+		
+		close(ifd[0]);
+		/* send the secret */
+		towrite = strlen(secret);
+		wrote = write(ifd[1], secret, towrite);
+		if ( wrote != towrite ) {
+		    DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
+		}
+		fsync(ifd[1]);
+		close(ifd[1]);
+
+		/* the parent just waits for the child to exit */
+		while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
+			if(errno == EINTR) {
+				errno = 0;
+				continue;
+			}
+			break;
+		}
+
+		CatchChild(); 
+
+		if (wpid != pid) {
+			DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
+			return -1;
+		}
+
+#if defined(WIFEXITED) && defined(WEXITSTATUS)
+		if (WIFEXITED(status)) {
+			return WEXITSTATUS(status);
+		}
+#endif
+
+		return status;
+	}
+	
+	CatchChild(); 
+	
+	/* we are in the child. we exec /bin/sh to do the work for us. we
+	   don't directly exec the command we want because it may be a
+	   pipeline or anything else the config file specifies */
+	
+	close(ifd[1]);
+	close(0);
+	if (sys_dup2(ifd[0], 0) != 0) {
+		DEBUG(2,("Failed to create stdin file descriptor\n"));
+		close(ifd[0]);
+		exit(80);
+	}
+
+	/* now completely lose our privileges. This is a fairly paranoid
+	   way of doing it, but it does work on all systems that I know of */
+
+	become_user_permanently(uid, gid);
+
+	if (getuid() != uid || geteuid() != uid ||
+	    getgid() != gid || getegid() != gid) {
+		/* we failed to lose our privileges - do not execute
+                   the command */
+		exit(81); /* we can't print stuff at this stage,
+			     instead use exit codes for debugging */
+	}
+	
+#ifndef __INSURE__
+	/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
+	   2 point to /dev/null from the startup code */
+	{
+		int fd;
+		for (fd = 3; fd < 256; fd++) close(fd);
+	}
+#endif
+
+	execl("/bin/sh", "sh", "-c", cmd, NULL);  
+
+	/* not reached */
+	exit(82);
+	return 1;
+}
diff --git a/swat/install/index.esp b/swat/install/index.esp
index 73b7ea24d5..4ba581c1fd 100644
--- a/swat/install/index.esp
+++ b/swat/install/index.esp
@@ -1,7 +1,7 @@
 <% page_header("columns", "Server Installation", "install"); 
 
-if (session.authinfo.user_class == "ADMINISTRATOR"
-	 || session.authinfo.user_class == "SYSTEM") {
+if ((session.authinfo.user_class == "ADMINISTRATOR")
+	 || (session.authinfo.user_class == "SYSTEM")) {
 
 %>
 
diff --git a/swat/install/provision.esp b/swat/install/provision.esp
index 6183722cb4..0b0a83fba6 100644
--- a/swat/install/provision.esp
+++ b/swat/install/provision.esp
@@ -12,8 +12,8 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
 
-if (session.authinfo.user_class == "ADMINISTRATOR"
-	 || session.authinfo.user_class == "SYSTEM") {
+if ((session.authinfo.user_class == "ADMINISTRATOR")
+	 || (session.authinfo.user_class == "SYSTEM")) {
 
 	if (lp.get("realm") == "") {
 		lp.set("realm", lp.get("workgroup") + ".example.com");
diff --git a/swat/install/samba3.esp b/swat/install/samba3.esp
index c6fc9f1418..4de942f972 100644
--- a/swat/install/samba3.esp
+++ b/swat/install/samba3.esp
@@ -15,8 +15,8 @@
 <h1>Import from Samba3</h1>
 
 <%
-if (session.authinfo.user_class == "ADMINISTRATOR"
-    || session.authinfo.user_class == "SYSTEM") {
+if ((session.authinfo.user_class == "ADMINISTRATOR")
+	 || (session.authinfo.user_class == "SYSTEM")) {
 
 	if (form['submit'] == "Cancel") {
 		redirect("/");
diff --git a/swat/install/vampire.esp b/swat/install/vampire.esp
index d5b7a73c53..93971c1216 100644
--- a/swat/install/vampire.esp
+++ b/swat/install/vampire.esp
@@ -14,8 +14,8 @@ var f = FormObj("Provisioning", 0, 2);
 var i;
 var lp = loadparm_init();
 
-if (session.authinfo.user_class == "ADMINISTRATOR"
-	 || session.authinfo.user_class == "SYSTEM") {
+if ((session.authinfo.user_class == "ADMINISTRATOR")
+	 || (session.authinfo.user_class == "SYSTEM")) {
 
 	if (lp.get("realm") == "") {
 		lp.set("realm", lp.get("workgroup") + ".example.com");