From b9623ab59e813131b1ed3f51616a46e719d59c21 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 14 Aug 1998 17:38:29 +0000 Subject: this is the bug change to using connection_struct* instead of cnum. Connections[] is now a local array in server.c I might have broken something with this change. In particular the oplock code is suspect and some .dll files aren't being oplocked when I expected them to be. I'll look at it after I've got some sleep. (This used to be commit c7ee025ead4a85b6fa44a832047b878451845fb6) --- source3/lib/smbrun.c | 173 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100644 source3/lib/smbrun.c (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c new file mode 100644 index 0000000000..0388b3f1bd --- /dev/null +++ b/source3/lib/smbrun.c @@ -0,0 +1,173 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + run a command as a specified user + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* need to move this from here!! need some sleep ... */ +struct current_user current_user; + +extern int DEBUGLEVEL; + +/**************************************************************************** +This is a utility function of smbrun(). It must be called only from +the child as it may leave the caller in a privilaged state. +****************************************************************************/ +static BOOL setup_stdout_file(char *outfile,BOOL shared) +{ + int fd; + struct stat st; + mode_t mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH; + int flags = O_RDWR|O_CREAT|O_TRUNC|O_EXCL; + + close(1); + + if (shared) { + /* become root - unprivilaged users can't delete these files */ +#ifdef HAVE_SETRESUID + setresgid(0,0,0); + setresuid(0,0,0); +#else + setuid(0); + seteuid(0); +#endif + } + + if(stat(outfile, &st) == 0) { + /* Check we're not deleting a device file. */ + if(st.st_mode & S_IFREG) + unlink(outfile); + else + flags = O_RDWR; + } + /* now create the file */ + fd = open(outfile,flags,mode); + + if (fd == -1) return False; + + if (fd != 1) { + if (dup2(fd,1) != 0) { + DEBUG(2,("Failed to create stdout file descriptor\n")); + close(fd); + return False; + } + close(fd); + } + return True; +} + + +/**************************************************************************** +run a command being careful about uid/gid handling and putting the output in +outfile (or discard it if outfile is NULL). + +if shared is True then ensure the file will be writeable by all users +but created such that its owned by root. This overcomes a security hole. + +if shared is not set then open the file with O_EXCL set +****************************************************************************/ +int smbrun(char *cmd,char *outfile,BOOL shared) +{ + extern struct current_user current_user; + int fd,pid; + int uid = current_user.uid; + int gid = current_user.gid; + +#ifndef HAVE_EXECL + int ret; + pstring syscmd; + char *path = lp_smbrun(); + + /* in the old method we use system() to execute smbrun which then + executes the command (using system() again!). This involves lots + of shell launches and is very slow. It also suffers from a + potential security hole */ + if (!file_exist(path,NULL)) { + DEBUG(0,("SMBRUN ERROR: Can't find %s. Installation problem?\n",path)); + return(1); + } + + slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"", + path,uid,gid,cmd, + outfile?outfile:"/dev/null"); + + DEBUG(5,("smbrun - running %s ",syscmd)); + ret = system(syscmd); + DEBUG(5,("gave %d\n",ret)); + return(ret); +#else + /* in this newer method we will exec /bin/sh with the correct + arguments, after first setting stdout to point at the file */ + + if ((pid=fork())) { + int status=0; + /* the parent just waits for the child to exit */ + if (sys_waitpid(pid,&status,0) != pid) { + DEBUG(2,("waitpid(%d) : %s\n",pid,strerror(errno))); + return -1; + } + return status; + } + + + /* we are in the child. we exec /bin/sh to do the work for us. we + don't directly exec the command we want because it may be a + pipeline or anything else the config file specifies */ + + /* point our stdout at the file we want output to go into */ + if (outfile && !setup_stdout_file(outfile,shared)) { + exit(80); + } + + /* now completely lose our privilages. This is a fairly paranoid + way of doing it, but it does work on all systems that I know of */ +#ifdef HAVE_SETRESUID + setresgid(0,0,0); + setresuid(0,0,0); + setresgid(gid,gid,gid); + setresuid(uid,uid,uid); +#else + setuid(0); + seteuid(0); + setgid(gid); + setegid(gid); + setuid(uid); + seteuid(uid); +#endif + + if (getuid() != uid || geteuid() != uid || + getgid() != gid || getegid() != gid) { + /* we failed to lose our privilages - do not execute + the command */ + exit(81); /* we can't print stuff at this stage, + instead use exit codes for debugging */ + } + + /* close all other file descriptors, leaving only 0, 1 and 2. 0 and + 2 point to /dev/null from the startup code */ + for (fd=3;fd<256;fd++) close(fd); + + execl("/bin/sh","sh","-c",cmd,NULL); + + /* not reached */ + exit(82); +#endif + return 1; +} -- cgit From e13aeea928dd89373cfaf3916c96f853c1227884 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 15 Aug 1998 01:19:26 +0000 Subject: configure: Changes for extra headers. configure.in: Source for header changes. client/clitar.c: Fixed isXXX macros & debugs for gcc pedantic compile. include/config.h.in: Added MEMSET, BZERO, MEMORY, RPCSVC_YPCLNT, STRINGS headers. include/includes.h: Headers for the above. include/smb.h: Made SIGNAL_CAST POSIX by default void (*)(int). lib/access.c: Fixed isXXX macros & debugs for gcc pedantic compile. lib/charset.c: Fixed isXXX macros & debugs for gcc pedantic compile. lib/debug.c: Fixed signal functs. lib/kanji.c: Fixed isXXX macros & debugs for gcc pedantic compile. lib/smbrun.c: Fixed isXXX macros & debugs for gcc pedantic compile. lib/util.c: Fixed isXXX macros & debugs for gcc pedantic compile. libsmb/namequery.c: Fixed isXXX macros & debugs for gcc pedantic compile. locking/shmem.c: Fixed isXXX macros & debugs for gcc pedantic compile. locking/shmem_sysv.c: Fixed error messages in sysV stuff. nmbd/asyncdns.c: Fixed signal functs. nmbd/nmbd.c: Fixed isXXX macros & debugs for gcc pedantic compile. passdb/passdb.c: Fixed isXXX macros & debugs for gcc pedantic compile. passdb/smbpassfile.c: Fixed isXXX macros & debugs for gcc pedantic compile. smbd/chgpasswd.c: Fixed isXXX macros & debugs for gcc pedantic compile. smbd/ipc.c: Fixed isXXX macros & debugs for gcc pedantic compile. smbd/nttrans.c: Fixed fsp code path. smbd/password.c: fixed HAVE_YP_GET_DEFAULT_DOMAIN problem. smbd/printing.c: Fixed isXXX macros & debugs for gcc pedantic compile. smbd/reply.c: Fixed isXXX macros & debugs for gcc pedantic compile. smbd/server.c: Fixed isXXX macros & debugs for gcc pedantic compile. smbd/trans2.c: Fixed core dump bug. smbd/uid.c: Fixed isXXX macros & debugs for gcc pedantic compile. Jeremy. (This used to be commit 1b9cbcd02e575dc0a95fa589f720df30a4acc46b) --- source3/lib/smbrun.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 0388b3f1bd..fcb14378a0 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -85,7 +85,6 @@ if shared is not set then open the file with O_EXCL set ****************************************************************************/ int smbrun(char *cmd,char *outfile,BOOL shared) { - extern struct current_user current_user; int fd,pid; int uid = current_user.uid; int gid = current_user.gid; -- cgit From 18556274139cc5a00593471bd745354d98a35303 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 Sep 1998 20:11:54 +0000 Subject: More abstraction of file system data types, to move to a 64 bit file interface for the NT SMB's. Created a new define, SMB_STRUCT_STAT that currently is defined to be struct stat - this wil change to a user defined type containing 64 bit info when the correct wrappers are written for 64 bit stat(), fstat() and lstat() calls. Also changed all sys_xxxx() calls that were previously just wrappers to the same call prefixed by a dos_to_unix() call into dos_xxxx() calls. This makes it explicit when a pathname translation is being done, and when it is not. Now, all sys_xxx() calls are meant to be wrappers to mask OS differences, and not silently converting filenames on the fly. Jeremy. (This used to be commit 28aa182dbffaa4ffd86047e608400de4b26e80eb) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index fcb14378a0..56fcd68ec1 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -33,7 +33,7 @@ the child as it may leave the caller in a privilaged state. static BOOL setup_stdout_file(char *outfile,BOOL shared) { int fd; - struct stat st; + SMB_STRUCT_STAT st; mode_t mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH; int flags = O_RDWR|O_CREAT|O_TRUNC|O_EXCL; -- cgit From 7bb86c1b132bce31a006ea9768a54db7a45fe1a5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Sep 1998 18:40:31 +0000 Subject: Ok - this is the 64 bit widening check in. It changes the configure to check for stat64 and friends, and then changes much of Samba to use the data type SMB_OFF_T for file size information. stat/fstat/lstat/lseek/ftruncate have now become sys_stat etc. to hide the 64 bit calls if needed. Note that this still does not expose 64 bit functionality to the client, as the changes to the reply_xxx smb's are not yet done. This code change should make these changes possible. Still to do before full 64 bit-ness to the client: fcntl lock code. statfs code widening of dev_t and ino_t (now possible due to SMB_DEV_T and SMB_OFF_T types being in place). Let me know if wierd things happen after this check-in and I'll fix them :-). Jeremy. (This used to be commit 14500936c321d15995c963766aac67bf1f4e3824) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 56fcd68ec1..d2abf0e952 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -50,7 +50,7 @@ static BOOL setup_stdout_file(char *outfile,BOOL shared) #endif } - if(stat(outfile, &st) == 0) { + if(sys_stat(outfile, &st) == 0) { /* Check we're not deleting a device file. */ if(st.st_mode & S_IFREG) unlink(outfile); -- cgit From 5f7ee360567a6b4e1a6f43ff01da057d2998fef8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 25 Sep 1998 23:40:49 +0000 Subject: Makefile.in: Fixed bug with continuation line causing proto to fail. Added $(PROGS) $(SPROGS) as targets for make clean. acconfig.h: Added HAVE_IRIX_SPECIFIC_CAPABILITIES. configure.in: Added sys/capability.h header check. Added function checks for srandom random srand rand. Added HAVE_IRIX_SPECIFIC_CAPABILITIES test. includes.h: Added #include . ntdomain.h: Moved struct acct_info into here from smb.h smb.h: Added KERNEL_OPLOCK_CAPABILITY define. Moved enum action_type into rpcclient.h Moved struct cli_state into client.h Moved struct nt_client_info, struct tar_client_info, struct client_info into rpcclient.h lib/genrand.c: Changed to use sys_random() & friends. lib/smbrun.c: Lose capabilities after fork. lib/system.c: Added set_process_capability(), set_inherited_process_capability() sys_random(), sys_srandom(). lib/util.c: Added Ander's EFBIG lock check to fcntl_lock for 64 bit access to an 32 bit mounted NFS filesystem. nmbd/nmbd.c: Changed to use sys_random() & friends. nmbd/nmbd_browsesync.c: Changed to use sys_random() & friends. passdb/ldap.c: Missed one pdb_encode_acct_ctrl call. passdb/passdb.c: Changed to Ander's code for ' ' characters. passdb/smbpass.c: Added Ander's code to reset ACB_PWNOTREQ. script/mkproto.awk: Added 'long' to prototypes. smbd/chgpasswd.c: Lose capabilities after fork. smbd/open.c: Do the mmap *after* the kernel oplock. smbd/oplock.c: Removed stub code from kernel oplock path. Added set_process_capability(), set_inherited_process_capability() calls. smbd/reply.c: Initialize count = 0, offset = 0. smbd/server.c: Added set_process_capability(), set_inherited_process_capability() calls. tests/summary.c: Ensure we have RANDOM or RAND. utils/smbpasswd.c: Added Ander's code to reset ACB_PWNOTREQ. utils/torture.c: Changed to use sys_random() & friends. Jeremy. (This used to be commit e8be306f23963ac00b1a383ebe0cc1421529fb02) --- source3/lib/smbrun.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index d2abf0e952..86d7cf9e03 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -89,6 +89,12 @@ int smbrun(char *cmd,char *outfile,BOOL shared) int uid = current_user.uid; int gid = current_user.gid; + /* + * Lose any kernel oplock capabilities we may have. + */ + set_process_capability(KERNEL_OPLOCK_CAPABILITY, False); + set_inherited_process_capability(KERNEL_OPLOCK_CAPABILITY, False); + #ifndef HAVE_EXECL int ret; pstring syscmd; -- cgit From 768761820e8d7481c586c4e0ab4ac7cb36d18c4b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 17 Nov 1998 20:50:07 +0000 Subject: Added the same open()/fopen()/creat()/mmap() -> sys_XXX calls. Tidied up some of the mess (no other word for it). Still doesn't compile cleanly. There are calls with incorrect parameters that don't seem to be doing the right thing. This code still needs surgery :-(. Jeremy. (This used to be commit 18ff93a9abbf68ee8c59c0af3e57c63e4a015dac) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 86d7cf9e03..da7632a67a 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -58,7 +58,7 @@ static BOOL setup_stdout_file(char *outfile,BOOL shared) flags = O_RDWR; } /* now create the file */ - fd = open(outfile,flags,mode); + fd = sys_open(outfile,flags,mode); if (fd == -1) return False; -- cgit From 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 13 Dec 1999 13:27:58 +0000 Subject: first pass at updating head branch to be to be the same as the SAMBA_2_0 branch (This used to be commit 453a822a76780063dff23526c35408866d0c0154) --- source3/lib/smbrun.c | 86 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 53 insertions(+), 33 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index da7632a67a..5a016cd5cd 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -28,7 +28,7 @@ extern int DEBUGLEVEL; /**************************************************************************** This is a utility function of smbrun(). It must be called only from -the child as it may leave the caller in a privilaged state. +the child as it may leave the caller in a privileged state. ****************************************************************************/ static BOOL setup_stdout_file(char *outfile,BOOL shared) { @@ -40,14 +40,9 @@ static BOOL setup_stdout_file(char *outfile,BOOL shared) close(1); if (shared) { - /* become root - unprivilaged users can't delete these files */ -#ifdef HAVE_SETRESUID - setresgid(0,0,0); - setresuid(0,0,0); -#else - setuid(0); - seteuid(0); -#endif + /* become root - unprivileged users can't delete these files */ + gain_root_privilege(); + gain_root_group_privilege(); } if(sys_stat(outfile, &st) == 0) { @@ -85,9 +80,10 @@ if shared is not set then open the file with O_EXCL set ****************************************************************************/ int smbrun(char *cmd,char *outfile,BOOL shared) { - int fd,pid; - int uid = current_user.uid; - int gid = current_user.gid; + int fd; + pid_t pid; + uid_t uid = current_user.uid; + gid_t gid = current_user.gid; /* * Lose any kernel oplock capabilities we may have. @@ -110,7 +106,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared) } slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"", - path,uid,gid,cmd, + path,(int)uid,(int)gid,cmd, outfile?outfile:"/dev/null"); DEBUG(5,("smbrun - running %s ",syscmd)); @@ -120,17 +116,52 @@ int smbrun(char *cmd,char *outfile,BOOL shared) #else /* in this newer method we will exec /bin/sh with the correct arguments, after first setting stdout to point at the file */ - - if ((pid=fork())) { + + /* + * We need to temporarily stop CatchChild from eating + * SIGCLD signals as it also eats the exit status code. JRA. + */ + + CatchChildLeaveStatus(); + + if ((pid=fork()) < 0) { + DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) )); + CatchChild(); + return errno; + } + + if (pid) { + /* + * Parent. + */ int status=0; + pid_t wpid; + + /* the parent just waits for the child to exit */ - if (sys_waitpid(pid,&status,0) != pid) { - DEBUG(2,("waitpid(%d) : %s\n",pid,strerror(errno))); + while((wpid = sys_waitpid(pid,&status,0)) < 0) { + if(errno == EINTR) { + errno = 0; + continue; + } + break; + } + + CatchChild(); + + if (wpid != pid) { + DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno))); return -1; } +#if defined(WIFEXITED) && defined(WEXITSTATUS) + if (WIFEXITED(status)) { + return WEXITSTATUS(status); + } +#endif return status; } + CatchChild(); /* we are in the child. we exec /bin/sh to do the work for us. we don't directly exec the command we want because it may be a @@ -141,25 +172,14 @@ int smbrun(char *cmd,char *outfile,BOOL shared) exit(80); } - /* now completely lose our privilages. This is a fairly paranoid + /* now completely lose our privileges. This is a fairly paranoid way of doing it, but it does work on all systems that I know of */ -#ifdef HAVE_SETRESUID - setresgid(0,0,0); - setresuid(0,0,0); - setresgid(gid,gid,gid); - setresuid(uid,uid,uid); -#else - setuid(0); - seteuid(0); - setgid(gid); - setegid(gid); - setuid(uid); - seteuid(uid); -#endif - + + become_user_permanently(uid, gid); + if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) { - /* we failed to lose our privilages - do not execute + /* we failed to lose our privileges - do not execute the command */ exit(81); /* we can't print stuff at this stage, instead use exit codes for debugging */ -- cgit From 2d96983c7c95e6678ce0851af697535b7a100b09 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 23 Apr 2000 08:45:21 +0000 Subject: don't close high fd's in smbrun when using insure (prevents closing error fd) (This used to be commit defbedd198f02f7bb9af70436f5a25ab754b5fb6) --- source3/lib/smbrun.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 5a016cd5cd..8d666980b3 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -185,10 +185,12 @@ int smbrun(char *cmd,char *outfile,BOOL shared) instead use exit codes for debugging */ } +#ifndef __INSURE__ /* close all other file descriptors, leaving only 0, 1 and 2. 0 and 2 point to /dev/null from the startup code */ for (fd=3;fd<256;fd++) close(fd); - +#endif + execl("/bin/sh","sh","-c",cmd,NULL); /* not reached */ -- cgit From 693ffb8466ada58ecc59fde754ba79fc6f51528d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 May 2000 02:23:41 +0000 Subject: Added sys_fork() and sys_getpid() functions to stop the overhead of doing a system call every time we want to just get our pid. Jeremy. (This used to be commit 148628b616b5c29ba6340d65fc3ddbcabba6e67a) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 8d666980b3..81dfc10dfb 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -124,7 +124,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared) CatchChildLeaveStatus(); - if ((pid=fork()) < 0) { + if ((pid=sys_fork()) < 0) { DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) )); CatchChild(); return errno; -- cgit From c33b0a6074d62ba028b5cd501e00394ad3acd9c5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 8 May 2000 18:24:26 +0000 Subject: Fix for VMS platforms from "John E. Malmberg" Jeremy. (This used to be commit eb281324fa409296bb3f29c9b7c59b2337fadc0d) --- source3/lib/smbrun.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 81dfc10dfb..89c924260f 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -92,6 +92,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared) set_inherited_process_capability(KERNEL_OPLOCK_CAPABILITY, False); #ifndef HAVE_EXECL + { int ret; pstring syscmd; char *path = lp_smbrun(); @@ -113,6 +114,7 @@ int smbrun(char *cmd,char *outfile,BOOL shared) ret = system(syscmd); DEBUG(5,("gave %d\n",ret)); return(ret); + } #else /* in this newer method we will exec /bin/sh with the correct arguments, after first setting stdout to point at the file */ -- cgit From 15cf0e847009faf7fb90bd7e9e27db6999c88eef Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 9 Jun 2000 06:58:06 +0000 Subject: clean up oplock capability code ready for Linux code (This used to be commit 70dcc791b45ac64fc536ef449e4e6b53b2b68fd4) --- source3/lib/smbrun.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 89c924260f..0642c30a75 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -84,12 +84,11 @@ int smbrun(char *cmd,char *outfile,BOOL shared) pid_t pid; uid_t uid = current_user.uid; gid_t gid = current_user.gid; - - /* - * Lose any kernel oplock capabilities we may have. - */ - set_process_capability(KERNEL_OPLOCK_CAPABILITY, False); - set_inherited_process_capability(KERNEL_OPLOCK_CAPABILITY, False); + + /* + * Lose any kernel oplock capabilities we may have. + */ + oplock_set_capability(False, False); #ifndef HAVE_EXECL { -- cgit From 234792321c07aa59103fb7502534e6dba0ca4c08 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 28 Oct 2000 19:30:21 +0000 Subject: Fixed silly bug in dup2 code found by Kenichi Okuyama@Tokyo Research Lab. IBM-Japan. Co. Jp. Jeremy. (This used to be commit 9c2272e056aef741c4b86f9a247c3534944d9eff) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 0642c30a75..5b05c64bf0 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -58,7 +58,7 @@ static BOOL setup_stdout_file(char *outfile,BOOL shared) if (fd == -1) return False; if (fd != 1) { - if (dup2(fd,1) != 0) { + if (dup2(fd,1) != 1) { DEBUG(2,("Failed to create stdout file descriptor\n")); close(fd); return False; -- cgit From 730791a6a864268c6f7033a498a151ecf31ca31c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Apr 2001 19:17:54 +0000 Subject: Tidy up tmp file handling. Jeremy. (This used to be commit 1751a6316af91d5d2e31c3a7e8de2841aae033c7) --- source3/lib/smbrun.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 5b05c64bf0..983c61f862 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -45,13 +45,8 @@ static BOOL setup_stdout_file(char *outfile,BOOL shared) gain_root_group_privilege(); } - if(sys_stat(outfile, &st) == 0) { - /* Check we're not deleting a device file. */ - if(st.st_mode & S_IFREG) - unlink(outfile); - else - flags = O_RDWR; - } + unlink(outfile); + /* now create the file */ fd = sys_open(outfile,flags,mode); -- cgit From 45646e88188b5d175f7755bc64f186cd59ed4c80 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Apr 2001 20:52:02 +0000 Subject: Fix from Michael Davidson to merge Solaris and UnixWare ACLs. Jeremy. (This used to be commit ffa800e980bfed3d82ec7b0a037085c4558f8f0f) --- source3/lib/smbrun.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 983c61f862..2b7d141834 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -33,7 +33,6 @@ the child as it may leave the caller in a privileged state. static BOOL setup_stdout_file(char *outfile,BOOL shared) { int fd; - SMB_STRUCT_STAT st; mode_t mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH; int flags = O_RDWR|O_CREAT|O_TRUNC|O_EXCL; -- cgit From 6578fd874283ee97c2896bcf7257db7f3e37c2ec Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 11 Apr 2001 23:19:08 +0000 Subject: To stop people complaining about the mktemp call, move it into lib/util.c. Thanks to Andrew for all this code. Fixed extra line in lib/sysacls.c that broke XFS ACL code. Jeremy. (This used to be commit 9b32b8a8cfc8ddb93c14d5581f433d2e93f89ed2) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 2b7d141834..e039f222fc 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -34,7 +34,7 @@ static BOOL setup_stdout_file(char *outfile,BOOL shared) { int fd; mode_t mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH; - int flags = O_RDWR|O_CREAT|O_TRUNC|O_EXCL; + int flags = O_RDWR|O_CREAT|O_EXCL; close(1); -- cgit From 50e78a9ac8cf0949c2471fafde844c674f97d73d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 13 Apr 2001 00:37:00 +0000 Subject: As Andrew suggested, make smbrun return a fd for a deleted file which can then be read. Jeremy. (This used to be commit e7d59d6de89a5fdd201e4b5c6072dab08b1519db) --- source3/lib/smbrun.c | 116 +++++++++++++++++++++++---------------------------- 1 file changed, 53 insertions(+), 63 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index e039f222fc..a543ff5eee 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -27,54 +27,41 @@ struct current_user current_user; extern int DEBUGLEVEL; /**************************************************************************** -This is a utility function of smbrun(). It must be called only from -the child as it may leave the caller in a privileged state. +This is a utility function of smbrun(). ****************************************************************************/ -static BOOL setup_stdout_file(char *outfile,BOOL shared) -{ - int fd; - mode_t mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH; - int flags = O_RDWR|O_CREAT|O_EXCL; - close(1); +static BOOL setup_out_fd(char *template) +{ + int fd; + pstring path; - if (shared) { - /* become root - unprivileged users can't delete these files */ - gain_root_privilege(); - gain_root_group_privilege(); - } + pstrcpy( path, template); + pstrcat( path, generate_random_str(17)); + pstrcat( path, ".XXXXXX"); - unlink(outfile); + /* now create the file */ + fd = smb_mkstemp(path); - /* now create the file */ - fd = sys_open(outfile,flags,mode); + if (fd == -1) { + DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n", + path, strerror(errno) )); + return -1; + } - if (fd == -1) return False; + DEBUG(10,("setup_out_fd: Created tmp file %s\n", path )); - if (fd != 1) { - if (dup2(fd,1) != 1) { - DEBUG(2,("Failed to create stdout file descriptor\n")); - close(fd); - return False; - } - close(fd); - } - return True; + /* Ensure file only kept around by open fd. */ + unlink(path); + return fd; } - /**************************************************************************** run a command being careful about uid/gid handling and putting the output in -outfile (or discard it if outfile is NULL). - -if shared is True then ensure the file will be writeable by all users -but created such that its owned by root. This overcomes a security hole. - -if shared is not set then open the file with O_EXCL set +outfd (or discard it if outfd is NULL). ****************************************************************************/ -int smbrun(char *cmd,char *outfile,BOOL shared) + +int smbrun(char *cmd, int *outfd, char *template) { - int fd; pid_t pid; uid_t uid = current_user.uid; gid_t gid = current_user.gid; @@ -84,32 +71,13 @@ int smbrun(char *cmd,char *outfile,BOOL shared) */ oplock_set_capability(False, False); -#ifndef HAVE_EXECL - { - int ret; - pstring syscmd; - char *path = lp_smbrun(); - - /* in the old method we use system() to execute smbrun which then - executes the command (using system() again!). This involves lots - of shell launches and is very slow. It also suffers from a - potential security hole */ - if (!file_exist(path,NULL)) { - DEBUG(0,("SMBRUN ERROR: Can't find %s. Installation problem?\n",path)); - return(1); - } + /* point our stdout at the file we want output to go into */ - slprintf(syscmd,sizeof(syscmd)-1,"%s %d %d \"(%s 2>&1) > %s\"", - path,(int)uid,(int)gid,cmd, - outfile?outfile:"/dev/null"); - - DEBUG(5,("smbrun - running %s ",syscmd)); - ret = system(syscmd); - DEBUG(5,("gave %d\n",ret)); - return(ret); + if (outfd && ((*outfd = setup_out_fd(template)) == -1)) { + return -1; } -#else - /* in this newer method we will exec /bin/sh with the correct + + /* in this method we will exec /bin/sh with the correct arguments, after first setting stdout to point at the file */ /* @@ -122,6 +90,10 @@ int smbrun(char *cmd,char *outfile,BOOL shared) if ((pid=sys_fork()) < 0) { DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) )); CatchChild(); + if (outfd) { + close(*outfd); + *outfd = -1; + } return errno; } @@ -146,13 +118,24 @@ int smbrun(char *cmd,char *outfile,BOOL shared) if (wpid != pid) { DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno))); + if (outfd) { + close(*outfd); + *outfd = -1; + } return -1; } + + /* Reset the seek pointer. */ + if (outfd) { + sys_lseek(*outfd, 0, SEEK_SET); + } + #if defined(WIFEXITED) && defined(WEXITSTATUS) if (WIFEXITED(status)) { return WEXITSTATUS(status); } #endif + return status; } @@ -163,10 +146,15 @@ int smbrun(char *cmd,char *outfile,BOOL shared) pipeline or anything else the config file specifies */ /* point our stdout at the file we want output to go into */ - if (outfile && !setup_stdout_file(outfile,shared)) { - exit(80); + if (outfd) { + close(1); + if (dup2(*outfd,1) != 1) { + DEBUG(2,("Failed to create stdout file descriptor\n")); + close(*outfd); + exit(80); + } } - + /* now completely lose our privileges. This is a fairly paranoid way of doing it, but it does work on all systems that I know of */ @@ -183,13 +171,15 @@ int smbrun(char *cmd,char *outfile,BOOL shared) #ifndef __INSURE__ /* close all other file descriptors, leaving only 0, 1 and 2. 0 and 2 point to /dev/null from the startup code */ + { + int fd; for (fd=3;fd<256;fd++) close(fd); + } #endif execl("/bin/sh","sh","-c",cmd,NULL); /* not reached */ exit(82); -#endif return 1; } -- cgit From 2ef68c7e92d4661664f0410509f7cb551e74a198 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 13 Apr 2001 19:12:06 +0000 Subject: Merge of Andrew's changes in 2.2. Jeremy. (This used to be commit fc76681812b1469208ad6c8847afdfc68bc6db49) --- source3/lib/smbrun.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index a543ff5eee..62378503e0 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -30,14 +30,12 @@ extern int DEBUGLEVEL; This is a utility function of smbrun(). ****************************************************************************/ -static BOOL setup_out_fd(char *template) +static int setup_out_fd(void) { int fd; pstring path; - pstrcpy( path, template); - pstrcat( path, generate_random_str(17)); - pstrcat( path, ".XXXXXX"); + slprintf(path, sizeof(path)-1, "%s/smb.XXXXXX", tmpdir()); /* now create the file */ fd = smb_mkstemp(path); @@ -60,7 +58,7 @@ run a command being careful about uid/gid handling and putting the output in outfd (or discard it if outfd is NULL). ****************************************************************************/ -int smbrun(char *cmd, int *outfd, char *template) +int smbrun(char *cmd, int *outfd) { pid_t pid; uid_t uid = current_user.uid; @@ -73,7 +71,7 @@ int smbrun(char *cmd, int *outfd, char *template) /* point our stdout at the file we want output to go into */ - if (outfd && ((*outfd = setup_out_fd(template)) == -1)) { + if (outfd && ((*outfd = setup_out_fd()) == -1)) { return -1; } -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/lib/smbrun.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 62378503e0..1ace6e3a99 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -24,8 +24,6 @@ /* need to move this from here!! need some sleep ... */ struct current_user current_user; -extern int DEBUGLEVEL; - /**************************************************************************** This is a utility function of smbrun(). ****************************************************************************/ -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/lib/smbrun.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 1ace6e3a99..67f82ed0ad 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. run a command as a specified user Copyright (C) Andrew Tridgell 1992-1998 -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 67f82ed0ad..592543bc43 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -143,7 +143,7 @@ int smbrun(char *cmd, int *outfd) /* point our stdout at the file we want output to go into */ if (outfd) { close(1); - if (dup2(*outfd,1) != 1) { + if (sys_dup2(*outfd,1) != 1) { DEBUG(2,("Failed to create stdout file descriptor\n")); close(*outfd); exit(80); -- cgit From 410a6c72eafbb7fb1ecc9bf89310842ea8027494 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 14 Sep 2004 00:21:11 +0000 Subject: r2331: check password script code and example from trunk (This used to be commit f836be323a233f3a28cbaa04c532e83ea98ead89) --- source3/lib/smbrun.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 122 insertions(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 592543bc43..43cb209174 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -90,7 +90,7 @@ int smbrun(char *cmd, int *outfd) *outfd = -1; } return errno; - } + } if (pid) { /* @@ -178,3 +178,124 @@ int smbrun(char *cmd, int *outfd) exit(82); return 1; } + + +/**************************************************************************** +run a command being careful about uid/gid handling and putting the output in +outfd (or discard it if outfd is NULL). +sends the provided secret to the child stdin. +****************************************************************************/ + +int smbrunsecret(char *cmd, char *secret) +{ + pid_t pid; + uid_t uid = current_user.uid; + gid_t gid = current_user.gid; + int ifd[2]; + + /* + * Lose any kernel oplock capabilities we may have. + */ + oplock_set_capability(False, False); + + /* build up an input pipe */ + if(pipe(ifd)) { + return -1; + } + + /* in this method we will exec /bin/sh with the correct + arguments, after first setting stdout to point at the file */ + + /* + * We need to temporarily stop CatchChild from eating + * SIGCLD signals as it also eats the exit status code. JRA. + */ + + CatchChildLeaveStatus(); + + if ((pid=sys_fork()) < 0) { + DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno))); + CatchChild(); + return errno; + } + + if (pid) { + /* + * Parent. + */ + int status = 0; + pid_t wpid; + + close(ifd[0]); + /* send the secret */ + write(ifd[1], secret, strlen(secret)); + fsync(ifd[1]); + close(ifd[1]); + + /* the parent just waits for the child to exit */ + while((wpid = sys_waitpid(pid, &status, 0)) < 0) { + if(errno == EINTR) { + errno = 0; + continue; + } + break; + } + + CatchChild(); + + if (wpid != pid) { + DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno))); + return -1; + } + +#if defined(WIFEXITED) && defined(WEXITSTATUS) + if (WIFEXITED(status)) { + return WEXITSTATUS(status); + } +#endif + + return status; + } + + CatchChild(); + + /* we are in the child. we exec /bin/sh to do the work for us. we + don't directly exec the command we want because it may be a + pipeline or anything else the config file specifies */ + + close(ifd[1]); + close(0); + if (sys_dup2(ifd[0], 0) != 0) { + DEBUG(2,("Failed to create stdin file descriptor\n")); + close(ifd[0]); + exit(80); + } + + /* now completely lose our privileges. This is a fairly paranoid + way of doing it, but it does work on all systems that I know of */ + + become_user_permanently(uid, gid); + + if (getuid() != uid || geteuid() != uid || + getgid() != gid || getegid() != gid) { + /* we failed to lose our privileges - do not execute + the command */ + exit(81); /* we can't print stuff at this stage, + instead use exit codes for debugging */ + } + +#ifndef __INSURE__ + /* close all other file descriptors, leaving only 0, 1 and 2. 0 and + 2 point to /dev/null from the startup code */ + { + int fd; + for (fd = 3; fd < 256; fd++) close(fd); + } +#endif + + execl("/bin/sh", "sh", "-c", cmd, NULL); + + /* not reached */ + exit(82); + return 1; +} -- cgit From 418e92d06da0638d92c48ffd310a409c89e2fa48 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Sep 2005 23:58:14 +0000 Subject: r10234: Add new auth module "auth_script" to allow valid users to be provisioned on demand - calls script with domain, username, challenge and LM and NT responses - passing the info through a pipe. Jeremy. (This used to be commit 67be4ee41cd244bcc0445cac7c9e1e2d40e93c9b) --- source3/lib/smbrun.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 43cb209174..13e330dd97 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -55,7 +55,7 @@ run a command being careful about uid/gid handling and putting the output in outfd (or discard it if outfd is NULL). ****************************************************************************/ -int smbrun(char *cmd, int *outfd) +int smbrun(const char *cmd, int *outfd) { pid_t pid; uid_t uid = current_user.uid; @@ -186,7 +186,7 @@ outfd (or discard it if outfd is NULL). sends the provided secret to the child stdin. ****************************************************************************/ -int smbrunsecret(char *cmd, char *secret) +int smbrunsecret(const char *cmd, const char *secret) { pid_t pid; uid_t uid = current_user.uid; -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/lib/smbrun.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 13e330dd97..6d6d7817f1 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -225,10 +225,16 @@ int smbrunsecret(const char *cmd, const char *secret) */ int status = 0; pid_t wpid; + size_t towrite; + ssize_t wrote; close(ifd[0]); /* send the secret */ - write(ifd[1], secret, strlen(secret)); + towrite = strlen(secret); + wrote = write(ifd[1], secret, towrite); + if ( wrote != towrite ) { + DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite)); + } fsync(ifd[1]); close(ifd[1]); -- cgit From d14af63e6ab600eb3ac705f2f425c860e927553a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 2 Feb 2006 20:44:50 +0000 Subject: r13293: Rather a big patch I'm afraid, but this should fix bug #3347 by saving the UNIX token used to set a delete on close flag, and using it when doing the delete. libsmbsharemodes.so still needs updating to cope with this change. Samba4 torture tests to follow. Jeremy. (This used to be commit 23f16cbc2e8cde97c486831e26bcafd4ab4a9654) --- source3/lib/smbrun.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 6d6d7817f1..4f5525039f 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -58,8 +58,8 @@ outfd (or discard it if outfd is NULL). int smbrun(const char *cmd, int *outfd) { pid_t pid; - uid_t uid = current_user.uid; - gid_t gid = current_user.gid; + uid_t uid = current_user.ut.uid; + gid_t gid = current_user.ut.gid; /* * Lose any kernel oplock capabilities we may have. @@ -189,8 +189,8 @@ sends the provided secret to the child stdin. int smbrunsecret(const char *cmd, const char *secret) { pid_t pid; - uid_t uid = current_user.uid; - gid_t gid = current_user.gid; + uid_t uid = current_user.ut.uid; + gid_t gid = current_user.ut.gid; int ifd[2]; /* -- cgit From 97ee5b1afa342eea40f973f5370c9f620c63bd01 Mon Sep 17 00:00:00 2001 From: James Peach Date: Tue, 21 Mar 2006 02:56:49 +0000 Subject: r14600: Refactor capability interface from being IRIX-specific to using only the POSIX interface. Note that this removes support for inherited capabilities. This wasn't used, and probably should not be. (This used to be commit 763f4c01488a96aec000c18bca313da37ed1df1b) --- source3/lib/smbrun.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 4f5525039f..521b1bf761 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -64,7 +64,7 @@ int smbrun(const char *cmd, int *outfd) /* * Lose any kernel oplock capabilities we may have. */ - oplock_set_capability(False, False); + drop_effective_capability(KERNEL_OPLOCK_CAPABILITY); /* point our stdout at the file we want output to go into */ @@ -196,7 +196,7 @@ int smbrunsecret(const char *cmd, const char *secret) /* * Lose any kernel oplock capabilities we may have. */ - oplock_set_capability(False, False); + drop_effective_capability(KERNEL_OPLOCK_CAPABILITY); /* build up an input pipe */ if(pipe(ifd)) { -- cgit From 40d0707827ee154bcb03013abe6f72f1026a70c9 Mon Sep 17 00:00:00 2001 From: James Peach Date: Wed, 22 Mar 2006 23:49:09 +0000 Subject: r14668: Set the FILE_STATUS_OFFLINE bit by observing the events a DMAPI-based HSM is interested in. Tested on both IRIX and SLES9. (This used to be commit 514a767c57f8194547e5b708ad2573ab9a0719c6) --- source3/lib/smbrun.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 521b1bf761..4400aeb443 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -62,9 +62,10 @@ int smbrun(const char *cmd, int *outfd) gid_t gid = current_user.ut.gid; /* - * Lose any kernel oplock capabilities we may have. + * Lose any elevated privileges. */ drop_effective_capability(KERNEL_OPLOCK_CAPABILITY); + drop_effective_capability(DMAPI_ACCESS_CAPABILITY); /* point our stdout at the file we want output to go into */ @@ -194,9 +195,10 @@ int smbrunsecret(const char *cmd, const char *secret) int ifd[2]; /* - * Lose any kernel oplock capabilities we may have. + * Lose any elevated privileges. */ drop_effective_capability(KERNEL_OPLOCK_CAPABILITY); + drop_effective_capability(DMAPI_ACCESS_CAPABILITY); /* build up an input pipe */ if(pipe(ifd)) { -- cgit From d34f6bb969092166c961e328229b1b05a30f6930 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 14 May 2007 14:23:51 +0000 Subject: r22852: merge fixes for CVE-2007-2446 and CVE-2007-2447 to all branches (This used to be commit f65214be68c1a59d9598bfb9f3b19e71cc3fa07b) --- source3/lib/smbrun.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 4400aeb443..e81224b5af 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -55,7 +55,7 @@ run a command being careful about uid/gid handling and putting the output in outfd (or discard it if outfd is NULL). ****************************************************************************/ -int smbrun(const char *cmd, int *outfd) +static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize) { pid_t pid; uid_t uid = current_user.ut.uid; @@ -173,13 +173,36 @@ int smbrun(const char *cmd, int *outfd) } #endif - execl("/bin/sh","sh","-c",cmd,NULL); + { + const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd; + if (!newcmd) { + exit(82); + } + execl("/bin/sh","sh","-c",newcmd,NULL); + } /* not reached */ - exit(82); + exit(83); return 1; } +/**************************************************************************** + Use only in known safe shell calls (printing). +****************************************************************************/ + +int smbrun_no_sanitize(const char *cmd, int *outfd) +{ + return smbrun_internal(cmd, outfd, False); +} + +/**************************************************************************** + By default this now sanitizes shell expansion. +****************************************************************************/ + +int smbrun(const char *cmd, int *outfd) +{ + return smbrun_internal(cmd, outfd, True); +} /**************************************************************************** run a command being careful about uid/gid handling and putting the output in @@ -302,7 +325,7 @@ int smbrunsecret(const char *cmd, const char *secret) #endif execl("/bin/sh", "sh", "-c", cmd, NULL); - + /* not reached */ exit(82); return 1; -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index e81224b5af..29d03d7ee9 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -5,7 +5,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/lib/smbrun.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 29d03d7ee9..b656822321 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -14,8 +14,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From db31df8186eafabd9a997a89e33779cf10ce5a9b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 14 Sep 2007 22:14:39 +0000 Subject: r25171: More pstring removal. Jeremy. (This used to be commit 4748d2639796e8caa67fae44d1cf660d49d82663) --- source3/lib/smbrun.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index b656822321..26330ab992 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -1,18 +1,18 @@ -/* +/* Unix SMB/CIFS implementation. run a command as a specified user Copyright (C) Andrew Tridgell 1992-1998 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ @@ -27,11 +27,19 @@ This is a utility function of smbrun(). ****************************************************************************/ static int setup_out_fd(void) -{ +{ int fd; - pstring path; - - slprintf(path, sizeof(path)-1, "%s/smb.XXXXXX", tmpdir()); + TALLOC_CTX *ctx = talloc_stackframe(); + char *path = NULL; + + path = talloc_asprintf(ctx, + "%s/smb.XXXXXX", + tmpdir()); + if (!path) { + TALLOC_FREE(ctx); + errno = ENOMEM; + return -1; + } /* now create the file */ fd = smb_mkstemp(path); @@ -39,6 +47,7 @@ static int setup_out_fd(void) if (fd == -1) { DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n", path, strerror(errno) )); + TALLOC_FREE(ctx); return -1; } @@ -46,6 +55,7 @@ static int setup_out_fd(void) /* Ensure file only kept around by open fd. */ unlink(path); + TALLOC_FREE(ctx); return fd; } @@ -59,7 +69,7 @@ static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize) pid_t pid; uid_t uid = current_user.ut.uid; gid_t gid = current_user.ut.gid; - + /* * Lose any elevated privileges. */ -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/lib/smbrun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/smbrun.c') diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c index 26330ab992..515fcd75c2 100644 --- a/source3/lib/smbrun.c +++ b/source3/lib/smbrun.c @@ -64,7 +64,7 @@ run a command being careful about uid/gid handling and putting the output in outfd (or discard it if outfd is NULL). ****************************************************************************/ -static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize) +static int smbrun_internal(const char *cmd, int *outfd, bool sanitize) { pid_t pid; uid_t uid = current_user.ut.uid; -- cgit