File: rssh_chroot_helper.c

package info (click to toggle)
rssh 2.3.4-5+deb9u4
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 1,036 kB
  • sloc: ansic: 4,437; sh: 1,069; makefile: 62; awk: 19
file content (279 lines) | stat: -rw-r--r-- 8,331 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
/*
 * chroot_helper.c - functions to deal with chrooting rssh
 * 
 * Copyright 2003-2005 Derek D. Martin ( code at pizzashack dot org ).
 *
 * This program is licensed under a BSD-style license, as follows: 
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *	notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *	notice, this list of conditions and the following disclaimer in the
 *	documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

/* SYSTEM INCLUDES */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */
#include <stdio.h>
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#ifdef HAVE_ERRNO_H 
#include <errno.h>
#endif /* HAVE_ERRNO_H */
#ifdef HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#ifdef HAVE_LIBGEN_H
#include <libgen.h>
#endif /* HAVE_LIBGEN_H */
#ifdef HAVE_SYSLOG_H
#include <syslog.h>
#endif /* HAVE_SYSLOG_H */ 
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif /* HAVE_PWD_H */
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif /* HAVE_SYS_TYPES_H */
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif /* HAVE_SYS_STAT_H */


/* LOCAL INCLUDES */
#include "rssh.h"
#include "rsshconf.h"
#include "pathnames.h"
#include "log.h"
#include "util.h"
#include "argvec.h"

/* GLOBAL VARIABLES */
extern int errno;
char *progname;
char *username;

/* FILE SCOPE VARIABLES */
static int  log_init = 0;

/* FILE SCOPE FUNCTIONS */


void ch_start_logging( void )
{
	/* set up logging - username should be set before this is called */
	if ( log_init ) return;
	log_set_facility(LOG_USER);
	log_set_priority(LOG_INFO);
	log_open();
	log_msg("new session for %s, UID=%d", username, getuid());
	/* all log messages from this point on are errors */
	log_set_priority(LOG_ERR);
	log_init = 1;
}

void ch_fatal_error( char *func, char *arg, char *strerr )
{

	/* drop privileges */
	if ( !geteuid() ) setuid(getuid());
	ch_start_logging();

	/* log error */
	log_msg("%s failed, %s: %s", func, arg, strerr);
	log_close();
	exit(1);
}


/* MAIN PROGRAM */
int main( int argc, char **argv )
{
	struct stat	s;
	ShellOptions_t	opts;
	long int	cmd;
	char		*conv;
	char		**argvec;
	char		*cmd_path;
	char		*homedir;
	struct passwd	uinfo;
	struct passwd	*temp;

	/* 
	 * Unfortunately, in order to maintain security, a lot of the code
	 * from the rssh main program must be duplicated.  Specifically, the
	 * config file must be parsed to get the chroot path, in order to
	 * prevent a user from being able to chroot() arbitrarily, which leads
	 * to easy root compromise if a user has shell access to the system.
	 * build_arg_vector() must be done here instead of in the main
	 * program, in order to prevent a directory transversal attack.
	 */ 

	/*
	 * As a possible future security enhancement, it should be possible to
	 * have rssh_chroot_helper authenticate cryptographically that it was
	 * exec()'d by rssh.  If rssh is SGID to some rssh-users group, it
	 * could store the public key for rssh_chroot_helper in a file which
	 * is only readable by that group.  Since rssh_chroot_helper is
	 * already SUID root, it could store its private key in some file that
	 * is only readable by root.  Obviously, care should be taken that no
	 * user who has shell access to the system can become a member of the
	 * rssh-users group.  The only thing stopping me from coding that now
	 * is my lack of knowledge of cryptographic programming.  
	 *
	 * As a further precaution, all users whose accounts will be protected
	 * by rssh should be in the rssh-users group, and both rssh and
	 * rssh_chroot_helper should be executable only by that group.  This
	 * can be done now, even without any cryptography.
	 */

	/* THIS CODE IS EXPOSED AS ROOT! */

	/* initialize variables to defaults */
	opts.rssh_umask = 022;
	opts.shell_flags = 0;
	opts.chroot_path = NULL;

	/* figure out our name, and give it to the log module */
	progname = strdup(log_make_ident(basename(argv[0])));

	/* get user's passwd info */
	if ( (temp = getpwuid(getuid())) ){
		uinfo = *temp;
		username = uinfo.pw_name;
	}
	else
		/* this probably should never happen */
		username = "unknown user!";

	/* make sure we have enough arguments, or exit with error */
	if ( argc != 3 ) ch_fatal_error(progname, "invalid arguments", 
	                                "wrong number of arguments");

	/* process the config file, don't log */
	if ( !(read_shell_config(&opts, PATH_RSSH_CONFIG, 0)) ){
		ch_fatal_error("read_shell_config()", PATH_RSSH_CONFIG,
				"errors processing configuration file!");
	}

	/* 
	 * opts.chroot_path is directory to chroot to.  Check to make sure it
	 * exists.  If it does, chroot and drop privileges, and cd to it.
	 */

	if ( stat(opts.chroot_path, &s) == -1 )
		ch_fatal_error("stat()", argv[1], strerror(errno));
	if ( chroot(opts.chroot_path) == -1 )
		ch_fatal_error("chroot()", argv[1], strerror(errno));

	/* END OF CODE EXPOSED AS ROOT! */

	setuid(getuid());
	ch_start_logging();

	log_msg("user's home dir is %s", uinfo.pw_dir);

	/* get the user's home dir */ 
	if ( !(homedir = extract_root(opts.chroot_path, uinfo.pw_dir)) ){
		log_msg("couldn't find %s in chroot jail", uinfo.pw_dir);
		homedir = strdup("/");
	}

	log_msg("chrooted to %s", opts.chroot_path);
	log_msg("changing working directory to %s (inside jail)", homedir);

	/* cd into / to avoid possibility of breaking out of the jail */
	if ( chdir("/") )
		ch_fatal_error("chdir()", "/", strerror(errno));

	/* make sure we can change directory to the user's dir */
	if ( chdir(homedir) == -1 )
		log_msg("could not cd to user's home dir: %s", homedir);

	if ( !(argvec = build_arg_vector(argv[2], 0)) )
		ch_fatal_error("build_arg_vector()", argv[2],
				"bad expansion");

	/* check the command for safety */
	if ( !check_command_line(argvec, &opts) ){
		fprintf(stderr, "\n");
		exit(1);
	}

	/* 
	 * This is the old way to figure out what program to run.  Since we're
	 * re-parsing the config file in rssh_chroot helper, we could get rid
	 * of this and redetermine it from the command line, and re-parse
	 * whether or not it's ok to run that command.  But, I don't think
	 * that's really necessary, nor worth the effort.  A user who is
	 * restricted by rssh will not be able to gain access to manipulate
	 * this on the command line, and a user who has full shell access
	 * can't gain anything they couldn't already do by manipulating it...
	 * so it seems OK to leave as is.
	 */

	/* argv[1] is "1" if scp, "2" if sftp, ... */
	cmd = strtol(argv[1], &conv, 10);
	if ( *conv ){
		log_msg("command identifier contained invalid chars");
		exit(2);
	}
	
	/* ok... what were we supposed to run? */
	switch (cmd){
	case 1:
		cmd_path = PATH_SCP;
		break;
	case 2:
		cmd_path = PATH_SFTP_SERVER;
		break;
	case 3:
		cmd_path = PATH_CVS;
		break;
	case 4:
		cmd_path = PATH_RDIST;
		break;
	case 5:
		cmd_path = PATH_RSYNC;
		break;
	case 6:
		cmd_path = PATH_SVNSERVE;
		break;
	default:
		log_msg("invalid command specified");
		exit(2);
	}

	/* now run it */
	execv(cmd_path, argvec);

	/* we only get here if the exec fails */
	ch_fatal_error("execv()", cmd_path, strerror(errno));
	/* and we never get here, but it shuts gcc up */
	exit(1);
}