* Run the login shell or command as the given user in a new pty to prevent
* terminal injection attacks.
*
- * Copyright (C) 2016 Simon Ruderich
+ * Copyright (C) 2016-2021 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * GNU Affero General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#define _GNU_SOURCE
#include <termios.h>
#include <unistd.h>
+/* Default PATH for new process.*/
+#ifndef PTYAS_DEFAULT_PATH
+/* Default user PATH from Debian's /etc/profile, change as needed. */
+# define PTYAS_DEFAULT_PATH "/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+#endif
+
static void die(const char *s) {
perror(s);
if (*pty_slave == -1) {
die("open slave tty");
}
- /* The user must be able to write to the new TTY. Normally grantpt() would
+ /*
+ * The user must be able to write to the new TTY. Normally grantpt() would
* do this for us, but we don't trust the user and thus don't want to pass
- * the pty_master to a process running under that uid. */
- // TODO: is this a problem?
+ * the pty_master to a process running under that uid.
+ */
if (chown(slave_path, uid, (gid_t)-1) != 0) {
die("chown slave tty");
}
static void drop_privileges_or_die(uid_t uid, gid_t gid) {
/* Drop all supplementary group IDs. */
+#ifdef __FreeBSD__
+ {
+ /* FreeBSD uses the first gid to set the egid of the process. */
+ gid_t egid = gid;
+ if (setgroups(1, &egid) != 0) {
+ die("setgroups");
+ }
+ if (getgroups(1, &egid) != 1) {
+ die_fmt("failed to drop all supplementary groups\n");
+ }
+ if (egid != gid) {
+ die_fmt("failed to drop all supplementary groups (egid): %d %d\n",
+ egid, gid);
+ }
+ }
+#else
if (setgroups(0, NULL) != 0) {
die("setgroups");
}
if (getgroups(0, NULL) != 0) {
- die_fmt("failed to drop all groups");
+ die_fmt("failed to drop all supplementary groups\n");
}
+#endif
/* Dropping groups may require privileges, do that first. */
if (setresgid(gid, gid, gid) != 0) {
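Review bot: The `%d` conversions in the FreeBSD-only die_fmt() call pass `egid` and `gid`, which are `gid_t` (an unsigned type on FreeBSD), so the format does not match the arguments and `-Wformat` will complain; assuming die_fmt() is printf-like, casting is the portable fix: `die_fmt("failed to drop all supplementary groups (egid): %lu %lu\n", (unsigned long)egid, (unsigned long)gid);`. The rest of the branch looks sound: `getgroups(1, &egid)` fails with more than one entry, so `!= 1` does catch a non-empty supplementary list. drop_privileges_or_die() continues past this hunk (the setresgid() body is cut off), so the later uid/gid verification is not reviewed here.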
}
if ( uid != ruid || uid != euid || uid != suid
|| gid != rgid || gid != egid || gid != sgid) {
- die_fmt("failed to drop privileges");
+ die_fmt("failed to drop privileges\n");
}
}
/* Just to be safe. */
if (setuid(0) != -1) {
- die_fmt("failed to drop privileges (setuid)");
+ die_fmt("failed to drop privileges (setuid)\n");
}
}
while (*pid_to_wait_for != 0) {
/*
* If a signal happens here _and_ the child hasn't closed pty_slave,
- * we will hang in poll(); therefore ppoll() is requred.
+ * we would hang in poll(); therefore ppoll() is necessary.
*/
nfds_t nfds = sizeof(fds)/sizeof(*fds);
if (ppoll(fds, nfds, NULL /* no timeout */, &sigset_old) == -1) {
if (errno == EAGAIN || errno == EINTR) {
continue;
- } else {
- perror("poll");
}
+ perror("poll");
break;
}
- /* Handle errors first. */
+ /*
+ * Handle errors first. (Data available before the error occurred
+ * might be dropped, but shouldn't matter here.)
+ */
if (fds[0].revents & (POLLERR | POLLNVAL)) {
fprintf(stderr, "poll: error on master: %d\n", fds[0].revents);
break;
break;
}
- /* Then read data if available. */
+ /* Read data if available. */
if (fds[0].revents & POLLIN) {
if (!read_from_write_to(pty_master, ctty)) {
perror("read from master write to ctty");
}
-/* Not sig_atomic_t but I don't know how to do that any other way. */
+/*
+ * Not sig_atomic_t (as required by POSIX) but I don't know how to do that any
+ * other way.
+ */
static volatile pid_t pid_to_wait_for;
static int pid_to_wait_for_status;
-static void sigchld_handler() {
+static void sigchld_handler(int signal) {
int status;
pid_t pid;
+ (void)signal;
+
while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
if (pid == pid_to_wait_for) {
/* Mark that our child has died and we should exit as well. */
}
}
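Review bot: The new parameter name `signal` in `sigchld_handler(int signal)` shadows the `signal()` function declared by `<signal.h>`, which `-Wshadow` flags and which reads oddly next to the `sigaction()` calls; the same applies to `sigwinch_handler(int signal)` later in this diff. A neutral name avoids it: `static void sigchld_handler(int signo) {` with `(void)signo;`. Behaviour is unchanged either way since the argument is only discarded.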
+/*
+ * SIGWINCH handler to handle resizes of the outer terminal.
+ *
+ * Errors are ignored without message because printing in signal handlers is
+ * problematic (no FILE * usable due to locks) and there's not much we can do
+ * at this point.
+ */
+static int sigwinch_ctty = -1;
+static int sigwinch_slave = -1;
+
+static void sigwinch_handler(int signal) {
+ (void)signal;
+
+ struct winsize size;
+ if (ioctl(sigwinch_ctty, TIOCGWINSZ, &size) == -1) {
+ return;
+ }
+ if (ioctl(sigwinch_slave, TIOCSWINSZ, &size) == -1) {
+ return;
+ }
+}
+
int main(int argc, char **argv) {
char *exec_argv_shell[] = { NULL, NULL }; /* filled below */
if (pid == -1) {
die("fork parent");
} else if (pid == 0) {
+ /* child, will become a session leader */
+
if (sigprocmask(SIG_SETMASK, &sigset_old, NULL) != 0) {
die("sigprocmask setmask child");
}
if (pid == -1) {
die("fork child");
} else if (pid == 0) {
+ /*
+ * Drop the privileges just now so that the other user doesn't get
+ * access to the master TTY or the session leader (which might
+ * have additional privileges).
+ */
drop_privileges_or_die(uid, gid);
dup2_or_die(pty_slave, STDIN_FILENO);
}
const char *home = passwd->pw_dir;
+ /*
+ * Ignore errors here as we don't want to die on non-existent home
+ * directories to allow running as any user (think "/nonexistent"
+ * as home) and an error message will be annoying to ignore when
+ * running this command in scripts.
+ */
+ chdir(home);
+
char envp_user[strlen("USER=") + strlen(user) + 1];
char envp_home[strlen("HOME=") + strlen(home) + 1];
char envp_term[strlen("TERM=") + strlen(term) + 1];
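Review bot: The added `chdir(home);` discards its result, so under `_GNU_SOURCE` with glibc fortification this emits a warn_unused_result warning, and on failure the target user's process silently keeps the caller's working directory, which was chosen by the privileged invoker and may not even be traversable by that user. The usual login(1) behaviour is to fall back to the root directory, which keeps the "never die on a missing home" intent the comment states: `if (chdir(home) != 0) { (void)chdir("/"); }`. The comment above it should then mention the fallback, e.g. `/* ... fall back to "/" so the user never inherits the caller's cwd. */`.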
snprintf_or_assert(envp_term, sizeof(envp_term), "TERM=%s", term);
char *exec_envp[] = {
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "PATH=" PTYAS_DEFAULT_PATH,
envp_user,
envp_home,
term_orig ? envp_term : NULL,
close_or_die(STDOUT_FILENO);
close_or_die(STDERR_FILENO);
- // TODO: EINTR?
+ /* TODO: EINTR? */
int status;
if (waitpid(pid, &status, 0) <= 0) {
die("waitpid child");
}
quit_with_matching_code(status);
}
- close_or_die(pty_slave);
+ /* Don't close pty_slave here as it's used in sigwinch_handler(). */
+
+ sigwinch_ctty = ctty;
+ sigwinch_slave = pty_slave;
+
+ struct sigaction action_sigwinch = {
+ .sa_handler = sigwinch_handler,
+ };
+ sigemptyset(&action_sigwinch.sa_mask);
+ if (sigaction(SIGWINCH, &action_sigwinch, NULL) != 0) {
+ die("sigaction SIGWINCH");
+ }
pid_to_wait_for = pid;
- struct sigaction action = {
+ struct sigaction action_sigchld = {
.sa_handler = sigchld_handler,
};
- if (sigaction(SIGCHLD, &action, NULL) != 0) {
- die("sigaction");
+ sigemptyset(&action_sigchld.sa_mask);
+ if (sigaction(SIGCHLD, &action_sigchld, NULL) != 0) {
+ die("sigaction SIGCHLD");
}
if (sigprocmask(SIG_SETMASK, &sigset_old, NULL) != 0) {
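Review bot: Keeping `pty_slave` open in the parent (the dropped `close_or_die(pty_slave)`) means the master will not report POLLHUP when the child closes its last slave descriptor, so the forwarding loop now ends only when the SIGCHLD handler clears `pid_to_wait_for`; that appears to be intended given the ppoll() comment earlier in the diff, but it deserves a sentence in the replacement comment, e.g. `/* Keep pty_slave open for sigwinch_handler(); note this suppresses POLLHUP on pty_master, so the loop relies on SIGCHLD to finish. */`. Separately, `action_sigwinch` is installed without `SA_RESTART`, so a terminal resize that lands during a blocking read() or write() inside read_from_write_to() will presumably surface as EINTR or a short write rather than being transparently retried; since ppoll() is never restarted regardless of the flag, adding `.sa_flags = SA_RESTART,` to the SIGWINCH initialiser does not affect the SIGCHLD wake-up path. The global assignments `sigwinch_ctty = ctty;` and `sigwinch_slave = pty_slave;` correctly precede the sigaction() call, so the handler never sees the `-1` defaults.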
die("tcgetattr");
}
term = old_term;
- /* From man 3 cfmakeraw which is non-standard. */
+ /* From man 3 cfmakeraw; cfmakeraw is non-standard so set it manually. */
term.c_iflag &= ~(tcflag_t)(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
term.c_oflag &= ~(tcflag_t)(OPOST);
term.c_lflag &= ~(tcflag_t)(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
die("tcsetattr restore");
}
- /* Wait until we got the status code from our child. poll() might also
- * exit after POLLHUP while we haven't collected the child yet. */
+ /*
+ * Wait until we got the status code from our child. poll() might already
+ * exit after POLLHUP while we haven't collected the child yet.
+ */
if (sigprocmask(SIG_BLOCK, &sigset, &sigset_old) != 0) {
die("sigprocmask block sigchld loop");
}