X-Git-Url: https://ruderich.org/simon/gitweb/?p=ptyas%2Fptyas.git;a=blobdiff_plain;f=ptyas.c;h=4b7b208856e88f53a43abc833ea4dde6a7c5bcdb;hp=ab99f8ede71cf352d4d7aa2ef9c2af83a5b4ef06;hb=558cfda92d46baf905c1fad7814b1c92d1ce752f;hpb=c8ffdb4777654018284c63d7824efca50e5d65b7 diff --git a/ptyas.c b/ptyas.c index ab99f8e..4b7b208 100644 --- a/ptyas.c +++ b/ptyas.c @@ -2,7 +2,7 @@ * Run the login shell or command as the given user in a new pty to prevent * terminal injection attacks. * - * Copyright (C) 2016-2017 Simon Ruderich + * Copyright (C) 2016-2018 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -82,9 +82,11 @@ static void open_pty_or_die(int *pty_master, int *pty_slave, uid_t uid) { if (*pty_slave == -1) { die("open slave tty"); } - /* The user must be able to write to the new TTY. Normally grantpt() would + /* + * The user must be able to write to the new TTY. Normally grantpt() would * do this for us, but we don't trust the user and thus don't want to pass - * the pty_master to a process running under that uid. */ + * the pty_master to a process running under that uid. + */ if (chown(slave_path, uid, (gid_t)-1) != 0) { die("chown slave tty"); } @@ -217,14 +219,15 @@ static void proxy_input_between_ttys(int pty_master, int ctty, volatile pid_t *p if (ppoll(fds, nfds, NULL /* no timeout */, &sigset_old) == -1) { if (errno == EAGAIN || errno == EINTR) { continue; - } else { - perror("poll"); } + perror("poll"); break; } - /* Handle errors first. (Data available before the error occurred - * might be skipped, but shouldn't matter here.) */ + /* + * Handle errors first. (Data available before the error occurred + * might be dropped, but shouldn't matter here.) + */ if (fds[0].revents & (POLLERR | POLLNVAL)) { fprintf(stderr, "poll: error on master: %d\n", fds[0].revents); break; @@ -360,6 +363,11 @@ int main(int argc, char **argv) { if (pid == -1) { die("fork child"); } else if (pid == 0) { + /* + * Drop the privileges just now so that the other user doesn't get + * access to the master TTY or the session leader (which might + * have additional privileges). + */ drop_privileges_or_die(uid, gid); dup2_or_die(pty_slave, STDIN_FILENO); @@ -374,6 +382,14 @@ int main(int argc, char **argv) { } const char *home = passwd->pw_dir; + /* + * Ignore errors here as we don't want to die on non-existent home + * directories to allow running as any user (think "/nonexistent" + * as home) and an error message will be annoying to ignore when + * running this command in scripts. + */ + chdir(home); + char envp_user[strlen("USER=") + strlen(user) + 1]; char envp_home[strlen("HOME=") + strlen(home) + 1]; char envp_term[strlen("TERM=") + strlen(term) + 1]; @@ -442,8 +458,10 @@ int main(int argc, char **argv) { die("tcsetattr restore"); } - /* Wait until we got the status code from our child. poll() might also - * exit after POLLHUP while we haven't collected the child yet. */ + /* + * Wait until we got the status code from our child. poll() might already + * exit after POLLHUP while we haven't collected the child yet. + */ if (sigprocmask(SIG_BLOCK, &sigset, &sigset_old) != 0) { die("sigprocmask block sigchld loop"); }