* Run the login shell or command as the given user in a new pty to prevent
* terminal injection attacks.
*
- * Copyright (C) 2016-2017 Simon Ruderich
+ * Copyright (C) 2016-2018 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
if (*pty_slave == -1) {
die("open slave tty");
}
- /* The user must be able to write to the new TTY. Normally grantpt() would
+ /*
+ * The user must be able to write to the new TTY. Normally grantpt() would
* do this for us, but we don't trust the user and thus don't want to pass
- * the pty_master to a process running under that uid. */
+ * the pty_master to a process running under that uid.
+ */
if (chown(slave_path, uid, (gid_t)-1) != 0) {
die("chown slave tty");
}
break;
}
- /* Handle errors first. (Data available before the error occurred
- * might be dropped, but shouldn't matter here.) */
+ /*
+ * Handle errors first. (Data available before the error occurred
+ * might be dropped, but shouldn't matter here.)
+ */
if (fds[0].revents & (POLLERR | POLLNVAL)) {
fprintf(stderr, "poll: error on master: %d\n", fds[0].revents);
break;
static volatile pid_t pid_to_wait_for;
static int pid_to_wait_for_status;
-static void sigchld_handler() {
+static void sigchld_handler(int signal) {
int status;
pid_t pid;
+ (void)signal;
+
while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
if (pid == pid_to_wait_for) {
/* Mark that our child has died and we should exit as well. */
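Review bot: sigchld_handler calls waitpid(), which can overwrite errno, so code interrupted by SIGCHLD may read a stale errno after the handler returns; save and restore it around the reaping loop with `int saved_errno = errno;` at the top of the handler and `errno = saved_errno;` before every return. The new `(void)signal;` is fine for the unused parameter, but naming it `signal` shadows the library function of the same name from <signal.h>; `signum` or `sig` reads better. Separately, `pid_to_wait_for_status` on the line above the hunk is a plain `static int`, unlike the `volatile` `pid_to_wait_for`; if the handler stores the status there (the store is not visible here) it should be `volatile` too so the main loop's read cannot be hoisted. The handler's body continues outside the hunk.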
if (pid == -1) {
die("fork child");
} else if (pid == 0) {
- /* Drop the privileges just now so that the other user doesn't get
+ /*
+ * Drop the privileges just now so that the other user doesn't get
* access to the master TTY or the session leader (which might
- * have additional privileges). */
+ * have additional privileges).
+ */
drop_privileges_or_die(uid, gid);
dup2_or_die(pty_slave, STDIN_FILENO);
}
const char *home = passwd->pw_dir;
+ /*
+ * Ignore errors here as we don't want to die on non-existent home
+ * directories to allow running as any user (think "/nonexistent"
+ * as home) and an error message will be annoying to ignore when
+ * running this command in scripts.
+ */
+ chdir(home);
+
char envp_user[strlen("USER=") + strlen(user) + 1];
char envp_home[strlen("HOME=") + strlen(home) + 1];
char envp_term[strlen("TERM=") + strlen(term) + 1];
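Review bot: The new `chdir(home);` drops its return value, and glibc declares chdir with warn_unused_result, which a `(void)` cast does not silence under GCC, so this line likely adds a warning under -Wall; spell the intent out as `if (chdir(home) != 0) { /* ignored on purpose, see comment above */ }`. Also, when chdir fails the command inherits the caller's working directory; whether this runs before or after drop_privileges_or_die (earlier in the hunk) is not visible, but if it is after, the shell may start in a directory the target uid cannot even read. A fallback such as `if (chdir(home) != 0 && chdir("/") != 0) { /* ignored */ }` keeps the "never die on a missing home" behaviour while giving the child a predictable, accessible cwd. The enclosing function starts and ends outside the hunk.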
struct sigaction action = {
.sa_handler = sigchld_handler,
};
+ sigemptyset(&action.sa_mask);
if (sigaction(SIGCHLD, &action, NULL) != 0) {
die("sigaction");
}
die("tcsetattr restore");
}
- /* Wait until we got the status code from our child. poll() might already
- * exit after POLLHUP while we haven't collected the child yet. */
+ /*
+ * Wait until we got the status code from our child. poll() might already
+ * exit after POLLHUP while we haven't collected the child yet.
+ */
if (sigprocmask(SIG_BLOCK, &sigset, &sigset_old) != 0) {
die("sigprocmask block sigchld loop");
}