first working config file

master
Alessandro Mauri 3 years ago
parent c1050a27f9
commit d6c13b3d39
  1. 96
      config.template
  2. 267
      us.c

@ -1,96 +0,0 @@
SECURITY CONSIDERATIONS
=======================
1. commands must be given by absolute path, that's because if you do otherwise
nopassword commands could be hijacked:
in the config:
nopass badguy as root cmd zzz
in the shell:
~ $ export PATH=/home/badguy/test:$PATH
~ $ mkdir test
~ $ printf '#!/bin/sh\nrm -rf --no-preserve-root' > test/zzz
~ $ chmod +x test/zzz
~ $ us zzz #this deletes the filesystem without password!
IDEA 1
======
# this is a comment
# rules are goruped by user/group
# rules are structured somewhat like json, example:
# Only 'command' is allowed to run without a password, all the rest is blocked
ale {
allow {
command nopass
}
deny {
/.*/
}
}
IDEA 2 - THE DOAS WAY
=====================
# this is a comment
# every line is a rule
# rules are structured like this:
permit|deny [options] identity [as target] [cmd command [args ...]]
# look at doas.conf(5) for more information
IDEA 2-3
========
# reverse-doas way
-> identity permit|deny [command [args ...]] [options]
# but how would I distinguish between command and options?
-> identity [options] permit|deny [command [args ...]]
# spaces are not a very good separatow when in comes to commands
-> identity,[options],permit|deny,[command [args ...]]
#
# this is kinda similar to a crontab, basically options are required
#
# config structure:
-> identity options as action [command [args ...]]
^ ^ ^ ^
can be * | | permit, deny
can be nil (NULL) |
can be *
# permit user "ale" to execute command "shutdown" as root without password:
-> ale nopass root permit shutdown
# permit members of the wheel group to execute any comands as any user:
-> :wheel nil * permit
# deny users of the wheel group to execute commands that begin with "sys":
# this could be circumvented by having the command inside a shell script
-> :wheel nil * deny /sys.*/
# deny all users to execute all comands as any other user
-> * nil * deny
#
# let's scramble things up to make more sense
#
[action] options identity as [command [args ...]]
^ ^ ^ ^
| | can both be * (any)
| can be none, comma separated
none: permit
'!': deny (negate rule)
# allow users of the wheel group to execute any command as root:
-> none :wheel root
# deny all users to execute commands that start with "sys"
-> ! none * * /sys.*/
IDEA 3 - THE SUCKLESS WAY
=========================
configuration should happen inside a source file called config.h, to apply
changes to the configuration the program has to be recompiled

267
us.c

@ -25,6 +25,7 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/stat.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@ -36,6 +37,7 @@
#include <grp.h> #include <grp.h>
#include <termios.h> #include <termios.h>
#include <stdarg.h> #include <stdarg.h>
#include <ctype.h>
#if !defined(_XOPEN_CRYPT) || _XOPEN_CRYPT == -1 #if !defined(_XOPEN_CRYPT) || _XOPEN_CRYPT == -1
#include <crypt.h> #include <crypt.h>
@ -46,16 +48,37 @@
#endif #endif
#define MAX_HASH 1024 #define MAX_HASH 1024
#define CONF_FILE "/etc/us.conf"
#define CONF_LINE_MAX 1024
#define GROUPS_MAX 256
#define FLAG_PERSIST 0x1
#define FLAG_NOPASS 0x2
#define FLAG_NOLOG 0x4
struct env_elem {
char *name;
char *value;
};
struct config {
int type;
int flags;
char *who;
char *as;
struct env_elem *env;
int env_n;
};
static void *emalloc(size_t); static void *emalloc(size_t);
static char *estrdup(const char *); static char *estrdup(const char *);
void *erealloc(void *, size_t);
static void usage(void); static void usage(void);
static void die(const char *, ...); static void die(const char *, ...);
static int perm_set(struct passwd *, struct group *); static int perm_set(struct passwd *, struct group *);
static int authenticate(uid_t, char); static int authenticate(uid_t, char);
static struct passwd* user_to_passwd(const char *); static struct passwd* user_to_passwd(const char *);
static struct group* group_to_grp(const char *); static struct group* group_to_grp(const char *);
//static int execvpe(const char *, char *const *, char *const *); static int get_config(struct config **, int *);
extern char **environ; extern char **environ;
@ -104,21 +127,91 @@ int main(int argc, char *argv[])
fprintf(stderr, "getpwid: %s\n", strerror(errno)); fprintf(stderr, "getpwid: %s\n", strerror(errno));
return errno; return errno;
} }
char *my_name = estrdup(my_pw->pw_name); char *my_name = my_pw->pw_name;
gid_t my_groups[GROUPS_MAX];
int n_groups = 0;
if ((n_groups = getgroups(GROUPS_MAX, my_groups)) == -1)
die("getgroups:");
/* Get target user and group info */
t_pw = user_to_passwd(t_usr);
if (!t_pw)
die("user_to_passwd:");
t_gr = group_to_grp(t_grp);
/* From now on most actions require root */ /* From now on most actions require root */
if (setuid(0) == -1) if (setuid(0) == -1)
die("setuid:"); die("setuid:");
/* Authenticate, we will be root from now on */ /* get info from the config file and check if the action we want to
if (authenticate(my_pw->pw_uid, 0)) * do is permitted */
exit(EXIT_FAILURE); struct env_elem *env_extra = NULL;
struct config *conf = NULL;
int conf_num, conf_flags = 0, env_extra_n = 0;
if (get_config(&conf, &conf_num) == -1)
die("get_config: invalid arguments");
int here = 0;
for (int i = 0; i < conf_num; i++) {
struct passwd *who_pw, *as_pw;
struct group *who_gr, *as_gr;
int who_usr = conf[i].who[0] == ':' ? 0 : 1;
int as_usr = conf[i].as[0] == ':' ? 0 : 1;
if (who_usr) {
who_pw = user_to_passwd(conf[i].who);
if (my_pw->pw_uid != who_pw->pw_uid) {
free(who_pw);
continue;
}
} else {
who_gr = group_to_grp(conf[i].who);
gid_t w_gid = who_gr->gr_gid;
int x = 0;
for (; x < n_groups && w_gid != my_groups[x]; x++);
if (w_gid != my_groups[x]) {
free(who_gr);
continue;
}
}
/* Get target user and group info */ if (as_usr) {
t_pw = user_to_passwd(t_usr); as_pw = user_to_passwd(conf[i].as);
if (!t_pw) if (!as_pw)
die("usr_to_passwd:"); die("%s not a valid user", conf[i].as);
t_gr = group_to_grp(t_grp); if (t_pw->pw_uid != as_pw->pw_uid) {
free(as_pw);
continue;
}
} else if (t_gr) {
as_gr = group_to_grp(conf[i].as);
if (t_gr->gr_gid != as_gr->gr_gid) {
free(as_gr);
continue;
}
} else {
continue;
}
here = 1;
if (conf[i].type == 0)
die("Permission denied");
conf_flags |= conf[i].flags;
if (conf[i].env_n) {
env_extra = erealloc(env_extra,
(env_extra_n+conf[i].env_n+1)*sizeof(struct env_elem));
for (int j = env_extra_n, x = 0; j < env_extra_n + conf[i].env_n; j++, x++)
env_extra[j] = conf[i].env[x];
env_extra_n += conf[i].env_n;
env_extra[env_extra_n] = (struct env_elem){NULL,NULL};
}
}
if (!here)
die("no rule found for user %s", my_name);
/* Authenticate, we will be root from now on */
if (!(conf_flags & FLAG_NOPASS))
if (authenticate(my_pw->pw_uid, 0))
exit(EXIT_FAILURE);
/* Get target user's shell */ /* Get target user's shell */
if (!shellflag) if (!shellflag)
@ -142,11 +235,6 @@ int main(int argc, char *argv[])
} }
c_argv[c_argc] = NULL; c_argv[c_argc] = NULL;
struct env_elem {
char *name;
char *value;
};
struct env_elem env_keep[] = { struct env_elem env_keep[] = {
{"PATH", NULL}, {"PATH", NULL},
{"TERM", NULL}, {"TERM", NULL},
@ -179,20 +267,30 @@ int main(int argc, char *argv[])
} }
} }
if (envflag) { for (int i = 0; envflag &&env_keep[i].name; i++) {
for (int i = 0; env_keep[i].name; i++) { if (env_keep[i].value) {
if (env_keep[i].value) { err = setenv(env_keep[i].name, env_keep[i].value, 1);
err = setenv(env_keep[i].name, env_keep[i].value, 1); if (err == -1) {
if (err == -1) { fprintf(stderr, "setenv: %s\n", strerror(errno));
fprintf(stderr, "setenv: %s\n", strerror(errno)); goto fail_end;
goto fail_end; }
} }
}
for (int i = 0; env_extra && env_extra[i].name; i++) {
if (env_extra[i].value) {
err = setenv(env_extra[i].name, env_extra[i].value, 1);
if (err == -1) {
fprintf(stderr, "setenv: %s\n", strerror(errno));
goto fail_end;
} }
} else {
unsetenv(env_extra[i].name);
} }
} }
// do not override, we might be under more levels of 'us' // do not override, we might be under more levels of 'us'
err = setenv("US_USER", my_name, 0); err = setenv("US_USER", my_name, 0);
free(my_name);
errno = 0; errno = 0;
/* Set permissions */ /* Set permissions */
@ -386,7 +484,7 @@ static struct passwd* user_to_passwd(const char *user)
return NULL; return NULL;
} }
struct passwd* pw; struct passwd *pw, *pr;
long uid_l; long uid_l;
errno = 0; errno = 0;
if (user[0] != '#') { if (user[0] != '#') {
@ -405,8 +503,9 @@ static struct passwd* user_to_passwd(const char *user)
errno = EINVAL; errno = EINVAL;
return NULL; return NULL;
} }
pr = emalloc(sizeof(struct passwd));
return pw; memcpy(pr, pw, sizeof(struct passwd));
return pr;
} }
static struct group* group_to_grp(const char *group) static struct group* group_to_grp(const char *group)
@ -416,7 +515,7 @@ static struct group* group_to_grp(const char *group)
return NULL; return NULL;
} }
struct group* gr; struct group *gr, *rr;
long gid_l; long gid_l;
errno = 0; errno = 0;
if (group[0] != '#') { if (group[0] != '#') {
@ -435,7 +534,9 @@ static struct group* group_to_grp(const char *group)
errno = EINVAL; errno = EINVAL;
return NULL; return NULL;
} }
return gr; rr = emalloc(sizeof(struct group));
memcpy(rr, gr, sizeof(struct group));
return rr;
} }
void die(const char *fmt, ...) void die(const char *fmt, ...)
@ -460,12 +561,22 @@ void *emalloc(size_t s)
{ {
if (!s || s == (size_t)-1) if (!s || s == (size_t)-1)
die("bad malloc: invalid size"); die("bad malloc: invalid size");
void *p = malloc(s); void *p = calloc(1, s);
if (!p) if (!p)
die("bad malloc:"); die("bad malloc:");
return p; return p;
} }
void *erealloc(void *p, size_t s)
{
if (!s || s == (size_t)-1)
die("bad realloc: invalid size");
void *r = realloc(p, s);
if (!r)
die("bad realloc:");
return r;
}
char *estrdup(const char *s) char *estrdup(const char *s)
{ {
if (!s) if (!s)
@ -475,3 +586,99 @@ char *estrdup(const char *s)
die("bad strdup:"); die("bad strdup:");
return r; return r;
} }
static int get_config(struct config **conf, int *num)
{
if (!conf || !num)
return -1;
FILE *fp = fopen(CONF_FILE, "r");
if (!fp)
die("fopen:");
struct stat st;
if (fstat(fileno(fp), &st) == -1)
die("fstat:");
if (st.st_uid != 0 || st.st_gid != 0)
die("config file must be owned by root:root");
if (!S_ISREG(st.st_mode))
die("config file must be a regular file");
if (st.st_mode & S_IRWXO || st.st_mode & S_IROTH ||
st.st_mode & S_IWOTH || st.st_mode & S_IXOTH)
die("others may not modify, read or execute config file");
char line[CONF_LINE_MAX];
*num = 0;
*conf = NULL;
for (int i = 0; fgets(line, CONF_LINE_MAX, fp); i++) {
char *s, *t, *sv;
int n = 0;
for (int ll = strlen(line)-1; isspace(line[ll]); line[ll--] = '\0');
struct config c = {0};
for (s = line;; s = NULL, n++) {
int getflags = 0;
if (!(t = strtok_r(s, " ", &sv)))
break;
if (*t == '#')
break;
switch (n) {
case 0:
if (!strcmp(t, "+"))
c.type = 1;
else if (!strcmp(t, "-"))
c.type = 0;
else
die("non valid config line %d", i);
break;
case 1:
c.who = estrdup(t);
break;
case 2:
if (strcmp(t, "as"))
die("non valid config line %d", i);
break;
case 3:
c.as = estrdup(t);
break;
default:
getflags = 1;
break;
}
if (!getflags)
continue;
if (isupper(*t)) {
char *e, *se, *et;
for (e = t;; e = NULL) {
if (!(et = strtok_r(e, ",", &se)))
break;
char *sep;
int x;
if (!(sep = strchr(et, ',')))
die("invalid env at %d", i);
c.env = erealloc(c.env, (c.env_n+1)*sizeof(struct env_elem));
x = c.env_n;
*sep = '\0';
for (char *p = et; *p; p++)
if (!isupper(*p) && *p != '-'
&& *p != '_')
die("non valid"
"env at %d", i);
c.env[x].name = estrdup(et);
c.env[x].value = estrdup(sep+1);
c.env_n++;
}
} else if (!strcmp(t, "persist")) {
c.flags |= FLAG_PERSIST;
} else if (!strcmp(t, "nopass")) {
c.flags |= FLAG_NOPASS;
} else if (!strcmp(t, "nolog")) {
c.flags |= FLAG_NOLOG;
}
}
if (n < 3)
die("non valid config line %d", i);
*conf = erealloc(*conf, ((*num)+1)*sizeof(struct config));
(*conf)[(*num)] = c;
*num += 1;
}
fclose(fp);
return 0;
}

Loading…
Cancel
Save