/*
 * Copyright (C) 2018 Cumulus Networks, Inc.
 * All rights reserved.
 * Author: Dave Olson <olson@cumulusnetworks.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program - see the file COPYING.
 */

/*
 * This program exists to set the uid of privileged radius login users.
 * Due to the limitations of the RADIUS protocol, we can't determine
 * whether a user is privileged or not until they have authenticated,
 * and by then, some of the login mechanisms (openssh, e.g.) have already
 * determined the uid.
 *
 * This program looks at the accounting uid (auid); if it is set, differs
 * from the current uid, and is >= 1000, the program will try to reset the
 * uid, as well as the fsuid, to the auid.
 *
 * For this to work, the program must be installed as setcap cap_setuid.
 * As a minor additional safeguard, the program should be installed as
 * a member of the radius_users group, and permissions 750.
 *
 * Errors are written to stderr so the user logging in will see them,
 * rather than using syslog.
 */

#define _GNU_SOURCE
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <libaudit.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/capability.h>

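int main(int cnt, char **args)
{
	/*
	 * Lowest uid of an ordinary (non-system) account.  Both the current
	 * uid and the audit login uid must be at least this before we are
	 * willing to switch; system accounts are never touched.
	 */
	enum { MIN_USER_UID = 1000 };
	uid_t uid, auid, euid;
	cap_value_t capability[] = { CAP_SETUID };
	cap_t capabilities;
	char *shell = NULL, *check = NULL, execshell[64], shellenv[64 + 6];

	/*
	 * args[0] is dereferenced below.  An exec with an empty argv leaves
	 * args[0] == NULL, so refuse to continue rather than crash on it.
	 */
	if (cnt < 1 || !args[0]) {
		fprintf(stderr, "No argv[0] supplied, refusing to run\n");
		exit(1);
	}

	uid = getuid();
	euid = geteuid();
	auid = audit_getloginuid();	/* (uid_t)-1 when unset or on error */

	/*
	 * We try to be careful in what we will change: only switch when both
	 * uids are ordinary user accounts, the auid is actually set, and the
	 * process is not already running as the auid.
	 */
	if (uid < MIN_USER_UID || auid < MIN_USER_UID || auid == (uid_t)-1 ||
	    (uid == auid && uid == euid)) {
		goto execit;
	}

	/*
	 * setresuid() also moves the fsuid to the new euid, so it is done
	 * first and the explicit setfsuid() below is only a backstop.
	 * Errors are reported but not fatal: the user still gets a shell,
	 * just as the original (less privileged) uid.
	 */
	if (setresuid(auid, auid, auid) == -1)
		fprintf(stderr, "Failed to set uid to %u: %s\n",
			auid, strerror(errno));
	/*
	 * setfsuid() returns the previous fsuid on both success and failure
	 * and gives no errno, so testing for -1 never detects a failure.
	 * Call it twice: the second call returns the fsuid the first call
	 * actually left in place.
	 */
	(void)setfsuid(auid);
	if ((uid_t)setfsuid(auid) != auid)
		fprintf(stderr, "Failed to set fsuid to %u\n", auid);
	if (getuid() != auid || geteuid() != auid)
		fprintf(stderr, "Failed to set uid to %u but uid=%u, euid=%u\n",
			auid, getuid(), geteuid());

execit:
	/*
	 * Be paranoid, and clear our expected CAP_SETUID capability from the
	 * effective and permitted sets, even though it should be cleared on
	 * exec.  A failure here is reported but does not stop the exec.
	 */
	capabilities = cap_get_proc();
	if (!capabilities) {
		fprintf(stderr, "Failed to read capabilities: %s\n",
			strerror(errno));
	} else {
		if (cap_set_flag(capabilities, CAP_EFFECTIVE, 1,
				 capability, CAP_CLEAR) == 0 &&
		    cap_set_flag(capabilities, CAP_PERMITTED, 1,
				 capability, CAP_CLEAR) == 0) {
			if (cap_set_proc(capabilities))
				fprintf(stderr, "Failed to clear cap_setuid: %s\n",
					strerror(errno));
		}
		cap_free(capabilities);	/* cap_get_proc() allocates */
	}

#ifdef LATER
	/*
	 * Eventually handle this program being linked or symlinked
	 * and that the shell is one of the shells in /etc/shells
	 * Expect it to be installed as /sbin/radius/bash, etc.
	 */
	shell = strrchr(args[0], '/');
	if (!shell)
		shell = args[0];

	if (*shell == '-')
		check = shell + 1;
	else
		check = shell;

	/*  need to validate shell from basename is valid here */

	/* should really check this against /etc/shell */
	snprintf(execshell, sizeof execshell, "/bin/%s", check);
#else
	/* A leading '-' in argv[0] marks a login shell; preserve it. */
	check = "vbash";
	if (*args[0] == '-')
		shell = "-vbash";
	else
		shell = "vbash";
	snprintf(execshell, sizeof execshell, "/bin/%s", check);
#endif

	args[0] = shell;
	/* shellenv lives on our stack; that is fine because exec copies it. */
	snprintf(shellenv, sizeof shellenv, "SHELL=%s", execshell);
	if (putenv(shellenv))
		fprintf(stderr, "Failed to set SHELL=%s: %s\n", execshell,
			strerror(errno));
	execv(execshell, args);
	/* Only reached when the exec itself failed. */
	fprintf(stderr, "Exec of shell %s failed: %s\n", execshell,
		strerror(errno));
	exit(1);
}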