1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
/*
* Copyright (C) 2018 Cumulus Networks, Inc.
* All rights reserved.
* Author: Dave Olson <olson@cumulusnetworks.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program - see the file COPYING.
*/
/*
* This program exists to set the uid of privileged radius login users.
* Due to the limitations of the RADIUS protocol, we can't determine
* whether a user is privileged or not until they have authenticated,
* and by then, some of the login mechanisms (openssh, e.g.) have already
* determined the uid.
*
* This program looks at the accounting uid, and if set, and not the same
* as the uid, and the auid is >= 1000, will try to reset the uid to the auid
* as well as the fsuid.
*
* For this to work, the program must be installed as setcap cap_setuid.
* As a minor additional safeguard, the program should be installed as
* a member of the radius_users group, and permissions 750.
*
* Errors are written to stderr so the user logging in will see them,
* rather than using syslog.
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <libaudit.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/capability.h>
int main(int cnt, char **args)
{
uid_t uid, auid;
cap_value_t capability[] = { CAP_SETUID};
cap_t capabilities;
char *shell = NULL, *check = NULL, execshell[64];
uid = getuid();
auid = audit_getloginuid();
if (uid < 1000 || auid < 1000 || auid == (uid_t)-1 || uid == auid) {
/* We try to be careful in what we will change */
goto execit;
}
if (setfsuid(auid) == -1)
fprintf(stderr, "Failed to set fsuid to %u: %s\n",
auid, strerror(errno));
if (setresuid(auid, auid, auid))
fprintf(stderr, "Failed to set uid to %u: %s\n",
auid, strerror(errno));
if (getuid() != auid)
fprintf(stderr, "Failed to set uid to %u it's still %u\n",
auid, getuid());
execit:
/* be paranoid, and clear our expected CAP_SETUID capability,
* even though it should be cleared on exec.
*/
capabilities = cap_get_proc();
if (capabilities) {
if (!cap_set_flag(capabilities, CAP_EFFECTIVE, 1,
capability, CAP_CLEAR) &&
!cap_set_flag(capabilities, CAP_PERMITTED, 1,
capability, CAP_CLEAR)) {
if (cap_set_proc(capabilities))
fprintf(stderr, "Failed to clear cap_setuid: %s\n",
strerror(errno));
}
}
#ifdef LATER
/*
* Eventually handle this program being linked or symlinked
* and that the shell is one of the shells in /etc/shells
*/
shell = strrchr(args[0], '/');
if (!shell)
shell = args[0];
if (*shell == '-') {
check = shell + 1;
}
else
check = shell;
/* should really check this against /etc/shell */
snprintf(execshell, sizeof execshell, "/bin/%s", check);
#else
check = "bash";
shell = "-bash";
snprintf(execshell, sizeof execshell, "/bin/%s", check);
#endif
execl(execshell, shell, NULL);
fprintf(stderr, "Exec of shell %s failed: %s\n", execshell,
strerror(errno));
exit(1);
}
|
