summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.gitignore1
-rw-r--r--Makefile7
-rw-r--r--main.cc30
3 files changed, 37 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index b78e996..105df7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
/insecuresuexec
+/insecuresuexec-noisy
diff --git a/Makefile b/Makefile
index 10107f0..ff256cf 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,12 @@
+default: insecuresuexec insecuresuexec-noisy
+
insecuresuexec: main.cc
clang++ -Wall -Werror -std=c++11 -Os -o $@ $+
+insecuresuexec-noisy: main.cc
+ clang++ -Wall -Werror -std=c++11 -Os -o $@ -DNOISY $+
+
clean:
- rm -f insecuresuexec
+ rm -f insecuresuexec insecuresuexec-noisy
.PHONY: clean
diff --git a/main.cc b/main.cc
index 27c7806..61946e3 100644
--- a/main.cc
+++ b/main.cc
@@ -10,17 +10,30 @@
#include <utility>
#include <vector>
+#ifdef NOISY
+# define DEBUG(...) fprintf( stderr, __VA_ARGS__ )
+#else
+# define DEBUG(...) do { } while ( 0 )
+#endif
+
uid_t parse_user( const char *user ) {
char *end;
unsigned long tmp;
+ DEBUG( "insecuresuexec parse_user( %s )\n", user );
+
tmp = strtoul( user, &end, 10 );
if ( end != user && ! *end ) {
+ DEBUG( " which is the uid %lu\n", tmp );
return tmp;
} else {
+ DEBUG( " which is a username\n" );
+ errno = 0;
struct passwd *pw = getpwnam( user );
+ assert_perror( errno );
assert( pw );
+ DEBUG( " corresponding to the uid %u\n", pw->pw_uid );
return pw->pw_uid;
};
@@ -31,12 +44,19 @@ gid_t parse_group( const char *group ) {
char *end;
unsigned long tmp;
+ DEBUG( "insecuresuexec parse_group( %s )\n", group );
+
tmp = strtoul( group, &end, 10 );
if ( end != group && ! *end ) {
+ DEBUG( " which is the gid %lu\n", tmp );
return tmp;
} else {
+ DEBUG( " which is a groupname\n" );
+ errno = 0;
struct group *gr = getgrnam( group );
+ assert_perror( errno );
assert( gr );
+ DEBUG( " corresponding to the gid %u\n", gr->gr_gid );
return gr->gr_gid;
};
@@ -174,9 +194,13 @@ int main( int argc, char *argv[] ) {
char *cmd = argv[3];
char **args = argv + 3;
+ DEBUG( "insecuresuexec user=%s group=%s cmd=%s\n", user, group, cmd );
+
uid_t uid;
gid_t gid;
+ DEBUG( "insecuresuexec is parsing the command-line user and group...\n" );
+
uid = parse_user( user );
gid = parse_group( group );
@@ -186,8 +210,12 @@ int main( int argc, char *argv[] ) {
_exit( 1 );
};
+ DEBUG( "insecuresuexec is parsing the stored permissions...\n" );
+
auto allowed = read_permissions( "/etc/insecuresuexec/permissions" );
+ DEBUG( "insecuresuexec is running the configured security checks...\n" );
+
// the configurable security checks
bool ok = false;
for ( auto i = allowed->begin( ); i != allowed->end( ); ++i ) {
@@ -199,6 +227,8 @@ int main( int argc, char *argv[] ) {
_exit( 1 );
};
+ DEBUG( "insecuresuexec is going to go ahead with the exec...\n" );
+
if ( setgroups( 0, NULL ) != 0 )
assert_perror( errno );
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 04:33:50 +0000