1 /** $MirOS: src/lib/libc/gen/login_cap.c,v 1.2 2005/03/06 20:28:40 tg Exp $ */
2 /* $OpenBSD: login_cap.c,v 1.24 2004/09/16 06:24:41 deraadt Exp $ */
3
4 /*
5 * Copyright (c) 2000-2004 Todd C. Miller <Todd.Miller@courtesan.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19 /*-
20 * Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the above copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * This product includes software developed by Berkeley Software Design,
33 * Inc.
34 * 4. The name of Berkeley Software Design, Inc. may not be used to endorse
35 * or promote products derived from this software without specific prior
36 * written permission.
37 *
38 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
39 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41 * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
42 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
43 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
44 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
46 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48 * SUCH DAMAGE.
49 *
50 * BSDI $From: login_cap.c,v 2.16 2000/03/22 17:10:55 donn Exp $
51 */
52 #include <sys/types.h>
53 #include <sys/stat.h>
54 #include <sys/time.h>
55 #include <sys/resource.h>
56
57 #include <err.h>
58 #include <errno.h>
59 #include <fcntl.h>
60 #include <limits.h>
61 #include <login_cap.h>
62 #include <paths.h>
63 #include <pwd.h>
64 #include <stdio.h>
65 #include <stdlib.h>
66 #include <string.h>
67 #include <syslog.h>
68 #include <unistd.h>
69
70 __RCSID("$MirOS: src/lib/libc/gen/login_cap.c,v 1.2 2005/03/06 20:28:40 tg Exp $");
71
/*
 * Fallback list of authentication styles, used by login_getstyle() when
 * the class supplies no "auth" (or type-specific) capability.
 */
static char *_authtypes[] = { LOGIN_DEFSTYLE, 0 };
/* File-local helpers; definitions follow below. */
static char *expandstr(const char *, const struct passwd *, int);
static int login_setenv(char *, char *, const struct passwd *, int);
static int setuserenv(login_cap_t *lc, const struct passwd *pwd);
static int setuserpath(login_cap_t *, const struct passwd *pwd);
static u_quad_t multiply(u_quad_t, u_quad_t);
static u_quad_t strtolimit(char *, char **, int);
static u_quad_t strtosize(char *, char **, int);
static int gsetrl(login_cap_t *lc, int what, char *name, int type);
81
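/*
 * Allocate a login_cap_t for the named login class (LOGIN_DEFCLASS when
 * class is NULL or empty) and load its login.conf entry.
 *
 * login.conf is only consulted when secure_path() accepts it; a missing
 * file (or one that fails the checks) is not an error -- the returned
 * structure then has lc_cap == NULL and the login_get* routines hand back
 * their defaults.  Returns NULL (after logging) on allocation failure or
 * when the class cannot be resolved from an existing login.conf.  The
 * result is released with login_close().
 */
login_cap_t *
login_getclass(char *class)
{
	char *classfiles[2];
	login_cap_t *lc;
	int res;

	if (secure_path(_PATH_LOGIN_CONF) == 0) {
		classfiles[0] = _PATH_LOGIN_CONF;
		classfiles[1] = NULL;
	} else {
		classfiles[0] = NULL;
	}

	if ((lc = malloc(sizeof *lc)) == NULL) {
		syslog(LOG_ERR, "%s:%d malloc: %m", __FILE__, __LINE__);
		return (NULL);
	}

	lc->lc_cap = NULL;
	lc->lc_style = NULL;

	if (class == NULL || class[0] == '\0')
		class = LOGIN_DEFCLASS;

	if ((lc->lc_class = strdup(class)) == NULL) {
		syslog(LOG_ERR, "%s:%d strdup: %m", __FILE__, __LINE__);
		free(lc);
		return (NULL);
	}

	/*
	 * Not having a login.conf file is not an error condition.
	 * The individual routines deal reasonably with missing
	 * capabilities and use default values.
	 */
	if (classfiles[0] == NULL)
		return (lc);

	if ((res = cgetent(&lc->lc_cap, classfiles, lc->lc_class)) != 0) {
		lc->lc_cap = NULL;
		switch (res) {
		case 1:
			syslog(LOG_ERR, "%s: couldn't resolve 'tc'",
			    lc->lc_class);
			break;
		case -1:
			/*
			 * Entry not found.  For the default class only,
			 * distinguish "file vanished" (fine, use defaults)
			 * from "file present but class unknown" (an error).
			 */
			if ((res = open(classfiles[0], O_RDONLY)) >= 0)
				close(res);
			if (strcmp(lc->lc_class, LOGIN_DEFCLASS) == 0 &&
			    res < 0)
				return (lc);
			syslog(LOG_ERR, "%s: unknown class", lc->lc_class);
			break;
		case -2:
			syslog(LOG_ERR, "%s: getting class information: %m",
			    lc->lc_class);
			break;
		case -3:
			syslog(LOG_ERR, "%s: 'tc' reference loop",
			    lc->lc_class);
			break;
		default:
			syslog(LOG_ERR, "%s: unexpected cgetent error",
			    lc->lc_class);
			break;
		}
		free(lc->lc_class);
		free(lc);
		return (NULL);
	}
	return (lc);
}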
155
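/*
 * Pick the authentication style to use for lc.  The candidate list comes
 * from the atype capability if given and present, else from "auth", else
 * from the built-in _authtypes list.  Empty list entries mean
 * LOGIN_DEFSTYLE.  If style is NULL the first candidate is chosen,
 * otherwise style must appear in the list.
 *
 * The chosen style is strdup'd into lc->lc_style (any previous value is
 * released first) and returned; NULL means "not allowed" or allocation
 * failure (the latter is logged).
 */
char *
login_getstyle(login_cap_t *lc, char *style, char *atype)
{
	char **authtypes = _authtypes;
	char *auths, *ta;
	char *f1 = NULL, **f2 = NULL;
	char *result = NULL;
	int i;

	/* Silently convert 's/key' -> 'skey' */
	if (style && strcmp(style, "s/key") == 0)
		style = "skey";

	free(lc->lc_style);
	lc->lc_style = NULL;

	if (!atype || !(auths = login_getcapstr(lc, atype, NULL, NULL)))
		auths = login_getcapstr(lc, "auth", NULL, NULL);

	if (auths) {
		f1 = ta = auths;	/* auths malloced by login_getcapstr */
		/* one slot per comma-separated entry plus the NULL terminator */
		i = 2;
		while (*ta)
			if (*ta++ == ',')
				++i;
		f2 = authtypes = malloc(i * sizeof *authtypes);
		if (!authtypes) {
			syslog(LOG_ERR, "malloc: %m");
			goto out;
		}
		/* split in place: each entry points into the auths buffer */
		i = 0;
		while (*auths) {
			authtypes[i] = auths;
			while (*auths && *auths != ',')
				++auths;
			if (*auths)
				*auths++ = '\0';
			if (!*authtypes[i])
				authtypes[i] = LOGIN_DEFSTYLE;
			++i;
		}
		authtypes[i] = NULL;
	}

	if (!style)
		style = authtypes[0];

	/* style is only NULL when the list is empty, and then the loop is skipped */
	while (*authtypes && strcmp(style, *authtypes))
		++authtypes;

	if (*authtypes != NULL) {
		if ((result = strdup(*authtypes)) == NULL)
			syslog(LOG_ERR, "strdup: %m");
	}

out:
	/* single cleanup path; free(NULL) is a no-op */
	free(f1);
	free(f2);
	lc->lc_style = result;
	return (result);
}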
226
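/*
 * Fetch string capability cap from lc.  Returns a malloc'd copy that the
 * caller frees; def when lc has no capability data or cap is absent; e
 * when cgetstr() fails (the failure is logged).
 */
char *
login_getcapstr(login_cap_t *lc, char *cap, char *def, char *e)
{
	char *res = NULL;
	char *str = e;		/* return error string by default */
	int rc;			/* not "stat": that shadows stat(2) */

	errno = 0;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		str = def;	/* capability not present */
		break;
	case -2:
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		break;
	default:
		if (rc >= 0)
			str = res;
		else
			syslog(LOG_ERR,
			    "%s: unexpected error with capability %s",
			    lc->lc_class, cap);
		break;
	}

	/* only hand out res when it is the value being returned */
	if (res != NULL && str != res)
		free(res);
	return (str);
}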
262
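/*
 * Fetch time capability cap from lc and convert it to seconds.  The value
 * is a sequence of numbers each with an optional unit suffix
 * (s, m, h, d, w, y; case-insensitive) which are summed, or "infinity".
 *
 * Returns def when lc has no capability data or cap is absent; e (with
 * errno = ERANGE, after logging) on lookup failure, malformed input or
 * arithmetic overflow.
 */
quad_t
login_getcaptime(login_cap_t *lc, char *cap, quad_t def, quad_t e)
{
	char *ep, *res = NULL, *sres, *p;
	quad_t q, r, mult;
	int rc;

	errno = 0;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		free(res);
		return (def);
	case -2:
		free(res);
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	default:
		if (rc >= 0)
			break;
		free(res);
		syslog(LOG_ERR, "%s: unexpected error with capability %s",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	}

	if (strcasecmp(res, "infinity") == 0) {
		free(res);
		return (RLIM_INFINITY);
	}

	q = 0;
	sres = p = res;		/* sres keeps the buffer for free()/logging */
	while (*p != '\0') {
		errno = 0;
		r = strtoll(p, &ep, 0);
		if (ep == NULL || ep == p ||
		    ((r == QUAD_MIN || r == QUAD_MAX) && errno == ERANGE))
			goto invalid;
		switch (*ep) {
		case '\0':
			mult = 1;
			break;
		case 's': case 'S':
			mult = 1;
			ep++;
			break;
		case 'm': case 'M':
			mult = 60;
			ep++;
			break;
		case 'h': case 'H':
			mult = 60 * 60;
			ep++;
			break;
		case 'd': case 'D':
			mult = 60 * 60 * 24;
			ep++;
			break;
		case 'w': case 'W':
			mult = 60 * 60 * 24 * 7;
			ep++;
			break;
		case 'y': case 'Y':	/* Pretty absurd */
			mult = 60 * 60 * 24 * 365;
			ep++;
			break;
		default:
			goto invalid;
		}
		/*
		 * Signed overflow is undefined behaviour, so check the
		 * scaling and the running sum before doing them.
		 */
		if (mult != 1 && (r > QUAD_MAX / mult || r < QUAD_MIN / mult))
			goto invalid;
		r *= mult;
		if ((r > 0 && q > QUAD_MAX - r) || (r < 0 && q < QUAD_MIN - r))
			goto invalid;
		q += r;
		p = ep;
	}
	free(sres);
	return (q);

invalid:
	/* log first: the message prints the buffer being released */
	syslog(LOG_ERR, "%s:%s=%s: invalid time",
	    lc->lc_class, cap, sres);
	free(sres);
	errno = ERANGE;
	return (e);
}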
350
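/*
 * Fetch numeric capability cap from lc.  The value is an integer in any
 * strtoll(3) base-0 form, or "infinity".
 *
 * Returns def when lc has no capability data or cap is absent; e (with
 * errno = ERANGE, after logging) on lookup failure or malformed input.
 */
quad_t
login_getcapnum(login_cap_t *lc, char *cap, quad_t def, quad_t e)
{
	char *ep, *res = NULL;
	quad_t q;
	int rc;

	errno = 0;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		free(res);
		return (def);
	case -2:
		free(res);
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	default:
		if (rc >= 0)
			break;
		free(res);
		syslog(LOG_ERR, "%s: unexpected error with capability %s",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	}

	if (strcasecmp(res, "infinity") == 0) {
		free(res);
		return (RLIM_INFINITY);
	}

	errno = 0;
	q = strtoll(res, &ep, 0);
	/* the whole string must be consumed and must not have overflowed */
	if (ep == NULL || ep == res || ep[0] != '\0' ||
	    ((q == QUAD_MIN || q == QUAD_MAX) && errno == ERANGE)) {
		/* log first: the message prints the buffer being released */
		syslog(LOG_ERR, "%s:%s=%s: invalid number",
		    lc->lc_class, cap, res);
		free(res);
		errno = ERANGE;
		return (e);
	}
	free(res);
	return (q);
}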
407
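/*
 * Fetch size capability cap from lc and convert it with strtolimit(), so
 * b/k/m/g/t suffixes, "x"-products and "infinity"/"inf" are accepted.
 *
 * Returns def when lc has no capability data or cap is absent; e (with
 * errno = ERANGE, after logging) on lookup failure or malformed input.
 */
quad_t
login_getcapsize(login_cap_t *lc, char *cap, quad_t def, quad_t e)
{
	char *ep, *res = NULL;
	quad_t q;
	int rc;

	errno = 0;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		free(res);
		return (def);
	case -2:
		free(res);
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	default:
		if (rc >= 0)
			break;
		free(res);
		syslog(LOG_ERR, "%s: unexpected error with capability %s",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	}

	errno = 0;
	q = strtolimit(res, &ep, 0);
	/*
	 * NOTE(review): a single trailing character after the size is
	 * tolerated (only "ep[0] && ep[1]" is rejected); whether that is
	 * intentional is not clear from this file.
	 */
	if (ep == NULL || ep == res || (ep[0] && ep[1]) ||
	    ((q == QUAD_MIN || q == QUAD_MAX) && errno == ERANGE)) {
		/* log first: the message prints the buffer being released */
		syslog(LOG_ERR, "%s:%s=%s: invalid size",
		    lc->lc_class, cap, res);
		free(res);
		errno = ERANGE;
		return (e);
	}
	free(res);
	return (q);
}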
458
/*
 * Boolean capability: true when cap appears in the class entry at all.
 * Without capability data the caller's default is returned unchanged.
 */
int
login_getcapbool(login_cap_t *lc, char *cap, u_int def)
{
	if (lc->lc_cap == NULL)
		return (def);

	return (cgetcap(lc->lc_cap, cap, ':') == NULL ? 0 : 1);
}
467
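/*
 * Release a login_cap_t obtained from login_getclass(), including the
 * class name, capability data and any style chosen by login_getstyle().
 * Accepts NULL.
 */
void
login_close(login_cap_t *lc)
{
	if (lc == NULL)
		return;
	/* free(NULL) is a no-op, so the members need no guards */
	free(lc->lc_class);
	free(lc->lc_cap);
	free(lc->lc_style);
	free(lc);
}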
481
/* How a resource-limit value in login.conf is parsed (see gsetrl()). */
#define CTIME 1		/* login_getcaptime(): number + s/m/h/d/w/y suffix */
#define CSIZE 2		/* login_getcapsize(): number + b/k/m/g/t suffix */
#define CNUMB 3		/* login_getcapnum(): plain number */

/*
 * Resource limits settable from login.conf: the RLIMIT_* constant, how
 * the value is parsed and the capability name looked up (also with
 * "-cur" / "-max" appended).  Terminated by an entry with name == 0.
 */
static struct {
	int what;
	int type;
	char * name;
} r_list[] = {
	{ RLIMIT_CPU, CTIME, "cputime", },
	{ RLIMIT_TIME, CTIME, "time", },
	{ RLIMIT_FSIZE, CSIZE, "filesize", },
	{ RLIMIT_DATA, CSIZE, "datasize", },
	{ RLIMIT_STACK, CSIZE, "stacksize", },
	{ RLIMIT_RSS, CSIZE, "memoryuse", },
	{ RLIMIT_MEMLOCK, CSIZE, "memorylocked", },
	{ RLIMIT_NPROC, CNUMB, "maxproc", },
	{ RLIMIT_NOFILE, CNUMB, "openfiles", },
	{ RLIMIT_CORE, CSIZE, "coredumpsize", },
#ifdef RLIMIT_VMEM
	{ RLIMIT_VMEM, CSIZE, "vmemoryuse", },
#endif
	{ -1, 0, 0 }
};
506
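/*
 * Apply one resource limit from the class entry.  what is the RLIMIT_*
 * constant, name the capability name and type one of CTIME/CSIZE/CNUMB
 * (selects the parser).  The current limits are the defaults; "name"
 * sets both soft and hard, "name-cur" / "name-max" override one each.
 *
 * Returns 0 on success (including "nothing to do" when lc has no
 * capability data), -1 on a bad type, a name too long to suffix, or a
 * getrlimit/setrlimit failure (logged).
 */
static int
gsetrl(login_cap_t *lc, int what, char *name, int type)
{
	struct rlimit rl;
	struct rlimit r;
	char name_cur[32];
	char name_max[32];
	char *v;
	int n;

	/*
	 * If we have no capabilities then there is nothing to do and
	 * we can just return success.
	 */
	if (lc->lc_cap == NULL)
		return (0);

	/* a truncated suffix would silently look up the wrong capability */
	n = snprintf(name_cur, sizeof name_cur, "%s-cur", name);
	if (n < 0 || (size_t)n >= sizeof name_cur)
		return (-1);
	n = snprintf(name_max, sizeof name_max, "%s-max", name);
	if (n < 0 || (size_t)n >= sizeof name_max)
		return (-1);

	if (getrlimit(what, &r)) {
		syslog(LOG_ERR, "getting resource limit: %m");
		return (-1);
	}

	/*
	 * We need to pre-fetch the 3 possible strings we will look
	 * up to see what order they come in. If the one without
	 * the -cur or -max comes in first then we ignore any later
	 * -cur or -max entries.
	 * Note that the cgetent routines will always return failure
	 * on the entry "". This will cause our login_get* routines
	 * to use the default entry.
	 */
	if ((v = cgetcap(lc->lc_cap, name, '=')) != NULL) {
		if (v < cgetcap(lc->lc_cap, name_cur, '='))
			name_cur[0] = '\0';
		if (v < cgetcap(lc->lc_cap, name_max, '='))
			name_max[0] = '\0';
	}

	/*
	 * For each parser: "name" first updates both halves of r (the
	 * defaults), then "-cur" / "-max" refine them into rl.
	 */
	switch (type) {
	case CTIME:
		r.rlim_cur = login_getcaptime(lc, name, r.rlim_cur, r.rlim_cur);
		r.rlim_max = login_getcaptime(lc, name, r.rlim_max, r.rlim_max);
		rl.rlim_cur = login_getcaptime(lc, name_cur, r.rlim_cur, r.rlim_cur);
		rl.rlim_max = login_getcaptime(lc, name_max, r.rlim_max, r.rlim_max);
		break;
	case CSIZE:
		r.rlim_cur = login_getcapsize(lc, name, r.rlim_cur, r.rlim_cur);
		r.rlim_max = login_getcapsize(lc, name, r.rlim_max, r.rlim_max);
		rl.rlim_cur = login_getcapsize(lc, name_cur, r.rlim_cur, r.rlim_cur);
		rl.rlim_max = login_getcapsize(lc, name_max, r.rlim_max, r.rlim_max);
		break;
	case CNUMB:
		r.rlim_cur = login_getcapnum(lc, name, r.rlim_cur, r.rlim_cur);
		r.rlim_max = login_getcapnum(lc, name, r.rlim_max, r.rlim_max);
		rl.rlim_cur = login_getcapnum(lc, name_cur, r.rlim_cur, r.rlim_cur);
		rl.rlim_max = login_getcapnum(lc, name_max, r.rlim_max, r.rlim_max);
		break;
	default:
		return (-1);
	}

	if (setrlimit(what, &rl)) {
		syslog(LOG_ERR, "%s: setting resource limit %s: %m",
		    lc->lc_class, name);
		return (-1);
	}
	return (0);
}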
582
/*
 * Apply the user-independent parts of a login class (resource limits,
 * priority, umask, PATH) to the current process.  Any other bits in
 * flags are ignored.  Returns setusercontext()'s result, or -1 when the
 * class cannot be loaded.
 */
int
setclasscontext(char *class, u_int flags)
{
	login_cap_t *lc;
	int ret = -1;

	/* only the class-wide settings may be applied without a passwd entry */
	flags &= LOGIN_SETRESOURCES | LOGIN_SETPRIORITY | LOGIN_SETUMASK |
	    LOGIN_SETPATH;

	if ((lc = login_getclass(class)) != NULL)
		ret = setusercontext(lc, NULL, 0, flags);
	login_close(lc);	/* tolerates NULL */
	return (ret);
}
597
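/*
 * Apply the login context selected by flags (LOGIN_SET* bits) for pwd /
 * uid.  When lc is NULL the class is taken from pwd->pw_class (or the
 * default class) and released before returning.  Without pwd the group
 * and login-name steps are skipped.
 *
 * The order is deliberate: limits, priority and umask first; then the
 * gid and supplementary groups and the login name while still
 * privileged; then the uid; environment and PATH last.  Returns 0 on
 * success, -1 on the first failure (logged).
 */
int
setusercontext(login_cap_t *lc, struct passwd *pwd, uid_t uid, u_int flags)
{
	login_cap_t *flc = NULL;	/* class we allocated here, if any */
	quad_t p;
	int i;

	if (!lc && !(flc = lc = login_getclass(pwd ? pwd->pw_class : NULL)))
		return (-1);

	/*
	 * Without the pwd entry being passed we cannot set either
	 * the group or the login. We could complain about it.
	 */
	if (pwd == NULL)
		flags &= ~(LOGIN_SETGROUP|LOGIN_SETLOGIN);

	if (flags & LOGIN_SETRESOURCES) {
		for (i = 0; r_list[i].name; ++i) {
			/*
			 * A failed limit does not abort the context setup;
			 * gsetrl() logs the failures it detects itself.
			 */
			(void)gsetrl(lc, r_list[i].what, r_list[i].name,
			    r_list[i].type);
		}
	}

	if (flags & LOGIN_SETPRIORITY) {
		p = login_getcapnum(lc, "priority", 0, 0);

		if (setpriority(PRIO_PROCESS, 0, (int)p) < 0)
			syslog(LOG_ERR, "%s: setpriority: %m", lc->lc_class);
	}

	if (flags & LOGIN_SETUMASK) {
		p = login_getcapnum(lc, "umask", LOGIN_DEFUMASK,LOGIN_DEFUMASK);
		umask((mode_t)p);
	}

	if (flags & LOGIN_SETGROUP) {
		if (setgid(pwd->pw_gid) < 0) {
			syslog(LOG_ERR, "setgid(%u): %m", (u_int)pwd->pw_gid);
			login_close(flc);
			return (-1);
		}

		if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) {
			syslog(LOG_ERR, "initgroups(%s,%u): %m",
			    pwd->pw_name, (u_int)pwd->pw_gid);
			login_close(flc);
			return (-1);
		}
	}

	if (flags & LOGIN_SETLOGIN) {
		if (setlogin(pwd->pw_name) < 0) {
			syslog(LOG_ERR, "setlogin(%s) failure: %m",
			    pwd->pw_name);
			login_close(flc);
			return (-1);
		}
	}

	if (flags & LOGIN_SETUSER) {
		(void) seteuid(uid);	/* just in case */
		if (setuid(uid) < 0) {
			syslog(LOG_ERR, "setuid(%u): %m", uid);
			login_close(flc);
			return (-1);
		}
	}

	if (flags & LOGIN_SETENV) {
		if (setuserenv(lc, pwd) == -1) {
			syslog(LOG_ERR, "could not set user environment: %m");
			login_close(flc);
			return (-1);
		}
	}

	if (flags & LOGIN_SETPATH) {
		if (setuserpath(lc, pwd) == -1) {
			syslog(LOG_ERR, "could not set PATH: %m");
			login_close(flc);
			return (-1);
		}
	}

	login_close(flc);
	return (0);
}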
686
687 /*
688 * Look up "path" for this user in login.conf and replace whitespace
689 * with ':' while expanding '~' and '$'. Sets the PATH environment
690 * variable to the result or _PATH_DEFPATH on error.
691 */
/*
 * Build PATH from the class's "path" capability: whitespace-separated
 * entries become ':'-separated (runs of blanks collapse, a trailing
 * blank is dropped, "\ " keeps the blank), then login_setenv() expands
 * '~' and '$'.  Falls back to _PATH_DEFPATH when there is no capability
 * data, no "path" entry, or the copy cannot be allocated.
 * Returns login_setenv()'s result.
 */
static int
setuserpath(login_cap_t *lc, const struct passwd *pwd)
{
	char *path = NULL, *opath = NULL;
	int len, error;

	if (lc->lc_cap != NULL &&
	    (len = cgetustr(lc->lc_cap, "path", &opath)) > 0 &&
	    (path = malloc(len + 1)) != NULL) {
		const char *src = opath;
		char *dst = path;

		while (*src != '\0') {
			if (*src == ' ' || *src == '\t') {
				/* one separator per run of blanks, none at the end */
				while (*src == ' ' || *src == '\t')
					src++;
				if (*src != '\0')
					*dst++ = ':';
				continue;
			}
			/* an escaped blank is copied with its backslash */
			if (*src == '\\' && (src[1] == ' ' || src[1] == '\t'))
				*dst++ = *src++;
			*dst++ = *src++;
		}
		*dst = '\0';
	}

	error = login_setenv("PATH", path != NULL ? path : _PATH_DEFPATH, pwd, 1);
	free(opath);
	free(path);
	return (error);
}
740
741 /*
742 * Look up "setenv" for this user in login.conf and set the comma-separated
743 * list of environment variables, expanding '~' and '$'.
744 */
/*
 * Set every NAME=VALUE pair listed in the class's "setenv" capability.
 * Entries are comma-separated ("\," is a literal comma), empty entries
 * are skipped and a missing '=' yields an empty value.  Values go
 * through login_setenv() for '~' / '$' expansion.
 *
 * Returns 0 when there is nothing to set or all went well, -1 when lc has
 * no capability data, else the first login_setenv() error.
 */
static int
setuserenv(login_cap_t *lc, const struct passwd *pwd)
{
	char *beg, *cur, *lim, *list, *value;
	int len, error;

	if (lc->lc_cap == NULL)
		return (-1);		/* impossible */

	if ((len = cgetustr(lc->lc_cap, "setenv", &list)) <= 0)
		return (0);

	/* lim is one past the terminating NUL so the final entry is seen */
	lim = list + len + 1;
	beg = list;
	for (cur = list; cur < lim; cur++) {
		if (*cur == '\\') {
			if (cur[1] == ',')
				cur++;		/* skip escaped comma */
			continue;
		}
		if (*cur != ',' && *cur != '\0')
			continue;

		*cur = '\0';		/* terminate the entry in place */
		if (beg == cur) {
			beg++;		/* empty entry */
			continue;
		}

		value = strchr(beg, '=');
		if (value != NULL)
			*value++ = '\0';
		else
			value = "";
		error = login_setenv(beg, value, pwd, 0);
		if (error != 0) {
			free(list);
			return (error);
		}
		beg = cur + 1;
	}
	free(list);
	return (0);
}
788
789 /*
790 * Set an environment variable, substituting for ~ and $
791 */
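/*
 * Set environment variable name to ovalue with '~' and '$' expanded by
 * expandstr() (ispath selects PATH-style tilde rules).  An empty value
 * is set as is.  Returns setenv(3)'s result, or -1 when the expansion
 * could not be allocated -- previously the unexpanded string was set
 * silently in that case.
 */
static int
login_setenv(char *name, char *ovalue, const struct passwd *pwd, int ispath)
{
	char *value = NULL;
	int error;

	if (*ovalue != '\0') {
		value = expandstr(ovalue, pwd, ispath);
		if (value == NULL)
			return (-1);	/* errno left from malloc() */
	}
	error = setenv(name, value != NULL ? value : ovalue, 1);
	free(value);
	return (error);
}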
804
805 /*
* Convert an expression of the following forms
* 1) A number.
* 2) A number followed by a b (mult by 512).
* 3) A number followed by a k (mult by 1024).
* 4) A number followed by a m (mult by 1024 * 1024).
* 5) A number followed by a g (mult by 1024 * 1024 * 1024).
* 6) A number followed by a t (mult by 1024 * 1024 * 1024 * 1024).
* 7) Two or more numbers (with/without k,b,m,g, or t)
* separated by x (also * for backwards compatibility), specifying
* the product of the indicated values.
816 */
/*
 * Parse a size expression: an unsigned number with an optional
 * b/k/m/g/t multiplier, optionally followed by 'x' (or '*') and another
 * size expression to multiply by.  *endptr (if given) receives the
 * first unparsed character.  Overflow, or an error from strtoull(3),
 * yields UQUAD_MAX with errno = ERANGE.
 */
static u_quad_t
strtosize(char *str, char **endptr, int radix)
{
	u_quad_t num, factor;
	char *p, *q;

	errno = 0;
	num = strtoull(str, &p, radix);
	if (errno != 0 || p == str)
		goto done;		/* report what strtoull reported */

	switch (*p) {
	case 'b': case 'B':
		num = multiply(num, (u_quad_t)512);
		p++;
		break;
	case 'k': case 'K':
		num = multiply(num, (u_quad_t)1024);
		p++;
		break;
	case 'm': case 'M':
		num = multiply(num, (u_quad_t)1024 * 1024);
		p++;
		break;
	case 'g': case 'G':
		num = multiply(num, (u_quad_t)1024 * 1024 * 1024);
		p++;
		break;
	case 't': case 'T':
		num = multiply(num, (u_quad_t)1024 * 1024);
		num = multiply(num, (u_quad_t)1024 * 1024);
		p++;
		break;
	default:
		break;
	}
	if (errno != 0)
		goto erange;		/* multiply() overflowed */

	if (*p == 'x' || *p == '*') {	/* '*' is backward compatible */
		factor = strtosize(p + 1, &q, radix);
		if (errno != 0) {
			p = q;
			goto erange;
		}
		if (q == p + 1)
			goto done;	/* nothing after the 'x': leave it unparsed */
		p = q;
		num = multiply(num, factor);
		if (errno != 0)
			goto erange;
	}

done:
	if (endptr)
		*endptr = p;
	return (num);

erange:
	if (endptr)
		*endptr = p;
	errno = ERANGE;
	return (UQUAD_MAX);
}
888
/*
 * Like strtosize() but also accepts "infinity" / "inf" (case-insensitive,
 * whole string) for RLIM_INFINITY, consuming the entire string.
 */
static u_quad_t
strtolimit(char *str, char **endptr, int radix)
{
	int unlimited = strcasecmp(str, "infinity") == 0 ||
	    strcasecmp(str, "inf") == 0;

	if (!unlimited)
		return (strtosize(str, endptr, radix));

	if (endptr != NULL)
		*endptr = str + strlen(str);
	return ((u_quad_t)RLIM_INFINITY);
}
900
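/*
 * Overflow-checked unsigned multiply.  Returns n1 * n2, or UQUAD_MAX with
 * errno = ERANGE when the product does not fit.  errno is untouched on
 * success.
 *
 * The exact test "n1 > UQUAD_MAX / n2" replaces the former bit-counting
 * decomposition; both reject exactly the products that exceed UQUAD_MAX.
 */
static u_quad_t
multiply(u_quad_t n1, u_quad_t n2)
{
	/* trivial cases, also keep the division below away from n2 == 0 */
	if (n1 == 0 || n2 == 0)
		return (0);
	if (n1 == 1)
		return (n2);
	if (n2 == 1)
		return (n1);

	if (n1 > UQUAD_MAX / n2) {
		errno = ERANGE;
		return (UQUAD_MAX);
	}
	return (n1 * n2);
}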
984
/*
 * Accept path only if it is a regular file, owned by root and not
 * group/other writable; lstat() is used so a symlink is rejected too.
 * Returns 0 when acceptable, -1 (logged) otherwise.  The check is on the
 * name, not on a descriptor, so it says nothing about what a later open
 * of the same name will find.
 */
int
secure_path(char *path)
{
	struct stat sb;

	if (lstat(path, &sb) < 0) {
		syslog(LOG_ERR, "cannot stat %s: %m", path);
		return (-1);
	}
	if (!S_ISREG(sb.st_mode)) {
		syslog(LOG_ERR, "%s: not a regular file", path);
		return (-1);
	}
	if (sb.st_uid != 0) {
		syslog(LOG_ERR, "%s: not owned by root", path);
		return (-1);
	}
	if ((sb.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
		syslog(LOG_ERR, "%s: writable by non-root", path);
		return (-1);
	}
	return (0);
}
1009
1010 /*
1011 * Check whether or not a tilde in a string should be expanded.
* We only do expansion for things like "~", "~/...", "~me", "~me/...".
* Additionally, for paths the tilde must be at the beginning.
1014 */
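/*
 * Decide whether the '~' at s may be expanded.  b is the start of the
 * string, u/l the login name and its length, and ip is non-zero for a
 * PATH value, where the '~' must start the string or follow a ':'.
 * Accepts "~", "~/...", "~user" and "~user/...".
 */
static int
tilde_valid(const char *s, const char *b, const char *u, size_t l, int ip)
{
	if (ip && s != b && s[-1] != ':')
		return (0);
	if (s[1] == '/' || s[1] == '\0')
		return (1);
	return (strncmp(s + 1, u, l) == 0 &&
	    (s[l + 1] == '/' || s[l + 1] == '\0'));
}

/*
 * Make a copy of a string, expanding '~' to the user's homedir, '$' to the
 * login name and other escape sequences as per cgetstr(3): "^X" is a
 * control character, "\NNN" an octal byte (up to three digits) and
 * "\b \t \n \f \r \e \c" the usual characters (\c is ':'); any other
 * escaped character stands for itself.  With pwd == NULL '~' and '$'
 * are copied literally.
 *
 * Two passes: the first measures the result, the second fills it.  Both
 * must consume the input identically, which is what keeps the fixed-size
 * memcpy()s of the home directory and login name in bounds.
 * Returns a malloc'd string, or NULL when the allocation fails.
 */
static char *
expandstr(const char *ostr, const struct passwd *pwd, int ispath)
{
	size_t n, olen, nlen, ulen = 0, dlen = 0;
	const char *ep, *eo, *op;
	char *nstr, *np;
	int ch;

	if (pwd != NULL) {
		ulen = strlen(pwd->pw_name);
		dlen = strlen(pwd->pw_dir);
	}

	/* pass 1: calculate the size of the new string */
	olen = nlen = strlen(ostr);
	for (op = ostr, ep = ostr + olen; op < ep; op++) {
		switch (*op) {
		case '~':
			if (pwd == NULL ||
			    !tilde_valid(op, ostr, pwd->pw_name, ulen, ispath))
				break;
			if (op[1] != '/' && op[1] != '\0') {
				op += ulen;	/* ~username */
				nlen = nlen - ulen - 1 + dlen;
			} else
				nlen += dlen - 1;
			break;
		case '$':
			if (pwd != NULL)
				nlen += ulen - 1;
			break;
		case '^':
			/* control char: two input bytes become one */
			if (*++op != '\0')
				nlen--;
			break;
		case '\\':
			if (op[1] == '\0')
				break;
			/*
			 * Byte in octal notation (\123) or an escaped char (\t)
			 */
			eo = op + 4;
			do {
				op++;
				nlen--;
			} while (op < eo && *op >= '0' && *op <= '7');
			break;
		}
	}
	if ((np = nstr = malloc(++nlen)) == NULL)
		return (NULL);

	/* pass 2: build the expanded string */
	for (op = ostr, ep = ostr + olen; op < ep; op++) {
		switch ((ch = *op)) {
		case '~':
			if (pwd == NULL ||
			    !tilde_valid(op, ostr, pwd->pw_name, ulen, ispath))
				break;
			if (op[1] != '/' && op[1] != '\0')
				op += ulen;	/* ~username */
			/* pass 1 reserved exactly dlen bytes for this */
			memcpy(np, pwd->pw_dir, dlen);
			np += dlen;
			continue;
		case '$':
			if (pwd == NULL)
				break;
			/* pass 1 reserved exactly ulen bytes for this */
			memcpy(np, pwd->pw_name, ulen);
			np += ulen;
			continue;
		case '^':
			if (op[1] != '\0')
				ch = *++op & 037;
			break;
		case '\\':
			if (op[1] == '\0')
				break;
			switch(*++op) {
			case '0': case '1': case '2': case '3':
			case '4': case '5': case '6': case '7':
				/*
				 * byte in octal up to 3 digits long; a value
				 * above 0377 is truncated when stored, as before
				 */
				ch = 0;
				n = 3;
				do {
					ch = ch * 8 + (*op++ - '0');
				} while (--n && *op >= '0' && *op <= '7');
				/*
				 * op is now one past the last digit; step back
				 * so the loop's op++ does not skip the character
				 * that follows the escape.
				 */
				op--;
				break;
			case 'b': case 'B':
				ch = '\b';
				break;
			case 't': case 'T':
				ch = '\t';
				break;
			case 'n': case 'N':
				ch = '\n';
				break;
			case 'f': case 'F':
				ch = '\f';
				break;
			case 'r': case 'R':
				ch = '\r';
				break;
			case 'e': case 'E':
				ch = '\033';
				break;
			case 'c': case 'C':
				ch = ':';
				break;
			default:
				ch = *op;
				break;
			}
			break;
		}
		*np++ = ch;
	}
	*np = '\0';
	return (nstr);
}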
1146