2013-07-05 04:21:12 +00:00
|
|
|
/* abuild-sudo.c - limited root privileges for users in "abuild" group
|
|
|
|
*
|
|
|
|
* Copyright (C) 2012 Natanael Copa <ncopa@alpinelinux.org>
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License version 2 as published
|
|
|
|
* by the Free Software Foundation. See http://www.gnu.org/ for details.
|
|
|
|
*/
|
2012-02-17 13:28:22 +00:00
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
|
|
|
#include <err.h>
|
|
|
|
#include <grp.h>
|
2017-07-17 15:24:07 +00:00
|
|
|
#include <pwd.h>
|
2012-02-17 13:28:22 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
#ifndef ABUILD_GROUP
|
|
|
|
#define ABUILD_GROUP "abuild"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static const char* valid_cmds[] = {
|
|
|
|
"/bin/adduser",
|
2013-05-29 13:07:27 +00:00
|
|
|
"/usr/sbin/adduser",
|
2012-02-17 13:28:22 +00:00
|
|
|
"/bin/addgroup",
|
2013-05-29 13:07:27 +00:00
|
|
|
"/usr/sbin/addgroup",
|
2012-02-17 13:28:22 +00:00
|
|
|
"/sbin/apk",
|
2017-04-05 13:28:13 +00:00
|
|
|
"/usr/bin/abuild-rmtemp",
|
2012-02-17 13:28:22 +00:00
|
|
|
NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
const char *get_command_path(const char *cmd)
|
|
|
|
{
|
|
|
|
const char *p;
|
|
|
|
int i;
|
|
|
|
for (i = 0; valid_cmds[i] != NULL; i++) {
|
2013-05-29 13:07:27 +00:00
|
|
|
if (access(valid_cmds[i], F_OK) == -1)
|
|
|
|
continue;
|
2012-02-17 13:28:22 +00:00
|
|
|
p = strrchr(valid_cmds[i], '/') + 1;
|
|
|
|
if (strcmp(p, cmd) == 0)
|
|
|
|
return valid_cmds[i];
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
int is_in_group(gid_t group)
|
|
|
|
{
|
|
|
|
int ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
|
|
|
|
gid_t *buf = malloc(ngroups_max * sizeof(gid_t));
|
2019-02-22 15:50:01 +00:00
|
|
|
int ngroups;
|
2012-02-17 13:28:22 +00:00
|
|
|
int i;
|
|
|
|
if (buf == NULL) {
|
|
|
|
perror("malloc");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
ngroups = getgroups(ngroups_max, buf);
|
|
|
|
for (i = 0; i < ngroups; i++) {
|
|
|
|
if (buf[i] == group)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
free(buf);
|
|
|
|
return i < ngroups;
|
|
|
|
}
|
|
|
|
|
|
|
|
int main(int argc, const char *argv[])
|
|
|
|
{
|
|
|
|
struct group *grent;
|
|
|
|
const char *cmd;
|
|
|
|
const char *path;
|
2013-12-16 10:21:28 +00:00
|
|
|
int i;
|
2017-07-17 15:24:07 +00:00
|
|
|
struct passwd *pw;
|
2012-02-17 13:28:22 +00:00
|
|
|
|
|
|
|
grent = getgrnam(ABUILD_GROUP);
|
|
|
|
if (grent == NULL)
|
|
|
|
errx(1, "%s: Group not found", ABUILD_GROUP);
|
|
|
|
|
2017-07-17 18:02:35 +00:00
|
|
|
char *name = NULL;
|
|
|
|
pw = getpwuid(getuid());
|
|
|
|
if (pw)
|
|
|
|
name = pw->pw_name;
|
2017-07-17 15:24:07 +00:00
|
|
|
|
2016-04-12 22:26:35 +00:00
|
|
|
if (!is_in_group(grent->gr_gid)) {
|
|
|
|
errx(1, "User %s is not a member of group %s\n",
|
2016-04-14 11:48:30 +00:00
|
|
|
name ? name : "(unknown)", ABUILD_GROUP);
|
2016-04-12 22:26:35 +00:00
|
|
|
}
|
2017-07-17 18:02:35 +00:00
|
|
|
|
|
|
|
if (name == NULL)
|
2017-07-17 15:24:07 +00:00
|
|
|
warnx("Could not find username for uid %d\n", getuid());
|
2017-07-17 18:02:35 +00:00
|
|
|
setenv("USER", name ?: "", 1);
|
2012-02-17 13:28:22 +00:00
|
|
|
|
2017-04-21 08:49:40 +00:00
|
|
|
cmd = strrchr(argv[0], '/');
|
|
|
|
if (cmd)
|
|
|
|
cmd++;
|
|
|
|
else
|
|
|
|
cmd = argv[0];
|
|
|
|
cmd = strchr(cmd, '-');
|
2013-07-05 04:21:11 +00:00
|
|
|
if (cmd == NULL)
|
2012-02-17 13:28:22 +00:00
|
|
|
errx(1, "Calling command has no '-'");
|
|
|
|
cmd++;
|
|
|
|
|
|
|
|
path = get_command_path(cmd);
|
|
|
|
if (path == NULL)
|
|
|
|
errx(1, "%s: Not a valid subcommand", cmd);
|
|
|
|
|
2013-12-16 10:21:28 +00:00
|
|
|
/* we dont allow --allow-untrusted option */
|
|
|
|
for (i = 1; i < argc; i++)
|
|
|
|
if (strcmp(argv[i], "--allow-untrusted") == 0)
|
|
|
|
errx(1, "%s: not allowed option", "--allow-untrusted");
|
|
|
|
|
2012-02-17 13:28:22 +00:00
|
|
|
argv[0] = path;
|
2013-07-05 04:21:11 +00:00
|
|
|
/* set our uid to root so bbsuid --install works */
|
2012-02-17 13:28:22 +00:00
|
|
|
setuid(0);
|
2017-05-15 21:06:21 +00:00
|
|
|
/* set our gid to root so apk commit hooks run with the same gid as for "sudo apk add ..." */
|
|
|
|
setgid(0);
|
2012-02-17 13:28:22 +00:00
|
|
|
execv(path, (char * const*)argv);
|
2013-05-29 13:01:00 +00:00
|
|
|
perror(path);
|
2012-02-17 13:28:22 +00:00
|
|
|
return 1;
|
|
|
|
}
|