selinux/policycoreutils/run_init/run_init.c

431 lines
12 KiB
C

/************************************************************************
*
* run_init
*
* SYNOPSIS:
*
* This program allows a user to run an /etc/init.d script in the proper context.
*
* USAGE:
*
* run_init <script> <args>
*
* BUILD OPTIONS:
*
* option USE_PAM:
*
* Set the USE_PAM constant if you want to authenticate users via PAM.
* If USE_PAM is not set, users will be authenticated via direct
* access to the shadow password file.
*
* If you decide to use PAM must be told how to handle run_init. A
* good rule-of-thumb might be to tell PAM to handle run_init in the
* same way it handles su, except that you should remove the pam_rootok.so
* entry so that even root must re-authenticate to run the init scripts
* in the proper context.
*
* If you choose not to use PAM, make sure you have a shadow passwd file
* in /etc/shadow. You can use a simlink if your shadow passwd file
* lives in another directory. Example:
* su
* cd /etc
* ln -s /etc/auth/shadow shadow
*
* If you decide not to use PAM, you will also have to make run_init
* setuid root, so that it can read the shadow passwd file.
*
*
*************************************************************************/
#include <stdio.h>
#include <stdlib.h> /* for malloc(), realloc(), free() */
#include <pwd.h> /* for getpwuid() */
#include <sys/types.h> /* to make getuid() and getpwuid() happy */
#include <sys/wait.h> /* for wait() */
#include <sys/stat.h> /* for struct stat and friends */
#include <getopt.h> /* for getopt_long() form of getopt() */
#include <selinux/selinux.h>
#include <selinux/get_default_type.h>
#include <selinux/context.h> /* for context-mangling functions */
#include <fcntl.h>
#include <ctype.h>
#include <limits.h>
#ifdef USE_AUDIT
#include <libaudit.h>
#endif
#ifdef USE_NLS
#include <libintl.h>
#include <locale.h>
#define _(msgid) gettext (msgid)
#else
#define _(msgid) (msgid)
#endif
#ifndef PACKAGE
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
/* USAGE_STRING describes the command-line args of this program. */
#define USAGE_STRING _("USAGE: run_init <script> <args ...>\n\
where: <script> is the name of the init script to run,\n\
<args ...> are the arguments to that script.")
#define CONTEXT_FILE "initrc_context"
#ifdef USE_PAM
/************************************************************************
*
* All PAM code goes in this section.
*
************************************************************************/
#include <unistd.h> /* for getuid(), exit(), getopt() */
#include <security/pam_appl.h> /* for PAM functions */
#include <security/pam_misc.h> /* for misc_conv PAM utility function */
#define SERVICE_NAME "run_init" /* the name of this program for PAM */
/* The file containing the context to run
* the scripts under. */
int authenticate_via_pam(const struct passwd *);
/* authenticate_via_pam()
*
* in: p_passwd_line - struct containing data from our user's line in
* the passwd file.
* out: nothing
* return: value condition
* ----- ---------
* 1 PAM thinks that the user authenticated themselves properly
* 0 otherwise
*
* This function uses PAM to authenticate the user running this
* program. This is the only function in this program that makes PAM
* calls.
*
*/
int authenticate_via_pam(const struct passwd *p_passwd_line)
{
int result = 0; /* our result, set to 0 (not authenticated) by default */
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
/* This is a jump table of functions for PAM to use when it wants to *
* communicate with the user. We'll be using misc_conv(), which is *
* provided for us via pam_misc.h. */
struct pam_conv pam_conversation = {
misc_conv,
NULL
};
/* Make `p_pam_handle' a valid PAM handle so we can use it when *
* calling PAM functions. */
if (PAM_SUCCESS != pam_start(SERVICE_NAME,
p_passwd_line->pw_name,
&pam_conversation, &pam_handle)) {
fprintf(stderr, _("failed to initialize PAM\n"));
exit(-1);
}
/* Ask PAM to authenticate the user running this program */
if (PAM_SUCCESS == pam_authenticate(pam_handle, 0)) {
result = 1; /* user authenticated OK! */
}
/* If we were successful, call pam_acct_mgmt() to reset the
* pam_tally failcount.
*/
if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) {
fprintf(stderr, _("failed to get account information\n"));
exit(-1);
}
/* We're done with PAM. Free `pam_handle'. */
pam_end(pam_handle, PAM_SUCCESS);
return (result);
} /* authenticate_via_pam() */
#else /* else !USE_PAM */
/************************************************************************
*
* All shadow passwd code goes in this section.
*
************************************************************************/
#include <unistd.h> /* for getuid(), exit(), crypt() */
#include <shadow.h> /* for shadow passwd functions */
#include <string.h> /* for strlen(), memset() */
#define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */
int authenticate_via_shadow_passwd(const struct passwd *);
/* authenticate_via_shadow_passwd()
*
* in: p_passwd_line - struct containing data from our user's line in
* the passwd file.
* out: nothing
* return: value condition
* ----- ---------
* 1 user authenticated themselves properly according to the
* shadow passwd file.
* 0 otherwise
*
* This function uses the shadow passwd file to authenticate the user running
* this program.
*
*/
int authenticate_via_shadow_passwd(const struct passwd *p_passwd_line)
{
struct spwd *p_shadow_line; /* struct derived from shadow passwd file line */
char *unencrypted_password_s; /* unencrypted password input by user */
char *encrypted_password_s; /* user's password input after being crypt()ed */
/* Make `p_shadow_line' point to the data from the current user's *
* line in the shadow passwd file. */
setspent(); /* Begin access to the shadow passwd file. */
p_shadow_line = getspnam(p_passwd_line->pw_name);
endspent(); /* End access to the shadow passwd file. */
if (!(p_shadow_line)) {
fprintf(stderr,
_
("Cannot find your entry in the shadow passwd file.\n"));
exit(-1);
}
/* Ask user to input unencrypted password */
if (!(unencrypted_password_s = getpass(PASSWORD_PROMPT))) {
fprintf(stderr, _("getpass cannot open /dev/tty\n"));
exit(-1);
}
/* Use crypt() to encrypt user's input password. Clear the *
* unencrypted password as soon as we're done, so it is not *
* visible to memory snoopers. */
encrypted_password_s = crypt(unencrypted_password_s,
p_shadow_line->sp_pwdp);
memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
/* Return 1 (authenticated) iff the encrypted version of the user's *
* input password matches the encrypted password stored in the *
* shadow password file. */
return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
} /* authenticate_via_shadow_passwd() */
#endif /* if/else USE_PAM */
/*
* authenticate_user()
*
* Authenticate the user.
*
* in: nothing
* out: nothing
* return: 0 When success
* -1 When failure
*/
int authenticate_user(void)
{
#define INITLEN 255
struct passwd *p_passwd_line; /* struct derived from passwd file line */
uid_t uid;
/*
* Determine the Linux user identity to re-authenticate.
* If supported and set, use the login uid, as this should be more stable.
* Otherwise, use the real uid.
* The SELinux user identity is no longer used, as Linux users are now
* mapped to SELinux users via seusers and the SELinux user identity space
* is separate.
*/
#ifdef USE_AUDIT
uid = audit_getloginuid();
if (uid == (uid_t) - 1)
uid = getuid();
#else
uid = getuid();
#endif
p_passwd_line = getpwuid(uid);
if (!p_passwd_line) {
fprintf(stderr, "cannot find your entry in the passwd file.\n");
return (-1);
}
printf("Authenticating %s.\n", p_passwd_line->pw_name);
/*
* Re-authenticate the user running this program.
* This is just to help confirm user intent (vs. invocation by
* malicious software), not to authorize the operation (which is covered
* by policy). Trusted path mechanism would be preferred.
*/
#ifdef USE_PAM
if (!authenticate_via_pam(p_passwd_line)) {
#else /* !USE_PAM */
if (!authenticate_via_shadow_passwd(p_passwd_line)) {
#endif /* if/else USE_PAM */
fprintf(stderr, _("run_init: incorrect password for %s\n"),
p_passwd_line->pw_name);
return (-1);
}
/* If we reach here, then we have authenticated the user. */
#ifdef CANTSPELLGDB
printf("You are authenticated!\n");
#endif
return 0;
} /* authenticate_user() */
/*
* get_init_context()
*
* Get the CONTEXT associated with the context for the init scripts. *
*
* in: nothing
* out: The CONTEXT associated with the context.
* return: 0 on success, -1 on failure.
*/
int get_init_context(security_context_t * context)
{
FILE *fp;
char buf[255], *bufp;
int buf_len;
char context_file[PATH_MAX];
snprintf(context_file, sizeof(context_file) - 1, "%s/%s",
selinux_contexts_path(), CONTEXT_FILE);
fp = fopen(context_file, "r");
if (!fp) {
fprintf(stderr, _("Could not open file %s\n"), context_file);
return -1;
}
while (1) { /* loop until we find a non-empty line */
if (!fgets(buf, sizeof buf, fp))
break;
buf_len = strlen(buf);
if (buf[buf_len - 1] == '\n')
buf[buf_len - 1] = 0;
bufp = buf;
while (*bufp && isspace(*bufp))
bufp++;
if (*bufp) {
*context = strdup(bufp);
if (!(*context))
goto out;
fclose(fp);
return 0;
}
}
out:
fclose(fp);
fprintf(stderr, _("No context in file %s\n"), context_file);
return -1;
} /* get_init_context() */
/*****************************************************************************
* main() *
*****************************************************************************/
int main(int argc, char *argv[])
{
extern char *optarg; /* used by getopt() for arg strings */
extern int opterr; /* controls getopt() error messages */
security_context_t new_context; /* context for the init script context */
#ifdef USE_NLS
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
#endif
/* Verify that we are running on a flask-enabled kernel. */
if (!is_selinux_enabled()) {
fprintf(stderr,
_
("Sorry, run_init may be used only on a SELinux kernel.\n"));
exit(-1);
}
/*
* Step 1: Handle command-line arguments. The first argument is the
* name of the script to run. All other arguments are for the script
* itself, and will be passed directly to the script.
*/
if (argc < 2) {
fprintf(stderr, "%s\n", USAGE_STRING);
exit(-1);
}
/*
* Step 2: Authenticate the user.
*/
if (authenticate_user() != 0) {
fprintf(stderr, _("authentication failed.\n"));
exit(-1);
}
/*
* Step 3: Get the context for the script to be run in.
*/
if (get_init_context(&new_context) == 0) {
#ifdef CANTSPELLGDB
printf("context is %s\n", new_context);
#endif
} else {
exit(-1);
}
/*
* Step 4: Run the command in the correct context.
*/
if (chdir("/")) {
perror("chdir");
exit(-1);
}
if (setexeccon(new_context) < 0) {
fprintf(stderr, _("Could not set exec context to %s.\n"),
new_context);
exit(-1);
}
if (access("/usr/sbin/open_init_pty", X_OK) != 0) {
if (execvp(argv[1], argv + 1)) {
perror("execvp");
exit(-1);
}
return 0;
}
/*
* Do not execvp the command directly from run_init; since it would run
* under with a pty under sysadm_devpts_t. Instead, we call open_init_tty,
* which transitions us into initrc_t, which then spawns a new
* process, that gets a pty with context initrc_devpts_t. Just
* execvp or using a exec(1) recycles pty's, and does not open a new
* one.
*/
if (execvp("/usr/sbin/open_init_pty", argv)) {
perror("execvp");
exit(-1);
}
return 0;
} /* main() */