diff options
| -rw-r--r-- | doc/index.html | 1 | ||||
| -rw-r--r-- | doc/s6-applyuidgid.html | 63 | ||||
| -rw-r--r-- | package/deps.mak | 3 | ||||
| -rw-r--r-- | package/modes | 1 | ||||
| -rw-r--r-- | package/targets.mak | 5 | ||||
| -rw-r--r-- | src/daemontools-extras/deps-exe/s6-applyuidgid | 1 | ||||
| -rw-r--r-- | src/daemontools-extras/s6-applyuidgid.c | 68 |
7 files changed, 141 insertions, 1 deletions
diff --git a/doc/index.html b/doc/index.html index 54e8925..bf8d0ae 100644 --- a/doc/index.html +++ b/doc/index.html @@ -138,6 +138,7 @@ counterpart. <li><a href="s6-setlock.html">The <tt>s6-setlock</tt> program</a></li> <li><a href="s6-setsid.html">The <tt>s6-setsid</tt> program</a></li> <li><a href="s6-setuidgid.html">The <tt>s6-setuidgid</tt> program</a></li> +<li><a href="s6-applyuidgid.html">The <tt>s6-applyuidgid</tt> program</a></li> <li><a href="s6-softlimit.html">The <tt>s6-softlimit</tt> program</a></li> <li><a href="s6-tai64n.html">The <tt>s6-tai64n</tt> program</a></li> <li><a href="s6-tai64nlocal.html">The <tt>s6-tai64nlocal</tt> program</a></li> diff --git a/doc/s6-applyuidgid.html b/doc/s6-applyuidgid.html new file mode 100644 index 0000000..9b4293e --- /dev/null +++ b/doc/s6-applyuidgid.html @@ -0,0 +1,63 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6: the s6-applyuidgid program</title> + <meta name="Description" content="s6: the s6-applyuidgid program" /> + <meta name="Keywords" content="s6 command s6-applyuidgid uid gid groups privilege dropping loss user change su" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The s6-applyuidgid program </h1> + +<p> + s6-applyuidgid executes a program with reduced privileges. +</p> + +<h2> Interface </h2> + +<pre> + s6-applyuidgid [ -z ] [ -u <em>uid</em> ] [ -g <em>gid</em> ] [ -G <em>gidlist</em> ] [ -U ] <em>prog...</em> +</pre> + +<ul> + <li> s6-applyuidgid sets its uid, gid and supplementary group list to the +values given, then executes into <em>prog</em>. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-u <em>uid</em></tt> : set the process' user ID to <em>uid</em> </li> + <li> <tt>-g <em>gid</em></tt> : set the process' group ID to <em>gid</em> </li> + <li> <tt>-G <em>gidlist</em></tt> : set the process' supplementary group list +to <em>gidlist</em>, which must be given as a comma-separated list of numeric GIDs, +without spaces. </li> + <li> <tt>-U</tt> : set the process' user ID, group ID and supplementary group list +to the values of the UID, GID and GIDLIST environment variables. If a <tt>-u</tt>, +<tt>-g</tt> or <tt>-G</tt> option is given after <tt>-U</tt>, the command line +value overrides the environment variable. </li> + <li> <tt>-z</tt> : unexport. The UID, GID and GIDLIST variables will be +removed from the process environment. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-applyuidgid can only be run as root. Its main use is to drop root privileges before +starting a daemon. </li> + <li> s6-applyuidgid is a more generic version of +<a href="s6-setuidgid.html">s6-setuidgid</a>. It is used as a command line +building block by some programs that rewrite their command line, such as +<a href="http://skarnet.org/software/s6-networking/s6-tcpserver.html">s6-tcpserver</a> </li> +</ul> + +</body> +</html> diff --git a/package/deps.mak b/package/deps.mak index e728bb0..4b33279 100644 --- a/package/deps.mak +++ b/package/deps.mak @@ -5,6 +5,7 @@ src/include/s6/ftrigr.h: src/include/s6/config.h src/include/s6/s6.h: src/include/s6/ftrigr.h src/include/s6/ftrigw.h src/include/s6/s6-supervise.h src/include/s6/s6lock.h src/include/s6/s6lock.h: src/include/s6/config.h +src/daemontools-extras/s6-applyuidgid.o src/daemontools-extras/s6-applyuidgid.lo: src/daemontools-extras/s6-applyuidgid.c src/daemontools-extras/s6-envdir.o src/daemontools-extras/s6-envdir.lo: src/daemontools-extras/s6-envdir.c src/daemontools-extras/s6-envuidgid.o src/daemontools-extras/s6-envuidgid.lo: src/daemontools-extras/s6-envuidgid.c src/daemontools-extras/s6-fghack.o src/daemontools-extras/s6-fghack.lo: src/daemontools-extras/s6-fghack.c @@ -69,6 +70,8 @@ src/supervision/s6-svscanctl.o src/supervision/s6-svscanctl.lo: src/supervision/ src/supervision/s6-svstat.o src/supervision/s6-svstat.lo: src/supervision/s6-svstat.c src/include/s6/s6-supervise.h src/supervision/s6-svwait.o src/supervision/s6-svwait.lo: src/supervision/s6-svwait.c src/include/s6/ftrigr.h src/include/s6/s6-supervise.h +s6-applyuidgid: private EXTRA_LIBS := +s6-applyuidgid: src/daemontools-extras/s6-applyuidgid.o -lskarnet s6-envdir: private EXTRA_LIBS := s6-envdir: src/daemontools-extras/s6-envdir.o -lskarnet s6-envuidgid: private EXTRA_LIBS := diff --git a/package/modes b/package/modes index d3fb2e0..4b86721 100644 --- a/package/modes +++ b/package/modes @@ -15,6 +15,7 @@ s6-svscanctl 0755 s6-svok 0755 s6-svstat 0755 s6-svwait 0755 +s6-applyuidgid 0700 s6-envdir 0755 s6-envuidgid 0755 s6-fghack 0755 diff --git a/package/targets.mak b/package/targets.mak index 5353fc6..283cc67 100644 --- a/package/targets.mak +++ b/package/targets.mak @@ -21,12 +21,15 @@ s6-fghack \ s6-log \ s6-setlock \ s6-setsid \ -s6-setuidgid \ s6-softlimit \ s6-tai64n \ s6-tai64nlocal \ ucspilogd +SBIN_TARGETS := \ +s6-applyuidgid \ +s6-setuidgid + LIBEXEC_TARGETS := s6lockd-helper ifdef DO_SHARED diff --git a/src/daemontools-extras/deps-exe/s6-applyuidgid b/src/daemontools-extras/deps-exe/s6-applyuidgid new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/daemontools-extras/deps-exe/s6-applyuidgid @@ -0,0 +1 @@ +-lskarnet diff --git a/src/daemontools-extras/s6-applyuidgid.c b/src/daemontools-extras/s6-applyuidgid.c new file mode 100644 index 0000000..77beef2 --- /dev/null +++ b/src/daemontools-extras/s6-applyuidgid.c @@ -0,0 +1,68 @@ +/* ISC license. */ + +#include <skalibs/nonposix.h> +#include <sys/types.h> +#include <unistd.h> +#include <grp.h> +#include <limits.h> +#include <skalibs/uint.h> +#include <skalibs/gidstuff.h> +#include <skalibs/strerr2.h> +#include <skalibs/sgetopt.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> + +#define USAGE "s6-applyuidgid [ -z ] [ -u uid ] [ -g gid ] [ -G gidlist ] [ -U ] prog..." +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv, char const *const *envp) +{ + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = (unsigned int)-1 ; + int unexport = 0 ; + PROG = "s6-applyuidgid" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "zUu:g:G:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'z' : unexport = 1 ; break ; + case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn)) dieusage() ; break ; + case 'U' : + { + char const *x = env_get2(envp, "UID") ; + if (!x) strerr_dienotset(100, "UID") ; + if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, "UID") ; + x = env_get2(envp, "GID") ; + if (!x) strerr_dienotset(100, "GID") ; + if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, "GID") ; + x = env_get2(envp, "GIDLIST") ; + if (!x) strerr_dienotset(100, "GIDLIST") ; + if (!gid_scanlist(gids, NGROUPS_MAX, x, &gidn) && *x) + strerr_dieinvalid(100, "GIDLIST") ; + break ; + } + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (!argc) dieusage() ; + + if (gidn != (unsigned int)-1 && setgroups(gidn, gids) < 0) + strerr_diefu1sys(111, "set supplementary group list") ; + if (gid && setgid(gid) < 0) + strerr_diefu1sys(111, "setgid") ; + if (uid && setuid(uid) < 0) + strerr_diefu1sys(111, "setuid") ; + + if (unexport) pathexec_r(argv, envp, env_len(envp), "UID\0GID\0GIDLIST", 16) ; + else pathexec_run(argv[0], argv, envp) ; + strerr_dieexec(111, argv[0]) ; +} |