Add unprivlx
This commit is contained in:
parent
c46a926a04
commit
e4b73edfc5
|
@ -1 +1,2 @@
|
|||
/privlx
|
||||
/unprivlx
|
||||
|
|
3
compile
3
compile
|
@ -2,4 +2,5 @@
|
|||
set -e
|
||||
SCRIPT_DIR="$(dirname "$(realpath -s "$BASH_SOURCE")")"
|
||||
source "$SCRIPT_DIR/env"
|
||||
"$CC" -std=gnu89 -Werror -Wall -Os -D APP_NAME="\"$APP_NAME\"" -D APP_CONF="\"$APP_CONF\"" "$SCRIPT_DIR/src/main.c" -o "$SCRIPT_DIR/$APP_NAME" $CFLAGS
|
||||
"$CC" -std=gnu89 -Werror -Wall -Os -D APP_NAME="\"$APP_NAME\"" -D APP_CONF="\"$APP_CONF\"" "$SCRIPT_DIR/src/priv.c" -o "$SCRIPT_DIR/$APP_NAME" $CFLAGS
|
||||
"$CC" -std=gnu89 -Werror -Wall -Os -D APP_NAME="\"$APP_NAME\"" -D APP_CONF="\"$APP_CONF\"" "$SCRIPT_DIR/src/unpriv.c" -o "$SCRIPT_DIR/un$APP_NAME" $CFLAGS
|
||||
|
|
2
env
2
env
|
@ -1,4 +1,4 @@
|
|||
APP_NAME="${APP_NAME:=privlx}"
|
||||
APP_BIN="${APP_BIN:=/usr/local/bin/$APP_NAME}"
|
||||
APP_BIN="${APP_BIN:=/usr/local/bin}"
|
||||
APP_CONF="${APP_CONF:=/etc/$APP_NAME}"
|
||||
CC="${CC:=cc}"
|
||||
|
|
19
install
19
install
|
@ -2,13 +2,18 @@
|
|||
set -e
|
||||
SCRIPT_DIR="$(dirname "$(realpath -s "$BASH_SOURCE")")"
|
||||
source "$SCRIPT_DIR/env"
|
||||
mkdir -p "$(dirname "$APP_BIN")"
|
||||
cp "$SCRIPT_DIR/$APP_NAME" "$APP_BIN"
|
||||
chown 0 "$APP_BIN"
|
||||
chgrp 0 "$APP_BIN"
|
||||
chmod 755 "$APP_BIN"
|
||||
chmod u+s "$APP_BIN"
|
||||
chmod g+s "$APP_BIN"
|
||||
mkdir -p "$APP_BIN"
|
||||
cp "$SCRIPT_DIR/$APP_NAME" "$APP_BIN/$APP_NAME"
|
||||
chown 0 "$APP_BIN/$APP_NAME"
|
||||
chgrp 0 "$APP_BIN/$APP_NAME"
|
||||
chmod 755 "$APP_BIN/$APP_NAME"
|
||||
chmod u+s "$APP_BIN/$APP_NAME"
|
||||
chmod g+s "$APP_BIN/$APP_NAME"
|
||||
|
||||
cp "$SCRIPT_DIR/un$APP_NAME" "$APP_BIN/un$APP_NAME"
|
||||
chown 0 "$APP_BIN/un$APP_NAME"
|
||||
chgrp 0 "$APP_BIN/un$APP_NAME"
|
||||
chmod 755 "$APP_BIN/un$APP_NAME"
|
||||
|
||||
mkdir -p "$APP_CONF"
|
||||
if ! [ -f "$APP_CONF/commands.conf" ]; then
|
||||
|
|
|
@ -4,7 +4,8 @@ Allow unprivileged users to run executables for privileged users.
|
|||
NOTE: Some features are still coming, until then expect the ABI to break.
|
||||
|
||||
* Syntax:
|
||||
privlx <command>
|
||||
privlx <command> - Get privileges and run command
|
||||
unprivlx <command> - Drop privileges and run command
|
||||
|
||||
* Config:
|
||||
Add commands you want to allow users to run as root in /etc/privlx/commands.conf, one per line.
|
||||
|
@ -24,8 +25,8 @@ Allow the user to access power management tools. Be warned, poweroff and reboot
|
|||
Before compiling or installing, you may set these environment variables, either in a shell, or inside of ./env:
|
||||
- CC: Your C compiler (default: cc)
|
||||
- CFLAGS: Compilation flags (default: none)
|
||||
- APP_NAME: What the app is called. This is used for outputting errors (default: privlx)
|
||||
- APP_BIN: Where the app's binary is stored (default: /usr/local/$APP_NAME)
|
||||
- APP_NAME: What the app is called. This is used for naming the binaries and outputting errors (default: privlx)
|
||||
- APP_BIN: Where the app's binaries are stored (default: /usr/local/bin)
|
||||
- APP_CONF: Where the app's configuration files are stored (default: /etc/$APP_NAME)
|
||||
|
||||
* Compilation:
|
||||
|
|
|
@ -19,7 +19,7 @@ void *emalloc(void *ptr, size_t size) {
|
|||
int main(int argc, char **argv) {
|
||||
if (clearenv() != 0) { // Clear environment to boost security
|
||||
fprintf(stderr,"["APP_NAME"] Error 254: Clearing environment failed\n");
|
||||
exit(254);
|
||||
return 254;
|
||||
}
|
||||
|
||||
uid_t uid = getuid(); // User who's calling the program
|
|
@ -0,0 +1,103 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
#include <pwd.h>
|
||||
|
||||
void *emalloc(void *ptr, size_t size) {
|
||||
void *m = realloc(ptr,size);
|
||||
if (size != 0 && m == NULL) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 255: realloc() failed\n");
|
||||
exit(255);
|
||||
}
|
||||
return m;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
char * env;
|
||||
char * endptr;
|
||||
|
||||
// UID
|
||||
env = getenv("SUDO_UID");
|
||||
if (env == NULL) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 254: Could not query SUDO_UID (errno %d: %s)\n",errno,strerror(errno));
|
||||
return 254;
|
||||
}
|
||||
uid_t euid = strtol(env,&endptr,0);
|
||||
if (errno != 0) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 253: Could not convert SUDO_UID to number (errno %d: %s)\n",errno,strerror(errno));
|
||||
return 253;
|
||||
}
|
||||
|
||||
// GID
|
||||
env = getenv("SUDO_GID");
|
||||
if (env == NULL) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 254: Could not query SUDO_GID (errno %d: %s)\n",errno,strerror(errno));
|
||||
return 254;
|
||||
}
|
||||
gid_t egid = strtol(env,&endptr,0);
|
||||
if (errno != 0) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 253: Could not convert SUDO_GID to number (errno %d: %s)\n",errno,strerror(errno));
|
||||
return 253;
|
||||
}
|
||||
|
||||
// Clear env
|
||||
if (clearenv() != 0) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 252: Clearing environment failed\n");
|
||||
return 252;
|
||||
}
|
||||
|
||||
// Clear
|
||||
char passwStore[sizeof(struct passwd)];
|
||||
sprintf(passwStore,"%d",euid);
|
||||
setenv("UID",passwStore,1);
|
||||
sprintf(passwStore,"%d",egid);
|
||||
setenv("GID",passwStore,1);
|
||||
struct passwd * pw = getpwuid(euid);
|
||||
if (pw == NULL) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 253: Failed to get user information (errno: %d: %s)\n",errno,strerror(errno));
|
||||
return 253;
|
||||
}
|
||||
setenv("USER",pw -> pw_name,1);
|
||||
setenv("HOME",pw -> pw_dir,1);
|
||||
setenv("SHELL",pw -> pw_shell,1);
|
||||
|
||||
// ENV
|
||||
// PATH
|
||||
if (euid == 0) {
|
||||
setenv("PATH","/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",1);
|
||||
} else {
|
||||
setenv("PATH","/usr/local/bin:/usr/bin:/bin",1);
|
||||
}
|
||||
|
||||
// Strip first argument, and move them by 1
|
||||
char **cmd;
|
||||
if (argc > 1) {
|
||||
cmd = emalloc(NULL,argc * sizeof(char*));
|
||||
int i = 1;
|
||||
while (i < argc) {
|
||||
cmd[i - 1] = argv[i];
|
||||
++i;
|
||||
}
|
||||
cmd[argc - 1] = NULL;
|
||||
} else {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 252: Invalid syntax, use: %s <command> ...\n",argv[0]);
|
||||
return 252;
|
||||
}
|
||||
|
||||
// Get permissions
|
||||
if (setreuid(euid,egid) == -1) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 247: Failed to un-elevate user (errno %d: %s)\n",errno,strerror(errno));
|
||||
return 247;
|
||||
}
|
||||
|
||||
// Run progrem
|
||||
if (execvp(cmd[0],cmd) == -1) {
|
||||
fprintf(stderr,"[un"APP_NAME"] Error 246: Failed launching process (errno %d: %s)\n",errno,strerror(errno));
|
||||
return 246;
|
||||
}
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue