The main use case of setpriv is to modify the current state of privileges available to the calling process and spawn a new executable with the modified, new state. Next to the already supported case of modifying the no-new-privs flag, util-linux also supports to modify capability sets. This commit introduces to add or drop capabilities from the set of inheritable capabilities. Quoting from capabilities(7): This is a set of capabilities preserved across an execve(2). Inheritable capabilities remain inheritable when executing any program, and inheritable capabilities are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set. As such, inheritable capabilities enable executing files with certain privileges if the file itself has these privileges set. Note though that inheritable capabilities are dropped across execve when running as a non-root user. function old new delta getcaps - 237 +237 setpriv_main 1129 1246 +117 .rodata 146198 146307 +109 static.setpriv_longopts 29 40 +11 packed_usage 32107 32092 -15 Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
426 lines
11 KiB
C
426 lines
11 KiB
C
/* vi: set sw=4 ts=4: */
|
|
/*
|
|
* setpriv implementation for busybox based on linux-utils-ng 2.29
|
|
*
|
|
* Copyright (C) 2017 by <assafgordon@gmail.com>
|
|
*
|
|
* Licensed under GPLv2 or later, see file LICENSE in this source tree.
|
|
*
|
|
*/
|
|
//config:config SETPRIV
|
|
//config: bool "setpriv"
|
|
//config: default y
|
|
//config: select PLATFORM_LINUX
|
|
//config: select LONG_OPTS
|
|
//config: help
|
|
//config: Run a program with different Linux privilege settings.
|
|
//config: Requires kernel >= 3.5
|
|
//config:
|
|
//config:config FEATURE_SETPRIV_DUMP
|
|
//config: bool "Support dumping current privilege state"
|
|
//config: default y
|
|
//config: depends on SETPRIV
|
|
//config: help
|
|
//config: Enables the "--dump" switch to print out the current privilege
|
|
//config: state. This is helpful for diagnosing problems.
|
|
//config:
|
|
//config:config FEATURE_SETPRIV_CAPABILITIES
|
|
//config: bool "Support capabilities"
|
|
//config: default y
|
|
//config: depends on SETPRIV
|
|
//config: help
|
|
//config: Capabilities can be used to grant processes additional rights
|
|
//config: without the necessity to always execute as the root user.
|
|
//config: Enabling this option enables "--dump" to show information on
|
|
//config: capabilities.
|
|
//config:
|
|
//config:config FEATURE_SETPRIV_CAPABILITY_NAMES
|
|
//config: bool "Support capability names"
|
|
//config: default y
|
|
//config: depends on SETPRIV && FEATURE_SETPRIV_CAPABILITIES
|
|
//config: help
|
|
//config: Capabilities can be either referenced via a human-readble name,
|
|
//config: e.g. "net_admin", or using their index, e.g. "cap_12". Enabling
|
|
//config: this option allows using the human-readable names in addition to
|
|
//config: the index-based names.
|
|
|
|
//applet:IF_SETPRIV(APPLET(setpriv, BB_DIR_BIN, BB_SUID_DROP))
|
|
|
|
//kbuild:lib-$(CONFIG_SETPRIV) += setpriv.o
|
|
|
|
//usage:#define setpriv_trivial_usage
|
|
//usage: "[OPTIONS] PROG [ARGS]"
|
|
//usage:#define setpriv_full_usage "\n\n"
|
|
//usage: "Run PROG with different privilege settings\n"
|
|
//usage: IF_FEATURE_SETPRIV_DUMP(
|
|
//usage: "\n-d,--dump Show current capabilities"
|
|
//usage: )
|
|
//usage: "\n--nnp,--no-new-privs Ignore setuid/setgid bits and file capabilities"
|
|
//usage: IF_FEATURE_SETPRIV_CAPABILITIES(
|
|
//usage: "\n--inh-caps CAP[,CAP...] Set inheritable capabilities"
|
|
//usage: )
|
|
|
|
//setpriv from util-linux 2.28:
|
|
// -d, --dump show current state (and do not exec anything)
|
|
// --nnp, --no-new-privs disallow granting new privileges
|
|
// --inh-caps <caps,...> set inheritable capabilities
|
|
// --bounding-set <caps> set capability bounding set
|
|
// --ruid <uid> set real uid
|
|
// --euid <uid> set effective uid
|
|
// --rgid <gid> set real gid
|
|
// --egid <gid> set effective gid
|
|
// --reuid <uid> set real and effective uid
|
|
// --regid <gid> set real and effective gid
|
|
// --clear-groups clear supplementary groups
|
|
// --keep-groups keep supplementary groups
|
|
// --groups <group,...> set supplementary groups
|
|
// --securebits <bits> set securebits
|
|
// --selinux-label <label> set SELinux label
|
|
// --apparmor-profile <pr> set AppArmor profile
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
|
#include <linux/capability.h>
|
|
#include <sys/capability.h>
|
|
#endif
|
|
#include <sys/prctl.h>
|
|
#include "libbb.h"
|
|
|
|
#ifndef PR_CAPBSET_READ
|
|
#define PR_CAPBSET_READ 23
|
|
#endif
|
|
|
|
#ifndef PR_SET_NO_NEW_PRIVS
|
|
#define PR_SET_NO_NEW_PRIVS 38
|
|
#endif
|
|
|
|
#ifndef PR_GET_NO_NEW_PRIVS
|
|
#define PR_GET_NO_NEW_PRIVS 39
|
|
#endif
|
|
|
|
#ifndef PR_CAP_AMBIENT
|
|
#define PR_CAP_AMBIENT 47
|
|
#define PR_CAP_AMBIENT_IS_SET 1
|
|
#endif
|
|
|
|
enum {
|
|
IF_FEATURE_SETPRIV_DUMP(OPTBIT_DUMP,)
|
|
IF_FEATURE_SETPRIV_CAPABILITIES(OPTBIT_INH,)
|
|
OPTBIT_NNP,
|
|
|
|
IF_FEATURE_SETPRIV_DUMP(OPT_DUMP = (1 << OPTBIT_DUMP),)
|
|
IF_FEATURE_SETPRIV_CAPABILITIES(OPT_INH = (1 << OPTBIT_INH),)
|
|
OPT_NNP = (1 << OPTBIT_NNP),
|
|
};
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
|
struct caps {
|
|
struct __user_cap_header_struct header;
|
|
cap_user_data_t data;
|
|
int u32s;
|
|
};
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
|
static const char *const capabilities[] = {
|
|
"chown",
|
|
"dac_override",
|
|
"dac_read_search",
|
|
"fowner",
|
|
"fsetid",
|
|
"kill",
|
|
"setgid",
|
|
"setuid",
|
|
"setpcap",
|
|
"linux_immutable",
|
|
"net_bind_service",
|
|
"net_broadcast",
|
|
"net_admin",
|
|
"net_raw",
|
|
"ipc_lock",
|
|
"ipc_owner",
|
|
"sys_module",
|
|
"sys_rawio",
|
|
"sys_chroot",
|
|
"sys_ptrace",
|
|
"sys_pacct",
|
|
"sys_admin",
|
|
"sys_boot",
|
|
"sys_nice",
|
|
"sys_resource",
|
|
"sys_time",
|
|
"sys_tty_config",
|
|
"mknod",
|
|
"lease",
|
|
"audit_write",
|
|
"audit_control",
|
|
"setfcap",
|
|
"mac_override",
|
|
"mac_admin",
|
|
"syslog",
|
|
"wake_alarm",
|
|
"block_suspend",
|
|
"audit_read",
|
|
};
|
|
#endif /* FEATURE_SETPRIV_CAPABILITY_NAMES */
|
|
|
|
#endif /* FEATURE_SETPRIV_CAPABILITIES */
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
|
static void getcaps(struct caps *caps)
|
|
{
|
|
int versions[] = {
|
|
_LINUX_CAPABILITY_U32S_3,
|
|
_LINUX_CAPABILITY_U32S_2,
|
|
_LINUX_CAPABILITY_U32S_1,
|
|
};
|
|
int i;
|
|
|
|
caps->header.pid = 0;
|
|
for (i = 0; i < ARRAY_SIZE(versions); i++) {
|
|
caps->header.version = versions[i];
|
|
if (capget(&caps->header, NULL) == 0)
|
|
goto got_it;
|
|
}
|
|
bb_simple_perror_msg_and_die("capget");
|
|
got_it:
|
|
|
|
switch (caps->header.version) {
|
|
case _LINUX_CAPABILITY_VERSION_1:
|
|
caps->u32s = _LINUX_CAPABILITY_U32S_1;
|
|
break;
|
|
case _LINUX_CAPABILITY_VERSION_2:
|
|
caps->u32s = _LINUX_CAPABILITY_U32S_2;
|
|
break;
|
|
case _LINUX_CAPABILITY_VERSION_3:
|
|
caps->u32s = _LINUX_CAPABILITY_U32S_3;
|
|
break;
|
|
default:
|
|
bb_error_msg_and_die("unsupported capability version");
|
|
}
|
|
|
|
caps->data = xmalloc(sizeof(caps->data[0]) * caps->u32s);
|
|
if (capget(&caps->header, caps->data) < 0)
|
|
bb_simple_perror_msg_and_die("capget");
|
|
}
|
|
#endif /* FEATURE_SETPRIV_CAPABILITIES */
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_DUMP
|
|
static int dump(void)
|
|
{
|
|
IF_FEATURE_SETPRIV_CAPABILITIES(struct caps caps;)
|
|
const char *fmt;
|
|
uid_t ruid, euid, suid;
|
|
gid_t rgid, egid, sgid;
|
|
gid_t *gids;
|
|
int i, ngids, nnp;
|
|
|
|
getresuid(&ruid, &euid, &suid); /* never fails in Linux */
|
|
getresgid(&rgid, &egid, &sgid); /* never fails in Linux */
|
|
ngids = 0;
|
|
gids = bb_getgroups(&ngids, NULL); /* never fails in Linux */
|
|
|
|
nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
|
|
if (nnp < 0)
|
|
bb_perror_msg_and_die("prctl: %s", "GET_NO_NEW_PRIVS");
|
|
|
|
printf("uid: %u\n", (unsigned)ruid);
|
|
printf("euid: %u\n", (unsigned)euid);
|
|
printf("gid: %u\n", (unsigned)rgid);
|
|
printf("egid: %u\n", (unsigned)egid);
|
|
|
|
printf("Supplementary groups: ");
|
|
if (ngids == 0) {
|
|
printf("[none]");
|
|
} else {
|
|
fmt = ",%u" + 1;
|
|
for (i = 0; i < ngids; i++) {
|
|
printf(fmt, (unsigned)gids[i]);
|
|
fmt = ",%u";
|
|
}
|
|
}
|
|
printf("\nno_new_privs: %d\n", nnp);
|
|
|
|
# if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
|
getcaps(&caps);
|
|
printf("Inheritable capabilities: ");
|
|
fmt = "";
|
|
for (i = 0; cap_valid(i); i++) {
|
|
unsigned idx = CAP_TO_INDEX(i);
|
|
if (idx >= caps.u32s) {
|
|
printf("\nindex: %u u32s: %u capability: %u\n", idx, caps.u32s, i);
|
|
bb_error_msg_and_die("unsupported capability");
|
|
}
|
|
if (caps.data[idx].inheritable & CAP_TO_MASK(i)) {
|
|
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
|
if (i < ARRAY_SIZE(capabilities))
|
|
printf("%s%s", fmt, capabilities[i]);
|
|
else
|
|
# endif
|
|
printf("%scap_%u", fmt, i);
|
|
fmt = ",";
|
|
}
|
|
}
|
|
if (!fmt[0])
|
|
printf("[none]");
|
|
|
|
printf("\nAmbient capabilities: ");
|
|
fmt = "";
|
|
for (i = 0; cap_valid(i); i++) {
|
|
int ret = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long) i, 0UL, 0UL);
|
|
if (ret < 0)
|
|
bb_perror_msg_and_die("prctl: %s", "CAP_AMBIENT_IS_SET");
|
|
if (ret) {
|
|
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
|
if (i < ARRAY_SIZE(capabilities))
|
|
printf("%s%s", fmt, capabilities[i]);
|
|
else
|
|
# endif
|
|
printf("%scap_%u", fmt, i);
|
|
fmt = ",";
|
|
}
|
|
}
|
|
if (i == 0)
|
|
printf("[unsupported]");
|
|
else if (!fmt[0])
|
|
printf("[none]");
|
|
|
|
printf("\nCapability bounding set: ");
|
|
fmt = "";
|
|
for (i = 0; cap_valid(i); i++) {
|
|
int ret = prctl(PR_CAPBSET_READ, (unsigned long) i, 0UL, 0UL, 0UL);
|
|
if (ret < 0)
|
|
bb_perror_msg_and_die("prctl: %s", "CAPBSET_READ");
|
|
if (ret) {
|
|
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
|
if (i < ARRAY_SIZE(capabilities))
|
|
printf("%s%s", fmt, capabilities[i]);
|
|
else
|
|
# endif
|
|
printf("%scap_%u", fmt, i);
|
|
fmt = ",";
|
|
}
|
|
}
|
|
if (!fmt[0])
|
|
printf("[none]");
|
|
bb_putchar('\n');
|
|
# endif
|
|
|
|
if (ENABLE_FEATURE_CLEAN_UP) {
|
|
IF_FEATURE_SETPRIV_CAPABILITIES(free(caps.data);)
|
|
free(gids);
|
|
}
|
|
return EXIT_SUCCESS;
|
|
}
|
|
#endif /* FEATURE_SETPRIV_DUMP */
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
|
static void parse_cap(unsigned long *index, int *add, const char *cap)
|
|
{
|
|
unsigned long i;
|
|
|
|
switch (cap[0]) {
|
|
case '-':
|
|
*add = 0;
|
|
break;
|
|
case '+':
|
|
*add = 1;
|
|
break;
|
|
default:
|
|
bb_error_msg_and_die("invalid capability '%s'", cap);
|
|
break;
|
|
}
|
|
|
|
cap++;
|
|
if ((sscanf(cap, "cap_%lu", &i)) == 1) {
|
|
if (!cap_valid(i))
|
|
bb_error_msg_and_die("unsupported capability '%s'", cap);
|
|
*index = i;
|
|
return;
|
|
}
|
|
|
|
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
|
for (i = 0; i < ARRAY_SIZE(capabilities); i++) {
|
|
if (strcmp(capabilities[i], cap) != 0)
|
|
continue;
|
|
|
|
if (!cap_valid(i))
|
|
bb_error_msg_and_die("unsupported capability '%s'", cap);
|
|
*index = i;
|
|
return;
|
|
}
|
|
# endif
|
|
|
|
bb_error_msg_and_die("unknown capability '%s'", cap);
|
|
}
|
|
|
|
static void set_inh_caps(char *capstring)
|
|
{
|
|
struct caps caps;
|
|
|
|
getcaps(&caps);
|
|
|
|
capstring = strtok(capstring, ",");
|
|
while (capstring) {
|
|
unsigned long cap;
|
|
int add;
|
|
|
|
parse_cap(&cap, &add, capstring);
|
|
if (CAP_TO_INDEX(cap) >= caps.u32s)
|
|
bb_error_msg_and_die("invalid capability cap");
|
|
if (add)
|
|
caps.data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
|
|
else
|
|
caps.data[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
|
|
capstring = strtok(NULL, ",");
|
|
}
|
|
|
|
if ((capset(&caps.header, caps.data)) < 0)
|
|
bb_perror_msg_and_die("capset");
|
|
|
|
if (ENABLE_FEATURE_CLEAN_UP)
|
|
free(caps.data);
|
|
}
|
|
#endif /* FEATURE_SETPRIV_CAPABILITIES */
|
|
|
|
int setpriv_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
|
|
int setpriv_main(int argc UNUSED_PARAM, char **argv)
|
|
{
|
|
static const char setpriv_longopts[] ALIGN1 =
|
|
IF_FEATURE_SETPRIV_DUMP(
|
|
"dump\0" No_argument "d"
|
|
)
|
|
"nnp\0" No_argument "\xff"
|
|
"no-new-privs\0" No_argument "\xff"
|
|
IF_FEATURE_SETPRIV_CAPABILITIES(
|
|
"inh-caps\0" Required_argument "\xfe"
|
|
)
|
|
;
|
|
int opts;
|
|
IF_FEATURE_SETPRIV_CAPABILITIES(char *inh_caps;)
|
|
|
|
applet_long_options = setpriv_longopts;
|
|
opts = getopt32(argv, "+"IF_FEATURE_SETPRIV_DUMP("d")
|
|
IF_FEATURE_SETPRIV_CAPABILITIES("\xfe:", &inh_caps));
|
|
argv += optind;
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_DUMP
|
|
if (opts & OPT_DUMP) {
|
|
if (argv[0] || (opts - OPT_DUMP) != 0)
|
|
bb_show_usage();
|
|
return dump();
|
|
}
|
|
#endif
|
|
if (opts & OPT_NNP) {
|
|
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
|
|
bb_perror_msg_and_die("prctl: %s", "SET_NO_NEW_PRIVS");
|
|
}
|
|
|
|
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
|
if (opts & OPT_INH)
|
|
set_inh_caps(inh_caps);
|
|
#endif
|
|
|
|
if (!argv[0])
|
|
bb_show_usage();
|
|
BB_EXECVP_or_die(argv);
|
|
}
|