From bac59a32d06fce1477c920a3c8aad60f73ae9af9 Mon Sep 17 00:00:00 2001
From: brian
Date: Fri, 18 Aug 2000 00:01:44 +0000
Subject: Make -DNOSUID (or -DPPP_NOSUID) possible to build ppp without SUID capabilities.
---
 usr.sbin/ppp/Makefile | 20 ++++++++++++++++----
 usr.sbin/ppp/bundle.c | 5 +++++
 usr.sbin/ppp/chap.c | 2 ++
 usr.sbin/ppp/chat.c | 2 ++
 usr.sbin/ppp/command.c | 2 ++
 usr.sbin/ppp/exec.c | 2 ++
 usr.sbin/ppp/id.h | 38 ++++++++++++++++++++++++++++++++++++++
 usr.sbin/ppp/physical.c | 3 +++
 8 files changed, 70 insertions(+), 4 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/ppp/Makefile b/usr.sbin/ppp/Makefile
index fda3c44..2dc6da0 100644
--- a/usr.sbin/ppp/Makefile
+++ b/usr.sbin/ppp/Makefile
@@ -3,15 +3,19 @@
 PROG= ppp
 SRCS= acf.c arp.c async.c auth.c bundle.c cbcp.c ccp.c chap.c chat.c \
 command.c datalink.c deflate.c defs.c exec.c filter.c fsm.c hdlc.c \
- id.c iface.c ip.c ipcp.c iplist.c lcp.c link.c log.c lqr.c main.c \
+ iface.c ip.c ipcp.c iplist.c lcp.c link.c log.c lqr.c main.c \
 mbuf.c mp.c pap.c physical.c pred.c probe.c prompt.c proto.c route.c \
 server.c sig.c slcompress.c sync.c systems.c tcp.c throughput.c \
 timer.c tty.c tun.c udp.c vjcomp.c
 CFLAGS+=-Wall
 LDADD+= -lcrypt -lmd -lutil -lz
 DPADD+= ${LIBCRYPT} ${LIBMD} ${LIBUTIL} ${LIBZ}
+.if defined(NOSUID) || defined(PPP_NOSUID)
+BINMODE=554
+.else
 BINMODE=4554
 BINOWN= root
+.endif
 BINGRP= network
 MAN8= ppp.8
@@ -37,6 +41,14 @@ DPADD+= ${LIBALIAS}
 .endif
 .endif
+.if defined(NOSUID) || defined(PPP_NOSUID)
+CFLAGS+=-DNOSUID
+.else
+.if !defined(RELEASE_CRUNCH)
+SRCS+= id.c
+.endif
+.endif
+
 .if exists(${.CURDIR}/../../secure) && !defined(NOCRYPT) && !defined(NOSECURE) && !defined(NO_OPENSSL) && !defined(RELEASE_CRUNCH)
 DISTRIBUTION=crypto
 CFLAGS+=-DHAVE_DES
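Review bot: The install-mode block tests `defined(NOSUID) || defined(PPP_NOSUID)` and the same predicate is evaluated a second time further down where `-DNOSUID` is added to CFLAGS; two copies of one knob will drift the first time someone edits only one of them, and a binary installed 4554 but compiled with -DNOSUID (or the reverse) is exactly the mismatch this change is trying to avoid. Normalising once near the top, `.if defined(NOSUID)` / `PPP_NOSUID= yes` / `.endif`, and testing `.if defined(PPP_NOSUID)` at both sites keeps the mode and the compile flag in lockstep. A comment next to `BINMODE=554` saying what the operator gives up would also help: with no set-uid bit ppp presumably has to be started by root to do its device and routing work, and neither the Makefile nor the commit message says so.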
@@ -72,9 +84,9 @@ DPADD+= ${LIBNETGRAPH}
 .if defined(RELEASE_CRUNCH)
 # We must create these objects because crunchgen will link them,
 # and we don't want any unused symbols to spoil the final link.
-CFLAGS+=-DNONAT -DNORADIUS -DNOI4B
-OBJS+= chap_ms.o nat_cmd.o radius.o
-chap_ms.o nat_cmd.o radius.o:
+CFLAGS+=-DNONAT -DNORADIUS -DNOI4B -DNOSUID
+OBJS+= chap_ms.o id.o nat_cmd.o radius.o
+chap_ms.o id.o nat_cmd.o radius.o:
 >null_${.PREFIX}.c
 cc -c -o ${.TARGET} null_${.PREFIX}.c
 .endif
diff --git a/usr.sbin/ppp/bundle.c b/usr.sbin/ppp/bundle.c
index 00308c9..e6f8787 100644
--- a/usr.sbin/ppp/bundle.c
+++ b/usr.sbin/ppp/bundle.c
@@ -51,6 +51,9 @@
 #include
 #include
 #if defined(__FreeBSD__) && !defined(NOKLDLOAD)
+#ifdef NOSUID
+#include
+#endif
 #include
 #endif
 #include
@@ -1852,7 +1855,9 @@ bundle_setsid(struct bundle *bundle, int holdsession)
 waitpid(pid, &status, 0);
 /* Tweak our process arguments.... */
 SetTitle("session owner");
+#ifndef NOSUID
 setuid(ID0realuid());
+#endif
 /*
 * Hang around for a HUP. This should happen as soon as the
 * ppp that we passed our ctty descriptor to closes it.
diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 1eec6c3..277b728 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -254,7 +254,9 @@ chap_StartChild(struct chap *chap, char *prog, const char *name)
 }
 for (fd = getdtablesize(); fd > STDERR_FILENO; fd--)
 fcntl(fd, F_SETFD, 1);
+#ifndef NOSUID
 setuid(ID0realuid());
+#endif
 command_Expand(nargv, argc, (char const *const *)argv,
 chap->auth.physical->dl->bundle, 0, pid);
 execvp(nargv[0], nargv);
diff --git a/usr.sbin/ppp/chat.c b/usr.sbin/ppp/chat.c
index 2264df8..662e480 100644
--- a/usr.sbin/ppp/chat.c
+++ b/usr.sbin/ppp/chat.c
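Review bot: In the chap.c hunk (chap_StartChild) the privilege drop that precedes `execvp(nargv[0], nargv)` is still unchecked in the set-uid build: `setuid(ID0realuid())` can fail (EPERM, and EAGAIN on some systems), and when it does the child goes on to exec the configured authentication helper as root. The child already treats exec failure as fatal, so the drop should be fatal too, `if (setuid(ID0realuid()) == -1) _exit(127);`, kept inside the new `#ifndef NOSUID` guard. The same unchecked call sits in the bundle_setsid hunk above and in the chat.c, command.c and exec.c hunks of this commit. chap_StartChild starts before this hunk and continues after it.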
@@ -733,7 +733,9 @@ ExecStr(struct physical *physical, char *command, char *out, int olen)
 open(_PATH_DEVNULL, O_RDWR); /* Leave it closed if it fails... */
 for (i = getdtablesize(); i > 3; i--)
 fcntl(i, F_SETFD, 1);
+#ifndef NOSUID
 setuid(ID0realuid());
+#endif
 execvp(argv[0], argv);
 fprintf(stderr, "execvp: %s: %s\n", argv[0], strerror(errno));
 _exit(127);
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 56849f1..10790ae 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -519,7 +519,9 @@ ShellCommand(struct cmdargs const *arg, int bg)
 for (i = getdtablesize(); i > STDERR_FILENO; i--)
 fcntl(i, F_SETFD, 1);
+#ifndef NOSUID
 setuid(ID0realuid());
+#endif
 if (arg->argc > arg->argn) {
 /* substitute pseudo args */
 char *argv[MAXARGS];
diff --git a/usr.sbin/ppp/exec.c b/usr.sbin/ppp/exec.c
index 898d143..1ca9665 100644
--- a/usr.sbin/ppp/exec.c
+++ b/usr.sbin/ppp/exec.c
@@ -137,7 +137,9 @@ exec_Create(struct physical *p)
 close(pidpipe[0]);
 close(fids[0]);
 timer_TermService();
+#ifndef NOSUID
 setuid(ID0realuid());
+#endif
 child_status = 0;
 switch ((pid = vfork())) {
diff --git a/usr.sbin/ppp/id.h b/usr.sbin/ppp/id.h
index 8c48767..409da49 100644
--- a/usr.sbin/ppp/id.h
+++ b/usr.sbin/ppp/id.h
@@ -26,6 +26,7 @@
 * $FreeBSD$
 */
+#ifndef NOSUID
 struct utmp;
 struct sockaddr_un;
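Review bot: In the command.c hunk (ShellCommand) the `setuid(ID0realuid())` that the new `#ifndef NOSUID` guard wraps is the one whose silent failure would matter most: the function is building an `argv` from user-supplied command arguments and, judging by the close-on-exec loop, is presumably about to exec them in a child, so on EPERM that command or shell would inherit root in the set-uid build. The guarded line should fail closed, `if (setuid(ID0realuid()) == -1) _exit(1);` (or whatever error path the rest of the function uses). Guarding the call with `#ifndef NOSUID` is correct for a build that never had privilege, but it also means a non-SUID binary that someone later installs set-uid by hand keeps root in every spawned child, which is worth a comment at the guard. ShellCommand starts before this hunk and continues after it.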
@@ -51,3 +52,40 @@ extern int ID0kldload(const char *);
 #ifndef NONETGRAPH
 extern int ID0NgMkSockNode(const char *, int *, int *);
 #endif
+#else /* NOSUID */
+#define ID0init()
+#define ID0realuid() (0)
+#define ID0ioctl ioctl
+#define ID0unlink unlink
+#define ID0socket socket
+#define ID0fopen fopen
+#define ID0open open
+#define ID0write write
+#define ID0uu_lock uu_lock
+#define ID0uu_lock_txfr uu_lock_txfr
+#define ID0uu_unlock uu_unlock
+#define ID0login(u) \
+ do { \
+ if (logout((u)->ut_line)) \
+ logwtmp((u)->ut_line, "", ""); \
+ login(u); \
+ } while (0)
+#define ID0logout(dev, no) \
+ do { \
+ struct utmp ut; \
+ strncpy(ut.ut_line, dev, sizeof ut.ut_line - 1); \
+ ut.ut_line[sizeof ut.ut_line - 1] = '\0'; \
+ if (no || logout(ut.ut_line)) \
+ logwtmp(ut.ut_line, "", ""); \
+ } while (0)
+#define ID0bind_un(s, n) bind(s, (const struct sockaddr *)(n), sizeof *(n))
+#define ID0connect_un(s, n) \
+ connect(s, (const struct sockaddr *)(n), sizeof *(n))
+#define ID0kill kill
+#if defined(__FreeBSD__) && !defined(NOKLDLOAD)
+#define ID0kldload kldload
+#endif
+#ifndef NONETGRAPH
+#define ID0NgMkSockNode NgMkSockNode
+#endif
+#endif
diff --git a/usr.sbin/ppp/physical.c b/usr.sbin/ppp/physical.c
index ab0fb53..30fed48 100644
--- a/usr.sbin/ppp/physical.c
+++ b/usr.sbin/ppp/physical.c
@@ -29,6 +29,9 @@
 #include
 #include
 #include
+#ifdef NOSUID
+#include
+#endif
 #include
 #include
 #include
-- 
cgit v1.1
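Review bot: `#define ID0realuid() (0)` in the NOSUID branch of id.h changes what the name means: the real uid of a binary that is not set-uid is whoever started it, not 0, so any caller that still uses ID0realuid() and compares it against 0 to decide whether the invoking user is privileged (if such a caller exists elsewhere in ppp) would now treat every user as root. `#define ID0realuid() getuid()` costs the same, is truthful, and has the side benefit that `setuid(getuid())` is a harmless no-op for an unprivileged process, so the five `#ifndef NOSUID` guards this commit puts around those calls would not be needed at all. The function-name macros (`ID0open`, `ID0ioctl`, `ID0login`, …) only work if the system headers declaring the real functions are included before any use, which is presumably why bundle.c and physical.c gain extra includes under NOSUID; a one-line comment at `#else /* NOSUID */` stating that ordering requirement would save the next file that includes id.h from a confusing implicit-declaration error. ID0logout is fine on termination (it copies at most `sizeof ut.ut_line - 1` bytes and NUL-terminates), and only ut_line of the uninitialised `ut` is read.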