This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 273708295b5553f174b27101a33c7d1402e4eb78 (commit) via 157d64250a170b905cb440dd6968f7ba6cbaf988 (commit) via 37fe3658a04f200732651ae997ff408efd7a92f6 (commit) via 354c3e2b45d9b3e51a29c8632bd18deb603a811f (commit) via 64883513d5940c17afe2fcf1d876feae61921ea9 (commit) via 8e4b2125ccfd005c30adb9c568f2103bbc36bdb7 (commit) via 84de1f087c8a3bb0b5ca58503101f95117a69cf0 (commit) via 14dc1c68f75b2ea70c0acfc55c1c168cc1ba8dff (commit) via 5efedb5487fa6fcc771c03bb9f15b5cb2412416c (commit) via c651dd9b6b2e00fb10d1ca1a99cf9efaec42df19 (commit) via cf9efe511a403f9dba38340bf9c89bc1d30776f5 (commit) via db984059b22a4680046df31579b44fa05c8264d5 (commit) via 6733d973d663968e1d642c18b3a0fe6526f07252 (commit) via c33f477f5bf1942f70dfaeff793e3d553afe4960 (commit) via ca060524a79e6d9d874b82f081e8c98d1abe4ff1 (commit) via 5d482a74faf4732db7c77ee693a2bc65e0b81a7a (commit) via d9f9f16366d6a8332d5fd8e864d1a9c552db1387 (commit) from 29156d15f637faa7b5a23c797f0b0cd858a300ff (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 273708295b5553f174b27101a33c7d1402e4eb78
Author: Adolf Belka adolf.belka@ipfire.org
Date: Wed Jan 27 21:14:44 2021 +0100
sudo: Upgrade to 1.9.5p2
- Update sudo from 1.9.5p1 to 1.9.5p2
- Major changes between version 1.9.5p2 and 1.9.5p1:
    Fixed sudo's setprogname(3) emulation on systems that don't provide it.
    Fixed a problem with the sudoers log server client where a partial write to the server could result in the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954.
    Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically.
    The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache.
    When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.
    Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.
- No change to rootfile
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 157d64250a170b905cb440dd6968f7ba6cbaf988
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu Jan 7 12:13:30 2021 +0000
misc-progs: addonctrl: Replace all sprintf() with snprintf()
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 37fe3658a04f200732651ae997ff408efd7a92f6
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 14:38:03 2021 +0000
samba: Add helper script to pipe password
It is complicated to set the password in the C helper binary.
Therefore it is being set by a helper script.
This is still not an optimal solution since the password might be exposed to the shell environment, but has the advantage that shell command injection is no longer possible.
Fixes: #12562
Reported-by: Albert Schwarzkopf ipfire@quitesimple.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 354c3e2b45d9b3e51a29c8632bd18deb603a811f
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 12:00:32 2021 +0000
samba: Remove option to choose user group and shell
There is no need for this being implemented and it is dangerous to allow the user to create any shell accounts or users that belong to groups with higher privileges.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 64883513d5940c17afe2fcf1d876feae61921ea9
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:56:08 2021 +0000
misc-progs: sambactrl: Sanitise username
Fixes: #12562
Reported-by: Albert Schwarzkopf ipfire@quitesimple.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 8e4b2125ccfd005c30adb9c568f2103bbc36bdb7
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:52:39 2021 +0000
misc-progs: sambactrl: Remove unused smbsafeconfpdc command
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 84de1f087c8a3bb0b5ca58503101f95117a69cf0
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:49:04 2021 +0000
misc-progs: sshctrl: Sanitise runtime for "tempstart"
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 14dc1c68f75b2ea70c0acfc55c1c168cc1ba8dff
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:45:20 2021 +0000
misc-progs: smartctrl: Sanitise device name
Fixes: #12562
Reported-by: Albert Schwarzkopf ipfire@quitesimple.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 5efedb5487fa6fcc771c03bb9f15b5cb2412416c
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:42:06 2021 +0000
misc-progs: mpfirectrl: Use new run() function
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c651dd9b6b2e00fb10d1ca1a99cf9efaec42df19
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:39:46 2021 +0000
misc-progs: extrahdctrl: Use new run() function
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cf9efe511a403f9dba38340bf9c89bc1d30776f5
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:34:50 2021 +0000
misc-progs: addonctrl: Sanitise add-on names before use
Fixes: #12562
Reported-by: Albert Schwarzkopf ipfire@quitesimple.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit db984059b22a4680046df31579b44fa05c8264d5
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:34:31 2021 +0000
misc-progs: Add functions to sanitise input arguments
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6733d973d663968e1d642c18b3a0fe6526f07252
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:18:33 2021 +0000
misc-progs: pakfire: Use new run() function
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c33f477f5bf1942f70dfaeff793e3d553afe4960
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:17:53 2021 +0000
misc-progs: backupctrl: Use new run() function
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ca060524a79e6d9d874b82f081e8c98d1abe4ff1
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jan 6 11:15:47 2021 +0000
misc-progs: Introduce run()
This function invokes a new command similar to safe_system() but without launching a shell before.
That way, it is possible to execute commands without any risk of shell command injection from nobody.
Fixes: #12562
Reported-by: Albert Schwarzkopf ipfire@quitesimple.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 5d482a74faf4732db7c77ee693a2bc65e0b81a7a
Author: Michael Tremer michael.tremer@ipfire.org
Date: Tue Jan 5 16:55:25 2021 +0000
core154: Manually set capabilities for etherwake
The changes are not available in the running instance of pakfire and tar.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d9f9f16366d6a8332d5fd8e864d1a9c552db1387
Author: Michael Tremer michael.tremer@ipfire.org
Date: Tue Jan 5 16:01:56 2021 +0000
Drop launch-ether-wake
The helper binary is being dropped and etherwake is enabled for CAP_NET_RAW. This allows execution by unprivileged users as needed by the web user interface (nobody).
Reported-by: Albert Schwarzkopf ipfire@quitesimple.org
Fixes: #12562
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/misc-progs | 1 -
 config/rootfiles/core/154/filelists/etherwake | 1 +
 config/rootfiles/core/154/filelists/files | 1 +
 config/rootfiles/core/154/update.sh | 4 +
 config/rootfiles/packages/aarch64/samba | 1 +
 config/rootfiles/packages/armv5tel/samba | 1 +
 config/rootfiles/packages/i586/samba | 1 +
 config/rootfiles/packages/x86_64/samba | 1 +
 .../samba/samba-change-password | 23 ++--
 html/cgi-bin/samba.cgi | 14 +--
 html/cgi-bin/wakeonlan.cgi | 2 +-
 lfs/etherwake | 4 +
 lfs/samba | 3 +
 lfs/sudo | 4 +-
 src/misc-progs/Makefile | 2 +-
 src/misc-progs/addonctrl.c | 40 +++----
 src/misc-progs/backupctrl.c | 35 +-----
 src/misc-progs/extrahdctrl.c | 16 +--
 src/misc-progs/launch-ether-wake.c | 37 -------
 src/misc-progs/mpfirectrl.c | 30 +----
 src/misc-progs/pakfire.c | 21 +---
 src/misc-progs/sambactrl.c | 40 ++++---
 src/misc-progs/setuid.c | 123 ++++++++++++++++-----
 src/misc-progs/setuid.h | 5 +-
 src/misc-progs/smartctrl.c | 5 +
 src/misc-progs/sshctrl.c | 5 +
 26 files changed, 204 insertions(+), 216 deletions(-)
 create mode 120000 config/rootfiles/core/154/filelists/etherwake
 copy src/paks/netatalk/uninstall.sh => config/samba/samba-change-password (82%)
 delete mode 100644 src/misc-progs/launch-ether-wake.c
Difference in files: diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index a335dba7a..d6594b3f8 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -13,7 +13,6 @@ usr/local/bin/getipstat #usr/local/bin/iowrap usr/local/bin/ipfirereboot usr/local/bin/ipsecctrl -usr/local/bin/launch-ether-wake usr/local/bin/logwatch #usr/local/bin/mpfirectrl usr/local/bin/openvpnctrl diff --git a/config/rootfiles/core/154/filelists/etherwake b/config/rootfiles/core/154/filelists/etherwake new file mode 120000 index 000000000..1bf1e6a54 --- /dev/null +++ b/config/rootfiles/core/154/filelists/etherwake @@ -0,0 +1 @@ +../../../common/etherwake \ No newline at end of file diff --git a/config/rootfiles/core/154/filelists/files b/config/rootfiles/core/154/filelists/files index b4ab41790..4f8d4e92b 100644 --- a/config/rootfiles/core/154/filelists/files +++ b/config/rootfiles/core/154/filelists/files @@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/remote.cgi srv/web/ipfire/cgi-bin/services.cgi +srv/web/ipfire/cgi-bin/wakeonlan.cgi srv/web/ipfire/cgi-bin/wirelessclient.cgi usr/local/bin/ipsec-interfaces usr/local/bin/sshctrl diff --git a/config/rootfiles/core/154/update.sh b/config/rootfiles/core/154/update.sh index a1523f742..143f828c7 100644 --- a/config/rootfiles/core/154/update.sh +++ b/config/rootfiles/core/154/update.sh @@ -33,6 +33,7 @@ done
# Remove files rm -vf \ + /usr/local/bin/launch-ether-wake \ /usr/local/bin/upnpctrl
# Stop services @@ -43,6 +44,9 @@ extract_files # update linker config ldconfig
+# Manually set capabilities +setcap cap_net_raw+ep /usr/sbin/etherwake + # Update Language cache /usr/local/bin/update-lang-cache
diff --git a/config/rootfiles/packages/aarch64/samba b/config/rootfiles/packages/aarch64/samba index 9d88cbacf..c49d544e6 100644 --- a/config/rootfiles/packages/aarch64/samba +++ b/config/rootfiles/packages/aarch64/samba @@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so usr/libexec/samba/smbspool_krb5_wrapper usr/sbin/eventlogadm usr/sbin/nmbd +usr/sbin/samba-change-password usr/sbin/samba-gpupdate usr/sbin/smbd usr/sbin/winbindd diff --git a/config/rootfiles/packages/armv5tel/samba b/config/rootfiles/packages/armv5tel/samba index fa039f604..5f208b03e 100644 --- a/config/rootfiles/packages/armv5tel/samba +++ b/config/rootfiles/packages/armv5tel/samba @@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so usr/libexec/samba/smbspool_krb5_wrapper usr/sbin/eventlogadm usr/sbin/nmbd +usr/sbin/samba-change-password usr/sbin/samba-gpupdate usr/sbin/smbd usr/sbin/winbindd diff --git a/config/rootfiles/packages/i586/samba b/config/rootfiles/packages/i586/samba index 1f406cc71..56ec3822b 100644 --- a/config/rootfiles/packages/i586/samba +++ b/config/rootfiles/packages/i586/samba @@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so usr/libexec/samba/smbspool_krb5_wrapper usr/sbin/eventlogadm usr/sbin/nmbd +usr/sbin/samba-change-password usr/sbin/samba-gpupdate usr/sbin/smbd usr/sbin/winbindd diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba index 2df36e438..37b1ff137 100644 --- a/config/rootfiles/packages/x86_64/samba +++ b/config/rootfiles/packages/x86_64/samba @@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so usr/libexec/samba/smbspool_krb5_wrapper usr/sbin/eventlogadm usr/sbin/nmbd +usr/sbin/samba-change-password usr/sbin/samba-gpupdate usr/sbin/smbd usr/sbin/winbindd diff --git a/config/samba/samba-change-password b/config/samba/samba-change-password new file mode 100644 index 000000000..06f783e52 --- /dev/null +++ b/config/samba/samba-change-password 
@@ -0,0 +1,37 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2021 IPFire Team info@ipfire.org # +# # +############################################################################ + +main() { + local username="${1}" + local password="${2}" + + # Change password UNIX account + printf -- "${username}:${password}\n" | chpasswd + + # Change SMB password + printf -- "${password}\n${password}\n" | smbpasswd -as "${username}" + + return 0 +} + +main "$@" || exit "$?" diff --git a/html/cgi-bin/samba.cgi b/html/cgi-bin/samba.cgi index 6a61300a2..4e0f14a01 100644 --- a/html/cgi-bin/samba.cgi +++ b/html/cgi-bin/samba.cgi @@ -87,7 +87,7 @@ delete $sambasettings{'__CGI__'};delete $sambasettings{'x'};delete $sambasetting
if ($sambasettings{'ACTION'} eq 'smbuserdisable'){system("/usr/local/bin/sambactrl smbuserdisable $sambasettings{'NAME'}");} if ($sambasettings{'ACTION'} eq 'smbuserenable'){system("/usr/local/bin/sambactrl smbuserenable $sambasettings{'NAME'}");} -if ($sambasettings{'ACTION'} eq 'smbuseradd'){system("/usr/local/bin/sambactrl smbuseradd $sambasettings{'USERNAME'} $sambasettings{'PASSWORD'} $sambasettings{'GROUP'} $sambasettings{'SHELL'}");} +if ($sambasettings{'ACTION'} eq 'smbuseradd'){system("/usr/local/bin/sambactrl smbuseradd $sambasettings{'USERNAME'} $sambasettings{'PASSWORD'}");} if ($sambasettings{'ACTION'} eq 'smbchangepw'){system("/usr/local/bin/sambactrl smbchangepw $sambasettings{'USERNAME'} $sambasettings{'PASSWORD'}");} if ($sambasettings{'ACTION'} eq 'smbrestart'){system("/usr/local/bin/sambactrl smbrestart");} if ($sambasettings{'ACTION'} eq 'smbstart'){system("/usr/local/bin/sambactrl smbstart");} @@ -482,18 +482,6 @@ END <input type='password' name='PASSWORD' value='$password' size='30' /> </td> </tr> - <tr> - <td align='left'>$Lang::tr{'unix group'}</td> - <td> - <input type='text' name='GROUP' value='sambauser' size='30' /> - </td> - </tr> - <tr> - <td align='left'>$Lang::tr{'unix shell'}</td> - <td> - <input type='text' name='SHELL' value='/bin/false' size='30' /> - </td> - </tr> <tr> <td colspan='2' align='center'> <input type='hidden' name='ACTION' value='smbuseradd'> diff --git a/html/cgi-bin/wakeonlan.cgi b/html/cgi-bin/wakeonlan.cgi index bb55add70..1f7fde54a 100644 --- a/html/cgi-bin/wakeonlan.cgi +++ b/html/cgi-bin/wakeonlan.cgi @@ -171,7 +171,7 @@ if ( $cgiparams{'ACTION'} eq 'wakeup' )
undef %cgiparams;
- system("/usr/local/bin/launch-ether-wake $mac $iface"); + system("/usr/sbin/etherwake -i $iface $mac");
# make a box with info, 'refresh' to normal screen after 5 seconds if ( $refresh eq 'yes' ) diff --git a/lfs/etherwake b/lfs/etherwake index c133ed12a..3aa961ce2 100644 --- a/lfs/etherwake +++ b/lfs/etherwake @@ -72,5 +72,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install + + # Allow execution by other users than root + setcap cap_net_raw+ep /usr/sbin/etherwake + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/samba b/lfs/samba index f57a04737..07e0c601b 100644 --- a/lfs/samba +++ b/lfs/samba @@ -114,6 +114,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mkdir -p /var/spool/samba chmod -v 1777 /var/spool/samba/
+ # Install password change helper script + install -m 755 $(DIR_SRC)/config/samba/samba-change-password /usr/sbin/samba-change-password + #install initscripts $(call INSTALL_INITSCRIPT,samba)
diff --git a/lfs/sudo b/lfs/sudo index feba249cd..bb2279e8f 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@
include Config
-VER = 1.9.5p1 +VER = 1.9.5p2
THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 145f6e69c116f82cf0377ccf459344eb +$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5
install : $(TARGET)
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 896b1e916..7c3ef7529 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -27,7 +27,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl suricatactrl \ rebuildhosts backupctrl collectdctrl \ logwatch wioscan wiohelper openvpnctrl firewallctrl \ - wirelessctrl getipstat qosctrl launch-ether-wake \ + wirelessctrl getipstat qosctrl \ redctrl syslogdctrl extrahdctrl sambactrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ diff --git a/src/misc-progs/addonctrl.c b/src/misc-progs/addonctrl.c index 53e0a55f2..9645cee18 100644 --- a/src/misc-progs/addonctrl.c +++ b/src/misc-progs/addonctrl.c @@ -15,9 +15,8 @@
#define BUFFER_SIZE 1024
-char command[BUFFER_SIZE]; - int main(int argc, char *argv[]) { + char command[BUFFER_SIZE];
if (!(initsetuid())) exit(1); 
@@ -26,48 +25,51 @@ int main(int argc, char *argv[]) { fprintf(stderr, "\nMissing arguments.\n\naddonctrl addon (start|stop|restart|reload|enable|disable)\n\n"); exit(1); } + + const char* name = argv[1]; - if ( strlen(argv[1])>32 ) { + if (strlen(name) > 32) { fprintf(stderr, "\nString to large.\n\naddonctrl addon (start|stop|restart|reload|enable|disable)\n\n"); exit(1); } - - if ( strchr(argv[1],'/') || strchr(argv[1],'$') || strchr(argv[1],'[') || strchr(argv[1],'{') ) { - fprintf(stderr, "\nIllegal Char found.\n\naddonctrl addon (start|stop|restart|reload|enable|disable)\n\n"); - exit(1); + + // Check if the input argument is valid + if (!is_valid_argument_alnum(name)) { + fprintf(stderr, "Invalid add-on name: %s\n", name); + exit(2); } - - sprintf(command, "/opt/pakfire/db/installed/meta-%s", argv[1]); + + sprintf(command, "/opt/pakfire/db/installed/meta-%s", name); FILE *fp = fopen(command,"r"); if ( fp ) { fclose(fp); } else { - fprintf(stderr, "\nAddon '%s' not found.\n\naddonctrl addon (start|stop|restart|reload|status|enable|disable)\n\n", argv[1]); + fprintf(stderr, "\nAddon '%s' not found.\n\naddonctrl addon (start|stop|restart|reload|status|enable|disable)\n\n", name); exit(1); } - + if (strcmp(argv[2], "start") == 0) { - sprintf(command,"/etc/rc.d/init.d/%s start", argv[1]); + snprintf(command, BUFFER_SIZE - 1, "/etc/rc.d/init.d/%s start", name); safe_system(command); } else if (strcmp(argv[2], "stop") == 0) { - sprintf(command,"/etc/rc.d/init.d/%s stop", argv[1]); + snprintf(command, BUFFER_SIZE - 1, "/etc/rc.d/init.d/%s stop", name); safe_system(command); } else if (strcmp(argv[2], "restart") == 0) { - sprintf(command,"/etc/rc.d/init.d/%s restart", argv[1]); + snprintf(command, BUFFER_SIZE - 1, "/etc/rc.d/init.d/%s restart", name); safe_system(command); } else if (strcmp(argv[2], "reload") == 0) { - sprintf(command,"/etc/rc.d/init.d/%s reload", argv[1]); + snprintf(command, BUFFER_SIZE - 1, "/etc/rc.d/init.d/%s reload", name); safe_system(command); 
} else if (strcmp(argv[2], "status") == 0) { - sprintf(command,"/etc/rc.d/init.d/%s status", argv[1]); + snprintf(command, BUFFER_SIZE - 1, "/etc/rc.d/init.d/%s status", name); safe_system(command); } else if (strcmp(argv[2], "enable") == 0) { - sprintf(command,"mv -f /etc/rc.d/rc3.d/off/S??%s /etc/rc.d/rc3.d" , argv[1]); + snprintf(command, BUFFER_SIZE - 1, "mv -f /etc/rc.d/rc3.d/off/S??%s /etc/rc.d/rc3.d" , name); safe_system(command); } else if (strcmp(argv[2], "disable") == 0) { - sprintf(command,"mkdir -p /etc/rc.d/rc3.d/off"); + snprintf(command, BUFFER_SIZE - 1, "mkdir -p /etc/rc.d/rc3.d/off"); safe_system(command); - sprintf(command,"mv -f /etc/rc.d/rc3.d/S??%s /etc/rc.d/rc3.d/off" , argv[1]); + snprintf(command, BUFFER_SIZE - 1, "mv -f /etc/rc.d/rc3.d/S??%s /etc/rc.d/rc3.d/off" , name); safe_system(command); } else { fprintf(stderr, "\nBad argument given.\n\naddonctrl addon (start|stop|restart|reload|enable|disable)\n\n"); diff --git a/src/misc-progs/backupctrl.c b/src/misc-progs/backupctrl.c index 00c8d5b86..0a85141ca 100644 --- a/src/misc-progs/backupctrl.c +++ b/src/misc-progs/backupctrl.c @@ -5,40 +5,11 @@ * */
-#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> #include "setuid.h"
-int main(int argc, char *argv[]) { - int i; - char command[STRING_SIZE] = "/var/ipfire/backup/bin/backup.pl"; - char temp[STRING_SIZE]; - - if (!(initsetuid())) +int main(int argc, char** argv) { + if (!initsetuid()) exit(1);
- for (i = 1; i < argc; i++) { - if (strstr(argv[i], "&&")){ - fprintf (stderr, "Bad Argument!\n"); - exit (1); - - } else if (strstr(argv[i], "|")) { - fprintf (stderr, "Bad Argument!\n"); - exit (1); - - } else if (argc > 3) { - fprintf (stderr, "Too Many Arguments!\n"); - exit (1); - - } else { - snprintf(temp, STRING_SIZE, "%s %s", command, argv[i]); - snprintf(command, STRING_SIZE, "%s", temp); - } - } - - return safe_system(command); + return run("/var/ipfire/backup/bin/backup.pl", argv); } diff --git a/src/misc-progs/extrahdctrl.c b/src/misc-progs/extrahdctrl.c index 1d5b96019..49a25387f 100644 --- a/src/misc-progs/extrahdctrl.c +++ b/src/misc-progs/extrahdctrl.c @@ -5,21 +5,11 @@ * */
-#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> #include "setuid.h"
-int main(int argc, char *argv[]) { - - char command[512]; - if (!(initsetuid())) +int main(int argc, char** argv) { + if (!initsetuid()) exit(1);
- snprintf(command, 512, "/var/ipfire/extrahd/bin/extrahd.pl %s %s", argv[1], argv[2]); - safe_system("chmod 755 /var/ipfire/extrahd/bin/extrahd.pl 2>&1 >/dev/null"); - safe_system(command); + return run("/var/ipfire/extrahd/bin/extrahd.pl", argv); } diff --git a/src/misc-progs/launch-ether-wake.c b/src/misc-progs/launch-ether-wake.c deleted file mode 100644 index cac4d3c3f..000000000 --- a/src/misc-progs/launch-ether-wake.c +++ /dev/null @@ -1,37 +0,0 @@ -/* This file is part of the Wake-on-LAN GUI AddOn - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * Copyright (C) 2006-03-03 weizen_42 - * - * - */ - -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/types.h> -#include <fcntl.h> -#include "setuid.h" - - -#define BUFFER_SIZE 512 - -char command[BUFFER_SIZE]; - -int main(int argc, char *argv[]) -{ - if (!(initsetuid())) - exit(1); - - snprintf(command, BUFFER_SIZE-1, "/usr/sbin/etherwake -i %s %s", argv[2], argv[1]); - safe_system(command); - - /* Send magic packet with broadcast flag set. */ - snprintf(command, BUFFER_SIZE-1, "/usr/sbin/etherwake -i %s -b %s", argv[2], argv[1]); - safe_system(command); - - return(0); -} diff --git a/src/misc-progs/mpfirectrl.c b/src/misc-progs/mpfirectrl.c index 07b3e8f5c..a71789c0f 100644 --- a/src/misc-progs/mpfirectrl.c +++ b/src/misc-progs/mpfirectrl.c @@ -5,35 +5,11 @@ * */
-#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> #include "setuid.h"
-int main(int argc, char *argv[]) { - int i; - char command[1024]; - char add[STRING_SIZE]; - - if (!(initsetuid())) +int main(int argc, char** argv) { + if (!initsetuid()) exit(1);
- snprintf(command, STRING_SIZE, "/var/ipfire/mpfire/bin/mpfire.pl"); - - for (i = 1; i < argc; i++) { - if (strstr(argv[i], "&&")){ - fprintf (stderr, "Bad Argument!\n"); - exit (1); - } - else if (strstr(argv[i], "|")){ - fprintf (stderr, "Bad Argument!\n"); - exit (1); - } - sprintf(add, " %s", argv[i]); - strcat(command, add); - } - return safe_system(command); + return run("/var/ipfire/mpfire/bin/mpfire.pl", argv); } diff --git a/src/misc-progs/pakfire.c b/src/misc-progs/pakfire.c index fe6edfc32..93a18e604 100644 --- a/src/misc-progs/pakfire.c +++ b/src/misc-progs/pakfire.c @@ -5,26 +5,11 @@ * */
-#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> #include "setuid.h"
-int main(int argc, char *argv[]) { - int i; - char command[STRING_SIZE] = "/opt/pakfire/pakfire"; - char temp[STRING_SIZE]; - - if (!(initsetuid())) +int main(int argc, char** argv) { + if (!initsetuid()) exit(1);
- for (i = 1; i < argc; i++) { - snprintf(temp, STRING_SIZE, "%s %s", command, argv[i]); - snprintf(command, STRING_SIZE, "%s", temp); - } - - return safe_system(command); + return run("/opt/pakfire/pakfire", argv); } diff --git a/src/misc-progs/sambactrl.c b/src/misc-progs/sambactrl.c index 91761a422..9753492f6 100644 --- a/src/misc-progs/sambactrl.c +++ b/src/misc-progs/sambactrl.c @@ -20,14 +20,29 @@ int main(int argc, char *argv[]) { return 1;
} else if (strcmp(argv[1], "smbuserdisable") == 0) { + if (!is_valid_argument_alnum(argv[2])) { + fprintf(stderr, "Invalid username '%s'\n", argv[2]); + exit(2); + } + snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -d %s >/dev/null", argv[2]); safe_system(command);
} else if (strcmp(argv[1], "smbuserenable") == 0) { + if (!is_valid_argument_alnum(argv[2])) { + fprintf(stderr, "Invalid username '%s'\n", argv[2]); + exit(2); + } + snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -e %s >/dev/null", argv[2]); safe_system(command);
} else if (strcmp(argv[1], "smbuserdelete") == 0) { + if (!is_valid_argument_alnum(argv[2])) { + fprintf(stderr, "Invalid username '%s'\n", argv[2]); + exit(2); + } + snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -x %s >/dev/null", argv[2]); safe_system(command);
@@ -37,9 +52,6 @@ int main(int argc, char *argv[]) { } else if (strcmp(argv[1], "smbsafeconf") == 0) { safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf");
- } else if (strcmp(argv[1], "smbsafeconfpdc") == 0) { - safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/pdc /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf"); - } else if (strcmp(argv[1], "smbstop") == 0) { safe_system("/etc/rc.d/init.d/samba stop >/dev/null"); safe_system("/usr/local/bin/sambactrl disable"); @@ -59,24 +71,26 @@ int main(int argc, char *argv[]) { safe_system(command);
} else if (strcmp(argv[1], "smbuseradd") == 0) { - snprintf(command, BUFFER_SIZE-1, "/usr/sbin/groupadd sambauser >/dev/null"); - safe_system(command); + if (!is_valid_argument_alnum(argv[2])) { + fprintf(stderr, "Invalid username '%s'\n", argv[2]); + exit(2); + }
- snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -m -g %s -s %s %s >/dev/null", argv[4], argv[5], argv[2]); + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/groupadd sambauser >/dev/null"); safe_system(command);
- snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]); + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -m -g sambauser -s /bin/false %s >/dev/null", argv[2]); safe_system(command);
- snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]); - safe_system(command); + run("/usr/sbin/samba-change-password", argv + 1);
} else if (strcmp(argv[1], "smbchangepw") == 0) { - snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]); - safe_system(command); + if (!is_valid_argument_alnum(argv[2])) { + fprintf(stderr, "Invalid username '%s'\n", argv[2]); + exit(2); + }
- snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]); - safe_system(command); + run("/usr/sbin/samba-change-password", argv + 1);
} else if (strcmp(argv[1], "readsmbpasswd") == 0) { safe_system("/bin/chown root:nobody /var/ipfire/samba/private >/dev/null"); diff --git a/src/misc-progs/setuid.c b/src/misc-progs/setuid.c index e54b5d3ab..efd181ad8 100644 --- a/src/misc-progs/setuid.c +++ b/src/misc-progs/setuid.c @@ -20,6 +20,7 @@ * */
+#include <ctype.h> #include <stdio.h> #include <string.h> #include <errno.h> @@ -41,6 +42,8 @@ #define OPEN_MAX 256 #endif
+#define MAX_ARGUMENTS 128 + /* Trusted environment for executing commands */ char * trusted_env[4] = { "PATH=/usr/bin:/usr/sbin:/sbin:/bin", @@ -49,37 +52,40 @@ char * trusted_env[4] = { NULL };
-/* Spawns a child process that uses /bin/sh to interpret a command. - * This is much the same in use and purpose as system(), yet as it uses execve - * to pass a trusted environment it's immune to attacks based upon changing - * IFS, ENV, BASH_ENV and other such variables. - * Note this does NOT guard against any other attacks, inparticular you MUST - * validate the command you are passing. If the command is formed from user - * input be sure to check this input is what you expect. Nasty things can - * happen if a user can inject ; or `` into your command for example */ -int safe_system(char* command) { - return system_core(command, 0, 0, "safe_system"); -} - -/* Much like safe_system but lets you specify a non-root uid and gid to run - * the command as */ -int unpriv_system(char* command, uid_t uid, gid_t gid) { - return system_core(command, uid, gid, "unpriv_system"); -} - -int system_core(char* command, uid_t uid, gid_t gid, char *error) { +static int system_core(char* command, char** args, uid_t uid, gid_t gid, char *error) { int pid, status;
+ char* argv[MAX_ARGUMENTS + 1]; + unsigned int argc = 0; + if(!command) return 1;
+#if 0 + // Add command as first element to argv + argv[argc++] = command; +#endif + + // Add all other arguments + if (args) { + while (*args) { + argv[argc++] = *args++; + + // Break when argv is full + if (argc >= MAX_ARGUMENTS) { + return 2; + } + } + } + + // Make sure that argv is NULL-terminated + argv[argc] = NULL; + switch(pid = fork()) { case -1: return -1;
case 0: /* child */ { - char *argv[4]; - if (gid && setgid(gid)) { fprintf(stderr, "%s: ", error); perror("Couldn't setgid"); @@ -92,11 +98,8 @@ int system_core(char* command, uid_t uid, gid_t gid, char *error) { exit(127); }
- argv[0] = "sh"; - argv[1] = "-c"; - argv[2] = command; - argv[3] = NULL; - execve("/bin/sh", argv, trusted_env); + execve(command, argv, trusted_env); + fprintf(stderr, "%s: ", error); perror("execve failed"); exit(127); @@ -115,6 +118,35 @@ int system_core(char* command, uid_t uid, gid_t gid, char *error) {
}
+int run(char* command, char** argv) { + return system_core(command, argv, 0, 0, "run"); +} + +/* Spawns a child process that uses /bin/sh to interpret a command. + * This is much the same in use and purpose as system(), yet as it uses execve + * to pass a trusted environment it's immune to attacks based upon changing + * IFS, ENV, BASH_ENV and other such variables. + * Note this does NOT guard against any other attacks, inparticular you MUST + * validate the command you are passing. If the command is formed from user + * input be sure to check this input is what you expect. Nasty things can + * happen if a user can inject ; or `` into your command for example */ +int safe_system(char* command) { + char* argv[4] = { + "/bin/sh", + "-c", + command, + NULL, + }; + + return system_core(argv[0], argv, 0, 0, "safe_system"); +} + +/* Much like safe_system but lets you specify a non-root uid and gid to run + * the command as */ +int unpriv_system(char* command, uid_t uid, gid_t gid) { + return system_core(command, NULL, uid, gid, "unpriv_system"); +} + /* General routine to initialise a setuid root program, and put the * environment in a known state. Returns 1 on success, if initsetuid() returns * 0 then you should exit(1) immediately, DON'T attempt to recover from the @@ -167,3 +199,42 @@ int initsetuid(void) {
return 1; } + +/* Checks if a string only contains alphanumerical characters, dash or underscore */ +int is_valid_argument_alnum(const char* arg) { + size_t l = strlen(arg); + + for (unsigned int i = 0; i < l; i++) { + char c = arg[i]; + + // Dash or underscore + if (c == '-' || c == '_') + continue; + + // Any alphanumerical character + if (isalnum(c)) + continue; + + // Invalid + return 0; + } + + return 1; +} + +int is_valid_argument_num(const char* arg) { + size_t l = strlen(arg); + + for (unsigned int i = 0; i < l; i++) { + char c = arg[i]; + + // Any digit + if (isdigit(c)) + continue; + + // Invalid + return 0; + } + + return 1; +} diff --git a/src/misc-progs/setuid.h b/src/misc-progs/setuid.h index 7f3fda308..2936c4399 100644 --- a/src/misc-progs/setuid.h +++ b/src/misc-progs/setuid.h @@ -28,11 +28,14 @@
extern char * trusted_env[4];
-int system_core(char* command, uid_t uid, gid_t gid, char *error); +int run(char* command, char** argv); int safe_system(char* command); int unpriv_system(char* command, uid_t uid, gid_t gid); int initsetuid(void);
+int is_valid_argument_alnum(const char* arg); +int is_valid_argument_num(const char* arg); + /* Compatibility for the local copy of strlcat, * which has been removed. */ #define strlcat(src, dst, size) strncat(src, dst, size) diff --git a/src/misc-progs/smartctrl.c b/src/misc-progs/smartctrl.c index c6451acba..22f0e0a10 100644 --- a/src/misc-progs/smartctrl.c +++ b/src/misc-progs/smartctrl.c @@ -22,6 +22,11 @@ int main(int argc, char *argv[]) { exit(1); }
+ if (!is_valid_argument_alnum(argv[1])) { + fprintf(stderr, "Invalid device name '%s'\n", argv[1]); + exit(2); + } + char command[STRING_SIZE]; snprintf(command, STRING_SIZE, "/var/run/hddshutdown-%s", argv[1]);
diff --git a/src/misc-progs/sshctrl.c b/src/misc-progs/sshctrl.c index 6e8652c84..0d458a865 100644 --- a/src/misc-progs/sshctrl.c +++ b/src/misc-progs/sshctrl.c @@ -133,6 +133,11 @@ int main(int argc, char *argv[]) return 0; } else if (strcmp(argv[1], "tempstart") == 0) { + if (!is_valid_argument_num(argv[2])) { + fprintf(stderr, "Invalid time '%s'\n", argv[2]); + exit(2); + } + safe_system("/usr/local/bin/sshctrl"); sleep(5); unlink("/var/ipfire/remote/enablessh");
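Review bot: In config/samba/samba-change-password, both printf calls in main() use the username and password as the format string, so any % or backslash sequence in the password is interpreted by printf instead of being passed through, and a backslash-n in the password becomes a line break in the input fed to chpasswd and smbpasswd. Pass the values as arguments instead, for example `printf -- '%s:%s\n' "${username}" "${password}"` and `printf -- '%s\n%s\n' "${password}" "${password}"`. The function also does not check that both arguments are present and ends with `return 0` regardless of the exit status of either pipeline, so the caller cannot tell a failed password change from a successful one.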
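Review bot: In html/cgi-bin/samba.cgi the smbuseradd line (and the unchanged smbchangepw line below it) still passes one interpolated string to Perl's system(), so USERNAME and PASSWORD are split on whitespace and, when they contain shell metacharacters, parsed by a shell running as the web user before sambactrl sees them; a password containing a space arrives as two arguments. Use the list form, for example `system("/usr/local/bin/sambactrl", "smbuseradd", $sambasettings{'USERNAME'}, $sambasettings{'PASSWORD'})`, so that the value reaching samba-change-password is exactly what was entered.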
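Review bot: The deleted src/misc-progs/launch-ether-wake.c ran etherwake twice, the second time with -b ("Send magic packet with broadcast flag set"), but the replacement line in html/cgi-bin/wakeonlan.cgi runs it once without -b; add the second call if the broadcast packet is still wanted. The new call is also a single-string system() with $iface and $mac interpolated, and no validation of either is visible in this hunk, so the list form `system("/usr/sbin/etherwake", "-i", $iface, $mac)` would be safer. Finally, `setcap cap_net_raw+ep /usr/sbin/etherwake` in update.sh and lfs/etherwake gives the capability to every local user who can execute the binary, not only nobody; consider restricting the file's group and mode alongside the setcap call.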
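Review bot: In src/misc-progs/setuid.c, unpriv_system() now calls `system_core(command, NULL, uid, gid, "unpriv_system")`, and system_core() hands command directly to execve() with an argv that contains only the terminating NULL, so a command line with arguments or shell syntax is no longer interpreted by /bin/sh even though the comment above still says "Much like safe_system". Build the same { "/bin/sh", "-c", command, NULL } vector that safe_system() uses, or change the comment and the callers. run() also needs a comment stating that the caller must supply argv[0] itself, the `#if 0` block that would have added it is dead code and should be removed, and the `return 2` taken when the argument array fills up is silent and is not distinguishable from an exit status of the child.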
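Review bot: In is_valid_argument_alnum() and is_valid_argument_num() in src/misc-progs/setuid.c, an empty string is accepted because the loop body never runs, a NULL pointer goes straight into strlen(), and '-' is allowed in the first position, so a name beginning with a dash passes validation and is then interpolated into lines such as `"/usr/bin/smbpasswd -d %s >/dev/null"` where it is read as an option. Reject NULL, the empty string and a leading dash, and cast before the ctype calls (`isalnum((unsigned char)c)`, `isdigit((unsigned char)c)`), since passing a negative char value is undefined. The new call sites in sambactrl.c and sshctrl.c use argv[2] with no argc check in the visible lines, so the NULL case is reachable unless it is checked elsewhere. is_valid_argument_num() is also missing the one-line comment its sibling has.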
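Review bot: In src/misc-progs/addonctrl.c the line `sprintf(command, "/opt/pakfire/db/installed/meta-%s", name);` is still an unbounded sprintf() while every other call in the file was converted; the 32-character length check above keeps it within BUFFER_SIZE today, but it should be snprintf() like the rest so the bound does not depend on a check elsewhere. The converted calls pass `BUFFER_SIZE - 1` as the size; snprintf() already reserves space for the terminator, so `sizeof(command)` is the clearer bound now that command is a local array.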
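Review bot: In src/misc-progs/backupctrl.c the removed loop rejected calls with `argc > 3`, and src/misc-progs/extrahdctrl.c used to forward only argv[1] and argv[2]; after the switch to run() both wrappers, like mpfirectrl.c and pakfire.c, forward every argument unchanged to a script that runs as root. Shell metacharacters no longer matter, but the argument count and any leading-dash options are now entirely up to the Perl scripts, so keep the count check in front of run() where the script expects a fixed number of arguments. extrahdctrl.c also dropped the `chmod 755` on extrahd.pl; since run() calls execve() on the script directly, confirm the file is installed executable or the call will fail.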
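Review bot: In the smbuseradd and smbchangepw branches of src/misc-progs/sambactrl.c, the result of `run("/usr/sbin/samba-change-password", argv + 1)` is discarded, and in smbuseradd the results of the groupadd and useradd calls are not checked before the password is set, so a failure at any step is reported to the CGI as success. Return or propagate the status from run(). The `argv + 1` offset works only because the action name takes the place of argv[0] for the script; a short comment saying so would help, as would a check that argv[3] (the password) is present before the helper is started.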
hooks/post-receive -- IPFire 2.x development tree