ladybird/Userland/Utilities/pls.cpp

/*
 * Copyright (c) 2021, Jesse Buhagiar <jooster669@gmail.com>
 * Copyright (c) 2021, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/GetPassword.h>
#include <LibCore/System.h>
#include <LibMain/Main.h>
#include <stdio.h>
#include <unistd.h>

ErrorOr<int> serenity_main(Main::Arguments arguments)
{
    Vector<char const*> command;
    Core::ArgsParser args_parser;
    uid_t as_user_uid = 0;
    args_parser.add_option(as_user_uid, "User to execute as", nullptr, 'u', "UID");
    args_parser.add_positional_argument(command, "Command to run at elevated privilege level", "command");
    args_parser.parse(arguments);

    TRY(Core::System::pledge("stdio rpath exec id tty"));

    TRY(Core::System::seteuid(0));

    auto as_user = TRY(Core::Account::from_uid(as_user_uid));

    // If the current user is not a superuser, make them authenticate themselves.
    if (auto uid = getuid()) {
        auto account = TRY(Core::Account::from_uid(uid));
        if (account.has_password()) {
            auto password = TRY(Core::get_password());
            if (!account.authenticate(password))
                return Error::from_string_literal("Incorrect or disabled password."sv);
        }
    }

    TRY(Core::System::pledge("stdio rpath exec id"));

    TRY(Core::System::setgid(0));
    TRY(Core::System::setuid(as_user_uid));

    TRY(Core::System::pledge("stdio rpath exec"));

    Vector<char const*> exec_arguments;
    for (auto const& arg : command)
        exec_arguments.append(arg);
    exec_arguments.append(nullptr);

    Vector<String> environment_strings;
    if (auto* term = getenv("TERM"))
        environment_strings.append(String::formatted("TERM={}", term));

    Vector<char const*> exec_environment;
    for (auto& item : environment_strings)
        exec_environment.append(item.characters());
    exec_environment.append(nullptr);

    if (execvpe(command.at(0), const_cast<char**>(exec_arguments.data()), const_cast<char**>(exec_environment.data())) < 0) {
        perror("execvpe");
        exit(1);
    }
    return 0;
}
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`/*`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00			`* Copyright (c) 2021, Jesse Buhagiar <jooster669@gmail.com>`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`* Copyright (c) 2021, Andreas Kling <kling@serenityos.org>`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`*`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00			`* SPDX-License-Identifier: BSD-2-Clause`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`*/`

			`#include <LibCore/Account.h>`
			`#include <LibCore/ArgsParser.h>`
			`#include <LibCore/GetPassword.h>`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`#include <LibCore/System.h>`
			`#include <LibMain/Main.h>`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`#include <stdio.h>`
			`#include <unistd.h>`

pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`ErrorOr<int> serenity_main(Main::Arguments arguments)`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`{`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`Vector<char const*> command;`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`Core::ArgsParser args_parser;`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 02:58:34 +00:00			`uid_t as_user_uid = 0;`
			`args_parser.add_option(as_user_uid, "User to execute as", nullptr, 'u', "UID");`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`args_parser.add_positional_argument(command, "Command to run at elevated privilege level", "command");`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`args_parser.parse(arguments);`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::pledge("stdio rpath exec id tty"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::seteuid(0));`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`auto as_user = TRY(Core::Account::from_uid(as_user_uid));`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 02:58:34 +00:00
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`// If the current user is not a superuser, make them authenticate themselves.`
			`if (auto uid = getuid()) {`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`auto account = TRY(Core::Account::from_uid(uid));`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`if (account.has_password()) {`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`auto password = TRY(Core::get_password());`
			`if (!account.authenticate(password))`
			`return Error::from_string_literal("Incorrect or disabled password."sv);`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`}`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`}`

pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::pledge("stdio rpath exec id"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::setgid(0));`
			`TRY(Core::System::setuid(as_user_uid));`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::pledge("stdio rpath exec"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`Vector<char const*> exec_arguments;`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`for (auto const& arg : command)`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`exec_arguments.append(arg);`
			`exec_arguments.append(nullptr);`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`Vector<String> environment_strings;`
			`if (auto* term = getenv("TERM"))`
			`environment_strings.append(String::formatted("TERM={}", term));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`Vector<char const*> exec_environment;`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`for (auto& item : environment_strings)`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`exec_environment.append(item.characters());`
			`exec_environment.append(nullptr);`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`if (execvpe(command.at(0), const_cast<char>(exec_arguments.data()), const_cast<char>(exec_environment.data())) < 0) {`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`perror("execvpe");`
			`exit(1);`
			`}`
			`return 0;`
			`}`