ladybird/Userland/Utilities/pls.cpp

/*
 * Copyright (c) 2021, Jesse Buhagiar <jooster669@gmail.com>
 * Copyright (c) 2021, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/GetPassword.h>
#include <LibCore/System.h>
#include <LibMain/Main.h>
#include <unistd.h>

ErrorOr<int> serenity_main(Main::Arguments arguments)
{
    Vector<StringView> command;
    Core::ArgsParser args_parser;
    uid_t as_user_uid = 0;
    bool preserve_env = false;
    args_parser.set_stop_on_first_non_option(true);
    args_parser.add_option(as_user_uid, "User to execute as", nullptr, 'u', "UID");
    args_parser.add_option(preserve_env, "Preserve user environment when running command", "preserve-env", 'E');
    args_parser.add_positional_argument(command, "Command to run at elevated privilege level", "command");
    args_parser.parse(arguments);

    TRY(Core::System::pledge("stdio rpath exec id tty"));

    TRY(Core::System::seteuid(0));

    auto as_user = TRY(Core::Account::from_uid(as_user_uid));

    // If the current user is not a superuser, make them authenticate themselves.
    if (auto uid = getuid()) {
        auto account = TRY(Core::Account::from_uid(uid));
        if (account.has_password()) {
            auto password = TRY(Core::get_password());
            if (!account.authenticate(password))
                return Error::from_string_literal("Incorrect or disabled password.");
        }
    }

    TRY(Core::System::pledge("stdio rpath exec id"));

    TRY(as_user.login());

    TRY(Core::System::pledge("stdio rpath exec"));
    TRY(Core::System::exec_command(command, preserve_env));
    return 0;
}
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`/*`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00			`* Copyright (c) 2021, Jesse Buhagiar <jooster669@gmail.com>`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`* Copyright (c) 2021, Andreas Kling <kling@serenityos.org>`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`*`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00			`* SPDX-License-Identifier: BSD-2-Clause`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`*/`

			`#include <LibCore/Account.h>`
			`#include <LibCore/ArgsParser.h>`
			`#include <LibCore/GetPassword.h>`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`#include <LibCore/System.h>`
			`#include <LibMain/Main.h>`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`#include <unistd.h>`

pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`ErrorOr<int> serenity_main(Main::Arguments arguments)`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`{`
pls: Use Core::System::exec() 2022-03-12 20:58:50 +00:00			`Vector<StringView> command;`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`Core::ArgsParser args_parser;`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 02:58:34 +00:00			`uid_t as_user_uid = 0;`
pls: Implement support for `--preserve-env` 2022-06-28 17:10:31 +00:00			`bool preserve_env = false;`
pls: Stop on first non option when parsing arguments This allows using pls on a program with arguments more ergonomically, e.g. `pls -- echo "hello friends"` can now simply be done as: `pls echo "hello friends"`. 2021-12-28 18:10:22 +00:00			`args_parser.set_stop_on_first_non_option(true);`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 02:58:34 +00:00			`args_parser.add_option(as_user_uid, "User to execute as", nullptr, 'u', "UID");`
pls: Implement support for `--preserve-env` 2022-06-28 17:10:31 +00:00			`args_parser.add_option(preserve_env, "Preserve user environment when running command", "preserve-env", 'E');`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`args_parser.add_positional_argument(command, "Command to run at elevated privilege level", "command");`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`args_parser.parse(arguments);`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::pledge("stdio rpath exec id tty"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::seteuid(0));`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`auto as_user = TRY(Core::Account::from_uid(as_user_uid));`
Userland: Add as-user execution to the pls utility Commands may be executed as a specific user by passing the user's UID to the '-u' flag in pls. 2021-08-16 02:58:34 +00:00
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`// If the current user is not a superuser, make them authenticate themselves.`
			`if (auto uid = getuid()) {`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`auto account = TRY(Core::Account::from_uid(uid));`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`if (account.has_password()) {`
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`auto password = TRY(Core::get_password());`
			`if (!account.authenticate(password))`
Everywhere: Split Error::from_string_literal and Error::from_string_view Error::from_string_literal now takes direct char consts, while Error::from_string_view does what Error::from_string_literal used to do: taking StringViews. This change will remove the need to insert `sv` after error strings when returning string literal errors once StringView(char const) is removed. No functional changes. 2022-07-11 17:57:32 +00:00			`return Error::from_string_literal("Incorrect or disabled password.");`
pls: Drastically simplify this program Since this program is setuid-root, it should be as simple as possible. To that end, remove `/etc/plsusers` and use filesystem permissions to achieve the same thing. `/bin/pls` is now only executable by `root` or members of the `wheel` group. Also remove all the logic that went to great lengths to `unveil()` a minimal set of filesystem paths that may be used for the command. The complexity-to-benefit ratio did not seem justified, and I think we're better off keeping this simple. Finally, remove pledge promises the moment they are no longer needed. 2021-05-30 20:06:28 +00:00			`}`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`}`

pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::pledge("stdio rpath exec id"));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00
pls: Use `LibCore::Account::login()` instead of manually setting the uid In addition to changing the uid, the method also changes the gid and properly sets groups. So this patch will also mitigate the security issue of `pls`. 2022-08-14 19:19:05 +00:00			`TRY(as_user.login());`
Userland: Check sudoers file perms and owner in pls As per comment found in #6319 by @bcoles, `pls` should check the permissions and owner of the sudoers file to ensure that it hasn't been compromised. 2021-04-16 14:55:05 +00:00
pls: Port to LibMain :^) 2021-12-16 18:18:37 +00:00			`TRY(Core::System::pledge("stdio rpath exec"));`
Userland/pls: Use Core::System::exec_command method to execute a command 2022-11-04 09:54:29 +00:00			`TRY(Core::System::exec_command(command, preserve_env));`
Userland: Implement `pls`, a sudo clone 2021-04-14 02:23:55 +00:00			`return 0;`
			`}`