webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 11:43:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

misc-progs: Convert to right file encoding.

Browse Source
This commit is contained in:
Michael Tremer
2013-10-12 18:25:33 +02:00
parent 555637d156
commit 1293811896
7 changed files with 421 additions and 420 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
src/misc-progs/fireinfoctrl.c
View File

@@ -1,23 +1,23 @@
/* IPFire helper program - fireinfoctrl /* IPFire helper program - fireinfoctrl
* *
* This program is distributed under the terms of the GNU General Public * This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details. * Licence. See the file COPYING for details.
* *
* (c) IPFire Team, 2011 * (c) IPFire Team, 2011
* *
* Simple program that calls "sendprofile" as the root user. * Simple program that calls "sendprofile" as the root user.
* *
*/ */
#include <stdlib.h> #include <stdlib.h>
#include "setuid.h" #include "setuid.h"
int main(void) int main(void)
{ {
if (!(initsetuid())) if (!(initsetuid()))
exit(1); exit(1);
safe_system("/usr/bin/sendprofile"); safe_system("/usr/bin/sendprofile");
return 0; return 0;
} }

62
src/misc-progs/getconntracktable.c
View File

@@ -1,31 +1,31 @@
/* IPFire helper program - getconntracktable /* IPFire helper program - getconntracktable
* *
* This program is distributed under the terms of the GNU General Public * This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details. * Licence. See the file COPYING for details.
* *
* The kernel's connection tracking table is not readable by * The kernel's connection tracking table is not readable by
* non-root users. So this helper will just read and output it. * non-root users. So this helper will just read and output it.
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include "setuid.h" #include "setuid.h"
int main(void) { int main(void) {
if (!(initsetuid())) if (!(initsetuid()))
exit(1); exit(1);
FILE *fp = fopen("/proc/net/nf_conntrack", "r"); FILE *fp = fopen("/proc/net/nf_conntrack", "r");
if (fp == NULL) { if (fp == NULL) {
exit(1); exit(1);
} }
/* Read content line by line and write it to stdout. */ /* Read content line by line and write it to stdout. */
char linebuf[STRING_SIZE]; char linebuf[STRING_SIZE];
while (fgets(linebuf, STRING_SIZE, fp)) { while (fgets(linebuf, STRING_SIZE, fp)) {
printf("%s", linebuf); printf("%s", linebuf);
} }
fclose(fp); fclose(fp);
return 0; return 0;
} }

88
src/misc-progs/iowrap.c
View File

@@ -1,44 +1,44 @@
/* SmoothWall helper program - iowrap. /* SmoothWall helper program - iowrap.
* *
* This program is distributed under the terms of the GNU General Public * This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details. * Licence. See the file COPYING for details.
* *
* (c) Lawrence Manning, 2001 * (c) Lawrence Manning, 2001
* Installer helper for redirecting stdout/stderr to a file/terminal. * Installer helper for redirecting stdout/stderr to a file/terminal.
* init calls ash through this program to shove it on a tty. * init calls ash through this program to shove it on a tty.
* *
* $Id: iowrap.c,v 1.2 2001/11/27 15:20:50 riddles Exp $ * $Id: iowrap.c,v 1.2 2001/11/27 15:20:50 riddles Exp $
* *
*/ */
#include <stdio.h> #include <stdio.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
/* Prog takes one argument. A device to run on (like a getty) */ /* Prog takes one argument. A device to run on (like a getty) */
if (argc >= 2) if (argc >= 2)
{ {
int fd; int fd;
if ((fd = open(argv[1], O_RDWR)) == -1) if ((fd = open(argv[1], O_RDWR)) == -1)
{ {
printf("Couldn't open device\n"); printf("Couldn't open device\n");
return 0; return 0;
} }
dup2(fd, 0); dup2(fd, 0);
dup2(fd, 1); dup2(fd, 1);
dup2(fd, 2); dup2(fd, 2);
/* Now its sending/reading on that device. */ /* Now its sending/reading on that device. */
} }
if (argc >= 3) if (argc >= 3)
execvp(argv[2], &argv[2]); execvp(argv[2], &argv[2]);
else else
printf("No command\n"); printf("No command\n");
return 0; return 0;
} }

50
src/misc-progs/ipfiredeath.c
View File

@@ -1,25 +1,25 @@
/* SmoothWall helper program - smoothiedeath /* SmoothWall helper program - smoothiedeath
* *
* This program is distributed under the terms of the GNU General Public * This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details. * Licence. See the file COPYING for details.
* *
* (c) Lawrence Manning, 2001 * (c) Lawrence Manning, 2001
* Simple program intended to be installed setuid(0) that can be used for * Simple program intended to be installed setuid(0) that can be used for
* starting shutdown. * starting shutdown.
* *
* $Id: ipcopdeath.c,v 1.2 2003/12/11 10:57:34 riddles Exp $ * $Id: ipcopdeath.c,v 1.2 2003/12/11 10:57:34 riddles Exp $
* *
*/ */
#include <stdlib.h> #include <stdlib.h>
#include "setuid.h" #include "setuid.h"
int main(void) int main(void)
{ {
if (!(initsetuid())) if (!(initsetuid()))
exit(1); exit(1);
safe_system("/sbin/shutdown -h now"); safe_system("/sbin/shutdown -h now");
return 0; return 0;
} }

50
src/misc-progs/ipfirerebirth.c
View File

@@ -1,25 +1,25 @@
/* SmoothWall helper program - smoothierebirth /* SmoothWall helper program - smoothierebirth
* *
* This program is distributed under the terms of the GNU General Public * This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details. * Licence. See the file COPYING for details.
* *
* (c) Lawrence Manning, 2001 * (c) Lawrence Manning, 2001
* Simple program intended to be installed setuid(0) that can be used for * Simple program intended to be installed setuid(0) that can be used for
* starting reboot. * starting reboot.
* *
* $Id: ipcoprebirth.c,v 1.2 2003/12/11 10:57:34 riddles Exp $ * $Id: ipcoprebirth.c,v 1.2 2003/12/11 10:57:34 riddles Exp $
* *
*/ */
#include <stdlib.h> #include <stdlib.h>
#include "setuid.h" #include "setuid.h"
int main(void) int main(void)
{ {
if (!(initsetuid())) if (!(initsetuid()))
exit(1); exit(1);
safe_system("/sbin/shutdown -r now"); safe_system("/sbin/shutdown -r now");
return 0; return 0;
} }

234
src/misc-progs/ipfirereboot.c
View File

@@ -1,117 +1,117 @@
/* /*
* This file is part of the IPCop Firewall. * This file is part of the IPCop Firewall.
* *
* IPCop is free software; you can redistribute it and/or modify * IPCop is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* IPCop is distributed in the hope that it will be useful, * IPCop is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with IPCop; if not, write to the Free Software * along with IPCop; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
* *
* Copyright (C) 2005-10-25 Franck Bourdonnec * Copyright (C) 2005-10-25 Franck Bourdonnec
* *
* $Id: ipcopreboot.c,v 1.1.2.2 2005/10/24 23:05:50 franck78 Exp $ * $Id: ipcopreboot.c,v 1.1.2.2 2005/10/24 23:05:50 franck78 Exp $
* *
*/ */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <stdlib.h> #include <stdlib.h>
#include "setuid.h" #include "setuid.h"
/* define operations */ /* define operations */
#define OP_REBOOT "boot" #define OP_REBOOT "boot"
#define OP_REBOOT_FS "bootfs" // add filesystem check option (not yet in GUI) #define OP_REBOOT_FS "bootfs" // add filesystem check option (not yet in GUI)
#define OP_SHUTDOWN "down" #define OP_SHUTDOWN "down"
#define OP_SCHEDULE_ADD "cron+" #define OP_SCHEDULE_ADD "cron+"
#define OP_SCHEDULE_REM "cron-" #define OP_SCHEDULE_REM "cron-"
#define OP_SCHEDULE_GET "cron?" #define OP_SCHEDULE_GET "cron?"
int main(int argc, char**argv) int main(int argc, char**argv)
{ {
if (!(initsetuid())) if (!(initsetuid()))
return 1; return 1;
// Check what command is asked // Check what command is asked
if (argc==1) if (argc==1)
{ {
fprintf (stderr, "Missing reboot command!\n"); fprintf (stderr, "Missing reboot command!\n");
return 1; return 1;
} }
if (argc==2 && strcmp(argv[1], OP_SHUTDOWN)==0) if (argc==2 && strcmp(argv[1], OP_SHUTDOWN)==0)
{ {
safe_system("/sbin/shutdown -h now"); safe_system("/sbin/shutdown -h now");
return 0; return 0;
} }
if (argc==2 && strcmp(argv[1], OP_REBOOT)==0) if (argc==2 && strcmp(argv[1], OP_REBOOT)==0)
{ {
safe_system("/sbin/shutdown -r now"); safe_system("/sbin/shutdown -r now");
return 0; return 0;
} }
if (argc==2 && strcmp(argv[1], OP_REBOOT_FS)==0) if (argc==2 && strcmp(argv[1], OP_REBOOT_FS)==0)
{ {
safe_system("/sbin/shutdown -F -r now"); safe_system("/sbin/shutdown -F -r now");
return 0; return 0;
} }
// output schedule to stdout // output schedule to stdout
if (argc==2 && strcmp(argv[1], OP_SCHEDULE_GET)==0) if (argc==2 && strcmp(argv[1], OP_SCHEDULE_GET)==0)
{ {
safe_system("/bin/grep /sbin/shutdown /var/spool/cron/root.orig"); safe_system("/bin/grep /sbin/shutdown /var/spool/cron/root.orig");
return 0; return 0;
} }
if (argc==2 && strcmp(argv[1], OP_SCHEDULE_REM)==0) if (argc==2 && strcmp(argv[1], OP_SCHEDULE_REM)==0)
{ {
safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig"); safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig");
safe_system("/usr/bin/fcrontab -u root -z"); safe_system("/usr/bin/fcrontab -u root -z");
return 0; return 0;
} }
if (argc==6 && strcmp(argv[1], OP_SCHEDULE_ADD)==0) if (argc==6 && strcmp(argv[1], OP_SCHEDULE_ADD)==0)
{ {
// check args // check args
if (!( strlen(argv[2])<3 && if (!( strlen(argv[2])<3 &&
strspn(argv[2], "0123456789") == strlen (argv[2]) && strspn(argv[2], "0123456789") == strlen (argv[2]) &&
strlen(argv[3])<3 && strlen(argv[3])<3 &&
strspn(argv[3], "0123456789") == strlen (argv[3]) && strspn(argv[3], "0123456789") == strlen (argv[3]) &&
strlen(argv[4])<14 && strlen(argv[4])<14 &&
strspn(argv[4], "1234567,*") == strlen (argv[4]) && strspn(argv[4], "1234567,*") == strlen (argv[4]) &&
((strcmp(argv[5], "-r")==0) || //reboot ((strcmp(argv[5], "-r")==0) || //reboot
(strcmp(argv[5], "-h")==0)) ) //hangup (strcmp(argv[5], "-h")==0)) ) //hangup
) { ) {
fprintf (stderr, "Bad cron+ parameters!\n"); fprintf (stderr, "Bad cron+ parameters!\n");
return 1; return 1;
} }
// remove old entry // remove old entry
safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig"); safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig");
// add new entry // add new entry
FILE *fd = NULL; FILE *fd = NULL;
if ((fd = fopen("/var/spool/cron/root.orig", "a"))) if ((fd = fopen("/var/spool/cron/root.orig", "a")))
{ {
fprintf (fd,"%s %s * * %s /sbin/shutdown %s 1\n",argv[2],argv[3],argv[4],argv[5]); fprintf (fd,"%s %s * * %s /sbin/shutdown %s 1\n",argv[2],argv[3],argv[4],argv[5]);
fclose (fd); fclose (fd);
} }
// inform cron // inform cron
safe_system("/usr/bin/fcrontab -u root -z"); safe_system("/usr/bin/fcrontab -u root -z");
return 0; return 0;
} }
fprintf (stderr, "Bad reboot command!\n"); fprintf (stderr, "Bad reboot command!\n");
return 1; return 1;
} }

311
src/misc-progs/setuid.c
View File

@@ -1,155 +1,156 @@
/* This file is part of the IPCop Firewall. /* This file is part of the IPCop Firewall.
* *
* IPCop is free software; you can redistribute it and/or modify * IPCop is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* IPCop is distributed in the hope that it will be useful, * IPCop is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with IPCop; if not, write to the Free Software * along with IPCop; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
* *
* Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to> * Copyright (C) 2003-04-22 Robert Kerr <rkerr@go.to>
* *
* $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $ * $Id: setuid.c,v 1.2.2.1 2005/11/18 14:51:43 franck78 Exp $
* *
*/ */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <errno.h> #include <errno.h>
#include <unistd.h> #include <unistd.h>
#include <stdlib.h> #include <stdlib.h>
#include <sys/types.h> #include <sys/types.h>
#include <limits.h> #include <limits.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
#include <grp.h> #include <grp.h>
#include <signal.h> #include <signal.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <glob.h> #include <glob.h>
#include "setuid.h" #include "setuid.h"
#ifndef OPEN_MAX #ifndef OPEN_MAX
#define OPEN_MAX 256 #define OPEN_MAX 256
#endif #endif
/* Trusted environment for executing commands */ /* Trusted environment for executing commands */
char * trusted_env[4]={ char * trusted_env[4] = {
"PATH=/usr/bin:/usr/sbin:/sbin:/bin", "PATH=/usr/bin:/usr/sbin:/sbin:/bin",
"SHELL=/bin/sh", "SHELL=/bin/sh",
"TERM=dumb", "TERM=dumb",
NULL}; NULL
};
/* Spawns a child process that uses /bin/sh to interpret a command.
* This is much the same in use and purpose as system(), yet as it uses execve /* Spawns a child process that uses /bin/sh to interpret a command.
* to pass a trusted environment it's immune to attacks based upon changing * This is much the same in use and purpose as system(), yet as it uses execve
* IFS, ENV, BASH_ENV and other such variables. * to pass a trusted environment it's immune to attacks based upon changing
* Note this does NOT guard against any other attacks, inparticular you MUST * IFS, ENV, BASH_ENV and other such variables.
* validate the command you are passing. If the command is formed from user * Note this does NOT guard against any other attacks, inparticular you MUST
* input be sure to check this input is what you expect. Nasty things can * validate the command you are passing. If the command is formed from user
* happen if a user can inject ; or `` into your command for example */ * input be sure to check this input is what you expect. Nasty things can
int safe_system(char* command) * happen if a user can inject ; or `` into your command for example */
{ int safe_system(char* command)
return system_core( command, 0, 0, "safe_system" ); {
} return system_core( command, 0, 0, "safe_system" );
}
/* Much like safe_system but lets you specify a non-root uid and gid to run
* the command as */ /* Much like safe_system but lets you specify a non-root uid and gid to run
int unpriv_system(char* command, uid_t uid, gid_t gid) * the command as */
{ int unpriv_system(char* command, uid_t uid, gid_t gid)
return system_core(command, uid, gid, "unpriv_system" ); {
} return system_core(command, uid, gid, "unpriv_system" );
}
int system_core(char* command, uid_t uid, gid_t gid, char *error)
{ int system_core(char* command, uid_t uid, gid_t gid, char *error)
int pid, status; {
int pid, status;
if(!command)
return 1; if(!command)
return 1;
switch( pid = fork() )
{ switch( pid = fork() )
case -1: {
return -1; case -1:
case 0: /* child */ return -1;
{ case 0: /* child */
char * argv[4]; {
if (gid && setgid(gid)) char * argv[4];
{ if (gid && setgid(gid))
fprintf(stderr, "%s: ", error); {
perror("Couldn't setgid"); fprintf(stderr, "%s: ", error);
exit(127); perror("Couldn't setgid");
} exit(127);
if (uid && setuid(uid)) }
{ if (uid && setuid(uid))
fprintf(stderr, "%s: ", error); {
perror("Couldn't setuid"); fprintf(stderr, "%s: ", error);
exit(127); perror("Couldn't setuid");
} exit(127);
argv[0] = "sh"; }
argv[1] = "-c"; argv[0] = "sh";
argv[2] = command; argv[1] = "-c";
argv[3] = NULL; argv[2] = command;
execve("/bin/sh", argv, trusted_env); argv[3] = NULL;
fprintf(stderr, "%s: ", error); execve("/bin/sh", argv, trusted_env);
perror("execve failed"); fprintf(stderr, "%s: ", error);
exit(127); perror("execve failed");
} exit(127);
default: /* parent */ }
do { default: /* parent */
if( waitpid(pid, &status, 0) == -1 ) { do {
if( errno != EINTR ) if( waitpid(pid, &status, 0) == -1 ) {
return -1; if( errno != EINTR )
} else return -1;
return status; } else
} while (1); return status;
} } while (1);
}
}
}
/* General routine to initialise a setuid root program, and put the
* environment in a known state. Returns 1 on success, if initsetuid() returns /* General routine to initialise a setuid root program, and put the
* 0 then you should exit(1) immediately, DON'T attempt to recover from the * environment in a known state. Returns 1 on success, if initsetuid() returns
* error */ * 0 then you should exit(1) immediately, DON'T attempt to recover from the
int initsetuid(void) * error */
{ int initsetuid(void)
int fds,i; {
struct stat st; int fds,i;
struct rlimit rlim; struct stat st;
struct rlimit rlim;
/* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
for( i = 0; i < NSIG; i++ ) { /* Prevent signal tricks by ignoring all except SIGKILL and SIGCHILD */
if( i != SIGKILL && i != SIGCHLD ) for( i = 0; i < NSIG; i++ ) {
signal(i, SIG_IGN); if( i != SIGKILL && i != SIGCHLD )
} signal(i, SIG_IGN);
}
/* dump all non-standard file descriptors (a full descriptor table could
* lead to DoS by preventing us opening files) */ /* dump all non-standard file descriptors (a full descriptor table could
if ((fds = getdtablesize()) == -1) fds = OPEN_MAX; * lead to DoS by preventing us opening files) */
for( i = 3; i < fds; i++ ) close(i); if ((fds = getdtablesize()) == -1) fds = OPEN_MAX;
for( i = 3; i < fds; i++ ) close(i);
/* check stdin, stdout & stderr are open before going any further */
for( i = 0; i < 3; i++ ) /* check stdin, stdout & stderr are open before going any further */
if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i )) for( i = 0; i < 3; i++ )
return 0; if( fstat(i, &st) == -1 && ((errno != EBADF) || (close(i), open("/dev/null", O_RDWR, 0)) != i ))
return 0;
/* disable core dumps in case we're processing sensitive information */
rlim.rlim_cur = rlim.rlim_max = 0; /* disable core dumps in case we're processing sensitive information */
if(setrlimit(RLIMIT_CORE, &rlim)) rlim.rlim_cur = rlim.rlim_max = 0;
{ perror("Couldn't disable core dumps"); return 0; } if(setrlimit(RLIMIT_CORE, &rlim))
{ perror("Couldn't disable core dumps"); return 0; }
/* drop any supplementary groups, set uid & gid to root */
if (setgroups(0, NULL)) { perror("Couldn't clear group list"); return 0; } /* drop any supplementary groups, set uid & gid to root */
if (setgid(0)) { perror("Couldn't setgid(0)"); return 0; } if (setgroups(0, NULL)) { perror("Couldn't clear group list"); return 0; }
if (setuid(0)) { perror("Couldn't setuid(0)"); return 0; } if (setgid(0)) { perror("Couldn't setgid(0)"); return 0; }
if (setuid(0)) { perror("Couldn't setuid(0)"); return 0; }
return 1;
} return 1;
}