1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

Added the security changes suggested by Andrew - become the

user that authenticated to swat permanently (if not root).
Jeremy.
(This used to be commit 7d55bf3791)
This commit is contained in:
Jeremy Allison 1998-11-12 03:06:00 +00:00
parent 84c10df026
commit b0a2e2e778
3 changed files with 110 additions and 81 deletions

View File

@ -2657,4 +2657,5 @@ void status_page(void);
/*The following definitions come from web/swat.c */ /*The following definitions come from web/swat.c */
BOOL become_user_permanently(uid_t uid, gid_t gid);
#endif /* _PROTO_H_ */ #endif /* _PROTO_H_ */

View File

@ -293,29 +293,83 @@ static void base64_decode(char *s)
/*************************************************************************** /***************************************************************************
handle a http authentication line handle a http authentication line
***************************************************************************/ ***************************************************************************/
static int cgi_handle_authorization(char *line) static BOOL cgi_handle_authorization(char *line)
{ {
char *p, *user, *pass; char *p, *user, *user_pass;
struct passwd *pass = NULL;
int ret = False;
if (strncasecmp(line,"Basic ", 6)) { if (strncasecmp(line,"Basic ", 6)) {
cgi_setup_error("401 Bad Authorization", "", cgi_setup_error("401 Bad Authorization", "",
"Only basic authorization is understood"); "Only basic authorization is understood");
return False;
} }
line += 6; line += 6;
while (line[0] == ' ') line++; while (line[0] == ' ') line++;
base64_decode(line); base64_decode(line);
if (!(p=strchr(line,':'))) { if (!(p=strchr(line,':'))) {
/*
* Always give the same error so a cracker
* cannot tell why we fail.
*/
cgi_setup_error("401 Bad Authorization", "", cgi_setup_error("401 Bad Authorization", "",
"username/password must be supplied"); "username/password must be supplied");
return False;
} }
*p = 0; *p = 0;
user = line; user = line;
pass = p+1; user_pass = p+1;
/*
* Try and get the user from the UNIX password file.
*/
if(!(pass = Get_Pwnam(user,False))) {
/*
* Always give the same error so a cracker
* cannot tell why we fail.
*/
cgi_setup_error("401 Bad Authorization", "",
"username/password must be supplied");
return False;
}
/*
* Validate the password they have given.
*/
if((ret = pass_check(user, user_pass, strlen(user_pass), NULL, NULL)) == True) {
/*
* Password was ok.
*/
if(pass->pw_uid != 0) {
/*
* We have not authenticated as root,
* become the user *permanently*.
*/
if(!become_user_permanently(pass->pw_uid, pass->pw_gid)) {
/*
* Always give the same error so a cracker
* cannot tell why we fail.
*/
cgi_setup_error("401 Bad Authorization", "",
"username/password must be supplied");
return False;
}
/*
* On exit from here we are the authenticated
* user - no way back.
*/
}
/* Save the users name */ /* Save the users name */
C_user = strdup(user); C_user = strdup(user);
}
return pass_check(user, pass, strlen(pass), NULL, NULL); return ret;
} }
/*************************************************************************** /***************************************************************************
@ -323,7 +377,7 @@ is this root?
***************************************************************************/ ***************************************************************************/
BOOL am_root(void) BOOL am_root(void)
{ {
if ((C_user) && (strcmp(C_user,"root") == 0)) { if (geteuid() == 0) {
return( True); return( True);
} else { } else {
return( False); return( False);
@ -393,7 +447,7 @@ run as a true cgi program by a web browser or is itself a mini web server
***************************************************************************/ ***************************************************************************/
void cgi_setup(char *rootdir, int auth_required) void cgi_setup(char *rootdir, int auth_required)
{ {
int authenticated = 0; BOOL authenticated = False;
char line[1024]; char line[1024];
char *url=NULL; char *url=NULL;
char *p; char *p;

View File

@ -771,76 +771,64 @@ static BOOL talk_to_smbpasswd(char *old, char *new)
} }
/**************************************************************************** /****************************************************************************
become the specified uid become the specified uid - permanently !
****************************************************************************/ ****************************************************************************/
static BOOL become_uid(uid_t uid)
BOOL become_user_permanently(uid_t uid, gid_t gid)
{ {
#ifdef HAVE_TRAPDOOR_UID
#ifdef HAVE_SETUIDX if (geteuid() != 0) {
/* AIX3 has setuidx which is NOT a trapoor function (tridge) */ return(True);
if (setuidx(ID_EFFECTIVE, uid) != 0) { }
if (seteuid(uid) != 0) {
printf("<p> Can't set uid %d (setuidx)\n", (int)uid); /* now completely lose our privilages. This is a fairly paranoid
way of doing it, but it does work on all systems that I know of */
#ifdef HAVE_SETRESUID
/*
* Firstly ensure all our uids are set to root.
*/
setresgid(0,0,0);
setresuid(0,0,0);
/*
* Now ensure we change all our gids.
*/
setresgid(gid,gid,gid);
/*
* Now ensure all the uids are the user.
*/
setresuid(uid,uid,uid);
#else
/*
* Firstly ensure all our uids are set to root.
*/
setuid(0);
seteuid(0);
/*
* Now ensure we change all our gids.
*/
setgid(gid);
setegid(gid);
/*
* Now ensure all the uids are the user.
*/
setuid(uid);
seteuid(uid);
#endif
if (getuid() != uid || geteuid() != uid ||
getgid() != gid || getegid() != gid) {
/* We failed to lose our privilages. */
return False; return False;
} }
}
#endif
#endif
#ifdef HAVE_SETRESUID
if (setresuid(-1,uid,-1) != 0)
#else
if ((seteuid(uid) != 0) && (setuid(uid) != 0))
#endif
{
printf("<p> Couldn't set uid %d currently set to (uid %d, euid %d)\n",
(int)uid,(int)getuid(), (int)geteuid());
if (uid > (uid_t)32000) {
printf("<p> Looks like your OS doesn't like high uid values - try using a different account\n");
}
return(False);
}
if (((uid == (uid_t)-1) || ((sizeof(uid_t) == 2) && (uid == 65535))) &&
(geteuid() != uid)) {
printf("<p> Invalid uid -1. perhaps you have a account with uid 65535?\n");
return(False);
}
return(True); return(True);
} }
/****************************************************************************
become the specified gid
****************************************************************************/
static BOOL become_gid(gid_t gid)
{
#ifdef HAVE_SETRESUID
if (setresgid(-1,gid,-1) != 0)
#else
if (setgid(gid) != 0)
#endif
{
printf("<p> Couldn't set gid %d currently set to (gid %d, egid %d)\n",
(int)gid,(int)getgid(),(int)getegid());
if (gid > 32000) {
printf("<p> Looks like your OS doesn't like high gid values - try using a different account\n");
}
return(False);
}
return(True);
}
/****************************************************************************
become the specified uid and gid
****************************************************************************/
static BOOL become_id(uid_t uid,gid_t gid)
{
return(become_gid(gid) && become_uid(uid));
}
/**************************************************************************** /****************************************************************************
do the stuff required to add or change a password do the stuff required to add or change a password
****************************************************************************/ ****************************************************************************/
@ -881,19 +869,6 @@ static void chg_passwd(void)
} }
} }
/* Get the UID/GID of the user, and become that user */
if (am_root() == False) {
pass = Get_Pwnam(cgi_variable(user),True);
if (pass == NULL) {
printf("<p> User uid unknown \n");
} else {
if (become_id(pass->pw_uid, pass->pw_gid) == False) {
printf("<p> uid/gid set failed \n");
return;
}
}
}
#ifdef SWAT_DEBUG #ifdef SWAT_DEBUG
if (pass) printf("<p> User uid %d gid %d \n", pass->pw_uid, pass->pw_gid); if (pass) printf("<p> User uid %d gid %d \n", pass->pw_uid, pass->pw_gid);
printf("<p> Processes uid %d, euid %d, gid %d, egid %d \n",getuid(),geteuid(),getgid(),getegid()); printf("<p> Processes uid %d, euid %d, gid %d, egid %d \n",getuid(),geteuid(),getgid(),getegid());
@ -1138,4 +1113,3 @@ static void printers_page(void)
print_footer(); print_footer();
return 0; return 0;
} }