1 /*****************************************************************************
2 * rootwrap.c
3 *****************************************************************************
4 * Copyright © 2005-2008 Rémi Denis-Courmont
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
19 *****************************************************************************/
20
21 #ifdef HAVE_CONFIG_H
22 # include <config.h>
23 #endif
24 #define _XPG4_2 /* ancilliary data on Solaris */
25
26 #include <stdlib.h> /* exit() */
27 #include <stdio.h>
28 #include <string.h>
29
30 #include <sys/types.h>
31 #include <unistd.h>
32 #include <fcntl.h>
33 #include <sys/stat.h>
34 #include <sys/socket.h>
35 #include <sys/uio.h>
36 #include <sys/resource.h> /* getrlimit() */
37 #ifdef RLIMIT_RTPRIO
38 #include <sched.h>
39 #endif
40 #include <errno.h>
41 #include <netinet/in.h>
42
43 #if defined (AF_INET6) && !defined (IPV6_V6ONLY)
44 # warning Uho, your IPv6 support is broken and has been disabled. Fix your C library.
45 # undef AF_INET6
46 #endif
47 #ifndef AF_LOCAL
48 # define AF_LOCAL AF_UNIX
49 #endif
50 #if !defined(MSG_NOSIGNAL) && defined(SO_NOSIGPIPE)
51 # define MSG_NOSIGNAL 0
52 #endif
53 /* Required yet non-standard cmsg functions */
54 #ifndef CMSG_ALIGN
55 # define CMSG_ALIGN(len) (((len) + sizeof(intptr_t)-1) & ~(sizeof(intptr_t)-1))
56 #endif
57 #ifndef CMSG_SPACE
58 # define CMSG_SPACE(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + CMSG_ALIGN(len))
59 #endif
60 #ifndef CMSG_LEN
61 # define CMSG_LEN(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
62 #endif
63
is_allowed_port(uint16_t port)64 static inline int is_allowed_port (uint16_t port)
65 {
66 port = ntohs (port);
67 return (port == 80) || (port == 443) || (port == 554);
68 }
69
70
send_err(int fd,int err)71 static inline int send_err (int fd, int err)
72 {
73 return send(fd, &err, sizeof (err), MSG_NOSIGNAL) == sizeof (err) ? 0 : -1;
74 }
75
76 /**
77 * Send a file descriptor to another process
78 */
send_fd(int p,int fd)79 static int send_fd (int p, int fd)
80 {
81 struct msghdr hdr;
82 struct iovec iov;
83 struct cmsghdr *cmsg;
84 char buf[CMSG_SPACE (sizeof (fd))];
85 int val = 0;
86
87 hdr.msg_name = NULL;
88 hdr.msg_namelen = 0;
89 hdr.msg_iov = &iov;
90 hdr.msg_iovlen = 1;
91 hdr.msg_control = buf;
92 hdr.msg_controllen = sizeof (buf);
93
94 iov.iov_base = &val;
95 iov.iov_len = sizeof (val);
96
97 cmsg = CMSG_FIRSTHDR (&hdr);
98 cmsg->cmsg_level = SOL_SOCKET;
99 cmsg->cmsg_type = SCM_RIGHTS;
100 cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
101 memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
102 hdr.msg_controllen = cmsg->cmsg_len;
103
104 return sendmsg(p, &hdr, MSG_NOSIGNAL) == sizeof (val) ? 0 : -1;
105 }
106
107
108 /**
109 * Background process run as root to open privileged TCP ports.
110 */
rootprocess(int fd)111 static void rootprocess (int fd)
112 {
113 union
114 {
115 struct sockaddr sa;
116 struct sockaddr_storage ss;
117 struct sockaddr_in sin;
118 #ifdef AF_INET6
119 struct sockaddr_in6 sin6;
120 #endif
121 } addr;
122
123 while (recv (fd, &addr.ss, sizeof (addr.ss), 0) == sizeof (addr.ss))
124 {
125 unsigned len;
126 int sock;
127 int family;
128
129 switch (addr.sa.sa_family)
130 {
131 case AF_INET:
132 if (!is_allowed_port (addr.sin.sin_port))
133 {
134 if (send_err (fd, EACCES))
135 return;
136 continue;
137 }
138 len = sizeof (struct sockaddr_in);
139 family = PF_INET;
140 break;
141
142 #ifdef AF_INET6
143 case AF_INET6:
144 if (!is_allowed_port (addr.sin6.sin6_port))
145 {
146 if (send_err (fd, EACCES))
147 return;
148 continue;
149 }
150 len = sizeof (struct sockaddr_in6);
151 family = PF_INET6;
152 break;
153 #endif
154
155 default:
156 if (send_err (fd, EAFNOSUPPORT))
157 return;
158 continue;
159 }
160
161 sock = socket (family, SOCK_STREAM, IPPROTO_TCP);
162 if (sock != -1)
163 {
164 const int val = 1;
165
166 setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val));
167 #ifdef AF_INET6
168 if (addr.sa.sa_family == AF_INET6)
169 setsockopt (sock, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof (val));
170 #endif
171 if (bind (sock, &addr.sa, len) == 0)
172 {
173 send_fd (fd, sock);
174 close (sock);
175 continue;
176 }
177 close (sock);
178 }
179 send_err (fd, errno);
180 }
181 }
182
183 /* TODO?
184 * - use libcap if available,
185 * - call chroot
186 */
187
main(int argc,char * argv[])188 int main (int argc, char *argv[])
189 {
190 /* Support for dynamically opening RTSP, HTTP and HTTP/SSL ports */
191 int pair[2];
192
193 if (socketpair (AF_LOCAL, SOCK_STREAM, 0, pair))
194 return 1;
195 if (pair[0] < 3)
196 goto error; /* we want 0, 1 and 2 open */
197
198 #ifdef SO_NOSIGPIPE
199 setsockopt(pair[1], SOL_SOCKET, SO_NOSIGPIPE, &(int){ 1 }, sizeof (int));
200 #endif
201
202 pid_t pid = fork ();
203 switch (pid)
204 {
205 case -1:
206 goto error;
207
208 case 0:
209 {
210 int null = open ("/dev/null", O_RDWR);
211 if (null != -1)
212 {
213 dup2 (null, 0);
214 dup2 (null, 1);
215 dup2 (null, 2);
216 close (null);
217 }
218 close (pair[0]);
219 setsid ();
220 rootprocess (pair[1]);
221 exit (0);
222 }
223 }
224
225 close (pair[1]);
226 pair[1] = -1;
227
228 char buf[21];
229 snprintf (buf, sizeof (buf), "%d", pair[0]);
230 setenv ("VLC_ROOTWRAP_SOCK", buf, 1);
231
232 /* Support for real-time priorities */
233 #ifdef RLIMIT_RTPRIO
234 struct rlimit rlim;
235 rlim.rlim_max = rlim.rlim_cur = sched_get_priority_min (SCHED_RR) + 24;
236 setrlimit (RLIMIT_RTPRIO, &rlim);
237 #endif
238
239 uid_t uid = getuid ();
240 if (uid == 0)
241 {
242 const char *sudo = getenv ("SUDO_UID");
243 if (sudo)
244 uid = atoi (sudo);
245 }
246 if (uid == 0)
247 {
248 fputs("Cannot determine unprivileged user for VLC!\n", stderr);
249 exit (1);
250 }
251 setuid (uid);
252
253 if (!setuid (0)) /* sanity check: we cannot get root back */
254 exit (1);
255
256 /* Yeah, the user can execute just about anything from here.
257 * But we've dropped privileges, so it does not matter. */
258 if (strlen (argv[0]) < sizeof ("-wrapper"))
259 goto error;
260 argv[0][strlen (argv[0]) - strlen ("-wrapper")] = '\0';
261
262 (void)argc;
263 if (execvp (argv[0], argv))
264 perror (argv[0]);
265
266 error:
267 close (pair[0]);
268 if (pair[1] != -1)
269 close (pair[1]);
270 return 1;
271 }
272