Annotation of src/usr.bin/sudo/sudo_edit.c, Revision 1.6
1.1 millert 1: /*
1.4 millert 2: * Copyright (c) 2004-2005 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 3: *
4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
7: *
8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: */
16:
1.4 millert 17: #include <config.h>
1.1 millert 18:
19: #include <sys/types.h>
20: #include <sys/param.h>
21: #include <sys/stat.h>
22: #include <sys/time.h>
23: #include <sys/wait.h>
24: #include <sys/socket.h>
25: #include <stdio.h>
26: #ifdef STDC_HEADERS
27: # include <stdlib.h>
28: # include <stddef.h>
29: #else
30: # ifdef HAVE_STDLIB_H
31: # include <stdlib.h>
32: # endif
33: #endif /* STDC_HEADERS */
34: #ifdef HAVE_STRING_H
35: # include <string.h>
36: #else
37: # ifdef HAVE_STRINGS_H
38: # include <strings.h>
39: # endif
40: #endif /* HAVE_STRING_H */
41: #ifdef HAVE_UNISTD_H
42: # include <unistd.h>
43: #endif /* HAVE_UNISTD_H */
44: #ifdef HAVE_ERR_H
45: # include <err.h>
46: #else
47: # include "emul/err.h"
48: #endif /* HAVE_ERR_H */
49: #include <ctype.h>
50: #include <pwd.h>
1.4 millert 51: #include <grp.h>
1.1 millert 52: #include <signal.h>
53: #include <errno.h>
54: #include <fcntl.h>
1.4 millert 55: #if TIME_WITH_SYS_TIME
56: # include <time.h>
57: #endif
58: #ifndef HAVE_TIMESPEC
59: # include <emul/timespec.h>
60: #endif
1.1 millert 61:
62: #include "sudo.h"
63:
64: #ifndef lint
1.6 ! millert 65: __unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.9 2008/06/21 00:47:52 millert Exp $";
1.1 millert 66: #endif /* lint */
67:
1.6 ! millert 68: extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
1.4 millert 69: extern char **environ;
1.1 millert 70:
71: /*
72: * Wrapper to allow users to edit privileged files with their own uid.
73: */
1.4 millert 74: int sudo_edit(argc, argv, envp)
1.1 millert 75: int argc;
76: char **argv;
1.4 millert 77: char **envp;
1.1 millert 78: {
79: ssize_t nread, nwritten;
80: pid_t kidpid, pid;
81: const char *tmpdir;
82: char **nargv, **ap, *editor, *cp;
83: char buf[BUFSIZ];
1.4 millert 84: int error, i, ac, ofd, tfd, nargc, rval, tmplen, wasblank;
1.1 millert 85: sigaction_t sa;
86: struct stat sb;
87: struct timespec ts1, ts2;
88: struct tempfile {
89: char *tfile;
90: char *ofile;
91: struct timespec omtim;
92: off_t osize;
93: } *tf;
94:
95: /*
96: * Find our temporary directory, one of /var/tmp, /usr/tmp, or /tmp
97: */
98: if (stat(_PATH_VARTMP, &sb) == 0 && S_ISDIR(sb.st_mode))
99: tmpdir = _PATH_VARTMP;
100: #ifdef _PATH_USRTMP
101: else if (stat(_PATH_USRTMP, &sb) == 0 && S_ISDIR(sb.st_mode))
102: tmpdir = _PATH_USRTMP;
103: #endif
104: else
105: tmpdir = _PATH_TMP;
1.2 millert 106: tmplen = strlen(tmpdir);
107: while (tmplen > 0 && tmpdir[tmplen - 1] == '/')
108: tmplen--;
1.1 millert 109:
110: /*
111: * For each file specified by the user, make a temporary version
112: * and copy the contents of the original to it.
113: */
114: tf = emalloc2(argc - 1, sizeof(*tf));
115: memset(tf, 0, (argc - 1) * sizeof(*tf));
116: for (i = 0, ap = argv + 1; i < argc - 1 && *ap != NULL; i++, ap++) {
1.4 millert 117: error = -1;
1.1 millert 118: set_perms(PERM_RUNAS);
1.4 millert 119:
120: /*
121: * We close the password file before we try to open the user-specified
122: * path to prevent the opening of things like /dev/fd/4.
123: */
124: endpwent();
125: if ((ofd = open(*ap, O_RDONLY, 0644)) != -1 || errno == ENOENT) {
126: if (ofd == -1) {
127: memset(&sb, 0, sizeof(sb)); /* new file */
128: error = 0;
129: } else {
1.1 millert 130: #ifdef HAVE_FSTAT
1.4 millert 131: error = fstat(ofd, &sb);
1.1 millert 132: #else
1.4 millert 133: error = stat(tf[i].ofile, &sb);
1.1 millert 134: #endif
135: }
136: }
137: set_perms(PERM_ROOT);
1.5 millert 138: if (error || (ofd != -1 && !S_ISREG(sb.st_mode))) {
1.4 millert 139: if (error)
1.1 millert 140: warn("%s", *ap);
1.4 millert 141: else
142: warnx("%s: not a regular file", *ap);
143: if (ofd != -1)
144: close(ofd);
1.1 millert 145: argc--;
146: i--;
147: continue;
148: }
149: tf[i].ofile = *ap;
150: tf[i].omtim.tv_sec = mtim_getsec(sb);
151: tf[i].omtim.tv_nsec = mtim_getnsec(sb);
152: tf[i].osize = sb.st_size;
153: if ((cp = strrchr(tf[i].ofile, '/')) != NULL)
154: cp++;
155: else
156: cp = tf[i].ofile;
1.2 millert 157: easprintf(&tf[i].tfile, "%.*s/%s.XXXXXXXX", tmplen, tmpdir, cp);
1.1 millert 158: set_perms(PERM_USER);
159: tfd = mkstemp(tf[i].tfile);
160: set_perms(PERM_ROOT);
161: if (tfd == -1) {
162: warn("mkstemp");
163: goto cleanup;
164: }
165: if (ofd != -1) {
166: while ((nread = read(ofd, buf, sizeof(buf))) != 0) {
167: if ((nwritten = write(tfd, buf, nread)) != nread) {
168: if (nwritten == -1)
169: warn("%s", tf[i].tfile);
170: else
171: warnx("%s: short write", tf[i].tfile);
172: goto cleanup;
173: }
174: }
175: close(ofd);
176: }
177: #ifdef HAVE_FSTAT
178: /*
179: * If we are unable to set the mtime on the temp file to the value
180: * of the original file just make the stashed mtime match the temp
181: * file's mtime. It is better than nothing and we only use the info
182: * to determine whether or not a file has been modified.
183: */
184: if (touch(tfd, NULL, &tf[i].omtim) == -1) {
185: if (fstat(tfd, &sb) == 0) {
186: tf[i].omtim.tv_sec = mtim_getsec(sb);
187: tf[i].omtim.tv_nsec = mtim_getnsec(sb);
188: }
189: /* XXX - else error? */
190: }
191: #endif
192: close(tfd);
193: }
194: if (argc == 1)
195: return(1); /* no files readable, you lose */
196:
197: /*
198: * Determine which editor to use. We don't bother restricting this
199: * based on def_env_editor or def_editor since the editor runs with
200: * the uid of the invoking user, not the runas (privileged) user.
201: */
1.4 millert 202: environ = envp;
1.1 millert 203: if (((editor = getenv("VISUAL")) != NULL && *editor != '\0') ||
204: ((editor = getenv("EDITOR")) != NULL && *editor != '\0')) {
205: editor = estrdup(editor);
206: } else {
207: editor = estrdup(def_editor);
208: if ((cp = strchr(editor, ':')) != NULL)
209: *cp = '\0'; /* def_editor could be a path */
210: }
211:
212: /*
213: * Allocate space for the new argument vector and fill it in.
214: * The EDITOR and VISUAL environment variables may contain command
215: * line args so look for those and alloc space for them too.
216: */
217: nargc = argc;
1.4 millert 218: for (wasblank = FALSE, cp = editor; *cp != '\0'; cp++) {
219: if (isblank((unsigned char) *cp))
220: wasblank = TRUE;
221: else if (wasblank) {
222: wasblank = FALSE;
1.1 millert 223: nargc++;
1.4 millert 224: }
1.1 millert 225: }
226: nargv = (char **) emalloc2(nargc + 1, sizeof(char *));
227: ac = 0;
228: for ((cp = strtok(editor, " \t")); cp != NULL; (cp = strtok(NULL, " \t")))
229: nargv[ac++] = cp;
230: for (i = 0; i < argc - 1 && ac < nargc; )
231: nargv[ac++] = tf[i++].tfile;
232: nargv[ac] = NULL;
233:
1.6 ! millert 234: /* Allow the editor to be suspended. */
1.1 millert 235: sigemptyset(&sa.sa_mask);
236: sa.sa_flags = SA_RESTART;
237: sa.sa_handler = SIG_DFL;
238: (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
239:
240: /*
241: * Fork and exec the editor with the invoking user's creds,
242: * keeping track of the time spent in the editor.
243: */
244: gettime(&ts1);
245: kidpid = fork();
246: if (kidpid == -1) {
247: warn("fork");
248: goto cleanup;
249: } else if (kidpid == 0) {
250: /* child */
251: (void) sigaction(SIGINT, &saved_sa_int, NULL);
252: (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
253: set_perms(PERM_FULL_USER);
1.4 millert 254: endpwent();
255: endgrent();
256: closefrom(STDERR_FILENO + 1);
1.1 millert 257: execvp(nargv[0], nargv);
258: warn("unable to execute %s", nargv[0]);
259: _exit(127);
260: }
261:
262: /*
263: * Wait for status from the child. Most modern kernels
264: * will not let an unprivileged child process send a
1.4 millert 265: * signal to its privileged parent so we have to request
1.1 millert 266: * status when the child is stopped and then send the
267: * same signal to our own pid.
268: */
269: do {
270: #ifdef sudo_waitpid
271: pid = sudo_waitpid(kidpid, &i, WUNTRACED);
272: #else
273: pid = wait(&i);
274: #endif
275: if (pid == kidpid) {
276: if (WIFSTOPPED(i))
277: kill(getpid(), WSTOPSIG(i));
278: else
279: break;
280: }
281: } while (pid != -1 || errno == EINTR);
282: gettime(&ts2);
283: if (pid == -1 || !WIFEXITED(i))
284: rval = 1;
285: else
286: rval = WEXITSTATUS(i);
287:
288: /* Copy contents of temp files to real ones */
289: for (i = 0; i < argc - 1; i++) {
1.4 millert 290: error = -1;
1.1 millert 291: set_perms(PERM_USER);
1.4 millert 292: if ((tfd = open(tf[i].tfile, O_RDONLY, 0644)) != -1) {
293: #ifdef HAVE_FSTAT
294: error = fstat(tfd, &sb);
295: #else
296: error = stat(tf[i].tfile, &sb);
297: #endif
298: }
1.1 millert 299: set_perms(PERM_ROOT);
1.4 millert 300: if (error || !S_ISREG(sb.st_mode)) {
301: if (error)
302: warn("%s", tf[i].tfile);
303: else
304: warnx("%s: not a regular file", tf[i].tfile);
1.1 millert 305: warnx("%s left unmodified", tf[i].ofile);
1.4 millert 306: if (tfd != -1)
307: close(tfd);
1.1 millert 308: continue;
309: }
1.4 millert 310: if (tf[i].osize == sb.st_size && tf[i].omtim.tv_sec == mtim_getsec(sb)
311: && tf[i].omtim.tv_nsec == mtim_getnsec(sb)) {
312: /*
313: * If mtime and size match but the user spent no measurable
314: * time in the editor we can't tell if the file was changed.
315: */
1.3 millert 316: #ifdef HAVE_TIMESPECSUB2
1.4 millert 317: timespecsub(&ts1, &ts2);
1.3 millert 318: #else
1.4 millert 319: timespecsub(&ts1, &ts2, &ts2);
1.3 millert 320: #endif
1.4 millert 321: if (timespecisset(&ts2)) {
322: warnx("%s unchanged", tf[i].ofile);
323: unlink(tf[i].tfile);
324: close(tfd);
325: continue;
1.1 millert 326: }
327: }
328: set_perms(PERM_RUNAS);
329: ofd = open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644);
330: set_perms(PERM_ROOT);
331: if (ofd == -1) {
332: warn("unable to write to %s", tf[i].ofile);
333: warnx("contents of edit session left in %s", tf[i].tfile);
334: close(tfd);
335: continue;
336: }
337: while ((nread = read(tfd, buf, sizeof(buf))) > 0) {
338: if ((nwritten = write(ofd, buf, nread)) != nread) {
339: if (nwritten == -1)
340: warn("%s", tf[i].ofile);
341: else
342: warnx("%s: short write", tf[i].ofile);
343: break;
344: }
345: }
346: if (nread == 0) {
347: /* success, got EOF */
348: unlink(tf[i].tfile);
349: } else if (nread < 0) {
350: warn("unable to read temporary file");
351: warnx("contents of edit session left in %s", tf[i].tfile);
352: } else {
353: warn("unable to write to %s", tf[i].ofile);
354: warnx("contents of edit session left in %s", tf[i].tfile);
355: }
356: close(ofd);
357: }
358:
359: return(rval);
360: cleanup:
361: /* Clean up temp files and return. */
362: for (i = 0; i < argc - 1; i++) {
363: if (tf[i].tfile != NULL)
364: unlink(tf[i].tfile);
365: }
366: return(1);
367: }