rdo/rdo.c

#include <pwd.h>
#include <grp.h>
#include <err.h>
#include <shadow.h>
#include <crypt.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "readpassphrase.h"
#include "sessions.h"

#define VERSION "1.4.2"

void getconf(FILE* fp, const char* entry, char* result, size_t len_result) {
	char* line = NULL;
	size_t len = 0;

	fseek(fp, 0, SEEK_SET);

	while (getline(&line, &len, fp) != -1) {
		if (strncmp(entry, line, strlen(entry)) == 0) {
			strtok(line, "=");
			char* token = strtok(NULL, "=");
			if (token) {
				strncpy(result, token, len_result);
				result[strcspn(result, "\n")] = 0;
				free(line);
				return;
			}
		}
	}

	errx(1, "Could not get '%s' entry in config", entry);
}

void runprog(char** program_argv) {
	if (setuid(0) < 0)
		err(1, "Could not setuid");
	if (setgid(0) < 0)
		err(1, "Could not setgid");

	putenv("HOME=/root");

	// NOTE: this does not return when no error occurred.
	execvp(program_argv[0], program_argv);

	err(1, "%s", program_argv[0]);
}

int main(int argc, char** argv) {
	char groupname[64], wrong_pw_sleep[64], session_ttl[64], password[128];
	unsigned int sleep_us, tries, ts_ttl;

	int read_pw_from_stdin = 0;
	if (argc > 1)
		read_pw_from_stdin = strcmp(argv[1], "-") == 0;

	if (argc == 1 || (read_pw_from_stdin && argc == 2)) {
		printf("RootDO version: %s\n\n", VERSION);
		printf("Usage: %s [command]\n", argv[0]);
		return 0;
	}

	if (geteuid() != 0)
		errx(1, "The rdo binary needs to be installed as SUID.");

	int ruid = getuid();
	if (ruid == 0)
		runprog(&argv[read_pw_from_stdin+1]);

	FILE* fp = fopen("/etc/rdo.conf", "r");

	if (!fp)
		err(1, "Could not open /etc/rdo.conf");

	getconf(fp, "group", groupname, sizeof(groupname));
	getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));
	getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));
	sleep_us = atoi(wrong_pw_sleep) * 1000;
	ts_ttl = atoi(session_ttl) * 60;

	fclose(fp);

	if (getsession(getppid(), ts_ttl, ruid) == 0 && !read_pw_from_stdin)
		runprog(&argv[1]);

	struct passwd* pw = getpwuid(ruid);
	if (!pw) {
		if (errno == 0)
			errx(1, "No user with UID %d", ruid);
		else
			err(1, "Could not get user info");
	}

	struct group* current_group_entry = getgrent();
	while (current_group_entry) {
		if (strcmp(current_group_entry->gr_name, groupname) == 0)
			break;
		current_group_entry = getgrent();
	}

	if (!current_group_entry)
		errx(1, "The group '%s' does not exist.", groupname);
	
	char* current_member = current_group_entry->gr_mem[0];
	for (int i = 1; current_member; i++) {
		if (strcmp(current_member, pw->pw_name) == 0)
			break;
		current_member = current_group_entry->gr_mem[i];
	}

	if (!current_member)
		errx(1, "You are not allowed to execute rdo.");

	struct spwd* shadowEntry = getspnam(pw->pw_name);

	if (!shadowEntry || !shadowEntry->sp_pwdp)
		err(1, "Could not get shadow entry");

	tries = 0;
	while (tries < 3) {
		if (!readpassphrase("(rdo) Password: ", password, sizeof(password), read_pw_from_stdin))
			err(1, "Could not get passphrase");

		char* hashed_pw = crypt(password, shadowEntry->sp_pwdp);
		memset(password, 0, sizeof(password));
		
		if (!hashed_pw)
			errx(1, "Could not hash password, does your user have a password?");

		if (strcmp(shadowEntry->sp_pwdp, hashed_pw) == 0) {
			if (!read_pw_from_stdin)
				setsession(getppid(), ts_ttl, ruid);
			runprog(&argv[read_pw_from_stdin+1]);
		}

		usleep(sleep_us);
		fprintf(stderr, "Wrong password.\n");
		tries++;
	}
	errx(1, "Too many wrong password attempts.");
	return 1;
}
First Commit 2021-07-13 21:33:12 +02:00			`#include <pwd.h>`
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`#include <grp.h>`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`#include <err.h>`
First Commit 2021-07-13 21:33:12 +02:00			`#include <shadow.h>`
			`#include <crypt.h>`
			`#include <unistd.h>`
			`#include <stdio.h>`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00			`#include <stdlib.h>`
First Commit 2021-07-13 21:33:12 +02:00			`#include <string.h>`
Add own readpassphrase function This removes the libbsd dependency. Fixed #10. 2022-05-05 08:21:48 +02:00
			`#include "readpassphrase.h"`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`#include "sessions.h"`
First Commit 2021-07-13 21:33:12 +02:00
Fix string format, push version 1.4.2 2022-07-28 17:21:52 +02:00			`#define VERSION "1.4.2"`
Add version and usage if no arguments are given. 2021-07-17 18:29:39 +02:00
Add error message for faulty config 2021-07-13 23:31:23 +02:00			`void getconf(FILE* fp, const char* entry, char* result, size_t len_result) {`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`char* line = NULL;`
			`size_t len = 0;`

			`fseek(fp, 0, SEEK_SET);`

			`while (getline(&line, &len, fp) != -1) {`
			`if (strncmp(entry, line, strlen(entry)) == 0) {`
			`strtok(line, "=");`
			`char* token = strtok(NULL, "=");`
			`if (token) {`
			`strncpy(result, token, len_result);`
			`result[strcspn(result, "\n")] = 0;`
Fix memory leak in getconf() As getline() calls malloc() to allocate new memory for our usage, we have to free() it after. 2021-07-18 23:34:31 +02:00			`free(line);`
Add error message for faulty config 2021-07-13 23:31:23 +02:00			`return;`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`}`
			`}`
			`}`

Add error message for faulty config 2021-07-13 23:31:23 +02:00			`errx(1, "Could not get '%s' entry in config", entry);`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`}`

Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`void runprog(char** program_argv) {`
Normalize the way we check for errors 2021-07-16 00:38:50 +02:00			`if (setuid(0) < 0)`
Check return values of setuid() and setgid() 2021-07-14 06:12:50 +02:00			`err(1, "Could not setuid");`
Normalize the way we check for errors 2021-07-16 00:38:50 +02:00			`if (setgid(0) < 0)`
Check return values of setuid() and setgid() 2021-07-14 06:12:50 +02:00			`err(1, "Could not setgid");`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00
Change HOME to /root on exec This affected some programs like vim, which put root-owned swap files into the normal user's swap directory, since $HOME didn't change. Fixes #11 2022-05-05 07:26:56 +02:00			`putenv("HOME=/root");`

			`// NOTE: this does not return when no error occurred.`
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`execvp(program_argv[0], program_argv);`
Move type declerations to start of main 2021-07-15 16:17:54 +02:00
Fix string format, push version 1.4.2 2022-07-28 17:21:52 +02:00			`err(1, "%s", program_argv[0]);`
First Commit 2021-07-13 21:33:12 +02:00			`}`

			`int main(int argc, char** argv) {`
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`char groupname[64], wrong_pw_sleep[64], session_ttl[64], password[128];`
Rename sleep_ms to sleep_us The variable name was misleading, as we didn't calculate the time to sleep in milliseconds, but in microseconds. 2022-03-08 17:03:14 +01:00			`unsigned int sleep_us, tries, ts_ttl;`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00
Add ability to read password from stdin This can be done by supplying `-` as the first argument. 2022-12-17 00:25:24 +01:00			`int read_pw_from_stdin = 0;`
			`if (argc > 1)`
			`read_pw_from_stdin = strcmp(argv[1], "-") == 0;`

			`if (argc == 1 \|\| (read_pw_from_stdin && argc == 2)) {`
Add version and usage if no arguments are given. 2021-07-17 18:29:39 +02:00			`printf("RootDO version: %s\n\n", VERSION);`
			`printf("Usage: %s [command]\n", argv[0]);`
			`return 0;`
			`}`
First Commit 2021-07-13 21:33:12 +02:00
Error if euid != 0 This can happen if the rdo binary isn't set up as SUID. 2022-02-09 20:17:45 +01:00			`if (geteuid() != 0)`
			`errx(1, "The rdo binary needs to be installed as SUID.");`

First Commit 2021-07-13 21:33:12 +02:00			`int ruid = getuid();`
Move type declerations to start of main 2021-07-15 16:17:54 +02:00			`if (ruid == 0)`
Add ability to read password from stdin This can be done by supplying `-` as the first argument. 2022-12-17 00:25:24 +01:00			`runprog(&argv[read_pw_from_stdin+1]);`
Removed extra whitespace 2021-07-15 12:46:27 +02:00
Check uid before opening file 2021-07-15 14:59:24 +02:00			`FILE* fp = fopen("/etc/rdo.conf", "r");`

			`if (!fp)`
			`err(1, "Could not open /etc/rdo.conf");`

Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`getconf(fp, "group", groupname, sizeof(groupname));`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00			`getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));`
Rename sleep_ms to sleep_us The variable name was misleading, as we didn't calculate the time to sleep in milliseconds, but in microseconds. 2022-03-08 17:03:14 +01:00			`sleep_us = atoi(wrong_pw_sleep) * 1000;`
Don't multiply session_ttl by 100 2021-07-16 00:15:04 +02:00			`ts_ttl = atoi(session_ttl) * 60;`
First Commit 2021-07-13 21:33:12 +02:00
Check uid before opening file 2021-07-15 14:59:24 +02:00			`fclose(fp);`

Add ability to read password from stdin This can be done by supplying `-` as the first argument. 2022-12-17 00:25:24 +01:00			`if (getsession(getppid(), ts_ttl, ruid) == 0 && !read_pw_from_stdin)`
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`runprog(&argv[1]);`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`struct passwd* pw = getpwuid(ruid);`
			`if (!pw) {`
Be more specific with getpwnam() errors getpwnam() does not populate errno when the user simply doesn't exist, making err() print "Success" as the error. We now check for errno == 0, and print a different error message for it. 2022-02-09 20:06:28 +01:00			`if (errno == 0)`
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`errx(1, "No user with UID %d", ruid);`
Be more specific with getpwnam() errors getpwnam() does not populate errno when the user simply doesn't exist, making err() print "Success" as the error. We now check for errno == 0, and print a different error message for it. 2022-02-09 20:06:28 +01:00			`else`
			`err(1, "Could not get user info");`
			`}`
First Commit 2021-07-13 21:33:12 +02:00
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`struct group* current_group_entry = getgrent();`
			`while (current_group_entry) {`
			`if (strcmp(current_group_entry->gr_name, groupname) == 0)`
			`break;`
			`current_group_entry = getgrent();`
			`}`

			`if (!current_group_entry)`
			`errx(1, "The group '%s' does not exist.", groupname);`

			`char* current_member = current_group_entry->gr_mem[0];`
			`for (int i = 1; current_member; i++) {`
			`if (strcmp(current_member, pw->pw_name) == 0)`
			`break;`
			`current_member = current_group_entry->gr_mem[i];`
			`}`

			`if (!current_member)`
Be more specific with getpwnam() errors getpwnam() does not populate errno when the user simply doesn't exist, making err() print "Success" as the error. We now check for errno == 0, and print a different error message for it. 2022-02-09 20:06:28 +01:00			`errx(1, "You are not allowed to execute rdo.");`
First Commit 2021-07-13 21:33:12 +02:00
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`struct spwd* shadowEntry = getspnam(pw->pw_name);`
First Commit 2021-07-13 21:33:12 +02:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`if (!shadowEntry \|\| !shadowEntry->sp_pwdp)`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`err(1, "Could not get shadow entry");`
First Commit 2021-07-13 21:33:12 +02:00
Move type declerations to start of main 2021-07-15 16:17:54 +02:00			`tries = 0;`
First Commit 2021-07-13 21:33:12 +02:00			`while (tries < 3) {`
Add ability to read password from stdin This can be done by supplying `-` as the first argument. 2022-12-17 00:25:24 +01:00			`if (!readpassphrase("(rdo) Password: ", password, sizeof(password), read_pw_from_stdin))`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`err(1, "Could not get passphrase");`
Get passphrase from TTY This is required for #1. 2021-07-13 22:23:27 +02:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`char* hashed_pw = crypt(password, shadowEntry->sp_pwdp);`
Clear password after we're done using it Previously, the password would not be cleared after we hashed it with crypt(), which lead to the password staying in memory for the duration of program runtime. This was only really an issue for incorrect passwords, as execve() purges our memory anyway, but attackers could use an incorrect but mostly correct password for privilege escalation. Due to this being a security issue, this commit also introduces rdo version 1.3. Fixes #7 2022-02-07 14:37:54 +01:00			`memset(password, 0, sizeof(password));`
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00
			`if (!hashed_pw)`
Make the hashing failure error message more descriptive This error occurs when the user we try to hash the password for doesn't have a password, as seen in #8. We now mention this, to avoid future confusion. 2022-02-12 08:07:48 +01:00			`errx(1, "Could not hash password, does your user have a password?");`
Clear password after we're done using it Previously, the password would not be cleared after we hashed it with crypt(), which lead to the password staying in memory for the duration of program runtime. This was only really an issue for incorrect passwords, as execve() purges our memory anyway, but attackers could use an incorrect but mostly correct password for privilege escalation. Due to this being a security issue, this commit also introduces rdo version 1.3. Fixes #7 2022-02-07 14:37:54 +01:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`if (strcmp(shadowEntry->sp_pwdp, hashed_pw) == 0) {`
Add ability to read password from stdin This can be done by supplying `-` as the first argument. 2022-12-17 00:25:24 +01:00			`if (!read_pw_from_stdin)`
			`setsession(getppid(), ts_ttl, ruid);`
			`runprog(&argv[read_pw_from_stdin+1]);`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`}`
Removed extra whitespace 2021-07-15 12:46:27 +02:00
Rename sleep_ms to sleep_us The variable name was misleading, as we didn't calculate the time to sleep in milliseconds, but in microseconds. 2022-03-08 17:03:14 +01:00			`usleep(sleep_us);`
First Commit 2021-07-13 21:33:12 +02:00			`fprintf(stderr, "Wrong password.\n");`
Fix various formatting mistakes in rdo.c 2021-07-13 22:14:46 +02:00			`tries++;`
First Commit 2021-07-13 21:33:12 +02:00			`}`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`errx(1, "Too many wrong password attempts.");`
			`return 1;`
First Commit 2021-07-13 21:33:12 +02:00			`}`