wrapper с дополнительными возможностями (chroot/jail,clearenv,unset_env,set_env,chdir etc.), на основе lighttpd wrapper

В сети я отыскал несколько настраиваемых wrapper:
такие как: exec-wrapper, execwrap

• первый это простой генератор настраиваемой "обертки(wrapper)", а именно выполняемого файла с возможностью настройки переменных окружения и установки прав SUID, SGID на выполняемый файл. возможность chroot/jail тут отсутствует.
• второй это "обертка(wrapper)" для lighttpd web сервера. Очень гибкая версия с дополнительными проверками прав при запуске, но к сожалению настройка переменных окружения при запуске отсутствует. Так же отсутствует chroot/jail.

Мне не подошел ни первый вариант, ни второй. Пришлось написать свою версию "обертки(wrapper)" объединив и улучшив эти два варианта, добавив возможность chroot. За основу взят второй вариант, patch для которого приведен ниже. Из первого была взята только идея, но реализацию пришлось поменять, для лучшей переносимости.

создадим папку проекта:
mkdir jail-wrap; cd jail-wrap
в папке создадим следующие файлы:

execwrap.patch:
--- execwrap.c.orig 2008-07-07 20:15:59.000000000 +0000 +++ execwrap.c 2011-04-23 14:08:48.000000000 +0000 @@ -63,6 +63,7 @@ #define ENV_TARGET "TARGET=" #define ENV_CHECK_GID "CHECK_GID=" #define ENV_NON_RESIDENT "NON_RESIDENT=" +#define ENV_DEBUG "DEBUG" /* Return values for various errors. */ @@ -83,10 +84,15 @@ #define RC_BAD_OPTION 24 #define RC_CHILD_ABNORMAL_EXIT 25 #define RC_MISSING_PWENT 26 +#define RC_NO_CHROOT 27 +#define RC_NO_CHDIR 28 +#define RC_CANT_CLEAR_ENV 29 +#define RC_CANT_UNSET_ENV 30 +#define RC_CANT_SET_ENV 31 /* User configuration. */ -#include "execwrap_config.h" +#include "config.h" /* Compile-time security checks. */ #if !TARGET_MIN_UID @@ -123,7 +129,28 @@ #include <unistd.h> #include <signal.h> #include <pwd.h> +#include <sys/types.h> +#include <grp.h> +#if USE_SYSLOG + +# include <syslog.h> +# include <errno.h> + +#else /* USE_SYSLOG */ + +/* this should be after all includes */ +# undef SKIP +# undef openlog +# undef setlogmask +# undef syslog + +# define SKIP do { } while (0) +# define openlog(...) SKIP +# define setlogmask(...) SKIP +# define syslog(...) SKIP + +#endif /* USE_SYSLOG */ /* The global child PID and previous SIGTERM handler. */ int pid; @@ -142,13 +169,34 @@ } +void unset_env_trap(const char* name) +{ + if( unsetenv(name) ) { + syslog(LOG_ERR, "exiting with RC_CANT_UNSET_ENV, cant't unsetenv(\"%s\")", name); + exit(RC_CANT_UNSET_ENV); + } +} + +void set_env_trap(char* namev) +{ + if( putenv(namev) ) { + syslog(LOG_ERR, "exiting with RC_CANT_SET_ENV, cant't putenv(\"%s\")", namev); + exit(RC_CANT_SET_ENV); + } +} /* Down to business. */ int main(int argc, char* argv[], char* envp[]) { + openlog(SYSLOG_NAME, LOG_PID, LOG_AUTHPRIV); + setlogmask(LOG_UPTO(LOG_NOTICE)); /* Verify parent UID. Only the super user and PARENT_UID are allowed. */ - if(getuid() != 0 && getuid() != PARENT_UID) return RC_CALLER_UID; + int myuid = getuid(); + if(myuid != 0 && myuid != PARENT_UID) { + syslog(LOG_ERR, "exiting with RC_CALLER_UID, UID=%d", myuid); + return RC_CALLER_UID; + } /* Command line options. */ if(argc > 1) @@ -163,6 +211,11 @@ printf("TARGET_MIN_UID : %d\n", TARGET_MIN_UID); printf("TARGET_MIN_GID : %d\n", TARGET_MIN_GID); printf("TARGET_PATH_PREFIX : %s\n", TARGET_PATH_PREFIX); + #if CHROOT_ENABLED + printf("CHROOT_PATH : %s\n", CHROOT_PATH); + printf("CHDIR_PATH : %s\n", CHDIR_PATH); + #endif + printf("CLEAR_ENV : %d\n", CLEAR_ENV); printf("DEFAULT_UID : %d\n", DEFAULT_UID); printf("DEFAULT_GID : %d\n", DEFAULT_GID); puts(""); @@ -175,31 +228,43 @@ return RC_BAD_OPTION; } + /* we need this check before the loop over the environment, + as we cannot rely on it to be the first env var we find */ + if (NULL != getenv(ENV_DEBUG)) { + setlogmask(LOG_UPTO(LOG_DEBUG)); + syslog(LOG_DEBUG, "activated debug output"); + } + /* Grab stuff from environment, and set defaults. */ - int uid = DEFAULT_UID; - int gid = DEFAULT_GID; + uid_t uid = DEFAULT_UID; + gid_t gid = DEFAULT_GID; char* target = 0; - char* args = 0; char check_gid = 0; char non_resident = 0; char** p = envp; char* s; - char* t; - while(s = *p++) + while(NULL != (s = *p++)) { - /* Target UID. */ if(!strncmp(ENV_UID, s, ENV_UID_LEN)) { uid = atoi(s + ENV_UID_LEN); - if(uid < TARGET_MIN_UID) return RC_TARGET_UID; + if(uid < TARGET_MIN_UID) { + syslog(LOG_ERR, "exiting with RC_TARGET_UID, UID=%d", uid); + return RC_TARGET_UID; + } + syslog(LOG_DEBUG, "target UID is %d", uid); } /* Target GID. */ if(!strncmp(ENV_GID, s, ENV_GID_LEN)) { gid = atoi(s + ENV_GID_LEN); - if(gid < TARGET_MIN_GID) return RC_TARGET_GID; + if(gid < TARGET_MIN_GID) { + syslog(LOG_ERR, "exiting with RC_TARGET_GID, GID=%d", gid); + return RC_TARGET_GID; + } + syslog(LOG_DEBUG, "target GID is %d", gid); } /* Target script. */ @@ -207,7 +272,11 @@ { target = s + ENV_TARGET_LEN; if((target[0] != '/') || strchr(target, '~') || strstr(target, "..") || - strncmp(TARGET_PATH_PREFIX, target, TARGET_PATH_PREFIX_LEN)) return RC_TARGET; + strncmp(TARGET_PATH_PREFIX, target, TARGET_PATH_PREFIX_LEN)) { + syslog(LOG_ERR, "exiting with RC_TARGET, target=%s", target); + return RC_TARGET; + } + syslog(LOG_DEBUG, "TARGET is %s", target); } /* Check GID instead of UID. */ @@ -227,43 +296,97 @@ } /* See if we got all we need. */ - if(!target) return RC_MISSING_CONFIG; + if(!target) { + syslog(LOG_ERR, "exiting with RC_MISSING_CONFIG, no TARGET"); + return RC_MISSING_CONFIG; + } + + #if CHROOT_ENABLED + if( chroot(CHROOT_PATH) ) { + syslog(LOG_ERR, "exiting with RC_NO_CHROOT CHROOT=%s",CHROOT_PATH); + return RC_NO_CHROOT; + } + #endif + + #if CHDIR_PATH_ENABLED + if( chdir(CHDIR_PATH) ) + { + syslog(LOG_ERR, "exiting with RC_NO_CHDIR CHDIR=%s",CHDIR_PATH); + return RC_NO_CHDIR; + } + #endif + + #if CLEAR_ENV + if( clearenv() ) { + syslog(LOG_ERR, "exiting with RC_CANT_CLEAR_ENV"); + return RC_CANT_CLEAR_ENV; + } + #endif + + @UNSET_ENV@ + + @SET_ENV@ /* Fetch user information from passwd. */ struct passwd *pwent = getpwuid(uid); #if REQUIRE_PWENT - if(!pwent) return RC_MISSING_PWENT; + if(!pwent) { + syslog(LOG_ERR, "exiting with RC_MISSING_PWENT, pwent required by config, but not found"); + return RC_MISSING_PWENT; + } #endif + if (pwent) { + syslog(LOG_DEBUG, "pwent found, pw_name=%s", pwent->pw_name); + } + /* Install the SIGTERM handler. */ if(!non_resident) { oldHandler = signal(SIGTERM, sigTermHandler); if(oldHandler == SIG_ERR) return RC_SIGNAL_HANDLER; } - + /* Fork off (or, if we are a non-resident wrapper, just carry on). */ if(non_resident || !(pid = fork())) { /* We're in the child. Drop privileges and set the group list. */ - if(pwent && initgroups(pwent->pw_name, gid)) return RC_SETGID; - if(setgid(gid)) return RC_SETGID; - if(setuid(uid)) return RC_SETUID; + if(pwent && initgroups(pwent->pw_name, gid)) { + syslog(LOG_ERR, "exiting with RC_SETGID, initgroup failed, errno=%d", errno); + return RC_SETGID; + } + if(setgid(gid)) { + syslog(LOG_ERR, "exiting with RC_SETGID, setgid failed, errno=%d", errno); + return RC_SETGID; + } + if(setuid(uid)) { + syslog(LOG_ERR, "exiting with RC_SETUID, setuid failed, errno=%d", errno); + return RC_SETUID; + } /* Stat the target script. */ char uid_ok = 1; struct stat stat_buf; - if(stat(target, &stat_buf)) return RC_STAT; + if(stat(target, &stat_buf)) { + syslog(LOG_ERR, "exiting with RC_STAT, stat failed, errno=%d", errno); + return RC_STAT; + } int modes = stat_buf.st_mode; /* Never allow world-write. */ - if(modes & S_IWOTH) return RC_WORLD_WRITE; + if(modes & S_IWOTH) { + syslog(LOG_ERR, "exiting with RC_WORLD_WRITE, modes=%d", modes); + return RC_WORLD_WRITE; + } /* Only allow user miss-match if check_gid is set. */ if(uid != stat_buf.st_uid) { - if(!check_gid) return RC_WRONG_USER; + if(!check_gid) { + syslog(LOG_ERR, "exiting with RC_WRONG_USER"); + return RC_WRONG_USER; + } uid_ok = 0; } @@ -271,11 +394,18 @@ Also, don't allow if neither user or group match. */ if(gid != stat_buf.st_gid) { - if(modes & S_IWGRP) return RC_GROUP_WRITE; - if(!uid_ok) return RC_WRONG_GROUP; + if(modes & S_IWGRP) { + syslog(LOG_ERR, "exiting with RC_GROUP_WRITE, modes=%d", modes); + return RC_GROUP_WRITE; + } + if(!uid_ok) { + syslog(LOG_ERR, "exiting with RC_WRONG_GROUP"); + return RC_WRONG_GROUP; + } } /* All checks passed, let's become the target! */ + syslog(LOG_NOTICE, "executing target=%s, UID=%d, GID=%d", target, uid, gid); execl(target, target, NULL); return RC_EXEC;

configure.ac:
AC_INIT([wrap], [0.01], [isaleksey@gmail.com], [wrap-tar], [http://isaleksey.blogspot.com]) AM_INIT_AUTOMAKE(wrap, 0.01) AC_PROG_CC AC_HEADER_STDC AC_CHECK_TOOL([STRIP],[strip]) AM_PROG_INSTALL_STRIP AC_CHECK_HEADERS([stdio.h]) AC_CHECK_HEADERS([stdlib.h]) AC_CHECK_HEADERS([string.h]) AC_CHECK_HEADERS([sys/stat.h]) AC_CHECK_HEADERS([sys/wait.h]) AC_CHECK_HEADERS([unistd.h]) AC_CHECK_HEADERS([signal.h]) AC_CHECK_HEADERS([pwd.h]) AC_CHECK_HEADERS([sys/types.h]) AC_CHECK_HEADERS([grp.h]) AC_CHECK_HEADERS([syslog.h]) AC_CHECK_HEADERS([errno.h]) # get program name if test "$program_prefix" = "NONE"; then program_prefix="" fi if test "$program_suffix" = "NONE"; then program_suffix="" fi program_name="${program_prefix}${PACKAGE_NAME}${program_suffix}" # ---------------------------------- enable options ------------------------------------- AC_ARG_ENABLE(,[ Enable/Disable additional features:]) AC_ARG_ENABLE(chroot, [ --enable-chroot Enable Chroot functionality], [chroot_enabled=$enableval]) if test "$chroot_enabled" = "yes"; then chroot_enabled=1 else chroot_enabled=0 fi AC_DEFINE_UNQUOTED(CHROOT_ENABLED, [${chroot_enabled}], [Enable Chroot.]) AC_ARG_ENABLE(clear-env, [ --enable-clear-env Clear all environment variables.], [clear_env_enabled=$enableval]) if test "$clear_env_enabled" = "yes"; then clear_env_enabled=1 else clear_env_enabled=0 fi AC_DEFINE_UNQUOTED(CLEAR_ENV, [${clear_env_enabled}], [Clear all environment variables.]) AC_ARG_ENABLE(syslog, [ --enable-syslog Use syslog to report errors.], [syslog_enabled=$enableval]) if test "$syslog_enabled" = "yes"; then syslog_enabled=1 else syslog_enabled=0 fi AC_DEFINE_UNQUOTED(USE_SYSLOG, [${syslog_enabled}], [Use syslog to report errors.]) AC_ARG_ENABLE(check-gid, [ --enable-check-gid Allow use of the CHECK_GID mode.], [check_gid_enabled=$enableval]) if test "$check_gid_enabled" = "yes"; then check_gid_enabled=1 else check_gid_enabled=0 fi AC_DEFINE_UNQUOTED(ALLOW_CHECKGID, [${check_gid_enabled}], [Allow use of the CHECK_GID mode.]) AC_ARG_ENABLE(pwent, [ --enable-pwent Require users to have pwents (i.e. entries in /etc/passwd or similar).], [pwent_enabled=$enableval]) if test "$pwent_enabled" = "yes"; then pwent_enabled=1 else pwent_enabled=0 fi AC_DEFINE_UNQUOTED(REQUIRE_PWENT, [${pwent_enabled}], [Require users to have pwents (i.e. entries in /etc/passwd or similar).]) ########################################################################################## # check with options AC_ARG_WITH([parent-uid], [AS_HELP_STRING([--with-parent-uid=x], [use parent uid (default is 0)])], [parent_uid=$withval],[parent_uid=0]) AC_DEFINE_UNQUOTED(PARENT_UID, [${parent_uid}], [Our parent must have this UID, or we will abort.]) AC_ARG_WITH([min-uid], [AS_HELP_STRING([--with-min-uid=x], [use minimum target uid (default is 50000)])], [min_uid=$withval],[min_uid=50000]) AC_DEFINE_UNQUOTED(TARGET_MIN_UID, [${min_uid}], [Minimum UID we can switch to.]) AC_ARG_WITH([min-gid], [AS_HELP_STRING([--with-min-gid=x], [use minimum target gid (default is 50000)])], [min_gid=$withval],[min_gid=50000]) AC_DEFINE_UNQUOTED(TARGET_MIN_GID, [${min_gid}], [Minimum GID we can switch to.]) AC_ARG_WITH([target-prefix], [AS_HELP_STRING([--with-target-prefix=DIR], [use target path prefix (default is /bin/)])], [target_path_prefix=$withval],[ if test "$chroot_enabled" = "1"; then target_path_prefix="/bin/" else target_path_prefix="/usr/local/bin/" fi ]) AC_DEFINE_UNQUOTED(TARGET_PATH_PREFIX, ["${target_path_prefix}"], [Path prefix all targets must start with.]) AC_ARG_WITH([chroot-path], [AS_HELP_STRING([--with-chroot-path=DIR], [use chroot jail path (default is /var/tmp/)])], [chroot_path=$withval],[ if test "$chroot_enabled" = "1"; then chroot_path="/var/tmp/" else chroot_path="" fi ]) if test "$chroot_enabled" = "1"; then AC_DEFINE_UNQUOTED(CHROOT_PATH, ["${chroot_path}"], [Chrooted jail path.]) fi chdir_path_enabled=1 AC_ARG_WITH([chdir-path], [AS_HELP_STRING([--with-chdir-path=DIR], [use jail chdir path (default is /)])], [chdir_path=$withval],[ if test "$chroot_enabled" = "1"; then chdir_path="/" else chdir_path="" chdir_path_enabled=0 fi ]) if test "$chdir_path_enabled" = "1"; then if test "x$chdir_path" = "x"; then chdir_path_enabled=0 else AC_DEFINE(CHDIR_PATH_ENABLED,[1],[Chdir enabled]) AC_DEFINE_UNQUOTED(CHDIR_PATH, ["${chdir_path}"], [Jail chdir path.]) fi fi AC_ARG_WITH([default-uid], [AS_HELP_STRING([--with-default-uid=x], [use default uid (default is 50000)])], [default_uid=$withval],[default_uid=50000]) AC_DEFINE_UNQUOTED(DEFAULT_UID, [${default_uid}], [Default UID to switch to, if none given.]) AC_ARG_WITH([default-gid], [AS_HELP_STRING([--with-default-gid=x], [use default gid (default is 50000)])], [default_gid=$withval],[default_gid=50000]) AC_DEFINE_UNQUOTED(DEFAULT_GID, [${default_gid}], [Default GID to switch to, if none given.]) # setup variables AC_ARG_VAR(UNSET_ENV, AS_HELP_STRING([], [ UnSet environment variables from file/string. File with environment/value list (one NAME=VALUE on each line), or environment list ("N1=V1\\nN2=V2\\n..etc.") ])) AC_ARG_VAR(SET_ENV, AS_HELP_STRING([], [ Set environment variables from file/string. File with environment/value list (one NAME=VALUE on each line), or environment list ("N1=V1\\nN2=V2\\n..etc.") ])) # function parse_unset() { local out_v in_v i a arr enter enter="`printf "\r"`" eval "in_v=\$$1" out_v="" if ! test "x$in_v" = "x"; then if @<:@ -f "$in_v" @:>@; then echo "read $1 vars from file: $in_v ..." while read line do if @<:@ "$1" == "UNSET_ENV" @:>@; then a=$(echo $line | tr "=" "\n"); arr=($a) if @<:@ ${#arr} -gt 0 @:>@; then out_v=${out_v}" unset_env_trap(\"${arr@<:@0@:>@}\");$enter" fi else out_v=${out_v}" set_env_trap(\"${line}\");$enter" fi done < "$in_v" else echo "read $1 vars ..." for i in $(printf $in_v); do if @<:@ "$1" == "UNSET_ENV" @:>@; then a=$(echo $i | tr "=" "\n"); arr=($a) if @<:@ ${#arr} -gt 0 @:>@; then out_v=${out_v}" unset_env_trap(\"${arr@<:@0@:>@}\");$enter" fi else out_v=${out_v}" set_env_trap(\"${i}\");$enter" fi done fi fi # end of if ! test "x$1" = "x" eval "$1=\$(echo \$out_v | sed 's/\r/\n/g')" } parse_unset "UNSET_ENV" parse_unset "SET_ENV" # generate config file AC_CONFIG_HEADERS([config.h:config.h.in]) #AC_DEFINE(SYSLOG_NAME, [$PACKAGE_NAME], [SysLog name]) AC_DEFINE_UNQUOTED(SYSLOG_NAME, ["${program_name}"], [SysLog name]) AC_CONFIG_FILES([Makefile]) AC_OUTPUT(execwrap.c) echo echo "------------------------------------------------------------------------" echo "$PACKAGE_NAME $PACKAGE_VERSION" echo "------------------------------------------------------------------------" echo echo "Configuration Options Summary:" echo echo "Install target name: $program_name" echo "CHROOT_ENABLED : $chroot_enabled" echo "USE_SYSLOG : $syslog_enabled" echo "PARENT_UID : $parent_uid" echo "REQUIRE_PWENT : $pwent_enabled" echo "ALLOW_CHECKGID : $check_gid_enabled" echo "TARGET_MIN_UID : $min_uid" echo "TARGET_MIN_GID : $min_gid" echo "DEFAULT_UID : $default_uid" echo "DEFAULT_GID : $default_gid" echo "TARGET_PATH_PREFIX : $target_path_prefix" if test "$chroot_enabled" = "1"; then echo "CHROOT_PATH : $chroot_path" fi if test "$chdir_path_enabled" = "1"; then echo "CHDIR_PATH : $chdir_path" fi echo "CLEAR_ENV : $clear_env_enabled" echo "UNSET_ENV :" echo " $UNSET_ENV" echo "SET_ENV :" echo " $SET_ENV"

Makefile.am:
MAINTAINERCLEANFILES = Makefile.in bin_PROGRAMS = wrap wrap_SOURCES = execwrap.c

build.sh:
#!/bin/bash if [ ! -f NEWS ]; then touch AUTHORS ChangeLog NEWS README fi if [ -f config.h.in ] ; then rm -R .deps autom4te.cache config.log config.status configure \ Makefile Makefile.in config.h config.h.in [ -f wrap ] && rm wrap [ -f execwrap.o ] && rm execwrap.o [ -f execwrap.c ] && rm execwrap.c [ -f stamp-h1 ] && rm stamp-h1 fi if [ ! "$1" == "clear" ] ; then # get patched source if [ ! -f execwrap.c.in ]; then if [ ! -f execwrap-0.5.tar.gz ] ; then wget http://cgit.stbuehler.de/gitosis/execwrap/snapshot/execwrap-0.5.tar.gz fi tar -xvf execwrap-0.5.tar.gz cp execwrap-0.5/execwrap.c ./ rm -R execwrap-0.5 rm execwrap-0.5.tar.gz patch -p0 -i execwrap.patch mv execwrap.c execwrap.c.in fi autoheader aclocal automake --add-missing automake if [ -f Makefile.in ]; then cat Makefile.in | sed -e '/^SET_ENV/d' -e '/^UNSET_ENV/d' > Makefile.out mv Makefile.out Makefile.in fi autoconf fi

Выполним следующие команды:
chmod 755 build.sh
./build.sh

результатом работы будет файл конфигурации:
configure

пример использования:
./configure --prefix=/usr \
    --program-prefix=test- --program-suffix=2 \
    --enable-chroot \
    --with-parent-uid=100 \
    SET_ENV=test1=1\\ntest2=2 \
    UNSET_ENV=testn1=1\\ntestn2=2

где SET_ENV,UNSET_ENV список переменных,
которые нужно установить/очистоить для разделения
переменных используется символ "\\n"

либо пример номер 2:
./configure --prefix=/usr \
    --program-prefix=whois- --program-suffix=2 \
    --with-parent-uid=100 --enable-chroot \
    SET_ENV=test1 \
    UNSET_ENV=test1

где SET_ENV,UNSET_ENV имена файлов, из которых будут браться
списки переменных. По одной в строке name=value.

и наконец выполним:
make
make install-strip

Скачать все файлы (вариант 1)
Скачать все файлы (вариант 2)