1
/* IVLE - Informatics Virtual Learning Environment
2
* Copyright (C) 2007-2008 The University of Melbourne
4
* This program is free software; you can redistribute it and/or modify
5
* it under the terms of the GNU General Public License as published by
6
* the Free Software Foundation; either version 2 of the License, or
7
* (at your option) any later version.
9
* This program is distributed in the hope that it will be useful,
10
* but WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
* GNU General Public License for more details.
14
* You should have received a copy of the GNU General Public License
15
* along with this program; if not, write to the Free Software
16
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19
* Author: Tom Conway, Matt Giuca
22
* This program runs a given program in a given working dir.
23
* First, it chroots to a jail path and setuids to a given user ID.
24
* This is intented to provide a safe execution environment for arbitrary
25
* programs and services.
27
* Scripts (such as Python programs) should be executed by supplying
28
* "/usr/bin/python" as the program, and the script as the first argument.
30
* Usage: trampoline uid jail-path working-path program [args...]
31
* Must run as root. Will safely setuid to the supplied uid, checking that it
32
* is not root. Recommended that the file is set up as follows:
33
* sudo chown root:root trampoline; sudo chroot +s trampoline
43
#include <sys/mount.h>
44
#include <sys/types.h>
47
#include <sys/resource.h>
51
/* conf.h is admin-configured by the setup process.
52
* It defines jail_base.
58
/* Returns TRUE if the given uid is allowed to execute trampoline.
59
* Only root or the web server should be allowed to execute.
60
* This is determined by the whitelist allowed_uids in conf.h.
62
int uid_allowed(int uid)
65
/* root is always allowed to execute trampoline */
68
/* loop over all allowed_uids */
69
for (i=(sizeof(allowed_uids)/sizeof(*allowed_uids))-1; i>=0; i--)
71
if (allowed_uids[i] == uid)
74
/* default to disallowing */
78
/* Turn the process into a daemon using the standard
85
/* already a daemon */
86
if ( getppid() == 1 ) return;
88
/* Fork off the parent process */
93
/* If we got a good PID, then we can exit the parent process. */
98
/* At this point we are executing as the child process */
100
/* Change the file mode mask */
103
/* Create a new SID for the child process */
109
/* Change the current working directory. This prevents the current
110
directory from being locked; hence not being able to remove it. */
111
if ((chdir("/")) < 0) {
115
/* Redirect standard files to /dev/null */
116
freopen( "/dev/null", "r", stdin);
117
freopen( "/dev/null", "w", stdout);
118
freopen( "/dev/null", "w", stderr);
121
static void usage(const char* nm)
124
"usage: %s [-d] [-u] <uid> <jail> <cwd> <program> [args...]\n", nm);
128
#ifdef IVLE_AUFS_JAILS
129
/* Die more pleasantly if mallocs fail. */
130
void *die_if_null(void *ptr)
134
perror("not enough memory");
140
/* Find the path of the user components of a jail, given a mountpoint. */
141
char *jail_src(const char* jailpath)
147
srclen = strlen(jail_src_base);
148
dstlen = strlen(jail_base);
150
src = die_if_null(malloc(strlen(jailpath) + (srclen - dstlen) + 1));
151
strcpy(src, jail_src_base);
152
strcat(src, jailpath+dstlen);
157
/* Check for the validity of a jail in the given path, mounting it if it looks
159
* TODO: Updating /etc/mtab would be nice. */
160
void mount_if_needed(const char* jailpath)
166
/* Check if there is something useful in the jail. If not, it's probably
168
jaillib = die_if_null(malloc(strlen(jailpath) + 5));
169
sprintf(jaillib, "%s/lib", jailpath);
171
if (access(jaillib, F_OK))
173
/* No /lib? Mustn't be mounted. Mount it, creating the dir if needed. */
174
if (access(jailpath, F_OK))
176
if(mkdir(jailpath, 0755))
178
syslog(LOG_ERR, "could not create mountpoint %s\n", jailpath);
179
perror("could not create jail mountpoint");
182
syslog(LOG_NOTICE, "created mountpoint %s\n", jailpath);
185
jailsrc = jail_src(jailpath);
186
mountdata = die_if_null(malloc(3 + strlen(jailsrc) + 4 + strlen(jail_system) + 3 + 1));
187
sprintf(mountdata, "br:%s=rw:%s=ro", jailsrc, jail_system);
188
if (mount("none", jailpath, "aufs", 0, mountdata))
190
syslog(LOG_ERR, "could not mount %s\n", jailpath);
191
perror("could not mount");
195
syslog(LOG_INFO, "mounted %s\n", jailpath);
203
#endif /* IVLE_AUFS_JAILS */
205
/* Unsets any signal mask applied by the parent process */
206
int unmask_signals(void)
210
sigset = die_if_null(malloc(sizeof(sigset_t)));
212
result = sigprocmask(SIG_SETMASK, sigset, NULL);
214
printf("%d", result);
218
int main(int argc, char* const argv[])
228
char canonical_jailpath[PATH_MAX];
230
/* Disallow execution from all users but the whitelisted ones, and root */
231
if (!uid_allowed(getuid()))
233
fprintf(stderr, "only the web server may execute trampoline\n");
237
/* Args check and usage */
243
if (strcmp(argv[arg_num], "-d") == 0)
253
if (strcmp(argv[arg_num], "-u") == 0)
262
uid = atoi(argv[arg_num++]);
263
jailpath = argv[arg_num++];
264
work_dir = argv[arg_num++];
265
prog = argv[arg_num];
266
args = argv + arg_num;
268
/* Disallow suiding to the root user */
271
fprintf(stderr, "cannot set up a jail as root\n");
275
/* Jail path must be an absolute path,
276
* and it must begin with jail_base.
278
if (norm(canonical_jailpath, PATH_MAX, jailpath) != 0)
280
fprintf(stderr, "bad jail path: %s\n", jailpath);
283
if (strncmp(canonical_jailpath, jail_base, strlen(jail_base)))
285
fprintf(stderr, "bad jail path: %s\n", jailpath);
289
openlog("trampoline", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_USER);
291
#ifdef IVLE_AUFS_JAILS
292
mount_if_needed(canonical_jailpath);
293
#endif /* IVLE_AUFS_JAILS */
295
/* chroot into the jail.
296
* Henceforth this process, and its children, cannot see anything above
297
* canoncial_jailpath. */
298
if (chroot(canonical_jailpath))
300
syslog(LOG_ERR, "chroot to %s failed\n", canonical_jailpath);
302
perror("could not chroot");
306
/* chdir into the specified working directory */
309
perror("could not chdir");
313
/* setuid to the given user ID.
314
* Henceforth we will be running as this user instead of root.
318
perror("could not setgid");
324
perror("could not setuid");
328
/* set user resource limits */
332
/* Process adress space in memory */
333
l.rlim_cur = 192 * 1024 * 1024; /* 192MiB */
334
l.rlim_max = 256 * 1024 * 1024; /* 256MiB */
335
if (setrlimit(RLIMIT_AS, &l))
337
perror("could not setrlimit/RLIMIT_AS");
341
/* Process data segment in memory
342
* Note: This requires a kernel patch to work correctly otherwise it is
343
* ineffective (thus you are only limited by RLIMIT_AS)
345
l.rlim_cur = 192 * 1024 * 1024; /* 192MiB */
346
l.rlim_max = 256 * 1024 * 1024; /* 256MiB */
347
if (setrlimit(RLIMIT_DATA, &l))
349
perror("could not setrlimit/RLIMIT_DATA");
354
l.rlim_cur = 0; /* No core files */
355
l.rlim_max = 0; /* No core files */
356
if (setrlimit(RLIMIT_CORE, &l))
358
perror("could not setrlimit/RLIMIT_CORE");
363
l.rlim_cur = 25; /* 25 Seconds */
364
l.rlim_max = 30; /* 30 Seconds */
365
if (setrlimit(RLIMIT_CPU, &l))
367
perror("could not setrlimit/RLIMIT_CPU");
372
l.rlim_cur = 64 * 1024 * 1024; /* 64MiB */
373
l.rlim_max = 72 * 1024 * 1024; /* 72MiB */
374
if (setrlimit(RLIMIT_FSIZE, &l))
376
perror("could not setrlimit/RLIMIT_FSIZE");
381
/* Remove any signal handler masks so we can send signals to the child */
384
perror("could not unmask signals");
388
/* If everything was OK daemonize (if required) */
394
/* exec (replace this process with the a new instance of the target
395
* program). Pass along all the arguments.
396
* Note that for script execution, the "program" will be the interpreter,
397
* and the first argument will be the script. */
400
/* nb exec won't return unless there was an error */
401
syslog(LOG_ERR, "exec of %s in %s failed", prog, canonical_jailpath);
403
perror("could not exec");
added
removed
trampoline/trampoline.c
