1
/* IVLE - Informatics Virtual Learning Environment
2
* Copyright (C) 2007-2008 The University of Melbourne
4
* This program is free software; you can redistribute it and/or modify
5
* it under the terms of the GNU General Public License as published by
6
* the Free Software Foundation; either version 2 of the License, or
7
* (at your option) any later version.
9
* This program is distributed in the hope that it will be useful,
10
* but WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
* GNU General Public License for more details.
14
* You should have received a copy of the GNU General Public License
15
* along with this program; if not, write to the Free Software
16
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19
* Author: Tom Conway, Matt Giuca
22
* This program runs a given program in a given working dir.
23
* First, it chroots to a jail path and setuids to a given user ID.
24
* This is intented to provide a safe execution environment for arbitrary
25
* programs and services.
27
* Scripts (such as Python programs) should be executed by supplying
28
* "/usr/bin/python" as the program, and the script as the first argument.
30
* Must run as root. Will safely setuid to the supplied uid, checking that it
31
* is not root. Recommended that the file is set up as follows:
32
* sudo chown root:root trampoline; sudo chroot +s trampoline
43
#include <sys/mount.h>
44
#include <sys/types.h>
47
#include <sys/resource.h>
52
/* conf.h is admin-configured by the setup process.
53
* It defines jail_base.
59
/* Returns TRUE if the given uid is allowed to execute trampoline.
60
* Only root or the web server should be allowed to execute.
61
* This is determined by the whitelist allowed_uids in conf.h.
63
int uid_allowed(int uid)
66
/* root is always allowed to execute trampoline */
69
/* loop over all allowed_uids */
70
for (i=(sizeof(allowed_uids)/sizeof(*allowed_uids))-1; i>=0; i--)
72
if (allowed_uids[i] == uid)
75
/* default to disallowing */
79
/* Turn the process into a daemon using the standard
86
/* already a daemon */
87
if ( getppid() == 1 ) return;
89
/* Fork off the parent process */
94
/* If we got a good PID, then we can exit the parent process. */
99
/* At this point we are executing as the child process */
101
/* Change the file mode mask */
104
/* Create a new SID for the child process */
110
/* Change the current working directory. This prevents the current
111
directory from being locked; hence not being able to remove it. */
112
if ((chdir("/")) < 0) {
116
/* Redirect standard files to /dev/null */
117
freopen( "/dev/null", "r", stdin);
118
freopen( "/dev/null", "w", stdout);
119
freopen( "/dev/null", "w", stderr);
122
static void usage(const char* nm)
125
"usage: %s [-d] [-u] <uid> <base> <src> <system> <jail> <cwd> <program> [args...]\n", nm);
126
fprintf(stderr, " -d \tDaemonize\n");
127
fprintf(stderr, " -u \tPrint usage\n");
128
fprintf(stderr, " <uid> \tUID to run program as\n");
129
fprintf(stderr, " <base> \tDirectory that jails will be mounted in\n");
130
fprintf(stderr, " <src> \tDirectory containing users jail data\n");
131
fprintf(stderr, " <system> \tDirectory containing main jail file system\n");
132
fprintf(stderr, " <jail> \tDirectory of users mounted jail\n");
133
fprintf(stderr, " <cwd> \tDirectory inside the jail to change dir to\n");
134
fprintf(stderr, " <program>\tProgram inside jail to execute\n");
138
#ifdef IVLE_AUFS_JAILS
139
/* Die more pleasantly if mallocs fail. */
140
void *die_if_null(void *ptr)
144
perror("not enough memory");
150
int checked_mount(const char *source, const char *target,
151
const char *filesystemtype, unsigned long mountflags,
154
int result = mount(source, target, filesystemtype, mountflags, data);
157
syslog(LOG_ERR, "could not mount %s on %s\n", source, target);
158
perror("could not mount");
166
/* Find the path of the user components of a jail, given a mountpoint. */
167
char *jail_src(const char *jail_src_base, const char *jail_base,
168
const char *jailpath)
174
srclen = strlen(jail_src_base);
175
dstlen = strlen(jail_base);
177
src = die_if_null(malloc(strlen(jailpath) + (srclen - dstlen) + 1));
178
strcpy(src, jail_src_base);
179
strcat(src, jailpath+dstlen);
184
/* Check for the validity of a jail in the given path, mounting it if it looks
186
* TODO: Updating /etc/mtab would be nice. */
187
void mount_if_needed(const char *jail_src_base, const char *jail_base,
188
const char *jail_system, const char *jailpath)
195
/* Check if there is something useful in the jail. If not, it's probably
197
jaillib = die_if_null(malloc(strlen(jailpath) + 5));
198
sprintf(jaillib, "%s/lib", jailpath);
200
if (access(jaillib, F_OK))
202
/* No /lib? Mustn't be mounted. Mount it, creating the dir if needed. */
203
if (access(jailpath, F_OK))
205
if(mkdir(jailpath, 0755))
207
syslog(LOG_ERR, "could not create mountpoint %s\n", jailpath);
208
perror("could not create jail mountpoint");
211
syslog(LOG_NOTICE, "created mountpoint %s\n", jailpath);
214
jailsrc = jail_src(jail_src_base, jail_base, jailpath);
215
checked_mount(jail_system, jailpath, NULL, MS_BIND | MS_RDONLY, NULL);
217
source_bits = die_if_null(malloc(strlen(jailsrc) + 5 + 1));
218
target_bits = die_if_null(malloc(strlen(jailpath) + 5 + 1));
219
sprintf(source_bits, "%s/home", jailsrc);
220
sprintf(target_bits, "%s/home", jailpath);
222
checked_mount(source_bits, target_bits, NULL, MS_BIND, NULL);
224
sprintf(source_bits, "%s/tmp", jailsrc);
225
sprintf(target_bits, "%s/tmp", jailpath);
227
checked_mount(source_bits, target_bits, NULL, MS_BIND, NULL);
229
syslog(LOG_INFO, "mounted %s\n", jailpath);
238
#endif /* IVLE_AUFS_JAILS */
240
/* Unsets any signal mask applied by the parent process */
241
int unmask_signals(void)
245
sigset = die_if_null(malloc(sizeof(sigset_t)));
247
result = sigprocmask(SIG_SETMASK, sigset, NULL);
249
printf("%d", result);
253
int main(int argc, char* const argv[])
267
char canonical_jailpath[PATH_MAX];
269
/* Disallow execution from all users but the whitelisted ones, and root */
270
if (!uid_allowed(getuid()))
272
fprintf(stderr, "only the web server may execute trampoline\n");
276
/* Args check and usage */
282
if (strcmp(argv[arg_num], "-d") == 0)
292
if (strcmp(argv[arg_num], "-u") == 0)
301
uid = atoi(argv[arg_num++]);
302
jail_base = argv[arg_num++];
303
jail_src_base = argv[arg_num++];
304
jail_system = argv[arg_num++];
305
jailpath = argv[arg_num++];
306
work_dir = argv[arg_num++];
307
prog = argv[arg_num];
308
args = argv + arg_num;
310
/* Disallow suiding to the root user */
313
fprintf(stderr, "cannot set up a jail as root\n");
317
/* Jail path must be an absolute path,
318
* and it must begin with jail_base.
320
if (norm(canonical_jailpath, PATH_MAX, jailpath) != 0)
322
fprintf(stderr, "bad jail path: %s\n", jailpath);
325
if (strncmp(canonical_jailpath, jail_base, strlen(jail_base)))
327
fprintf(stderr, "bad jail path: %s\n", jailpath);
331
openlog("trampoline", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_USER);
333
#ifdef IVLE_AUFS_JAILS
334
mount_if_needed(jail_src_base, jail_base, jail_system, canonical_jailpath);
335
#endif /* IVLE_AUFS_JAILS */
337
/* chroot into the jail.
338
* Henceforth this process, and its children, cannot see anything above
339
* canoncial_jailpath. */
340
if (chroot(canonical_jailpath))
342
syslog(LOG_ERR, "chroot to %s failed\n", canonical_jailpath);
344
perror("could not chroot");
348
/* chdir into the specified working directory */
351
perror("could not chdir");
355
/* setuid to the given user ID.
356
* Henceforth we will be running as this user instead of root.
360
perror("could not setgid");
365
if (setgroups(1, groups))
367
perror("could not setgroups");
373
perror("could not setuid");
377
/* set user resource limits */
381
/* Process adress space in memory */
382
l.rlim_cur = 448 * 1024 * 1024; /* 512MiB - 64MiB */
383
l.rlim_max = 512 * 1024 * 1024; /* 512MiB */
384
if (setrlimit(RLIMIT_AS, &l))
386
perror("could not setrlimit/RLIMIT_AS");
390
/* Process data segment in memory
391
* Note: This requires a kernel patch to work correctly otherwise it is
392
* ineffective (thus you are only limited by RLIMIT_AS)
394
l.rlim_cur = 448 * 1024 * 1024; /* 512MiB - 64MiB */
395
l.rlim_max = 512 * 1024 * 1024; /* 512MiB */
396
if (setrlimit(RLIMIT_DATA, &l))
398
perror("could not setrlimit/RLIMIT_DATA");
403
l.rlim_cur = 0; /* No core files */
404
l.rlim_max = 0; /* No core files */
405
if (setrlimit(RLIMIT_CORE, &l))
407
perror("could not setrlimit/RLIMIT_CORE");
412
l.rlim_cur = 25; /* 25 Seconds */
413
l.rlim_max = 30; /* 30 Seconds */
414
if (setrlimit(RLIMIT_CPU, &l))
416
perror("could not setrlimit/RLIMIT_CPU");
421
l.rlim_cur = 64 * 1024 * 1024; /* 64MiB */
422
l.rlim_max = 72 * 1024 * 1024; /* 72MiB */
423
if (setrlimit(RLIMIT_FSIZE, &l))
425
perror("could not setrlimit/RLIMIT_FSIZE");
429
/* Number of Processes */
432
if (setrlimit(RLIMIT_NPROC, &l))
434
perror("could not setrlimit/RLIMIT_NPROC");
439
/* Remove any signal handler masks so we can send signals to the child */
442
perror("could not unmask signals");
446
/* If everything was OK daemonize (if required) */
452
/* exec (replace this process with the a new instance of the target
453
* program). Pass along all the arguments.
454
* Note that for script execution, the "program" will be the interpreter,
455
* and the first argument will be the script. */
458
/* nb exec won't return unless there was an error */
459
syslog(LOG_ERR, "exec of %s in %s failed", prog, canonical_jailpath);
461
perror("could not exec");
added
removed
bin/trampoline/trampoline.c
