| [3225] | 1 | /*
| 2 | Template for a setuid program that calls a script.
| 3 |
| 4 | The script should be in an unwritable directory and should itself
| 5 | be unwritable. In fact all parent directories up to the root
should be unwritable. The script must not be setuid; that is what
| 7 | this program is for.
| 8 |
| 9 | This is a template program. You need to fill in the name of the
| 10 | script that must be executed. This is done by changing the
| 11 | definition of FULL_PATH below.
| 12 |
| 13 | There are also some rules that should be adhered to when writing
| 14 | the script itself.
| 15 |
| 16 | The first and most important rule is to never, ever trust that the
| 17 | user of the program will behave properly. Program defensively.
| 18 | Check your arguments for reasonableness. If the user is allowed to
| 19 | create files, check the names of the files. If the program depends
| 20 | on argv[0] for the action it should perform, check it.
| 21 |
| 22 | Assuming the script is a Bourne shell script, the first line of the
| 23 | script should be
| 24 | #!/bin/sh -
The - is important; don't omit it. It ends option processing, so the script name the kernel appends after it is never parsed as a shell option. If you're using esh, the first
| 26 | line should be
| 27 | #!/usr/local/bin/esh -f
| 28 | and for ksh, the first line should be
| 29 | #!/usr/local/bin/ksh -p
| 30 | The script should then set the variable IFS to the string
| 31 | consisting of <space>, <tab>, and <newline>. After this (*not*
| 32 | before!), the PATH variable should be set to a reasonable value and
| 33 | exported. Do not expect the PATH to have a reasonable value, so do
| 34 | not trust the old value of PATH. You should then set the umask of
| 35 | the program by calling
| 36 | umask 077 # or 022 if you want the files to be readable
| 37 | If you plan to change directories, you should either unset CDPATH
or set it to a good value. Setting CDPATH to just "." (dot) is a
| 39 | good idea.
| 40 | If, for some reason, you want to use csh, the first line should be
| 41 | #!/bin/csh -fb
| 42 | You should then set the path variable to something reasonable,
| 43 | without trusting the inherited path. Here too, you should set the
| 44 | umask using the command
| 45 | umask 077 # or 022 if you want the files to be readable
| 46 | */
| 47 |
| 48 | #include <unistd.h>
| 49 | #include <stdlib.h>
| 50 | #include <stdio.h>
| 51 | #include <sys/types.h>
| 52 | #include <sys/stat.h>
| 53 | #include <string.h>
| 54 |
| 55 | /* CONFIGURATION SECTION */
| 56 |
| 57 | #ifndef FULL_PATH /* so that this can be specified from the Makefile */
| 58 | /* Uncomment the following line:
| 59 | #define FULL_PATH "/full/path/of/script"
| 60 | * Then comment out the #error line. */
| 61 | #error "You must define FULL_PATH somewhere"
| 62 | #endif
| 63 | #ifndef UMASK
| 64 | #define UMASK 077
| 65 | #endif
| 66 |
| 67 | /* END OF CONFIGURATION SECTION */
| 68 |
| 69 | #if defined(__STDC__) && defined(__sgi)
| 70 | #define environ _environ
| 71 | #endif
| 72 |
| 73 | /* don't change def_IFS */
/* NAME=value form: "IFS=" followed by exactly <space>, <tab>, <newline>,
 * the same three characters the header comment tells the script to use.
 * Presumably handed to the script through the environment built in main
 * (not visible here) -- confirm. Deliberately a writable char array rather
 * than const, which environment-array APIs taking char * would require;
 * verify against its use before making it const or static. */
char def_IFS[] = "IFS= \t\n";
| 75 | /* you may want to change def_PATH, but you should really change it in */
| 76 | /* your script */