// This file is part of BOINC. // http://boinc.berkeley.edu // Copyright (C) 2018 University of California // // BOINC is free software; you can redistribute it and/or modify it // under the terms of the GNU Lesser General Public License // as published by the Free Software Foundation, // either version 3 of the License, or (at your option) any later version. // // BOINC is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // See the GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with BOINC. If not, see . // check_security.C #include #include #include #include // getpwnam #include #include #include #include "util.h" #include "error_numbers.h" #include "file_names.h" #include "filesys.h" #ifdef __WXMAC__ // If Mac BOINC Manager #include "mac_util.h" #endif #ifdef __APPLE__ // If Mac BOINC Manager #include "mac_branding.h" bool IsUserInGroup(char* groupName); #endif static int CheckNestedDirectories( char * basepath, int depth, int use_sandbox, int isManager, char * path_to_error, int len ); #if (! defined(__WXMAC__) && ! defined(_MAC_INSTALLER)) static char * PersistentFGets(char *buf, size_t buflen, FILE *f); static void GetPathToThisProcess(char* outbuf, size_t maxLen); #endif #define REAL_BOINC_MASTER_NAME "boinc_master" #define REAL_BOINC_PROJECT_NAME "boinc_project" static char boinc_master_user_name[64]; static char boinc_master_group_name[64]; static char boinc_project_user_name[64]; static char boinc_project_group_name[64]; static gid_t boinc_master_gid, boinc_project_gid; static uid_t boinc_master_uid, boinc_project_uid; // Called from BOINC Manager, BOINC Client and Installer. // Returns FALSE (0) if owners and permissions are OK, else TRUE (1) int check_security( #ifdef _MAC_INSTALLER char *bundlePath, char *dataPath, // These arguments are used only when called from the Installer #endif int use_sandbox, int isManager, char* path_to_error, int len ) { passwd *pw; group *grp; gid_t egid; uid_t euid; char dir_path[MAXPATHLEN], full_path[MAXPATHLEN]; struct stat sbuf; int retval; int useFakeProjectUserAndGroup = 0; useFakeProjectUserAndGroup = ! use_sandbox; #ifdef _DEBUG #ifdef DEBUG_WITH_FAKE_PROJECT_USER_AND_GROUP useFakeProjectUserAndGroup = 1; #endif #if (defined(__APPLE__) && ! defined(_MAC_INSTALLER)) // Debugging Mac client or Mac BOINC Manager // Normally, the Mac Development (Debug) builds do not define SANDBOX, so // check_security() is never called. However, it is possible to use GDB // or LLDB on sandbox-specific code, as long as the code is run as the // current user (i.e., not as boinc_master or boinc_project), and the // current user is a member of both groups boinc_master and boinc_project. // Note that this newer approach supersedes the old one described and // implemented below. But since it has not been thoroughly tested, I have // not removed the old code. if (IsUserInGroup(REAL_BOINC_MASTER_NAME) && IsUserInGroup(REAL_BOINC_PROJECT_NAME)) { return 0; } else { return -1099; } #endif #endif // _DEBUG // GDB can't attach to applications which are running as a diferent user or group so // it ignores the S_ISUID and S_ISGID permisison bits when launching an application. // To work around this, and to allow testing the uninstalled Deployment version, we // assume that the BOINC Client has the correct user and group. // We must get the BOINC Client's user and group differently depending on whether we // were called from the Manager or from the Client #ifdef __WXMAC__ // If Mac BOINC Manager // Get the full path to BOINC Manager application's bundle getPathToThisApp(dir_path, sizeof(dir_path)); #elif defined (_MAC_INSTALLER) strlcpy(dir_path, bundlePath, sizeof(dir_path)); #endif if (use_sandbox) { #if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If called from Mac BOINC Manager or installer // Get the full path to BOINC Client inside this application's bundle snprintf(full_path, sizeof(full_path), "%s/Contents/Resources/boinc", dir_path ); #else if (isManager) { // If called from BOINC Manager but not on Mac getcwd(full_path, sizeof(full_path)); // Assume Client is in current directory strlcat(full_path, "/boinc", sizeof(full_path)); } else // If called from BOINC Client GetPathToThisProcess(full_path, sizeof(full_path)); #endif retval = stat(full_path, &sbuf); if (retval) return -1004; // Should never happen if ((sbuf.st_mode & (S_ISUID | S_ISGID)) != (S_ISUID | S_ISGID)) return -1005; boinc_master_uid = sbuf.st_uid; boinc_master_gid = sbuf.st_gid; #ifdef __WXMAC__ if (!IsUserInGroup(REAL_BOINC_MASTER_NAME)) return -1099; #endif } else { boinc_master_uid = geteuid(); boinc_master_gid = getegid(); } #ifdef _MAC_INSTALLER // Require absolute owner and group boinc_master:boinc_master strlcpy(boinc_master_user_name, REAL_BOINC_MASTER_NAME, sizeof(boinc_master_user_name)); pw = getpwnam(boinc_master_user_name); if (pw == NULL) return -1006; // User boinc_master does not exist boinc_master_uid = pw->pw_uid; strlcpy(boinc_master_group_name, REAL_BOINC_MASTER_NAME, sizeof(boinc_master_group_name)); grp = getgrnam(boinc_master_group_name); if (grp == NULL) return -1007; // Group boinc_master does not exist boinc_master_gid = grp->gr_gid; #else // Use current user and group (see comment above) pw = getpwuid(boinc_master_uid); if (pw == NULL) return -1008; // Should never happen strlcpy(boinc_master_user_name, pw->pw_name, sizeof(boinc_master_user_name)); grp = getgrgid(boinc_master_gid); if (grp == NULL) return -1009; strlcpy(boinc_master_group_name, grp->gr_name, sizeof(boinc_master_group_name)); #endif if (useFakeProjectUserAndGroup) { // For easier debugging of project applications strlcpy(boinc_project_user_name, boinc_master_user_name, sizeof(boinc_project_user_name)); strlcpy(boinc_project_group_name, boinc_master_group_name, sizeof(boinc_project_group_name)); boinc_project_uid = boinc_master_uid; boinc_project_gid = boinc_master_gid; } else { strlcpy(boinc_project_user_name, REAL_BOINC_PROJECT_NAME, sizeof(boinc_project_user_name)); pw = getpwnam(boinc_project_user_name); if (pw == NULL) return -1010; // User boinc_project does not exist boinc_project_uid = pw->pw_uid; strlcpy(boinc_project_group_name, REAL_BOINC_PROJECT_NAME, sizeof(boinc_project_group_name)); grp = getgrnam(boinc_project_group_name); if (grp == NULL) return -1011; // Group boinc_project does not exist boinc_project_gid = grp->gr_gid; } #if 0 // Manager is no longer setgid #if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If Mac BOINC Manager or installer // Get the full path to BOINC Manager executable // inside this application's bundle // snprintf(full_path, sizeof(full_path), "%s/Contents/MacOS/", dir_path); // To allow for branding, assume name of executable inside bundle // is same as name of bundle // p = strrchr(dir_path, '/'); // Assume name of executable inside bundle is same as name of bundle if (p == NULL) p = dir_path - 1; strlcat(full_path, p+1, sizeof(full_path)); p = strrchr(full_path, '.'); // Strip off bundle extension (".app") if (p) *p = '\0'; retval = lstat(full_path, &sbuf); if (retval) return -1013; // Should never happen if (sbuf.st_gid != boinc_master_gid) return -1014; if (use_sandbox) { if ((sbuf.st_mode & S_ISGID) != S_ISGID) return -1015; } #endif #endif // Manager is no longer setgid #ifdef _MAC_INSTALLER // Require absolute owner and group boinc_master:boinc_master // Get the full path to BOINC Client inside this application's bundle // snprintf(full_path, sizeof(full_path), "%s/Contents/Resources/boinc", dir_path ); retval = stat(full_path, &sbuf); if (retval) return -1016; // Should never happen if (sbuf.st_gid != boinc_master_gid) return -1017; if (sbuf.st_uid != boinc_master_uid) return -1018; #endif #if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If Mac BOINC Manager or installer // Version 6 screensaver has its own embedded switcher application, but older versions don't. // We don't allow unauthorized users to run the standard switcher application in the BOINC // Data directory because they could use it to run as user & group boinc_project and damage // project files. The screensaver's gfx_switcher application has very limited functionality // to avoid this risk. if (use_sandbox) { for (int i=0; i 1) && (errno == EACCES)) { return 0; } else { retval = -1200; } } while (dirp) { // Skip this if dirp == NULL, else loop until break dp = readdir(dirp); if (dp == NULL) break; // End of list if (dp->d_name[0] == '.') continue; // Ignore names beginning with '.' snprintf(full_path, sizeof(full_path), "%s/%s", basepath, dp->d_name); retval = lstat(full_path, &sbuf); if (retval) break; // Should never happen isDirectory = S_ISDIR(sbuf.st_mode); if (!S_ISLNK(sbuf.st_mode)) { // The system ignores ownership & permissions of symbolic links if (depth > 1) { // files and subdirectories created by projects may have owner boinc_master or boinc_project if ( (sbuf.st_uid != boinc_master_uid) && (sbuf.st_uid != boinc_project_uid) ) { retval = -1202; break; } } else { // project & slot directories (projects/setiathome.berkeley.edu, slots/0 etc.) // must have owner boinc_master if (sbuf.st_uid != boinc_master_uid) { retval = -1202; break; } } if (use_sandbox) { if (sbuf.st_gid != boinc_project_gid) { retval = -1201; break; } if (isDirectory) { if (depth == 1) { // project & slot directories (projects/setiathome.berkeley.edu, slots/0 etc.) // must be readable & executable by other if ((sbuf.st_mode & 0777) != 0775) { retval = -1203; break; } #if 0 // We may enforce permissions later for subdirectories written by project applications } else { // subdirectories created by projects may be executable by other or not if ((sbuf.st_mode & 0770) != 0770) { retval = -1203; break; } #endif } #if 0 // We may enforce permissions later for files written by project applications } else { // ! isDirectory if ((sbuf.st_mode & 0666) != 0660) { retval = -1204; break; } #endif } } // if (use_sandbox) } // if (!S_ISLNK(sbuf.st_mode)) if (isDirectory && !S_ISLNK(sbuf.st_mode)) { if (use_sandbox && (depth > 1)) { #if 0 // No longer check project-created subdirectories under project or slot directories // because we have not told projects these must be readable and executable by group if ((! isManager) && (sbuf.st_uid != boinc_master_uid)) #endif continue; // Client can't check subdirectories owned by boinc_project } retval = CheckNestedDirectories(full_path, depth + 1, use_sandbox, isManager, path_to_error, len); if (retval) break; } } // End while (true) if (dirp) { closedir(dirp); } if (retval && !errShown) { fprintf(stderr, "Permissions error %d at %s\n", retval, full_path); if (path_to_error) { strlcpy(path_to_error, full_path, len); } errShown = 1; } return retval; } #if (! defined(__WXMAC__) && ! defined(_MAC_INSTALLER)) static char * PersistentFGets(char *buf, size_t buflen, FILE *f) { char *p = buf; size_t len = buflen; size_t datalen = 0; *buf = '\0'; while (datalen < (buflen - 1)) { fgets(p, len, f); if (feof(f)) break; if (ferror(f) && (errno != EINTR)) break; if (strchr(buf, '\n')) break; datalen = strlen(buf); p = buf + datalen; len -= datalen; } return (buf[0] ? buf : NULL); } static void GetPathToThisProcess(char* outbuf, size_t maxLen) { FILE *f; char buf[256], *p, *q; pid_t aPID = getpid(); *outbuf = '\0'; sprintf(buf, "ps -xwo command -p %d", (int)aPID); f = popen(buf, "r"); if (f == NULL) return; PersistentFGets (outbuf, maxLen, f); // Discard header line PersistentFGets (outbuf, maxLen, f); pclose(f); // Remove trailing newline if present p = strchr(outbuf, '\n'); if (p) *p = '\0'; // Strip off any arguments p = strstr(outbuf, " -"); q = p; if (p) { while (*p == ' ') { q = p; if (--p < outbuf) break; } } if (q) *q = '\0'; } #endif #ifdef __APPLE__ // If Mac BOINC Manager bool IsUserInGroup(char* groupName) { group *grp; gid_t rgid; char *userName, *groupMember; int i; grp = getgrnam(groupName); if (grp) { rgid = getgid(); if (rgid == grp->gr_gid) { return true; // User's primary group is boinc_master } // On some systems with Automatic Login set, getlogin() returns "root" for a // time after the system is first booted, so we check "USER" environment variable. userName = getenv("USER"); if (userName) { for (i=0; ; i++) { // Step through all users in group boinc_master groupMember = grp->gr_mem[i]; if (groupMember == NULL) return false; // User is not a member of group boinc_master if (strcmp(userName, groupMember) == 0) { return true; // User is a member of group boinc_master } } // for (i) } // if (userName) } // if grp return false; } #endif // __WXMAC__