boinc/client/check_security.cpp

698 lines
23 KiB
C++

// This file is part of BOINC.
// http://boinc.berkeley.edu
// Copyright (C) 2018 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation,
// either version 3 of the License, or (at your option) any later version.
//
// BOINC is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC. If not, see <http://www.gnu.org/licenses/>.
// check_security.C
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h> // getpwnam
#include <grp.h>
#include <dirent.h>
#include <cerrno>
#include "util.h"
#include "error_numbers.h"
#include "file_names.h"
#include "filesys.h"
#ifdef __WXMAC__ // If Mac BOINC Manager
#include "mac_util.h"
#endif
#ifdef __APPLE__ // If Mac BOINC Manager
#include "mac_branding.h"
bool IsUserInGroup(char* groupName);
#endif
static int CheckNestedDirectories(
char * basepath, int depth,
int use_sandbox, int isManager,
char * path_to_error,
int len
);
#if (! defined(__WXMAC__) && ! defined(_MAC_INSTALLER))
static char * PersistentFGets(char *buf, size_t buflen, FILE *f);
static void GetPathToThisProcess(char* outbuf, size_t maxLen);
#endif
#define REAL_BOINC_MASTER_NAME "boinc_master"
#define REAL_BOINC_PROJECT_NAME "boinc_project"
static char boinc_master_user_name[64];
static char boinc_master_group_name[64];
static char boinc_project_user_name[64];
static char boinc_project_group_name[64];
static gid_t boinc_master_gid, boinc_project_gid;
static uid_t boinc_master_uid, boinc_project_uid;
// Called from BOINC Manager, BOINC Client and Installer.
// Returns FALSE (0) if owners and permissions are OK, else TRUE (1)
int check_security(
#ifdef _MAC_INSTALLER
char *bundlePath, char *dataPath, // These arguments are used only when called from the Installer
#endif
int use_sandbox, int isManager, char* path_to_error, int len
) {
passwd *pw;
group *grp;
gid_t egid;
uid_t euid;
char dir_path[MAXPATHLEN], full_path[MAXPATHLEN];
struct stat sbuf;
int retval;
int useFakeProjectUserAndGroup = 0;
useFakeProjectUserAndGroup = ! use_sandbox;
#ifdef _DEBUG
#ifdef DEBUG_WITH_FAKE_PROJECT_USER_AND_GROUP
useFakeProjectUserAndGroup = 1;
#endif
#if (defined(__APPLE__) && ! defined(_MAC_INSTALLER))
// Debugging Mac client or Mac BOINC Manager
// Normally, the Mac Development (Debug) builds do not define SANDBOX, so
// check_security() is never called. However, it is possible to use GDB
// or LLDB on sandbox-specific code, as long as the code is run as the
// current user (i.e., not as boinc_master or boinc_project), and the
// current user is a member of both groups boinc_master and boinc_project.
// Note that this newer approach supersedes the old one described and
// implemented below. But since it has not been thoroughly tested, I have
// not removed the old code.
if (IsUserInGroup(REAL_BOINC_MASTER_NAME) && IsUserInGroup(REAL_BOINC_PROJECT_NAME)) {
return 0;
} else {
return -1099;
}
#endif
#endif // _DEBUG
// GDB can't attach to applications which are running as a diferent user or group so
// it ignores the S_ISUID and S_ISGID permisison bits when launching an application.
// To work around this, and to allow testing the uninstalled Deployment version, we
// assume that the BOINC Client has the correct user and group.
// We must get the BOINC Client's user and group differently depending on whether we
// were called from the Manager or from the Client
#ifdef __WXMAC__ // If Mac BOINC Manager
// Get the full path to BOINC Manager application's bundle
getPathToThisApp(dir_path, sizeof(dir_path));
#elif defined (_MAC_INSTALLER)
strlcpy(dir_path, bundlePath, sizeof(dir_path));
#endif
if (use_sandbox) {
#if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If called from Mac BOINC Manager or installer
// Get the full path to BOINC Client inside this application's bundle
snprintf(full_path, sizeof(full_path),
"%s/Contents/Resources/boinc", dir_path
);
#else
if (isManager) { // If called from BOINC Manager but not on Mac
getcwd(full_path, sizeof(full_path));
// Assume Client is in current directory
strlcat(full_path, "/boinc", sizeof(full_path));
} else
// If called from BOINC Client
GetPathToThisProcess(full_path, sizeof(full_path));
#endif
retval = stat(full_path, &sbuf);
if (retval)
return -1004; // Should never happen
if ((sbuf.st_mode & (S_ISUID | S_ISGID)) != (S_ISUID | S_ISGID))
return -1005;
boinc_master_uid = sbuf.st_uid;
boinc_master_gid = sbuf.st_gid;
#ifdef __WXMAC__
if (!IsUserInGroup(REAL_BOINC_MASTER_NAME))
return -1099;
#endif
} else {
boinc_master_uid = geteuid();
boinc_master_gid = getegid();
}
#ifdef _MAC_INSTALLER
// Require absolute owner and group boinc_master:boinc_master
strlcpy(boinc_master_user_name, REAL_BOINC_MASTER_NAME, sizeof(boinc_master_user_name));
pw = getpwnam(boinc_master_user_name);
if (pw == NULL)
return -1006; // User boinc_master does not exist
boinc_master_uid = pw->pw_uid;
strlcpy(boinc_master_group_name, REAL_BOINC_MASTER_NAME, sizeof(boinc_master_group_name));
grp = getgrnam(boinc_master_group_name);
if (grp == NULL)
return -1007; // Group boinc_master does not exist
boinc_master_gid = grp->gr_gid;
#else // Use current user and group (see comment above)
pw = getpwuid(boinc_master_uid);
if (pw == NULL)
return -1008; // Should never happen
strlcpy(boinc_master_user_name, pw->pw_name, sizeof(boinc_master_user_name));
grp = getgrgid(boinc_master_gid);
if (grp == NULL)
return -1009;
strlcpy(boinc_master_group_name, grp->gr_name, sizeof(boinc_master_group_name));
#endif
if (useFakeProjectUserAndGroup) {
// For easier debugging of project applications
strlcpy(boinc_project_user_name, boinc_master_user_name, sizeof(boinc_project_user_name));
strlcpy(boinc_project_group_name, boinc_master_group_name, sizeof(boinc_project_group_name));
boinc_project_uid = boinc_master_uid;
boinc_project_gid = boinc_master_gid;
} else {
strlcpy(boinc_project_user_name, REAL_BOINC_PROJECT_NAME, sizeof(boinc_project_user_name));
pw = getpwnam(boinc_project_user_name);
if (pw == NULL)
return -1010; // User boinc_project does not exist
boinc_project_uid = pw->pw_uid;
strlcpy(boinc_project_group_name, REAL_BOINC_PROJECT_NAME, sizeof(boinc_project_group_name));
grp = getgrnam(boinc_project_group_name);
if (grp == NULL)
return -1011; // Group boinc_project does not exist
boinc_project_gid = grp->gr_gid;
}
#if 0 // Manager is no longer setgid
#if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If Mac BOINC Manager or installer
// Get the full path to BOINC Manager executable
// inside this application's bundle
//
snprintf(full_path, sizeof(full_path), "%s/Contents/MacOS/", dir_path);
// To allow for branding, assume name of executable inside bundle
// is same as name of bundle
//
p = strrchr(dir_path, '/'); // Assume name of executable inside bundle is same as name of bundle
if (p == NULL)
p = dir_path - 1;
strlcat(full_path, p+1, sizeof(full_path));
p = strrchr(full_path, '.'); // Strip off bundle extension (".app")
if (p)
*p = '\0';
retval = lstat(full_path, &sbuf);
if (retval)
return -1013; // Should never happen
if (sbuf.st_gid != boinc_master_gid)
return -1014;
if (use_sandbox) {
if ((sbuf.st_mode & S_ISGID) != S_ISGID)
return -1015;
}
#endif
#endif // Manager is no longer setgid
#ifdef _MAC_INSTALLER
// Require absolute owner and group boinc_master:boinc_master
// Get the full path to BOINC Client inside this application's bundle
//
snprintf(full_path, sizeof(full_path),
"%s/Contents/Resources/boinc", dir_path
);
retval = stat(full_path, &sbuf);
if (retval)
return -1016; // Should never happen
if (sbuf.st_gid != boinc_master_gid)
return -1017;
if (sbuf.st_uid != boinc_master_uid)
return -1018;
#endif
#if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If Mac BOINC Manager or installer
// Version 6 screensaver has its own embedded switcher application, but older versions don't.
// We don't allow unauthorized users to run the standard switcher application in the BOINC
// Data directory because they could use it to run as user & group boinc_project and damage
// project files. The screensaver's gfx_switcher application has very limited functionality
// to avoid this risk.
if (use_sandbox) {
for (int i=0; i<NUMBRANDS; i++) {
// Does gfx_switcher exist in screensaver bundle?
sprintf(full_path, "/Library/Screen Savers/%s.saver/Contents/Resources/gfx_switcher", saverName[i]);
retval = stat(full_path, &sbuf);
if (! retval) {
#ifdef _DEBUG
if (sbuf.st_uid != boinc_master_uid)
return -1101;
if (sbuf.st_gid != boinc_master_gid)
return -1102;
if ((sbuf.st_mode & (S_ISUID | S_ISGID)) != 0)
return -1103;
#else
if (sbuf.st_uid != 0)
return -1101;
if (sbuf.st_gid != boinc_master_gid)
return -1102;
if ((sbuf.st_mode & (S_ISUID | S_ISGID)) != S_ISUID)
return -1103;
#endif
}
}
}
#endif
// rgid = getgid();
// ruid = getuid();
egid = getegid();
euid = geteuid();
#ifdef _MAC_INSTALLER
strlcpy(dir_path, dataPath, sizeof(dir_path)); // Installer
#else // _MAC_INSTALLER
getcwd(dir_path, sizeof(dir_path)); // Client or Manager
if (! isManager) { // If BOINC Client
if (egid != boinc_master_gid)
return -1019; // Client should be running setgid boinc_master
if (euid != boinc_master_uid)
return -1020; // BOINC Client should be running setuid boinc_master
}
#endif
retval = stat(dir_path, &sbuf);
if (retval)
return -1021; // Should never happen
if (use_sandbox) {
// The top-level BOINC Data directory can have a different user if created by the Manager,
// but it should always have group boinc_master.
if (sbuf.st_gid != boinc_master_gid)
return -1022;
// The top-level BOINC Data directory should have permission 771 or 571
if ((sbuf.st_mode & 0577) != 0571)
return -1023;
} else {
if (sbuf.st_uid != boinc_master_uid)
return -1022;
}
snprintf(full_path, sizeof(full_path), "%s/%s", dir_path, PROJECTS_DIR);
retval = stat(full_path, &sbuf);
if (!retval) {
// Client can create projects directory if it does not yet exist.
//
if (use_sandbox) {
if (sbuf.st_gid != boinc_project_gid)
return -1024;
if ((sbuf.st_mode & 0777) != 0770)
return -1025;
}
if (sbuf.st_uid != boinc_master_uid)
return -1026;
// Step through project directories
retval = CheckNestedDirectories(full_path, 1, use_sandbox, isManager, path_to_error, len);
if (retval)
return retval;
}
snprintf(full_path, sizeof(full_path), "%s/%s", dir_path, SLOTS_DIR);
retval = stat(full_path, &sbuf);
if (! retval) { // Client can create slots directory if it does not yet exist.
if (use_sandbox) {
if (sbuf.st_gid != boinc_project_gid)
return -1027;
if ((sbuf.st_mode & 0777) != 0770)
return -1028;
}
if (sbuf.st_uid != boinc_master_uid)
return -1029;
// Step through slot directories
retval = CheckNestedDirectories(full_path, 1, use_sandbox, isManager, path_to_error, len);
if (retval)
return retval;
}
snprintf(full_path, sizeof(full_path),
"%s/%s", dir_path, GUI_RPC_PASSWD_FILE
);
retval = stat(full_path, &sbuf);
if (! retval) { // Client can create RPC password file if it does not yet exist.
if (use_sandbox) {
if (sbuf.st_gid != boinc_master_gid)
return -1030;
if ((sbuf.st_mode & 0777) != 0660)
return -1032;
} else {
if ((sbuf.st_mode & 0717) != 0600)
return -1032;
}
if (sbuf.st_uid != boinc_master_uid)
return -1031;
}
if (use_sandbox) {
snprintf(full_path, sizeof(full_path), "%s/%s", dir_path, SWITCHER_DIR);
retval = stat(full_path, &sbuf);
if (retval)
return -1033;
if (sbuf.st_gid != boinc_master_gid)
return -1034;
if (sbuf.st_uid != boinc_master_uid)
return -1035;
if ((sbuf.st_mode & 0777) != 0550)
return -1036;
strlcat(full_path, "/", sizeof(full_path));
strlcat(full_path, SWITCHER_FILE_NAME, sizeof(full_path));
retval = stat(full_path, &sbuf);
if (retval)
return -1037;
if (sbuf.st_gid != boinc_master_gid)
return -1038;
if (sbuf.st_uid != 0) // root
return -1039;
if ((sbuf.st_mode & 07777) != 04050)
return -1040;
snprintf(full_path, sizeof(full_path),
"%s/%s/%s", dir_path, SWITCHER_DIR, SETPROJECTGRP_FILE_NAME
);
retval = stat(full_path, &sbuf);
if (retval)
return -1041;
if (sbuf.st_gid != boinc_project_gid)
return -1042;
if (sbuf.st_uid != boinc_master_uid)
return -1043;
if ((sbuf.st_mode & 07777) != 02500)
return -1044;
#ifdef __APPLE__
#if 0 // AppStats is deprecated as of version 5.8.15
strlcat(full_path, "/", sizeof(full_path));
strlcat(full_path, APP_STATS_FILE_NAME, sizeof(full_path));
retval = stat(full_path, &sbuf);
if (retval)
return -1045;
if (sbuf.st_gid != boinc_master_gid)
return -1046;
if (sbuf.st_uid != 0) // AppStats application must be setuid root
return -1047;
if ((sbuf.st_mode & 07777) != 04550)
return -1048;
#endif
#endif // __APPLE__
snprintf(full_path, sizeof(full_path),
"%s/%s", dir_path, SS_CONFIG_FILE
);
retval = stat(full_path, &sbuf);
if (!retval) {
if (sbuf.st_uid != boinc_master_uid)
return -1051;
if (sbuf.st_gid != boinc_master_gid)
return -1052;
if ((sbuf.st_mode & 0777) != 0664)
return -1053;
} // Screensaver config file ss_config.xml exists
} // if (use_sandbox)
return 0;
}
static int CheckNestedDirectories(
char * basepath, int depth,
int use_sandbox, int isManager,
char * path_to_error, int len
) {
int isDirectory;
char full_path[MAXPATHLEN];
struct stat sbuf;
int retval = 0;
DIR *dirp;
dirent *dp;
static int errShown = 0;
dirp = opendir(basepath);
if (dirp == NULL) {
// Ideally, all project-created subdirectories under project or slot
// directoriesshould have read-by-group and execute-by-group permission
// bits set, but some don't. If these permission bits are missing, the
// project applications will run OK but we can't access the contents of
// the subdirectory to check them.
strlcpy(full_path, basepath, sizeof(full_path));
if ((depth > 1) && (errno == EACCES)) {
return 0;
} else {
retval = -1200;
}
}
while (dirp) { // Skip this if dirp == NULL, else loop until break
dp = readdir(dirp);
if (dp == NULL)
break; // End of list
if (dp->d_name[0] == '.')
continue; // Ignore names beginning with '.'
snprintf(full_path, sizeof(full_path), "%s/%s", basepath, dp->d_name);
retval = lstat(full_path, &sbuf);
if (retval)
break; // Should never happen
isDirectory = S_ISDIR(sbuf.st_mode);
if (!S_ISLNK(sbuf.st_mode)) { // The system ignores ownership & permissions of symbolic links
if (depth > 1) {
// files and subdirectories created by projects may have owner boinc_master or boinc_project
if ( (sbuf.st_uid != boinc_master_uid) && (sbuf.st_uid != boinc_project_uid) ) {
retval = -1202;
break;
}
} else {
// project & slot directories (projects/setiathome.berkeley.edu, slots/0 etc.)
// must have owner boinc_master
if (sbuf.st_uid != boinc_master_uid) {
retval = -1202;
break;
}
}
if (use_sandbox) {
if (sbuf.st_gid != boinc_project_gid) {
retval = -1201;
break;
}
if (isDirectory) {
if (depth == 1) {
// project & slot directories (projects/setiathome.berkeley.edu, slots/0 etc.)
// must be readable & executable by other
if ((sbuf.st_mode & 0777) != 0775) {
retval = -1203;
break;
}
#if 0 // We may enforce permissions later for subdirectories written by project applications
} else {
// subdirectories created by projects may be executable by other or not
if ((sbuf.st_mode & 0770) != 0770) {
retval = -1203;
break;
}
#endif
}
#if 0 // We may enforce permissions later for files written by project applications
} else { // ! isDirectory
if ((sbuf.st_mode & 0666) != 0660) {
retval = -1204;
break;
}
#endif
}
} // if (use_sandbox)
} // if (!S_ISLNK(sbuf.st_mode))
if (isDirectory && !S_ISLNK(sbuf.st_mode)) {
if (use_sandbox && (depth > 1)) {
#if 0 // No longer check project-created subdirectories under project or slot directories
// because we have not told projects these must be readable and executable by group
if ((! isManager) && (sbuf.st_uid != boinc_master_uid))
#endif
continue; // Client can't check subdirectories owned by boinc_project
}
retval = CheckNestedDirectories(full_path, depth + 1, use_sandbox, isManager, path_to_error, len);
if (retval)
break;
}
} // End while (true)
if (dirp) {
closedir(dirp);
}
if (retval && !errShown) {
fprintf(stderr, "Permissions error %d at %s\n", retval, full_path);
if (path_to_error) {
strlcpy(path_to_error, full_path, len);
}
errShown = 1;
}
return retval;
}
#if (! defined(__WXMAC__) && ! defined(_MAC_INSTALLER))
static char * PersistentFGets(char *buf, size_t buflen, FILE *f) {
char *p = buf;
size_t len = buflen;
size_t datalen = 0;
*buf = '\0';
while (datalen < (buflen - 1)) {
fgets(p, len, f);
if (feof(f)) break;
if (ferror(f) && (errno != EINTR)) break;
if (strchr(buf, '\n')) break;
datalen = strlen(buf);
p = buf + datalen;
len -= datalen;
}
return (buf[0] ? buf : NULL);
}
static void GetPathToThisProcess(char* outbuf, size_t maxLen) {
FILE *f;
char buf[256], *p, *q;
pid_t aPID = getpid();
*outbuf = '\0';
sprintf(buf, "ps -xwo command -p %d", (int)aPID);
f = popen(buf, "r");
if (f == NULL)
return;
PersistentFGets (outbuf, maxLen, f); // Discard header line
PersistentFGets (outbuf, maxLen, f);
pclose(f);
// Remove trailing newline if present
p = strchr(outbuf, '\n');
if (p)
*p = '\0';
// Strip off any arguments
p = strstr(outbuf, " -");
q = p;
if (p) {
while (*p == ' ') {
q = p;
if (--p < outbuf)
break;
}
}
if (q)
*q = '\0';
}
#endif
#ifdef __APPLE__ // If Mac BOINC Manager
bool IsUserInGroup(char* groupName) {
group *grp;
gid_t rgid;
char *userName, *groupMember;
int i;
grp = getgrnam(groupName);
if (grp) {
rgid = getgid();
if (rgid == grp->gr_gid) {
return true; // User's primary group is boinc_master
}
// On some systems with Automatic Login set, getlogin() returns "root" for a
// time after the system is first booted, so we check "USER" environment variable.
userName = getenv("USER");
if (userName) {
for (i=0; ; i++) { // Step through all users in group boinc_master
groupMember = grp->gr_mem[i];
if (groupMember == NULL)
return false; // User is not a member of group boinc_master
if (strcmp(userName, groupMember) == 0) {
return true; // User is a member of group boinc_master
}
} // for (i)
} // if (userName)
} // if grp
return false;
}
#endif // __WXMAC__