abhisek · February 21, 2013 10:28
diff --git a/drop_exec.c b/drop_exec.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <unistd.h>
 #include <pwd.h>
 #include <errno.h>
 #include <assert.h>

 #define dprintf(__m)		fprintf(stderr, "[DBG] %s\n", __m)
 #define dvprintf(__m, ...)	fprintf(stderr, "[DBG] " __m "\n", __VA_ARGS__)

 #define FATAL(__m, ...)	\
 	do {	\
 		fprintf(stderr, "[FATAL] " __m "\n", __VA_ARGS__);	\
 		exit(EXIT_FAILURE);	\
 	} while(0)

 void usage()
 {
 	printf("Chroot/Drop-Priv and execute\n");
 	printf("Usage: \n");
 	printf("\n");
 	printf("drop-exec [new-root] [user] [prog] [params]\n");
 }

 void safe_drop_priv(const char *user, const char *newroot)
 {
 	struct passwd *passwd;

 	passwd = getpwnam(user);
 	if(!passwd)
 		FATAL("Failed to query user: %s (errno: %d)", user, errno);

 	if(chroot(newroot))
 		FATAL("Failed to change root to: %s (errno: %d)", newroot, errno);
 	if(chdir("/"))
 		FATAL("Failed to chdir to '/': (errno: %d)", errno);

 	if(setresgid(passwd->pw_gid, passwd->pw_gid, passwd->pw_gid))
 		FATAL("Failed to drop priv to gid: %d (errno: %d)", passwd->pw_gid, errno);
 	if(setresuid(passwd->pw_uid, passwd->pw_uid, passwd->pw_uid))
 		FATAL("Failed to drop priv to uid: %d (errno: %d)", passwd->pw_uid, errno);

 	dvprintf("UID: %d GID: %d", getuid(), getgid());
 	dvprintf("Privilege dropped successfully (user: %s newroot: %s)", user, newroot);
 }

 void safe_exec(int argc, char **argv)
 {
 	char **args = &argv[1];

 	if(!argc) {
 		dprintf("[prog] missing");
 		return;
 	}

 	dvprintf("Executing: %s with %d params", argv[0], argc - 1);
 	
 	execv(argv[0], args);
 	perror("execv");
 }

 int main(int argc, char **argv)
 {
 	if(argc < 4) {
 		usage();
 		exit(EXIT_FAILURE);
 	}

 	safe_drop_priv(argv[2], argv[1]);
 	safe_exec(argc - 3, &argv[3]);

 	return 0;
 }
	#include <stdio.h>
	#include <stdlib.h>
	#include <sys/types.h>
	#include <unistd.h>
	#include <pwd.h>
	#include <errno.h>
	#include <assert.h>

	#define dprintf(__m) fprintf(stderr, "[DBG] %s\n", __m)
	#define dvprintf(__m, ...) fprintf(stderr, "[DBG] " __m "\n", __VA_ARGS__)

	#define FATAL(__m, ...) \
	do { \
	fprintf(stderr, "[FATAL] " __m "\n", __VA_ARGS__); \
	exit(EXIT_FAILURE); \
	} while(0)

	void usage()
	{
	printf("Chroot/Drop-Priv and execute\n");
	printf("Usage: \n");
	printf("\n");
	printf("drop-exec [new-root] [user] [prog] [params]\n");
	}

	void safe_drop_priv(const char user, const char newroot)
	{
	struct passwd *passwd;

	passwd = getpwnam(user);
	if(!passwd)
	FATAL("Failed to query user: %s (errno: %d)", user, errno);

	if(chroot(newroot))
	FATAL("Failed to change root to: %s (errno: %d)", newroot, errno);
	if(chdir("/"))
	FATAL("Failed to chdir to '/': (errno: %d)", errno);

	if(setresgid(passwd->pw_gid, passwd->pw_gid, passwd->pw_gid))
	FATAL("Failed to drop priv to gid: %d (errno: %d)", passwd->pw_gid, errno);
	if(setresuid(passwd->pw_uid, passwd->pw_uid, passwd->pw_uid))
	FATAL("Failed to drop priv to uid: %d (errno: %d)", passwd->pw_uid, errno);

	dvprintf("UID: %d GID: %d", getuid(), getgid());
	dvprintf("Privilege dropped successfully (user: %s newroot: %s)", user, newroot);
	}

	void safe_exec(int argc, char **argv)
	{
	char **args = &argv[1];

	if(!argc) {
	dprintf("[prog] missing");
	return;
	}

	dvprintf("Executing: %s with %d params", argv[0], argc - 1);

	execv(argv[0], args);
	perror("execv");
	}

	int main(int argc, char **argv)
	{
	if(argc < 4) {
	usage();
	exit(EXIT_FAILURE);
	}

	safe_drop_priv(argv[2], argv[1]);
	safe_exec(argc - 3, &argv[3]);

	return 0;
	}