| // Copyright 2016 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| // |
| // This file implements a wrapper to run the virtual me2me session within a |
| // proper PAM session. It will generally be run as root and drop privileges to |
| // the specified user before running the me2me session script. |
| |
| #include <sys/types.h> |
| #include <sys/stat.h> |
| #include <sys/wait.h> |
| #include <fcntl.h> |
| #include <grp.h> |
| #include <pwd.h> |
| #include <unistd.h> |
| |
| #include <cerrno> |
| #include <cstdio> |
| #include <cstdlib> |
| #include <cstring> |
| #include <ctime> |
| |
| #include <map> |
| #include <memory> |
| #include <string> |
| #include <tuple> |
| #include <utility> |
| #include <vector> |
| |
| #include <security/pam_appl.h> |
| |
| #include "base/command_line.h" |
| #include "base/environment.h" |
| #include "base/files/file_path.h" |
| #include "base/logging.h" |
| #include "base/macros.h" |
| #include "base/optional.h" |
| #include "base/process/launch.h" |
| #include "base/strings/string_piece.h" |
| |
| namespace { |
| |
| const char kPamName[] = "chrome-remote-desktop"; |
| |
| const char kHelpSwitchName[] = "help"; |
| const char kQuestionSwitchName[] = "?"; |
| const char kUserSwitchName[] = "user"; |
| const char kScriptSwitchName[] = "me2me-script"; |
| const char kForegroundSwitchName[] = "foreground"; |
| |
| // This template will be formatted by strftime and then used by mkstemp |
| const char kLogFileTemplate[] = |
| "/tmp/chrome_remote_desktop_%Y%m%d_%H%M%S_XXXXXX"; |
| |
| const char kUsageMessage[] = |
| "Usage: %s [options]\n" |
| "\n" |
| "Options:\n" |
| " --help, -? - Print this message.\n" |
| " --user=<user> - Create session as the specified user. " |
| "(Must run as root.)\n" |
| " --me2me-script=<script> - Location of the me2me python script " |
| "(required)\n" |
| " --foreground - Don't daemonize.\n"; |
| |
| void PrintUsage(const base::FilePath& program_name) { |
| std::printf(kUsageMessage, program_name.MaybeAsASCII().c_str()); |
| } |
| |
| // Shell-escapes a single argument in a way that is compatible with various |
| // different shells. Returns nullopt when argument contains a newline, which |
| // can't be represented in a cross-shell fashion. |
| base::Optional<std::string> ShellEscapeArgument( |
| const base::StringPiece argument) { |
| std::string result; |
| for (char character : argument) { |
| // csh in particular doesn't provide a good way to handle this |
| if (character == '\n') { |
| return base::nullopt; |
| } |
| |
| // Some shells ascribe special meaning to some escape sequences such as \t, |
| // so don't escape any alphanumerics. (Also cuts down on verbosity.) This is |
| // similar to the approach sudo takes. |
| if (!((character >= '0' && character <= '9') || |
| (character >= 'A' && character <= 'Z') || |
| (character >= 'a' && character <= 'z') || |
| (character == '-' || character == '_'))) { |
| result.push_back('\\'); |
| } |
| result.push_back(character); |
| } |
| return result; |
| } |
| |
| // PAM conversation function. Since the wrapper runs in a non-interactive |
| // context, log any messages, but return an error if asked to provide user |
| // input. |
| extern "C" int Converse(int num_messages, |
| const struct pam_message** messages, |
| struct pam_response** responses, |
| void* context) { |
| bool failed = false; |
| |
| for (int i = 0; i < num_messages; ++i) { |
| // This is correct for the PAM included with Linux, OS X, and BSD. However, |
| // apparently Solaris and HP/UX require instead `&(*msg)[i]`. That is, they |
| // disagree as to which level of indirection contains the array. |
| const pam_message* message = messages[i]; |
| |
| switch (message->msg_style) { |
| case PAM_PROMPT_ECHO_OFF: |
| case PAM_PROMPT_ECHO_ON: |
| LOG(WARNING) << "PAM requested user input (unsupported): " |
| << (message->msg ? message->msg : ""); |
| failed = true; |
| break; |
| case PAM_TEXT_INFO: |
| LOG(INFO) << "[PAM] " << (message->msg ? message->msg : ""); |
| break; |
| case PAM_ERROR_MSG: |
| // Error messages from PAM are not necessarily fatal to the operation, |
| // as the module may be optional. |
| LOG(WARNING) << "[PAM] " << (message->msg ? message->msg : ""); |
| break; |
| default: |
| LOG(WARNING) << "Encountered unknown PAM message style"; |
| failed = true; |
| break; |
| } |
| } |
| |
| if (failed) |
| return PAM_CONV_ERR; |
| |
| pam_response* response_list = static_cast<pam_response*>( |
| std::calloc(num_messages, sizeof(*response_list))); |
| |
| if (response_list == nullptr) |
| return PAM_BUF_ERR; |
| |
| *responses = response_list; |
| return PAM_SUCCESS; |
| } |
| |
| const struct pam_conv kPamConversation = {Converse, nullptr}; |
| |
| // Wrapper class for working with PAM and cleaning up in an RAII fashion |
| class PamHandle { |
| public: |
| // Attempts to initialize PAM transaction. Check the result with IsInitialized |
| // before calling any other member functions. |
| PamHandle(const char* service_name, |
| const char* user, |
| const struct pam_conv* pam_conversation) { |
| last_return_code_ = |
| pam_start(service_name, user, pam_conversation, &pam_handle_); |
| if (last_return_code_ != PAM_SUCCESS) { |
| pam_handle_ = nullptr; |
| } |
| } |
| |
| // Terminates PAM transaction |
| ~PamHandle() { |
| if (pam_handle_ != nullptr) { |
| pam_end(pam_handle_, last_return_code_); |
| } |
| } |
| |
| // Checks whether the PAM transaction was successfully initialized. Only call |
| // other member functions if this returns true. |
| bool IsInitialized() const { return pam_handle_ != nullptr; } |
| |
| // Performs account validation |
| int AccountManagement(int flags) { |
| return last_return_code_ = pam_acct_mgmt(pam_handle_, flags); |
| } |
| |
| // Establishes or deletes PAM user credentials |
| int SetCredentials(int flags) { |
| return last_return_code_ = pam_setcred(pam_handle_, flags); |
| } |
| |
| // Starts user session |
| int OpenSession(int flags) { |
| return last_return_code_ = pam_open_session(pam_handle_, flags); |
| } |
| |
| // Ends user session |
| int CloseSession(int flags) { |
| return last_return_code_ = pam_close_session(pam_handle_, flags); |
| } |
| |
| // Returns the current username according to PAM. It is possible for PAM |
| // modules to change this from the initial value passed to the constructor. |
| base::Optional<std::string> GetUser() { |
| const char* user; |
| last_return_code_ = pam_get_item(pam_handle_, PAM_USER, |
| reinterpret_cast<const void**>(&user)); |
| if (last_return_code_ != PAM_SUCCESS || user == nullptr) |
| return base::nullopt; |
| return std::string(user); |
| } |
| |
| // Obtains the list of environment variables provided by PAM modules. |
| base::Optional<base::EnvironmentMap> GetEnvironment() { |
| char** environment = pam_getenvlist(pam_handle_); |
| |
| if (environment == nullptr) |
| return base::nullopt; |
| |
| base::EnvironmentMap environment_map; |
| |
| for (char** variable = environment; *variable != nullptr; ++variable) { |
| char* delimiter = std::strchr(*variable, '='); |
| if (delimiter != nullptr) { |
| environment_map[std::string(*variable, delimiter)] = |
| std::string(delimiter + 1); |
| } |
| std::free(*variable); |
| } |
| std::free(environment); |
| |
| return environment_map; |
| } |
| |
| // Returns a description of the given return code |
| const char* ErrorString(int return_code) { |
| return pam_strerror(pam_handle_, return_code); |
| } |
| |
| // Logs a fatal error if return_code isn't PAM_SUCCESS |
| void CheckReturnCode(int return_code, base::StringPiece what) { |
| if (return_code != PAM_SUCCESS) { |
| LOG(FATAL) << "[PAM] " << what << ": " << ErrorString(return_code); |
| } |
| } |
| |
| private: |
| pam_handle_t* pam_handle_ = nullptr; |
| int last_return_code_ = PAM_SUCCESS; |
| |
| DISALLOW_COPY_AND_ASSIGN(PamHandle); |
| }; |
| |
| // Runs the me2me script in a PAM session. Exits the program on failure. |
| // If chown_log is true, the owner and group of the file associated with stdout |
| // will be changed to the target user. |
| void ExecuteSession(std::string user, base::StringPiece script_path, |
| bool chown_log) { |
| ////////////////////////////////////////////////////////////////////////////// |
| // Set up the PAM session |
| ////////////////////////////////////////////////////////////////////////////// |
| |
| PamHandle pam_handle(kPamName, user.c_str(), &kPamConversation); |
| CHECK(pam_handle.IsInitialized()) << "Failed to initialize PAM"; |
| |
| // Make sure the account is valid and enabled. |
| pam_handle.CheckReturnCode(pam_handle.AccountManagement(0), "Account check"); |
| |
| // PAM may remap the user at any stage. |
| user = pam_handle.GetUser().value_or(std::move(user)); |
| |
| // setcred explicitly does not handle group membership, and specifies that |
| // group membership should be established before calling setcred. PAM modules |
| // may also use getpwnam, so pwinfo can only be assumed valid until the next |
| // PAM call. |
| errno = 0; |
| struct passwd* pwinfo = getpwnam(user.c_str()); |
| PCHECK(pwinfo != nullptr) << "getpwnam failed"; |
| PCHECK(setgid(pwinfo->pw_gid) == 0) << "setgid failed"; |
| PCHECK(initgroups(pwinfo->pw_name, pwinfo->pw_gid) == 0) |
| << "initgroups failed"; |
| |
| // The documentation states that setcred should be called before open_session, |
| // as done here, but it may be worth noting that `login` calls open_session |
| // first. |
| pam_handle.CheckReturnCode(pam_handle.SetCredentials(PAM_ESTABLISH_CRED), |
| "Set credentials"); |
| |
| pam_handle.CheckReturnCode(pam_handle.OpenSession(0), "Open session"); |
| |
| // The above may have remapped the user. |
| user = pam_handle.GetUser().value_or(std::move(user)); |
| |
| base::Optional<base::EnvironmentMap> pam_environment = |
| pam_handle.GetEnvironment(); |
| CHECK(pam_environment) << "Failed to get environment from PAM"; |
| |
| ////////////////////////////////////////////////////////////////////////////// |
| // Prepare to execute remoting session process |
| ////////////////////////////////////////////////////////////////////////////// |
| |
| // Callback to be run in child process after fork and before exec. |
| // chdir is called manually instead of using LaunchOptions.current_directory |
| // because it should take place after setuid. (This both makes sure the user |
| // has the proper permissions and also apparently avoids some obscure errors |
| // that can occur when accessing some network filesystems as the wrong user.) |
| class PreExecDelegate : public base::LaunchOptions::PreExecDelegate { |
| public: |
| void RunAsyncSafe() override { |
| // Use RAW_CHECK to avoid allocating post-fork. |
| RAW_CHECK(setuid(pwinfo_->pw_uid) == 0); |
| RAW_CHECK(chdir(pwinfo_->pw_dir) == 0); |
| } |
| |
| PreExecDelegate(struct passwd* pwinfo) : pwinfo_(pwinfo) {} |
| |
| private: |
| struct passwd* pwinfo_; |
| }; |
| |
| // Fetch pwinfo again, as it may have been invalidated or the user name might |
| // have been remapped. |
| pwinfo = getpwnam(user.c_str()); |
| PCHECK(pwinfo != nullptr) << "getpwnam failed"; |
| |
| if (chown_log) { |
| int result = fchown(STDOUT_FILENO, pwinfo->pw_uid, pwinfo->pw_gid); |
| PLOG_IF(WARNING, result != 0) << "Failed to change log file owner"; |
| } |
| |
| PreExecDelegate pre_exec_delegate(pwinfo); |
| |
| base::LaunchOptions launch_options; |
| |
| // Required to allow suid binaries to function in the session. |
| launch_options.allow_new_privs = true; |
| |
| launch_options.kill_on_parent_death = true; |
| |
| launch_options.clear_environ = true; |
| launch_options.environ = std::move(*pam_environment); |
| launch_options.environ["USER"] = pwinfo->pw_name; |
| launch_options.environ["LOGNAME"] = pwinfo->pw_name; |
| launch_options.environ["HOME"] = pwinfo->pw_dir; |
| launch_options.environ["SHELL"] = pwinfo->pw_shell; |
| if (!launch_options.environ.count("PATH")) { |
| launch_options.environ["PATH"] = "/bin:/usr/bin"; |
| } |
| |
| launch_options.pre_exec_delegate = &pre_exec_delegate; |
| |
| // By convention, a login shell is signified by preceeding the shell name in |
| // argv[0] with a '-'. |
| base::CommandLine command_line(base::FilePath( |
| '-' + base::FilePath(pwinfo->pw_shell).BaseName().value())); |
| |
| base::Optional<std::string> escaped_script_path = |
| ShellEscapeArgument(script_path); |
| |
| CHECK(escaped_script_path) << "Could not escape script path"; |
| |
| command_line.AppendSwitch("-c"); |
| command_line.AppendArg(*escaped_script_path + |
| " --start --foreground --keep-parent-env"); |
| |
| // Tell LaunchProcess where to find the executable, since argv[0] doesn't |
| // point to it. |
| launch_options.real_path = base::FilePath(pwinfo->pw_shell); |
| |
| ////////////////////////////////////////////////////////////////////////////// |
| // We're ready to execute the remoting session |
| ////////////////////////////////////////////////////////////////////////////// |
| |
| base::Process child = base::LaunchProcess(command_line, launch_options); |
| |
| if (child.IsValid()) { |
| int exit_code = 0; |
| // Die if wait fails so we don't close the PAM session while the child is |
| // still running. |
| CHECK(child.WaitForExit(&exit_code)) << "Failed to wait for child process"; |
| LOG_IF(WARNING, exit_code != 0) << "Child did not exit normally"; |
| } |
| |
| // Best effort PAM cleanup |
| if (pam_handle.CloseSession(0) != PAM_SUCCESS) { |
| LOG(WARNING) << "Failed to close PAM session"; |
| } |
| ignore_result(pam_handle.SetCredentials(PAM_DELETE_CRED)); |
| } |
| |
| // Opens a temp file for logging. Exits the program on failure. |
| int OpenLogFile() { |
| char logfile[265]; |
| std::time_t time = std::time(nullptr); |
| CHECK_NE(time, (std::time_t)(-1)); |
| // Safe because we're single threaded |
| std::tm* localtime = std::localtime(&time); |
| CHECK_NE(std::strftime(logfile, sizeof(logfile), kLogFileTemplate, localtime), |
| (std::size_t) 0); |
| |
| mode_t mode = umask(0177); |
| int fd = mkstemp(logfile); |
| PCHECK(fd != -1); |
| umask(mode); |
| |
| return fd; |
| } |
| |
| // Daemonizes the process. Output is redirected to a file. Exits the program on |
| // failure. |
| // |
| // This logic is mostly the same as daemonize() in linux_me2me_host.py. Log- |
| // file redirection especially should be kept in sync. Note that this does |
| // not currently wait for the host to start successfully before exiting the |
| // parent process like the Python script does, as that functionality is |
| // probably not useful at boot, where the wrapper is expected to be used. If |
| // it turns out to be desired, it can be implemented by setting up a pipe and |
| // passing a file descriptor to the Python script. |
| void Daemonize() { |
| |
| int log_fd = OpenLogFile(); |
| int devnull_fd = open("/dev/null", O_RDONLY); |
| PCHECK(devnull_fd != -1); |
| |
| PCHECK(dup2(devnull_fd, STDIN_FILENO) != -1); |
| PCHECK(dup2(log_fd, STDOUT_FILENO) != -1); |
| PCHECK(dup2(log_fd, STDERR_FILENO) != -1); |
| |
| // Close all file descriptors except stdio, including any we may have |
| // inherited. |
| base::CloseSuperfluousFds(base::InjectiveMultimap()); |
| |
| // Allow parent to exit, and ensure we're not a session leader so setsid can |
| // succeed |
| pid_t pid = fork(); |
| PCHECK(pid != -1); |
| |
| if (pid != 0) { |
| std::exit(EXIT_SUCCESS); |
| } |
| |
| // Start a new process group and session with no controlling terminal. |
| PCHECK(setsid() != -1); |
| |
| // Fork again so we're no longer a session leader and can't get a controlling |
| // terminal. |
| pid = fork(); |
| PCHECK(pid != -1); |
| |
| if (pid != 0) { |
| std::exit(EXIT_SUCCESS); |
| } |
| |
| // We don't want to change to the target user's home directory until we've |
| // dropped privileges, so change to / to make sure we're not keeping any other |
| // directory in use. |
| PCHECK(chdir("/") == 0); |
| |
| // Done! |
| } |
| |
| } // namespace |
| |
| int main(int argc, char** argv) { |
| base::CommandLine::Init(argc, argv); |
| |
| const base::CommandLine* command_line = |
| base::CommandLine::ForCurrentProcess(); |
| if (command_line->HasSwitch(kHelpSwitchName) || |
| command_line->HasSwitch(kQuestionSwitchName)) { |
| PrintUsage(command_line->GetProgram()); |
| std::exit(EXIT_SUCCESS); |
| } |
| |
| base::FilePath script_path = |
| command_line->GetSwitchValuePath(kScriptSwitchName); |
| std::string user = command_line->GetSwitchValueNative(kUserSwitchName); |
| bool foreground = command_line->HasSwitch(kForegroundSwitchName); |
| |
| if (script_path.empty()) { |
| std::fputs("The path to the me2me python script is required.\n", stderr); |
| std::exit(EXIT_FAILURE); |
| } |
| |
| if (user.empty()) { |
| std::fputs("The target user must be specified.\n", stderr); |
| std::exit(EXIT_FAILURE); |
| } |
| |
| if (!foreground) { |
| Daemonize(); |
| } |
| |
| ExecuteSession(std::move(user), script_path.value(), !foreground); |
| } |