[perl5.git] / eg / wrapsuid

#!/usr/bin/perl
'di';
'ig00';
#
# $Header: wrapsuid,v 1.1 90/08/11 13:51:29 lwall Locked $
#
# $Log:	wrapsuid,v $
# Revision 1.1  90/08/11  13:51:29  lwall
# Initial revision
# 

$xdev = '-xdev' unless -d '/dev/iop';

if ($#ARGV >= 0) {
    @list = @ARGV;
    foreach $name (@ARGV) {
	die "You must use absolute pathnames.\n" unless $name =~ m|^/|;
    }
}
else {
    open(DF,"/etc/mount|") || die "Can't run /etc/mount";

    while (<DF>) {
	chop;
	$_ .= <DF> if length($_) < 50;
	@ary = split;
	push(@list,$ary[2]) if ($ary[0] =~ m|^/dev|);
    }
}
$fslist = join(' ',@list);

die "Can't find local filesystems" unless $fslist;

open(FIND,
  "find $fslist $xdev -type f \\( -perm -04000 -o -perm -02000 \\) -print|");

while (<FIND>) {
    chop;
    next unless -T;
    print "Fixing ", $_, "\n";
    ($dir,$file) = m|(.*)/(.*)|;
    chdir $dir || die "Can't chdir to $dir";
    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,
       $blksize,$blocks) = stat($file);
       die "Can't stat $_" unless $ino;
    chmod $mode & 01777, $file;		# wipe out set[ug]id bits
    rename($file,".$file");
    open(C,">.tmp$$.c") || die "Can't write C program for $_";
    $real = "$dir/.$file";
    print C '
main(argc,argv)
int argc;
char **argv;
{
    execv("' . $real . '",argv);
}
';
    close C;
    system '/bin/cc', ".tmp$$.c", '-o', $file;
    die "Can't compile new $_" if $?;
    chmod $mode, $file;
    chown $uid, $gid, $file;
    unlink ".tmp$$.c";
    chdir '/';
}
##############################################################################

	# These next few lines are legal in both Perl and nroff.

.00;			# finish .ig
 
'di			\" finish diversion--previous line must be blank
.nr nl 0-1		\" fake up transition to first page again
.nr % 0			\" start at page 1
'; __END__ ############# From here on it's a standard manual page ############
.TH SUIDSCRIPT 1 "July 30, 1990"
.AT 3
.SH NAME
wrapsuid \- puts a compiled C wrapper around a setuid or setgid script
.SH SYNOPSIS
.B wrapsuid [dirlist]
.SH DESCRIPTION
.I Wrapsuid
creates a small C program to execute a script with setuid or setgid privileges
without having to set the setuid or setgid bit on the script, which is
a security problem on many machines.
Specify the list of directories or files that you wish to process.
The names must be absolute pathnames.
With no arguments it will attempt to process all the local directories
for this machine.
The scripts to be processed must have the setuid or setgid bit set.
The wrapsuid program will delete the bits and set them on the wrapper.
.PP
Non-superusers may only process their own files.
.SH ENVIRONMENT
No environment variables are used.
.SH FILES
None.
.SH AUTHOR
Larry Wall
.SH "SEE ALSO"
.SH DIAGNOSTICS
.SH BUGS
.ex
Commit	Line	Data
a0d0e21e LW	1	#!/usr/bin/perl
	2	'di';
	3	'ig00';
	4	#
	5	# $Header: wrapsuid,v 1.1 90/08/11 13:51:29 lwall Locked $
	6	#
	7	# $Log: wrapsuid,v $
	8	# Revision 1.1 90/08/11 13:51:29 lwall
	9	# Initial revision
	10	#
	11
	12	$xdev = '-xdev' unless -d '/dev/iop';
	13
	14	if ($#ARGV >= 0) {
	15	@list = @ARGV;
	16	foreach $name (@ARGV) {
	17	die "You must use absolute pathnames.\n" unless $name =~ m\|^/\|;
	18	}
	19	}
	20	else {
	21	open(DF,"/etc/mount\|") \|\| die "Can't run /etc/mount";
	22
	23	while (<DF>) {
	24	chop;
	25	$_ .= <DF> if length($_) < 50;
	26	@ary = split;
	27	push(@list,$ary[2]) if ($ary[0] =~ m\|^/dev\|);
	28	}
	29	}
	30	$fslist = join(' ',@list);
	31
	32	die "Can't find local filesystems" unless $fslist;
	33
	34	open(FIND,
	35	"find $fslist $xdev -type f \\( -perm -04000 -o -perm -02000 \\) -print\|");
	36
	37	while (<FIND>) {
	38	chop;
	39	next unless -T;
	40	print "Fixing ", $_, "\n";
	41	($dir,$file) = m\|(.)/(.)\|;
	42	chdir $dir \|\| die "Can't chdir to $dir";
	43	($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,
	44	$blksize,$blocks) = stat($file);
	45	die "Can't stat $_" unless $ino;
	46	chmod $mode & 01777, $file; # wipe out set[ug]id bits
	47	rename($file,".$file");
	48	open(C,">.tmp$$.c") \|\| die "Can't write C program for $_";
	49	$real = "$dir/.$file";
	50	print C '
	51	main(argc,argv)
	52	int argc;
	53	char **argv;
	54	{
	55	execv("' . $real . '",argv);
	56	}
	57	';
	58	close C;
	59	system '/bin/cc', ".tmp$$.c", '-o', $file;
	60	die "Can't compile new $_" if $?;
	61	chmod $mode, $file;
	62	chown $uid, $gid, $file;
	63	unlink ".tmp$$.c";
	64	chdir '/';
65	}
66	##############################################################################
67
68	# These next few lines are legal in both Perl and nroff.
69
70	.00; # finish .ig
71
72	'di \" finish diversion--previous line must be blank
73	.nr nl 0-1 \" fake up transition to first page again
74	.nr % 0 \" start at page 1
75	'; __END__ ############# From here on it's a standard manual page ############
76	.TH SUIDSCRIPT 1 "July 30, 1990"
77	.AT 3
78	.SH NAME
79	wrapsuid \- puts a compiled C wrapper around a setuid or setgid script
80	.SH SYNOPSIS
81	.B wrapsuid [dirlist]
82	.SH DESCRIPTION
83	.I Wrapsuid
84	creates a small C program to execute a script with setuid or setgid privileges
85	without having to set the setuid or setgid bit on the script, which is
86	a security problem on many machines.
87	Specify the list of directories or files that you wish to process.
88	The names must be absolute pathnames.
89	With no arguments it will attempt to process all the local directories
90	for this machine.
91	The scripts to be processed must have the setuid or setgid bit set.
92	The wrapsuid program will delete the bits and set them on the wrapper.
93	.PP
94	Non-superusers may only process their own files.
95	.SH ENVIRONMENT
96	No environment variables are used.
97	.SH FILES
98	None.
99	.SH AUTHOR
100	Larry Wall
101	.SH "SEE ALSO"
102	.SH DIAGNOSTICS
103	.SH BUGS
104	.ex