path: root/src/subscribe-wrapper.c
/*
** generic wrapper that will take info from an environment
** variable, and pass it to two commands.
**
** 10-17-96 : Hal Schechner
** 12-14-96 : John Viega -- changed to work on 1 command, 
**                          take a list of valid commands,
**                          just pass on argv, and use execvp()
**                          Also threw in some useful feedback for when there's
**                          a failure, mainly for future debugging.
**
** Chmod this bitch 4755.
**
*/
#include <sys/types.h>

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Absolute path of the one program this wrapper hands control to (see main()). */
const char *COMMAND = "/home/mailman/mailman/cgi/subscribe";
/* Debug log stream; assigned in main() and written by legal_caller(). */
FILE *f;

/* Might want to make this full path.
   I can write whatever program named sendmail,
   so this isn't much for security.

   NOTE(review): nothing in this file passes a process name to
   valid_parent(); main() gates only on legal_caller(), which compares
   uid/gid.  This list is therefore not part of the access check as
   the file stands.
*/
const char *LEGAL_PARENT_NAMES[] = {
  "httpd",
  NULL /* Sentinel, don't remove: valid_parent() stops at it */
};

/* Should make these arrays too... */
/* Compared against getuid()/getgid() in legal_caller().  The values are
   site-specific -- confirm they match the account the web server runs as. */
const int  LEGAL_PARENT_UID = 60001;  /* nobody's UID */
const int  LEGAL_PARENT_GID = 60001; /* nobody's GID */


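/*
** what is the name of the process with pid of 'pid'
**
** Reads the first line of /proc/<pid>/status and extracts the word
** after "Name:".  Returns a pointer to a static buffer that the next
** call overwrites; the caller must not free it.
**
** Fails closed: if the status file cannot be opened or read, or the
** first line has no "Name:" field, the returned string is empty, so it
** matches none of the legal parent names.
**
** The name is only a hint.  As the note on LEGAL_PARENT_NAMES says, any
** program can be given a listed name, so a match does not prove who
** the process is.
*/
char *get_process_name(int pid) {
    static char procname[255];
    char path[30];
    char line[255];
    FILE *proc;

    procname[0] = '\0';

    snprintf(path, sizeof path, "/proc/%d/status", pid);
    proc = fopen(path, "r");
    if (proc == NULL) {
        return procname;
    }

    /* Bound the read by the real buffer size and the parsed word by
       the size of procname (254 characters plus the terminator). */
    if (fgets(line, sizeof line, proc) != NULL) {
        if (sscanf(line, "Name: %254s", procname) != 1) {
            procname[0] = '\0';
        }
    }

    fclose(proc);
    return procname;
}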


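/*
** Return 1 if 'parent' is exactly equal to one of the entries in
** LEGAL_PARENT_NAMES, 0 otherwise.
**
** A NULL name is rejected rather than handed to strcmp(), so a failed
** lookup upstream cannot crash the check or slip through it.
*/
int valid_parent(char *parent){
  const char **name;

  if (parent == NULL)
    {
      return 0;
    }

  /* The table ends with a NULL sentinel. */
  for (name = LEGAL_PARENT_NAMES; *name != NULL; name++)
    {
      if (strcmp(parent, *name) == 0)
        {
          return 1;
        }
    }
  return 0;
}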

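/*
** is the caller allowed to run us?
**
** Returns 1 when the real uid and real gid of this process equal
** LEGAL_PARENT_UID and LEGAL_PARENT_GID, 0 otherwise.  On a mismatch
** the offending id is written to the debug log 'f' when one is open.
**
** This is the only check main() applies.  It says nothing about which
** program the parent is: any process running with that uid and gid
** passes.
*/
int legal_caller() {
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (uid != (uid_t)LEGAL_PARENT_UID)
      {
        /* f may be NULL if the log could not be opened; skip logging
           instead of dereferencing it. */
        if (f != NULL)
          {
            fprintf(f, "GOT UID %lu.\n", (unsigned long)uid);
            fflush(f);
          }
        return 0;
      }
    if (gid != (gid_t)LEGAL_PARENT_GID)
      {
        if (f != NULL)
          {
            fprintf(f, "GOT GID %lu.\n", (unsigned long)gid);
            fflush(f);
          }
        return 0;
      }
    return 1;
}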

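/*
** Entry point.  Opens the debug log, checks the caller with
** legal_caller(), sets the real uid to the effective uid and replaces
** this process with COMMAND, passing argv and the environment through.
**
** Returns non-zero whenever control comes back here: the caller was
** rejected, setuid() failed, or execve() failed.
**
** The debug log lives at a fixed name in /tmp and this binary is meant
** to be installed set-uid, so the file is created with O_CREAT|O_EXCL
** after removing any stale entry.  An existing file or a symbolic link
** planted at that name makes the open fail instead of being followed
** or truncated.  When the log cannot be created this way, messages go
** to stderr so 'f' is always a usable stream.
*/
int main(int argc, char **argv, char **env) {
  static const char *LOG_PATH = "/tmp/wtf_man";
  int fd;

  (void)argc;

  f = NULL;
  /* Best effort: if the stale entry cannot be removed, O_EXCL below
     refuses the open and we fall back to stderr. */
  (void)unlink(LOG_PATH);
  fd = open(LOG_PATH, O_WRONLY | O_CREAT | O_EXCL, 0600);
  if (fd >= 0) {
    /* COMMAND has no use for the debug log descriptor. */
    (void)fcntl(fd, F_SETFD, FD_CLOEXEC);
    f = fdopen(fd, "w");
    if (f == NULL) {
      close(fd);
    }
  }
  if (f == NULL) {
    f = stderr;
  }

  fprintf(f, "Hello...\n");
  fflush(f);

  if (!legal_caller()) {
    fprintf(f,"Illegal caller!\n");
    fflush(f);
    return 1;
  }

  /* Do not exec with a half-changed identity. */
  if (setuid(geteuid()) != 0) {
    fprintf(f, "setuid failed.\n");
    fflush(f);
    return 1;
  }
  fprintf(f, "Sheesh...\n");
  fflush(f);

  /* NOTE(review): the caller's environment reaches COMMAND unfiltered,
     and after setuid() the real and effective uid are the same.
     Confirm COMMAND is safe with caller-chosen environment variables,
     or pass a vetted list instead of 'env'. */
  execve(COMMAND, &argv[0], env);

  /* execve() returns only on failure. */
  fprintf(f, "Damn, I suck.\n");
  fflush(f);
  return 1;
}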