Jak vykonat skript suid

[Pavel Kankovsky]

Jen tak mimochodem...pro zajimavost prikladam kus meho programu, jehoz
ucelem je maximalne bezpecne spustit jiny program. Neni to cele, 
jeste byla na jinem miste sanace argv[] a envp[]...tedy v pripade envp[]
to spis byla synteza uplne noveho environmentu, ve kterem nebylo nic
z toho stareho.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


------

#define MB (1024*1024)
 
struct rlim_check { int limit, value; };
 
struct rlim_check sensible_limits[] = {
  { RLIMIT_CPU,    120 },
  { RLIMIT_FSIZE,  16 * MB },
  { RLIMIT_DATA,   16 * MB },
  { RLIMIT_STACK,  1 * MB },
  { RLIMIT_AS,     16 * MB },
  { RLIMIT_NOFILE, 30 },
  { RLIMIT_NPROC,  50 },
  { -1, -1 }
};
 
struct sig_check { int signal; struct sigaction value; };
 
struct sig_check sensible_signals[] = {
  { SIGIO, { SIG_IGN, 0, 0 } },
  { -1, {} }
};
 
void
sanity_checks()
{
  int i, j;
  struct rlimit rlim;
 
  for (i = 0; i < 3; ++i) {
    if (fcntl(i, F_GETFD, &j) != 0)
      exit(EX_TEMPFAIL);
    /* no error diag */
  }
 
  for (i = 3; i < OPEN_MAX; ++i)
    close(i);
 
  for (i = 0; sensible_limits[i].limit >= 0; ++i) {
    if (getrlimit(sensible_limits[i].limit, &rlim) != 0) {
      perror(PROGNAME_C "getrlimit");
      exit(EX_OSERR);
    }
    if (rlim.rlim_cur != RLIM_INFINITY &&
        rlim.rlim_cur < sensible_limits[i].value) {
      fprintf(stderr, PROGNAME_C "living environment not kosher");
      exit(EX_TEMPFAIL);
    }
  }
 
  for (i = 0; sensible_signals[i].signal >= 0; ++i) {
    if (sigaction(sensible_signals[i].signal,
                  &sensible_signals[i].value, NULL) != 0) {
      perror(PROGNAME_C "sigaction");
      exit(EX_OSERR);
    }
  }

  umask(022);

  if (chdir("/") != 0) {
    perror(PROGNAME_C "chdir");
    exit(EX_OSERR);
  }
}