OpenVPN
run_command.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include "buffer.h"
31 #include "error.h"
32 #include "platform.h"
33 #include "win32.h"
34 
35 #include "memdbg.h"
36 
37 #include "run_command.h"
38 
39 /* contains an SSEC_x value defined in platform.h */
40 static int script_security_level = SSEC_BUILT_IN; /* GLOBAL */
41 
42 int
43 script_security(void)
44 {
45  return script_security_level;
46 }
47 
48 void
49 script_security_set(int level)
50 {
51  script_security_level = level;
52 }
53 
54 /*
55  * Generate an error message based on the status code returned by openvpn_execve().
56  */
57 static const char *
58 system_error_message(int stat, struct gc_arena *gc)
59 {
60  struct buffer out = alloc_buf_gc(256, gc);
61 
62  switch (stat)
63  {
64  case OPENVPN_EXECVE_NOT_ALLOWED:
65  buf_printf(&out, "disallowed by script-security setting");
66  break;
67 
68 #ifdef _WIN32
69  case OPENVPN_EXECVE_ERROR:
70  buf_printf(&out, "external program did not execute -- ");
71  /* fall through */
72 
73  default:
74  buf_printf(&out, "returned error code %d", stat);
75  break;
76 #else /* ifdef _WIN32 */
77 
78  case OPENVPN_EXECVE_ERROR:
79  buf_printf(&out, "external program fork failed");
80  break;
81 
82  default:
83  if (!WIFEXITED(stat))
84  {
85  buf_printf(&out, "external program did not exit normally");
86  }
87  else
88  {
89  const int cmd_ret = WEXITSTATUS(stat);
90  if (!cmd_ret)
91  {
92  buf_printf(&out, "external program exited normally");
93  }
94  else if (cmd_ret == OPENVPN_EXECVE_FAILURE)
95  {
96  buf_printf(&out, "could not execute external program");
97  }
98  else
99  {
100  buf_printf(&out, "external program exited with error status: %d", cmd_ret);
101  }
102  }
103  break;
104 #endif /* ifdef _WIN32 */
105  }
106  return (const char *)out.data;
107 }
108 
109 #ifndef WIN32
110 bool
111 openvpn_waitpid_check(pid_t pid, const char *msg_prefix, int msglevel)
112 {
113  if (pid == 0)
114  {
115  return false;
116  }
117  int status;
118  pid_t pidret = waitpid(pid, &status, WNOHANG);
119  if (pidret != pid)
120  {
121  return true;
122  }
123 
124  if (WIFEXITED(status))
125  {
126  int exitcode = WEXITSTATUS(status);
127 
128  if (exitcode == OPENVPN_EXECVE_FAILURE)
129  {
130  msg(msglevel, "%scould not execute external program (exit code 127)",
131  msg_prefix);
132  }
133  else
134  {
135  msg(msglevel, "%sexternal program exited with error status: %d",
136  msg_prefix, exitcode);
137  }
138 
139  }
140  else if (WIFSIGNALED(status))
141  {
142  msg(msglevel, "%sexternal program received signal %d",
143  msg_prefix, WTERMSIG(status));
144  }
145 
146  return false;
147 }
148 #endif /* ifndef WIN32 */
149 
150 bool
151 openvpn_execve_allowed(const unsigned int flags)
152 {
153  if (flags & S_SCRIPT)
154  {
155  return script_security() >= SSEC_SCRIPTS;
156  }
157  else
158  {
159  return script_security() >= SSEC_BUILT_IN;
160  }
161 }
162 
163 
164 #ifndef _WIN32
165 /*
166  * Run execve() inside a fork(). Designed to replicate the semantics of system() but
167  * in a safer way that doesn't require the invocation of a shell or the risks
168  * associated with formatting and parsing a command line.
169  * Returns the exit status of child, OPENVPN_EXECVE_NOT_ALLOWED if openvpn_execve_allowed()
170  * returns false, or OPENVPN_EXECVE_ERROR on other errors.
171  */
172 int
173 openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags)
174 {
175  struct gc_arena gc = gc_new();
176  int ret = OPENVPN_EXECVE_ERROR;
177  static bool warn_shown = false;
178 
179  if (a && a->argv[0])
180  {
181 #if defined(ENABLE_FEATURE_EXECVE)
182  if (openvpn_execve_allowed(flags))
183  {
184  const char *cmd = a->argv[0];
185  char *const *argv = a->argv;
186  char *const *envp = (char *const *)make_env_array(es, true, &gc);
187  pid_t pid;
188 
189  pid = fork();
190  if (pid == (pid_t)0) /* child side */
191  {
192  execve(cmd, argv, envp);
193  exit(OPENVPN_EXECVE_FAILURE);
194  }
195  else if (pid < (pid_t)0) /* fork failed */
196  {
197  msg(M_ERR, "openvpn_execve: unable to fork");
198  }
199  else if (flags & S_NOWAITPID)
200  {
201  ret = pid;
202  }
203  else /* parent side */
204  {
205  if (waitpid(pid, &ret, 0) != pid)
206  {
207  ret = OPENVPN_EXECVE_ERROR;
208  }
209  }
210  }
211  else
212  {
213  ret = OPENVPN_EXECVE_NOT_ALLOWED;
214  if (!warn_shown && (script_security() < SSEC_SCRIPTS))
215  {
216  msg(M_WARN, SCRIPT_SECURITY_WARNING);
217  warn_shown = true;
218  }
219  }
220 #else /* if defined(ENABLE_FEATURE_EXECVE) */
221  msg(M_WARN, "openvpn_execve: execve function not available");
222 #endif /* if defined(ENABLE_FEATURE_EXECVE) */
223  }
224  else
225  {
226  msg(M_FATAL, "openvpn_execve: called with empty argv");
227  }
228 
229  gc_free(&gc);
230  return ret;
231 }
232 #endif /* ifndef _WIN32 */
233 
234 /*
235  * Wrapper around openvpn_execve
236  */
237 int
238 openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
239 {
240  struct gc_arena gc = gc_new();
241  const int stat = openvpn_execve(a, es, flags);
242  int ret = false;
243 
244  if (flags & S_EXITCODE)
245  {
246  ret = platform_ret_code(stat);
247  if (ret != -1)
248  {
249  goto done;
250  }
251  }
252  else if (flags & S_NOWAITPID && (stat > 0))
253  {
254  ret = stat;
255  goto done;
256  }
257  else if (platform_system_ok(stat))
258  {
259  ret = true;
260  goto done;
261  }
262  if (error_message)
263  {
264  msg(((flags & S_FATAL) ? M_FATAL : M_WARN), "%s: %s",
265  error_message,
266  system_error_message(stat, &gc));
267  }
268 done:
269  gc_free(&gc);
270 
271  return ret;
272 }
273 
274 /*
275  * Run execve() inside a fork(), duping stdout. Designed to replicate the semantics of popen() but
276  * in a safer way that doesn't require the invocation of a shell or the risks
277  * associated with formatting and parsing a command line.
278  */
279 int
280 openvpn_popen(const struct argv *a, const struct env_set *es)
281 {
282  struct gc_arena gc = gc_new();
283  int ret = -1;
284 
285  if (a && a->argv[0])
286  {
287 #if defined(ENABLE_FEATURE_EXECVE)
288  static bool warn_shown = false;
289  if (script_security() >= SSEC_BUILT_IN)
290  {
291  const char *cmd = a->argv[0];
292  char *const *argv = a->argv;
293  char *const *envp = (char *const *)make_env_array(es, true, &gc);
294  pid_t pid;
295  int pipe_stdout[2];
296 
297  if (pipe(pipe_stdout) == 0)
298  {
299  pid = fork();
300  if (pid == (pid_t)0) /* child side */
301  {
302  close(pipe_stdout[0]); /* Close read end */
303  dup2(pipe_stdout[1], 1);
304  execve(cmd, argv, envp);
305  exit(OPENVPN_EXECVE_FAILURE);
306  }
307  else if (pid > (pid_t)0) /* parent side */
308  {
309  int status = 0;
310 
311  close(pipe_stdout[1]); /* Close write end */
312  waitpid(pid, &status, 0);
313  ret = pipe_stdout[0];
314  }
315  else /* fork failed */
316  {
317  close(pipe_stdout[0]);
318  close(pipe_stdout[1]);
319  msg(M_ERR, "openvpn_popen: unable to fork %s", cmd);
320  }
321  }
322  else
323  {
324  msg(M_WARN, "openvpn_popen: unable to create stdout pipe for %s", cmd);
325  ret = -1;
326  }
327  }
328  else if (!warn_shown && (script_security() < SSEC_SCRIPTS))
329  {
330  msg(M_WARN, SCRIPT_SECURITY_WARNING);
331  warn_shown = true;
332  }
333 #else /* if defined(ENABLE_FEATURE_EXECVE) */
334  msg(M_WARN, "openvpn_popen: execve function not available");
335 #endif /* if defined(ENABLE_FEATURE_EXECVE) */
336  }
337  else
338  {
339  msg(M_FATAL, "openvpn_popen: called with empty argv");
340  }
341 
342  gc_free(&gc);
343  return ret;
344 }
error.h
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
run_command.h
platform_ret_code
int platform_ret_code(int stat)
Return an exit code if valid and between 0 and 255, -1 otherwise.
Definition: platform.c:425
M_FATAL
#define M_FATAL
Definition: error.h:89
win32.h
argv
Definition: argv.h:35
script_security_set
void script_security_set(int level)
Definition: run_command.c:49
es
struct env_set * es
Definition: test_pkcs11.c:141
OPENVPN_EXECVE_ERROR
#define OPENVPN_EXECVE_ERROR
Definition: run_command.h:36
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
platform_system_ok
bool platform_system_ok(int stat)
interpret the status code returned by execve()
Definition: platform.c:414
openvpn_waitpid_check
bool openvpn_waitpid_check(pid_t pid, const char *msg_prefix, int msglevel)
Checks if a running process is still running.
Definition: run_command.c:111
openvpn_execve_check
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition: run_command.c:238
argv::argv
char ** argv
Definition: argv.h:39
system_error_message
static const char * system_error_message(int stat, struct gc_arena *gc)
Definition: run_command.c:58
OPENVPN_EXECVE_NOT_ALLOWED
#define OPENVPN_EXECVE_NOT_ALLOWED
Definition: run_command.h:37
M_WARN
#define M_WARN
Definition: error.h:91
M_ERR
#define M_ERR
Definition: error.h:105
script_security_level
static int script_security_level
Definition: run_command.c:40
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
SSEC_BUILT_IN
#define SSEC_BUILT_IN
Definition: run_command.h:32
buffer.h
syshead.h
platform.h
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
env_set
Definition: env_set.h:42
openvpn_execve_allowed
bool openvpn_execve_allowed(const unsigned int flags)
Definition: run_command.c:151
S_EXITCODE
#define S_EXITCODE
Instead of returning 1/0 for success/fail, return exit code when between 0 and 255 and -1 otherwise.
Definition: run_command.h:49
S_NOWAITPID
#define S_NOWAITPID
instead of waiting for child process to exit and report the status, return the pid of the child proce...
Definition: run_command.h:52
status
static SERVICE_STATUS status
Definition: interactive.c:53
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
openvpn_popen
int openvpn_popen(const struct argv *a, const struct env_set *es)
Definition: run_command.c:280
config.h
S_FATAL
#define S_FATAL
Definition: run_command.h:46
S_SCRIPT
#define S_SCRIPT
Definition: run_command.h:45
SCRIPT_SECURITY_WARNING
#define SCRIPT_SECURITY_WARNING
Definition: common.h:98
OPENVPN_EXECVE_FAILURE
#define OPENVPN_EXECVE_FAILURE
Definition: run_command.h:38
memdbg.h
msg
#define msg(flags,...)
Definition: error.h:144
make_env_array
const char ** make_env_array(const struct env_set *es, const bool check_allowed, struct gc_arena *gc)
Definition: env_set.c:421
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
openvpn_execve
int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags)
Definition: win32.c:1001
script_security
int script_security(void)
Definition: run_command.c:43
gc
struct gc_arena gc
Definition: test_ssl.c:155
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
Generated by   doxygen 1.8.17