allow unpriviledged user to run "encrypt" and "spf walk"

ok todd@, gilles@, sunil@

2 files changed, 90 insertions, 61 deletions

diff --git a/usr.sbin/smtpd/smtpctl.c b/usr.sbin/smtpd/smtpctl.c
index ec2320b0a31..5642d1b5da2 100644
--- a/usr.sbin/smtpd/smtpctl.c
+++ b/usr.sbin/smtpd/smtpctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: smtpctl.c,v 1.155 2018/01/06 07:59:27 sunil Exp $	*/
+/*	$OpenBSD: smtpctl.c,v 1.156 2018/01/26 08:00:54 eric Exp $	*/
 
 /*
  * Copyright (c) 2013 Eric Faurot <eric@openbsd.org>
@@ -69,7 +69,7 @@ static int is_gzip_buffer(const char *);
 static FILE *offline_file(void);
 static void sendmail_compat(int, char **);
 
-extern int	do_spfwalk(int, struct parameter *);
+extern int	spfwalk(int, struct parameter *);
 
 extern char	*__progname;
 int		 sendmail;
@@ -478,6 +478,29 @@ srv_show_cmd(int cmd, const void *data, size_t len)
 	} while (!done);
 }
 
+static void
+droppriv(void)
+{
+	struct passwd *pw;
+
+	if (geteuid())
+		return;
+
+	if ((pw = getpwnam(SMTPD_USER)) == NULL)
+		errx(1, "unknown user " SMTPD_USER);
+
+	if ((setgroups(1, &pw->pw_gid) ||
+	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)))
+		err(1, "cannot drop privileges");
+}
+
+static int
+do_permission_denied(int argc, struct parameter *argv)
+{
+	errx(1, "need root privileges");
+}
+
 static int
 do_log_brief(int argc, struct parameter *argv)
 {
@@ -906,6 +929,8 @@ do_encrypt(int argc, struct parameter *argv)
 {
 	const char *p = NULL;
 
+	droppriv();
+
 	if (argv)
 		p = argv[0].u.u_str;
 	execl(PATH_ENCRYPT, "encrypt", p, (char *)NULL);
@@ -1014,67 +1039,81 @@ do_uncorrupt(int argc, struct parameter *argv)
 	return (0);
 }
 
+static int
+do_spf_walk(int argc, struct parameter *argv)
+{
+	droppriv();
+
+	return spfwalk(argc, argv);
+}
+
+#define cmd_install_priv(s, f) \
+	cmd_install((s), privileged ? (f) : do_permission_denied)
+
 int
 main(int argc, char **argv)
 {
 	gid_t		 gid;
+	int		 privileged;
 	char		*argv_mailq[] = { "show", "queue", NULL };
 
 	sendmail_compat(argc, argv);
-	if (geteuid())
-		errx(1, "need root privileges");
+	privileged = geteuid() == 0;
 
 	gid = getgid();
 	if (setresgid(gid, gid, gid) == -1)
 		err(1, "setresgid");
 
-	cmd_install("discover <evpid>",		do_discover);
-	cmd_install("discover <msgid>",		do_discover);
+	/* Privileged commands */
+	cmd_install_priv("discover <evpid>",	do_discover);
+	cmd_install_priv("discover <msgid>",	do_discover);
+	cmd_install_priv("pause mta from <addr> for <str>", do_block_mta);
+	cmd_install_priv("resume mta from <addr> for <str>", do_unblock_mta);
+	cmd_install_priv("show mta paused",	do_show_mta_block);
+	cmd_install_priv("log brief",		do_log_brief);
+	cmd_install_priv("log verbose",		do_log_verbose);
+	cmd_install_priv("monitor",		do_monitor);
+	cmd_install_priv("pause envelope <evpid>", do_pause_envelope);
+	cmd_install_priv("pause envelope <msgid>", do_pause_envelope);
+	cmd_install_priv("pause envelope all",	do_pause_envelope);
+	cmd_install_priv("pause mda",		do_pause_mda);
+	cmd_install_priv("pause mta",		do_pause_mta);
+	cmd_install_priv("pause smtp",		do_pause_smtp);
+	cmd_install_priv("profile <str>",	do_profile);
+	cmd_install_priv("remove <evpid>",	do_remove);
+	cmd_install_priv("remove <msgid>",	do_remove);
+	cmd_install_priv("remove all",		do_remove);
+	cmd_install_priv("resume envelope <evpid>", do_resume_envelope);
+	cmd_install_priv("resume envelope <msgid>", do_resume_envelope);
+	cmd_install_priv("resume envelope all",	do_resume_envelope);
+	cmd_install_priv("resume mda",		do_resume_mda);
+	cmd_install_priv("resume mta",		do_resume_mta);
+	cmd_install_priv("resume route <routeid>", do_resume_route);
+	cmd_install_priv("resume smtp",		do_resume_smtp);
+	cmd_install_priv("schedule <msgid>",	do_schedule);
+	cmd_install_priv("schedule <evpid>",	do_schedule);
+	cmd_install_priv("schedule all",	do_schedule);
+	cmd_install_priv("show envelope <evpid>", do_show_envelope);
+	cmd_install_priv("show hoststats",	do_show_hoststats);
+	cmd_install_priv("show message <msgid>", do_show_message);
+	cmd_install_priv("show message <evpid>", do_show_message);
+	cmd_install_priv("show queue",		do_show_queue);
+	cmd_install_priv("show queue <msgid>",	do_show_queue);
+	cmd_install_priv("show hosts",		do_show_hosts);
+	cmd_install_priv("show relays",		do_show_relays);
+	cmd_install_priv("show routes",		do_show_routes);
+	cmd_install_priv("show stats",		do_show_stats);
+	cmd_install_priv("show status",		do_show_status);
+	cmd_install_priv("trace <str>",		do_trace);
+	cmd_install_priv("uncorrupt <msgid>",	do_uncorrupt);
+	cmd_install_priv("unprofile <str>",	do_unprofile);
+	cmd_install_priv("untrace <str>",	do_untrace);
+	cmd_install_priv("update table <str>",	do_update_table);
+
+	/* Unprivileged commands */
 	cmd_install("encrypt",			do_encrypt);
 	cmd_install("encrypt <str>",		do_encrypt);
-	cmd_install("pause mta from <addr> for <str>", do_block_mta);
-	cmd_install("resume mta from <addr> for <str>", do_unblock_mta);
-	cmd_install("show mta paused",		do_show_mta_block);
-	cmd_install("log brief",		do_log_brief);
-	cmd_install("log verbose",		do_log_verbose);
-	cmd_install("monitor",			do_monitor);
-	cmd_install("pause envelope <evpid>",	do_pause_envelope);
-	cmd_install("pause envelope <msgid>",	do_pause_envelope);
-	cmd_install("pause envelope all",	do_pause_envelope);
-	cmd_install("pause mda",		do_pause_mda);
-	cmd_install("pause mta",		do_pause_mta);
-	cmd_install("pause smtp",		do_pause_smtp);
-	cmd_install("profile <str>",		do_profile);
-	cmd_install("remove <evpid>",		do_remove);
-	cmd_install("remove <msgid>",		do_remove);
-	cmd_install("remove all",		do_remove);
-	cmd_install("resume envelope <evpid>",	do_resume_envelope);
-	cmd_install("resume envelope <msgid>",	do_resume_envelope);
-	cmd_install("resume envelope all",	do_resume_envelope);
-	cmd_install("resume mda",		do_resume_mda);
-	cmd_install("resume mta",		do_resume_mta);
-	cmd_install("resume route <routeid>",	do_resume_route);
-	cmd_install("resume smtp",		do_resume_smtp);
-	cmd_install("schedule <msgid>",		do_schedule);
-	cmd_install("schedule <evpid>",		do_schedule);
-	cmd_install("schedule all",		do_schedule);
-	cmd_install("show envelope <evpid>",	do_show_envelope);
-	cmd_install("show hoststats",		do_show_hoststats);
-	cmd_install("show message <msgid>",	do_show_message);
-	cmd_install("show message <evpid>",	do_show_message);
-	cmd_install("show queue",		do_show_queue);
-	cmd_install("show queue <msgid>",	do_show_queue);
-	cmd_install("show hosts",		do_show_hosts);
-	cmd_install("show relays",		do_show_relays);
-	cmd_install("show routes",		do_show_routes);
-	cmd_install("show stats",		do_show_stats);
-	cmd_install("show status",		do_show_status);
-	cmd_install("spf walk",			do_spfwalk);
-	cmd_install("trace <str>",		do_trace);
-	cmd_install("uncorrupt <msgid>",	do_uncorrupt);
-	cmd_install("unprofile <str>",		do_unprofile);
-	cmd_install("untrace <str>",		do_untrace);
-	cmd_install("update table <str>",	do_update_table);
+	cmd_install("spf walk",			do_spf_walk);
 
 	if (strcmp(__progname, "mailq") == 0)
 		return cmd_run(2, argv_mailq);
diff --git a/usr.sbin/smtpd/spfwalk.c b/usr.sbin/smtpd/spfwalk.c
index 1e3ff8fbe67..46bff7086b9 100644
--- a/usr.sbin/smtpd/spfwalk.c
+++ b/usr.sbin/smtpd/spfwalk.c
@@ -25,7 +25,6 @@
 #include <err.h>
 #include <errno.h>
 #include <event.h>
-#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -36,7 +35,7 @@
 #include "unpack_dns.h"
 #include "parser.h"
 
-int do_spfwalk(int, struct parameter *);
+int spfwalk(int, struct parameter *);
 
 static void	dispatch_txt(struct dns_rr *);
 static void	dispatch_mx(struct dns_rr *);
@@ -51,9 +50,8 @@ int     ip_v6 = 0;
 int     ip_both = 1;
 
 int
-do_spfwalk(int argc, struct parameter *argv)
+spfwalk(int argc, struct parameter *argv)
 {
-	struct passwd	*pw;
 	const char	*ip_family = NULL;
 	char		*line = NULL;
 	size_t		 linesize = 0;
@@ -76,14 +74,6 @@ do_spfwalk(int argc, struct parameter *argv)
 	argv += optind;
 	argc -= optind;
 
-	if ((pw = getpwnam(SMTPD_USER)) == NULL)
-		errx(1, "unknown user " SMTPD_USER);
-
-	if (setgroups(1, &pw->pw_gid) ||
-	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
-	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
-		err(1, "do_spfwalk: cannot drop privileges");
-
   	event_init();
 
 	while ((linelen = getline(&line, &linesize, stdin)) != -1) {