File: //proc/self/root/scripts.20110531.215904.25158/fetchfpexec
#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.2.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 2003-08-07 22:51 EDT by <root@photon.cpanel.net>.
# Source directory was `/'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains:
# length mode name
# ------ ---------- ------------------------------------------
# 13285 -rw-r--r-- /usr/local/frontpage/version5.0/apache-fp/fpexe.c
#
save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=FAILED
locale_dir=FAILED
first_param="$1"
for dir in $PATH
do
if test "$gettext_dir" = FAILED && test -f $dir/gettext \
&& ($dir/gettext --version >/dev/null 2>&1)
then
set `$dir/gettext --version 2>&1`
if test "$3" = GNU
then
gettext_dir=$dir
fi
fi
if test "$locale_dir" = FAILED && test -f $dir/shar \
&& ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
then
locale_dir=`$dir/shar --print-text-domain-dir`
fi
done
IFS="$save_IFS"
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
echo=echo
else
TEXTDOMAINDIR=$locale_dir
export TEXTDOMAINDIR
TEXTDOMAIN=sharutils
export TEXTDOMAIN
echo="$gettext_dir/gettext -s"
fi
if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 -a -f $$.touch; then
shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 -a ! -f 123123592001.5 -a -f $$.touch; then
shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 -a -f $$.touch; then
shar_touch='touch -am $3$4$5$6$2 "$8"'
else
shar_touch=:
echo
$echo 'WARNING: not restoring timestamps. Consider getting and'
$echo "installing GNU \`touch', distributed in GNU File Utilities..."
echo
fi
rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
#
if mkdir _sh04084; then
$echo 'x -' 'creating lock directory'
else
$echo 'failed to create lock directory'
exit 1
fi
# ============= /usr/local/frontpage/version5.0/apache-fp/fpexe.c ==============
if test ! -d '/usr'; then
$echo 'x -' 'creating directory' '/usr'
mkdir '/usr'
fi
if test ! -d '/usr/local'; then
$echo 'x -' 'creating directory' '/usr/local'
mkdir '/usr/local'
fi
if test ! -d '/usr/local/frontpage'; then
$echo 'x -' 'creating directory' '/usr/local/frontpage'
mkdir '/usr/local/frontpage'
fi
if test ! -d '/usr/local/frontpage/version5.0'; then
$echo 'x -' 'creating directory' '/usr/local/frontpage/version5.0'
mkdir '/usr/local/frontpage/version5.0'
fi
if test ! -d '/usr/local/frontpage/version5.0/apache-fp'; then
$echo 'x -' 'creating directory' '/usr/local/frontpage/version5.0/apache-fp'
mkdir '/usr/local/frontpage/version5.0/apache-fp'
fi
if test -f '/usr/local/frontpage/version5.0/apache-fp/fpexe.c' && test "$first_param" != -c; then
$echo 'x -' SKIPPING '/usr/local/frontpage/version5.0/apache-fp/fpexe.c' '(file already exists)'
else
$echo 'x -' extracting '/usr/local/frontpage/version5.0/apache-fp/fpexe.c' '(text)'
sed 's/^X//' << 'SHAR_EOF' > '/usr/local/frontpage/version5.0/apache-fp/fpexe.c' &&
/* ====================================================================
X *
X * FrontPage SUID Stub Executable
X *
X * Copyright (c) 1995-2000 Microsoft Corporation -- All Rights Reserved.
X *
X * NO WARRANTIES. Microsoft expressly disclaims any warranty for this code and
X * information. This code and information and any related documentation is
X * provided "as is" without warranty of any kind, either express or implied,
X * including, without limitation, the implied warranties or merchantability,
X * fitness for a particular purpose, or noninfringement. The entire risk
X * arising out of use or performance of this code and information remains with
X * you.
X *
X * NO LIABILITY FOR DAMAGES. In no event shall Microsoft or its suppliers be
X * liable for any damages whatsoever (including, without limitation, damages
X * for loss of business profits, business interruption, loss of business
X * information, or any other pecuniary loss) arising out of the use of or
X * inability to use this Microsoft product, even if Microsoft has been advised
X * of the possibility of such damages. Because some states/jurisdictions do not
X * allow the exclusion or limitation of liability for consequential or
X * incidental damages, the above limitation may not apply to you.
X *
X * Version 5.0.0.0
X */
X
X
/*
X * User configurable items. We will not run the server extensions with any
X * UID/GID less than LOWEST_VALID_UID/LOWEST_VALID_GID.
X */
X
#if defined(RS6000)
#define _ALL_SOURCE
#endif
X
#if defined(RS6000) | defined(UWARE7)
int initgroups (char *, int);
#endif
X
#if defined(MIPS_LINUX)
#define _GNU_SOURCE
#endif
#if defined(LINUX) || defined(MIPS_LINUX)
#define LOWEST_VALID_UID 15
#else
#define LOWEST_VALID_UID 11
#endif
X
#if defined(HPUX) || defined(IRIX) || defined(SUNOS4)
#define LOWEST_VALID_GID 20
#else
#if defined(SCO)
#define LOWEST_VALID_GID 24
#else
#define LOWEST_VALID_GID 21 /* Solaris, AIX, Alpha, Bsdi, etc. */
#endif
#endif
X
#if defined(UWARE7)
#define Vstat stat32
#define Vlstat lstat32
int lstat32 (const char *, struct stat *);
int stat32 (const char *, struct stat *);
#else
#define Vstat stat
#define Vlstat lstat
#endif
X
#define CLEAN_PATH "PATH=/usr/bin:/bin"
X
static struct SaveEnvVars
{
X const char* szVar;
X int iLen;
} gSafeEnvVars[] =
{
X { "AUTH_TYPE=", 0 },
X { "CONTENT_LENGTH=", 0 },
X { "CONTENT_TYPE=", 0 },
X { "DATE_GMT=", 0 },
X { "DATE_LOCAL=", 0 },
X { "DOCUMENT_NAME=", 0 },
X { "DOCUMENT_PATH_INFO=", 0 },
X { "DOCUMENT_ROOT=", 0 },
X { "DOCUMENT_URI=", 0 },
X { "FILEPATH_INFO=", 0 },
#ifdef ALPHAOSF
X { "FP_USE_FLOCK=", 0 },
#endif
X { "FRONTPAGE_TEST_INSTALL=", 0 },
X { "GATEWAY_INTERFACE=", 0 },
X { "HTTP_", 0 },
X { "LAST_MODIFIED=", 0 },
X { "PATH_INFO=", 0 },
X { "PATH_TRANSLATED=", 0 },
X { "QUERY_STRING=", 0 },
X { "QUERY_STRING_UNESCAPED=", 0 },
X { "REDIRECT_QUERY_STRING=", 0 },
X { "REDIRECT_STATUS=", 0 },
X { "REDIRECT_URL=", 0 },
X { "REMOTE_ADDR=", 0 },
X { "REMOTE_HOST=", 0 },
X { "REMOTE_IDENT=", 0 },
X { "REMOTE_PORT=", 0 },
X { "REMOTE_USER=", 0 },
X { "REQUEST_METHOD=", 0 },
X { "SCRIPT_FILENAME=", 0 },
X { "SCRIPT_NAME=", 0 },
X { "SCRIPT_URI=", 0 },
X { "SCRIPT_URL=", 0 },
X { "SERVER_ADMIN=", 0 },
X { "SERVER_NAME=", 0 },
X { "SERVER_PORT=", 0 },
X { "SERVER_PROTOCOL=", 0 },
X { "SERVER_SOFTWARE=", 0 },
X { "TZ=", 0 },
X { "USER_NAME=", 0 },
X { 0, 0 }
};
X
/*
X * End of user configurable items
X */
X
X
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>
#include <time.h>
#include <pwd.h>
#include <grp.h>
#if !defined(bsdi) && !defined(hpux) && !defined(sun) && !defined(linux) && !defined(SCO5) && !defined(UWARE7) && !defined(FREEBSD)
#include <sys/mode.h>
#endif
X
#if defined(sun) || defined(bsdi) || defined(sgi) || defined(SCO5) || defined(UWARE7) || defined(FREEBSD) || defined(linux)
extern const char ** environ;
#endif
extern int errno;
X
X
#ifndef TRUE
#define TRUE 1
#endif
X
#ifndef FALSE
#define FALSE 0
#endif
X
#ifndef MAXPATHLEN
#define MAXPATHLEN 1024
#endif
#if (MAXPATHLEN < 1024)
#undef MAXPATHLEN
#define MAXPATHLEN 1024
#endif
X
#define KEYLEN 128 /* Should be a multiple of sizeof(int) */
X
X
#define FPKEYDIR "/usr/local/frontpage/version5.0/apache-fp"
#define KEYFILE "/usr/local/frontpage/version5.0/apache-fp/suidkey.%d"
#define FPDIR "/usr/local/frontpage/version5.0/exes"
X
/* Legal modules */
#define SHTML "/_vti_bin/shtml.exe"
#define FPCOUNT "/_vti_bin/fpcount.exe"
#define AUTHOR "/_vti_bin/_vti_aut/author.exe"
#define ADMIN "/_vti_bin/_vti_adm/admin.exe"
#define ADMINCGI "/_vti_bin/_vti_adm/fpadmcgi.exe"
X
X
/*
X * Something is not quite right - give up
X */
void die(const char *msg)
{
X char timebuf[26];
X time_t t = time(0);
X strcpy(timebuf, ctime(&t));
X timebuf[24] = '\0';
X fprintf(stderr, "[%s] %s\n", timebuf, msg);
X printf("Content-Type: text/html\n\n<HTML>*-*-* :-| :^| :-/ :-( 8-( *-*-*\n<ul>\n<li>status=1\n<li>osstatus=0\n<li>msg=FrontPage security violation.\n<li>osmsg=\n</ul>\n");
X exit(0);
}
X
/*
X * Remove any variable that is not known to be a standard CGI or OS
X * environment variable. Also, sanitizes the PATH.
X */
static void CleanEnvironment()
{
X const char** pp;
X const char** ppi;
X struct SaveEnvVars* pOkEnv;
X
X for (ppi = pp = environ; *pp; pp++)
X {
X /*
X * Inefficient linear lookup; could be improved with binary search.
X */
X for (pOkEnv = gSafeEnvVars; pOkEnv->szVar; pOkEnv++)
X {
X int iLen = pOkEnv->iLen;
X if (!iLen)
X pOkEnv->iLen = iLen = strlen(pOkEnv->szVar);
X
X if (strncmp(pOkEnv->szVar, *pp, iLen) == 0)
X break;
X }
X
X if (!strncmp(*pp, "PATH=", 5))
X *ppi++ = CLEAN_PATH;
X else if (pOkEnv->szVar)
X *ppi++ = *pp;
X }
X
X *ppi = 0;
}
X
int main(int argc, char **argv)
{
X struct passwd* pw = 0;
X const char* szFpUserName;
X const char* szFpExe = getenv("FPEXE");
X const char* szFpUid = getenv("FPUID");
X const char* szFpGid = getenv("FPGID");
X const char* szFpFd = getenv("FPFD");
X const char* szFpDir = getenv("FPEXEDIR");
X char* pEnd;
X char* pDir;
X uid_t iFpUid;
X uid_t iFpGid;
X uid_t iBinUid;
X int iFpFd;
X int iKeyFd;
X int iCount;
X char szKeyFile[MAXPATHLEN];
X char szWork[MAXPATHLEN];
X char inpKey[KEYLEN];
X char refKey[KEYLEN];
X struct stat fs;
X
X /*
X * Fall back to default location for the real FrontPage executables.
X * if FPEXEDIR is not set in the environment.
X */
X if (!szFpDir)
X szFpDir = FPDIR;
X
X /*
X * Assure that this program was actually SUID'd to root
X */
X if (geteuid())
X /*
X * User recovery: Make sure fpexe is setuid to root
X */
X die("FrontPage SUID Error: not running as root");
X
X /*
X * Assure that the user the web server runs as is a valid user
X */
X if (!getpwuid(getuid()))
X /*
X * User recovery: Make sure that the web server user is in /etc/passwd
X */
X die("FrontPage SUID Error: invalid uid");
X
X /*
X * Assure that we have the proper arguments (passed in the environment)
X */
X if (!szFpExe || !szFpUid || !szFpGid || !szFpFd || !szFpDir)
X /*
X * User recovery: Make sure fpexe is run from patched Apache server
X */
X die("FrontPage SUID Error: invalid environment arguments");
X
X /*
X * Validate the arguments
X */
X if (strcmp(szFpExe, SHTML) != 0 &&
X strcmp(szFpExe, FPCOUNT) != 0 &&
X strcmp(szFpExe, AUTHOR) != 0 &&
X strcmp(szFpExe, ADMIN) != 0 &&
X strcmp(szFpExe, ADMINCGI) != 0)
X /*
X * User recovery: Make sure fpexe is only invoked to run FrontPage
X * server extension programs.
X */
X die("FrontPage SUID Error: target program violation");
X
X if (strlen(szFpExe) + strlen(szFpDir) + 1 > MAXPATHLEN)
X die("FrontPage SUID Error: path too long");
X strcpy(szWork, szFpDir);
X strcat(szWork, szFpExe);
X
X iFpUid = strtol(szFpUid, &pEnd, 10);
X if (!pEnd || *pEnd)
X iFpUid = 0;
X if (iFpUid < LOWEST_VALID_UID || !(pw = getpwuid(iFpUid)))
X /*
X * User recovery: Make sure FrontPage user ids are above minimum
X */
X die("FrontPage SUID Error: invalid target uid");
X szFpUserName = strdup(pw->pw_name);
X
X iFpGid = strtol(szFpGid, &pEnd, 10);
X if (!pEnd || *pEnd)
X iFpGid = 0;
X if (iFpGid < LOWEST_VALID_GID || !getgrgid(iFpGid))
X /*
X * User recovery: Make sure FrontPage group ids are above minimum
X */
X die("FrontPage SUID Error: invalid target gid");
X
X iFpFd = strtol(szFpFd, &pEnd, 10);
X if (!pEnd || *pEnd)
X iFpFd = -1;
X if (iFpFd < 0)
X /*
X * User recovery: Make sure fpexe is run from patched Apache server
X */
X die("FrontPage SUID Error: invalid key file descriptor");
X
X /*
X * Read the key from our server. And, while we're still root and have
X * access, read the key from the master key file. Verify the key matches.
X */
X if (Vlstat(FPKEYDIR, &fs) == -1 ||
X (fs.st_mode & (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)) || fs.st_uid ||
X !(S_ISDIR(fs.st_mode)))
X /*
X * User recovery is: set directory to be owned by by root with
X * permissions rwx--x--x.
X */
X die("FrontPage SUID Error: key file directory is insecure");
X
#if defined(sun) && !defined(__SVR4)
X sprintf(szKeyFile, KEYFILE, (int)getpgrp(0));
#else
X sprintf(szKeyFile, KEYFILE, (int)getpgrp());
#endif
X if (Vstat(szKeyFile, &fs) == -1 ||
X (fs.st_mode & (S_IRWXG | S_IRWXO)) || fs.st_uid)
X /*
X * User recovery is: Make sure the key file is properly protected
X * (owned by root, permissions r**------), restart patched Apache
X * server.
X */
X die("FrontPage SUID Error: key file security violation");
X
X iKeyFd = open(szKeyFile, O_RDONLY);
X if (iKeyFd < 0)
X /*
X * User recovery is: Make sure fpexe is run from patched Apache
X * server, restart the patched Apache server.
X */
X die("FrontPage SUID Error: could not open key file" );
X iCount = read(iKeyFd, refKey, sizeof(refKey));
X close(iKeyFd);
X if (iCount != sizeof(refKey))
X /*
X * User recovery is: Make sure fpexe is run from patched Apache
X * server, restart the patched Apache server.
X */
X die("FrontPage SUID Error: could not read valid key from key file");
X
X iCount = read(iFpFd, inpKey, sizeof(inpKey));
X close(iFpFd);
X if (iCount != sizeof(inpKey))
X /*
X * User recovery is: Make sure fpexe is run from patched Apache server
X */
X die("FrontPage SUID Error: could not read valid input key");
X
X if (memcmp(inpKey, refKey, sizeof(refKey)) != 0)
X /*
X * User recovery is: Make sure fpexe is run from patched Apache server
X */
X die("FrontPage SUID Error: key security violation");
X
X /*
X * Change user and group IDs to be the indicated user
X */
X if (setgid(iFpGid) == -1 || initgroups(szFpUserName, iFpGid) == -1)
X /*
X * User recovery: Make sure user is properly registered in
X * /etc/passwd and /etc/group.
X */
X die("FrontPage SUID Error: setgid() failed");
X
X if (setuid(iFpUid) == -1)
X /*
X * User recovery: Make sure user is properly registered in
X * /etc/passwd.
X */
X die("FrontPage SUID Error: setuid() failed");
X
X /*
X * Validate the target directory.
X */
X iBinUid = 0;
X if (pw = getpwnam("bin"))
X iBinUid = pw->pw_uid;
X
X pDir = strrchr(szWork, '/');
X *pDir = 0;
X if (Vlstat(szWork, &fs) == -1 || (fs.st_mode & (S_IWGRP | S_IWOTH)) ||
X (fs.st_uid != iBinUid && fs.st_uid != 0) ||
X !(S_ISDIR(fs.st_mode)))
X /*
X * User recovery is: make sure FrontPage exe programs are available,
X * set directory to be owned by bin or root and have permissions
X * rwx*-x*-x.
X */
X die("FrontPage SUID Error: target directory not found or insecure");
X
X *pDir = '/';
X
X /*
X * Validate the target program
X */
X if (Vstat(szWork, &fs) == -1 || ((fs.st_mode & (S_IWGRP | S_IWOTH)) ||
X (fs.st_mode & (S_ISUID | S_ISGID)) ||
X (fs.st_uid != iBinUid && fs.st_uid != 0)))
X /*
X * User recovery is: make sure FrontPage exe programs are available,
X * set programs to be owned by bin or root and have permissions
X * rwx*-x*-x.
X */
X die("FrontPage SUID Error: target program not found or insecure");
X
X *pDir = '/';
X
X /*
X * Make sure the environment contains no unsafe values.
X */
X CleanEnvironment();
X
X /*
X * Run the specified program.
X */
X argv[0] = szWork;
X umask(022);
X execv(argv[0], argv);
X
X /*
X * We should never get here. Exit with error.
X */
X return (1);
}
SHAR_EOF
(set 20 03 08 07 22 36 30 '/usr/local/frontpage/version5.0/apache-fp/fpexe.c'; eval "$shar_touch") &&
chmod 0644 '/usr/local/frontpage/version5.0/apache-fp/fpexe.c' ||
$echo 'restore of' '/usr/local/frontpage/version5.0/apache-fp/fpexe.c' 'failed'
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|| $echo '/usr/local/frontpage/version5.0/apache-fp/fpexe.c:' 'MD5 check failed'
d36f12a6d50602de170900806e94f47f /usr/local/frontpage/version5.0/apache-fp/fpexe.c
SHAR_EOF
else
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < '/usr/local/frontpage/version5.0/apache-fp/fpexe.c'`"
test 13285 -eq "$shar_count" ||
$echo '/usr/local/frontpage/version5.0/apache-fp/fpexe.c:' 'original size' '13285,' 'current size' "$shar_count!"
fi
fi
rm -fr _sh04084
exit 0