Add support for CRD user-session to operate setuid

remoting/host/linux/remoting_user_session.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements a wrapper to run the virtual me2me session within a
 // proper PAM session. It will generally be run as root and drop privileges to
 // the specified user before running the me2me session script.
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ skipping 227 matching lines @@
 
  private:
   pam_handle_t* pam_handle_ = nullptr;
   int last_return_code_ = PAM_SUCCESS;
 
   DISALLOW_COPY_AND_ASSIGN(PamHandle);
 };
 
 // Runs the me2me script in a PAM session. Exits the program on failure.
 // If chown_log is true, the owner and group of the file associated with stdout
-// will be changed to the target user.
-void ExecuteSession(std::string user, base::StringPiece script_path,
-                    bool chown_log) {
+// will be changed to the target user. If match_uid is not nullopt, this
+// function will fail if the final user id does not match the one provided.
+void ExecuteSession(std::string user,
+                    base::StringPiece script_path,
+                    bool chown_log,
+                    base::Optional<uid_t> match_uid) {
   //////////////////////////////////////////////////////////////////////////////
   // Set up the PAM session
   //////////////////////////////////////////////////////////////////////////////
 
   PamHandle pam_handle(kPamName, user.c_str(), &kPamConversation);
   CHECK(pam_handle.IsInitialized()) << "Failed to initialize PAM";
 
   // Make sure the account is valid and enabled.
   pam_handle.CheckReturnCode(pam_handle.AccountManagement(0), "Account check");
 
@@ skipping 47 matching lines @@
 
    private:
     struct passwd* pwinfo_;
   };
 
   // Fetch pwinfo again, as it may have been invalidated or the user name might
   // have been remapped.
   pwinfo = getpwnam(user.c_str());
   PCHECK(pwinfo != nullptr) << "getpwnam failed";
 
+  if (match_uid && pwinfo->pw_uid != *match_uid) {
+    LOG(FATAL) << "PAM remapped username to one with a different user ID.";
+  }
+
   if (chown_log) {
     int result = fchown(STDOUT_FILENO, pwinfo->pw_uid, pwinfo->pw_gid);
     PLOG_IF(WARNING, result != 0) << "Failed to change log file owner";
   }
 
   PreExecDelegate pre_exec_delegate(pwinfo);
 
   base::LaunchOptions launch_options;
 
   // Required to allow suid binaries to function in the session.
@@ skipping 63 matching lines @@
            (std::size_t) 0);
 
   mode_t mode = umask(0177);
   int fd = mkstemp(logfile);
   PCHECK(fd != -1);
   umask(mode);
 
   return fd;
 }
 
+// Find the username for the current user. If either USER or LOGNAME is set to
+// a user matching our real user id, we return that. Otherwise, we use getpwuid
+// to attempt a reverse lookup. Note: It's possible to more than user with the
+// same user id but different group membership, home directories, et cetera,
+// which is why we check USER and LOGNAME first.
+std::string FindCurrentUsername() {
+  uid_t real_id = getuid();
+  struct passwd* pwinfo;
+  for (const char* var : {"USER", "LOGNAME"}) {
+    const char* value = getenv(var);
+    if (value) {
+      pwinfo = getpwnam(value);
+      // USER and LOGNAME can be overridden, so make sure the value is valid
+      // and matches the UID of the invoking user.
+      if (pwinfo && pwinfo->pw_uid == real_id) {
+        return pwinfo->pw_name;
+      }
+    }
+  }
+  errno = 0;
+  pwinfo = getpwuid(real_id);
+  PCHECK(pwinfo) << "getpwuid failed";
+  return pwinfo->pw_name;
+}
+
 // Daemonizes the process. Output is redirected to a file. Exits the program on
 // failure.
 //
 // This logic is mostly the same as daemonize() in linux_me2me_host.py. Log-
 // file redirection especially should be kept in sync. Note that this does
 // not currently wait for the host to start successfully before exiting the
 // parent process like the Python script does, as that functionality is
 // probably not useful at boot, where the wrapper is expected to be used. If
 // it turns out to be desired, it can be implemented by setting up a pipe and
 // passing a file descriptor to the Python script.
@@ skipping 56 matching lines @@
   base::FilePath script_path =
       command_line->GetSwitchValuePath(kScriptSwitchName);
   std::string user = command_line->GetSwitchValueNative(kUserSwitchName);
   bool foreground = command_line->HasSwitch(kForegroundSwitchName);
 
   if (script_path.empty()) {
     std::fputs("The path to the me2me python script is required.\n", stderr);
     std::exit(EXIT_FAILURE);
   }
 
+  uid_t real_uid = getuid();

[Jamie, 2017/06/16 19:24:23]

Please be consistent with the naming of this; real_uid or real_id are both fine,
but pick one :)

[rkjnsn, 2017/06/16 20:28:31]

Good catch.

+
+  if (real_uid == 0 && user.empty()) {
+    std::fputs("Target user must be specified when run as root.\n", stderr);
+    std::exit(EXIT_FAILURE);
+  } else if (real_uid != 0 && !user.empty()) {
+    std::fputs("Target user may not be specified by non-root users.\n", stderr);
+    std::exit(EXIT_FAILURE);

[Jamie, 2017/06/16 19:24:23]

Since you already check LOGNAME and USER and use them if they are valid,
couldn't you allow the user to be specified for non-root, but subject it to the
same check? Prohibiting it doesn't buy you anything because a user can set one
of the variables in lieu of passing the command-line flag.

If you allow the username to be specified on the command-line, you could even
get rid of the special-casing for LOGNAME and USER if you think it's
sufficiently rare that it will be needed, since users who do need it would have
a workaround.

[rkjnsn, 2017/06/16 20:28:31]

user-session isn't really intended to be called directly by the user. Instead,
it is expected that the user will continue to call
`/etc/init.d/chrome-remote-desktop start` (or possibly
`/opt/google/chrome-remote-desktop/chrome-remote-desktop --start`) as they
currently do, and user_session will be used transparently. In this context, it
really only makes sense to try to automatically obtain the correct username.

While we certainly *could* accept --user when run as non-root for only a few
additional lines of code, I don't think it would buy us anything. Even with it,
I imagine a user would be much more apt to run `sudo -u other_username
/etc/init.d/chrome-remote-desktop start` than
`/opt/google/chrome-remote-desktop/user-session --user=other_username
--me2me-script=/opt/google/chrome-remote-desktop/chrome-remote-desktop`. By
checking the USER environment variable, we ensure that the former does the right
thing.

+  }
+
   if (user.empty()) {
-    std::fputs("The target user must be specified.\n", stderr);
-    std::exit(EXIT_FAILURE);
+    user = FindCurrentUsername();
   }
 
   if (!foreground) {
     Daemonize();
   }
 
-  ExecuteSession(std::move(user), script_path.value(), !foreground);
+  ExecuteSession(std::move(user), script_path.value(), !foreground,
+                 real_uid != 0 ? base::make_optional(real_uid) : base::nullopt);
 }