The s6-sudod program
s6-sudod receives command-line arguments, environment variables and standard descriptors from a peer s6-sudoc program over a Unix socket, then forks another program.
Interface
s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -d ] [ -t timeout ] [ sargv... ]
- s6-sudod gets 3 file descriptors via fd-passing over a Unix socket that must be open on its descriptors 0 and 1. (The received descriptors will be the stdin, stdout and stderr of the server program.) It expects a s6-sudoc process to be sending them on the client side.
- It also receives a list of command-line arguments cargv..., and an environment clientenv.
- s6-sudod forks and executes sargv... cargv... The client command line is appended to the server command line.
- s6-sudod waits for its child to exit and transmits its exit code to the peer s6-sudoc process. It then exits 0.
Environment
s6-sudod transmits its own environment to its child, plus the environment sent by s6-sudoc, filtered in the following manner: for every variable sent by s6-sudoc, if the variable is present but empty in s6-sudod's environment, then its value is overriden by the value given by s6-sudoc. A variable that is already nonempty, or that doesn't exist, in s6-sudod's environment, will not be transmitted to the child. In other words:
- If there's no variable X in s6-sudod's environment, the child will have no variable X defined
- If there's a non-empty variable X in s6-sudod's environment, the child will inherit that variable, with its value, from s6-sudod
- If there's an empty variable X in s6-sudod's environment, and s6-sudoc transmits variable X, then the child will inherit that variable with the value from s6-sudoc. (If s6-sudoc does not transmit X, the variable will be present, but empty, in the child's environment.)
Options
- -0 : do not inherit stdin from s6-sudoc. The child will be run with its stdin pointing to /dev/null instead.
- -1 : do not inherit stdout from s6-sudoc. The child will be run with its stdout pointing to /dev/null instead.
- -2 : do not inherit stderr from s6-sudoc. The child will be run with its stderr being a copy of s6-sudod's stderr instead. (This is useful to still log the child's error messages without sending them to the client.)
- -d : detach. The child will keep running until it naturally exits, even if the client disconnects. Setting this option also enforces -0, -1 and -2. Bear in mind that this option relinquishes a lot of control over the child, and administrators should make sure it is appropriately short-lived.
- -t timeout : if s6-sudod has not received all the needed data from the client after timeout milliseconds, it will exit without spawning a child. By default, timeout is 0, meaning infinite. This mechanism exists to protect the server from malicious or buggy clients that would uselessly consume resources.
Usage example
The typical use of s6-sudod is in a local service with a s6-ipcserver process listening on a Unix socket, an s6-ipcserver-access process performing client authentication and access control, and possibly a s6-envdir process setting up the environment variables that will be accepted by s6-sudod. The following script, meant to be a run script in a service directory, will set up a privileged program:
#!/command/execlineb -P fdmove -c 2 1 fdmove 1 3 s6-envuidgid serveruser s6-ipcserver -U -1 -- serversocket s6-ipcserver-access -v2 -l0 -i rules -- exec -c s6-envdir env s6-sudod sargv
- execlineb executes the script.
- fdmove makes sure the script's error messages are sent to the service's logger.
- fdmove redirects the script's stdout to file descriptor 3. This is useful if the service directory contains a notification-fd file containing 3, so the daemon can perform readiness notification by writing a newline to its stdout. (The -1 option to s6-ipcserver tells it to do this.)
- s6-envuidgid sets the UID, GID and GIDLIST environment variables for s6-ipcserver to interpret.
- s6-ipcserver binds to serversocket,
drops its privileges to those of serveruser, and announces its
readiness. Then, for every client connecting to serversocket:
- s6-ipcserver-access checks the client's credentials according to the rules in directory rules.
- exec -c clears the environment.
- s6-envdir sets environment variables according to the directory env. You can make sure that a variable VAR will be present but empty by performing echo > env/VAR. (A single newline is interpreted by s6-envdir as an empty variable; whereas if env/VAR is totally empty, then the VAR variable will be removed from the environment.)
- s6-sudod reads a command line cargv, a client environment and file descriptors over the socket.
- s6-sudod spawns sargv cargv.
This means that user clientuser running s6-sudo serversocket cargv will be able, if authorized by the configuration in rules, to run sargv cargv as user serveruser, with stdin, stdout, stderr and the environment variables properly listed in env transmitted to sargv.
Notes
- If the -d option to s6-sudod has not been given, and s6-sudoc is killed (or exits after timeoutrun milliseconds) while the server program is still running, s6-sudod will send a SIGTERM and a SIGCONT to its child, then exit 1. However, sending a SIGTERM to the child does not guarantee that it will die; and if it keeps running, it might still read from the file that was s6-sudoc's stdin, or write to the files that were s6-sudoc's stdout or stderr. This is a potential security risk. Administrators should audit their server programs to make sure this does not happen.
- More generally, anything using signals or terminals will not be handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism was designed to allow programs to gain privileges in specific situations: short-lived, simple, noninteractive processes. It was not designed to emulate the full suid functionality and will not go out of its way to do so.
- Administrators should also make sure that it's not a problem if s6-sudod's child keeps running after the s6-sudoc client exits, if they have given the -d option to s6-sudod. In particular, they should study what happens if another connection to the same service occurs while an instance is still running.
- sargv may be empty. In that case, the client is in complete control of the command line executed as serveruser. This setup is permitted by s6-sudod, but it is very dangerous, and extreme attention should be paid to the construction of the s6-ipcserver-access rules.