/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/* activation-helper.c  Setuid helper for launching programs as a custom
 *                      user. This file is security sensitive.
 *
 * Copyright (C) 2007 Red Hat, Inc.
 *
 * Licensed under the Academic Free License version 2.1
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
 */

#include <config.h>

#include "bus.h"
#include "driver.h"
#include "utils.h"
#include "desktop-file.h"
#include "config-parser-trivial.h"
#include "activation-helper.h"
#include "activation-exit-codes.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

#include <dbus/dbus-shell.h>
#include <dbus/dbus-marshal-validate.h>

static BusDesktopFile *
desktop_file_for_name (BusConfigParser *parser,
                       const char *name,
                       DBusError  *error)
{
  BusDesktopFile *desktop_file;
  DBusList **service_dirs;
  DBusList *link;
  DBusError tmp_error;
  DBusString full_path;
  DBusString filename;
  const char *dir;

  _DBUS_ASSERT_ERROR_IS_CLEAR (error);

  desktop_file = NULL;

  if (!_dbus_string_init (&filename))
    {
      BUS_SET_OOM (error);
      goto out_all;
    }

  if (!_dbus_string_init (&full_path))
    {
      BUS_SET_OOM (error);
      goto out_filename;
    }

  if (!_dbus_string_append (&filename, name) ||
      !_dbus_string_append (&filename, ".service"))
    {
      BUS_SET_OOM (error);
      goto out;
    }

  service_dirs = bus_config_parser_get_service_dirs (parser);
  for (link = _dbus_list_get_first_link (service_dirs);
       link != NULL;
       link = _dbus_list_get_next_link (service_dirs, link))
    {
      dir = link->data;
      _dbus_verbose ("Looking at '%s'\n", dir);

      dbus_error_init (&tmp_error);

      /* clear the path from last time */
      _dbus_string_set_length (&full_path, 0);

      /* build the full path */
      if (!_dbus_string_append (&full_path, dir) ||
          !_dbus_concat_dir_and_file (&full_path, &filename))
        {
          BUS_SET_OOM (error);
          goto out;
        }

      _dbus_verbose ("Trying to load file '%s'\n", _dbus_string_get_data (&full_path));
      desktop_file = bus_desktop_file_load (&full_path, &tmp_error);
      if (desktop_file == NULL)
        {
          _DBUS_ASSERT_ERROR_IS_SET (&tmp_error);
          _dbus_verbose ("Could not load %s: %s: %s\n",
                         _dbus_string_get_const_data (&full_path),
                         tmp_error.name, tmp_error.message);

          /* we may have failed if the file is not found; this is not fatal */
          if (dbus_error_has_name (&tmp_error, DBUS_ERROR_NO_MEMORY))
            {
              dbus_move_error (&tmp_error, error);
              /* we only bail out on OOM */
              goto out;
            }
          dbus_error_free (&tmp_error);
        }

      /* did we find the desktop file we want? */
      if (desktop_file != NULL)
        break;
    }

  /* Didn't find desktop file; set error */
  if (desktop_file == NULL)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SERVICE_NOT_FOUND,
                      "The name %s was not provided by any .service files",
                      name);
    }

out:
  _dbus_string_free (&full_path);
out_filename:
  _dbus_string_free (&filename);
out_all:
  return desktop_file;
}

/* Cleares the environment, except for DBUS_VERBOSE and DBUS_STARTER_x */
static dbus_bool_t
clear_environment (DBusError *error)
{
  const char *debug_env = NULL;
  const char *starter_env = NULL;

#ifdef DBUS_ENABLE_VERBOSE_MODE
  /* are we debugging */
  debug_env = _dbus_getenv ("DBUS_VERBOSE");
#endif

  /* we save the starter */
  starter_env = _dbus_getenv ("DBUS_STARTER_ADDRESS");

#ifndef ACTIVATION_LAUNCHER_TEST
  /* totally clear the environment */
  if (!_dbus_clearenv ())
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SETUP_FAILED,
                      "could not clear environment\n");
      return FALSE;
    }
#endif

#ifdef DBUS_ENABLE_VERBOSE_MODE
  /* restore the debugging environment setting if set */
  if (debug_env)
    _dbus_setenv ("DBUS_VERBOSE", debug_env);
#endif

  /* restore the starter */
  if (starter_env)
    _dbus_setenv ("DBUS_STARTER_ADDRESS", starter_env);

  /* set the type, which must be system if we got this far */
  _dbus_setenv ("DBUS_STARTER_BUS_TYPE", "system");

  return TRUE;
}

static dbus_bool_t
check_permissions (const char *dbus_user, DBusError *error)
{
  uid_t uid, euid;
  struct passwd *pw;

  pw = NULL;
  uid = 0;
  euid = 0;

#ifndef ACTIVATION_LAUNCHER_TEST
  /* bail out unless the dbus user is invoking the helper */
  pw = getpwnam(dbus_user);
  if (!pw)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_PERMISSIONS_INVALID,
                      "cannot find user '%s'", dbus_user);
      return FALSE;
    }
  uid = getuid();
  if (pw->pw_uid != uid)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_PERMISSIONS_INVALID,
                      "not invoked from user '%s'", dbus_user);
      return FALSE;
    }

  /* bail out unless we are setuid to user root */
  euid = geteuid();
  if (euid != 0)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_PERMISSIONS_INVALID,
                      "not setuid root");
      return FALSE;
    }
#endif

  return TRUE;
}

static dbus_bool_t
check_service_name (BusDesktopFile *desktop_file,
                    const char     *service_name,
                    DBusError      *error)
{
  char *name_tmp;
  dbus_bool_t retval;

  retval = FALSE;

  /* try to get Name */
  if (!bus_desktop_file_get_string (desktop_file,
                                    DBUS_SERVICE_SECTION,
                                    DBUS_SERVICE_NAME,
                                    &name_tmp,
                                    error))
    goto failed;

  /* verify that the name is the same as the file service name */
  if (strcmp (service_name, name_tmp) != 0)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_FILE_INVALID,
                      "Service '%s' does not match expected value", name_tmp);
      goto failed_free;
    }

  retval = TRUE;

failed_free:
  /* we don't return the name, so free it here */
  dbus_free (name_tmp);
failed:
  return retval;
}

static dbus_bool_t
get_parameters_for_service (BusDesktopFile *desktop_file,
                            const char     *service_name,
                            char          **exec,
                            char          **user,
                            DBusError      *error)
{
  char *exec_tmp;
  char *user_tmp;

  exec_tmp = NULL;
  user_tmp = NULL;

  /* check the name of the service */
  if (!check_service_name (desktop_file, service_name, error))
    goto failed;

  /* get the complete path of the executable */
  if (!bus_desktop_file_get_string (desktop_file,
                                    DBUS_SERVICE_SECTION,
                                    DBUS_SERVICE_EXEC,
                                    &exec_tmp,
                                    error))
    {
      _DBUS_ASSERT_ERROR_IS_SET (error);
      goto failed;
    }

  /* get the user that should run this service - user is compulsary for system activation */
  if (!bus_desktop_file_get_string (desktop_file,
                                    DBUS_SERVICE_SECTION,
                                    DBUS_SERVICE_USER,
                                    &user_tmp,
                                    error))
    {
      _DBUS_ASSERT_ERROR_IS_SET (error);
      goto failed;
    }

  /* only assign if all the checks passed */
  *exec = exec_tmp;
  *user = user_tmp;
  return TRUE;

failed:
  dbus_free (exec_tmp);
  dbus_free (user_tmp);
  return FALSE;
}

static dbus_bool_t
switch_user (char *user, DBusError *error)
{
#ifndef ACTIVATION_LAUNCHER_TEST
  struct passwd *pw;

  /* find user */
  pw = getpwnam (user);
  if (!pw)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SETUP_FAILED,
                      "cannot find user '%s'\n", user);
      return FALSE;
    }

  /* initialize the group access list */
  if (initgroups (user, pw->pw_gid))
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SETUP_FAILED,
                      "could not initialize groups");
      return FALSE;
    }

  /* change to the primary group for the user */
  if (setgid (pw->pw_gid))
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SETUP_FAILED,
                      "cannot setgid group %i", pw->pw_gid);
      return FALSE;
    }

  /* change to the user specified */
  if (setuid (pw->pw_uid) < 0)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SETUP_FAILED,
                      "cannot setuid user %i", pw->pw_uid);
      return FALSE;
    }
#endif
  return TRUE;
}

static dbus_bool_t
exec_for_correct_user (char *exec, char *user, DBusError *error)
{
  char **argv;
  int argc;
  dbus_bool_t retval;

  argc = 0;
  retval = TRUE;
  argv = NULL;

  if (!switch_user (user, error))
    return FALSE;

  /* convert command into arguments */
  if (!_dbus_shell_parse_argv (exec, &argc, &argv, error))
    return FALSE;

#ifndef ACTIVATION_LAUNCHER_DO_OOM
  /* replace with new binary, with no environment */
  if (execv (argv[0], argv) < 0)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_EXEC_FAILED,
                      "Failed to exec: %s", argv[0]);
      retval = FALSE;
    }
#endif

  dbus_free_string_array (argv);
  return retval;
}

static dbus_bool_t
check_bus_name (const char *bus_name,
                DBusError  *error)
{
  DBusString str;

  _dbus_string_init_const (&str, bus_name);
  if (!_dbus_validate_bus_name (&str, 0, _dbus_string_get_length (&str)))
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SERVICE_NOT_FOUND,
                      "bus name '%s' is not a valid bus name\n",
                      bus_name);
      return FALSE;
    }
  
  return TRUE;
}

static dbus_bool_t
get_correct_parser (BusConfigParser **parser, DBusError *error)
{
  DBusString config_file;
  dbus_bool_t retval;
  const char *test_config_file;

  retval = FALSE;
  test_config_file = NULL;

#ifdef ACTIVATION_LAUNCHER_TEST
  /* there is no _way_ we should be setuid if this define is set.
   * but we should be doubly paranoid and check... */
  if (getuid() != geteuid())
    _dbus_assert_not_reached ("dbus-daemon-launch-helper-test binary is setuid!");

  /* this is not a security hole. The environment variable is only passed in the
   * dbus-daemon-lauch-helper-test NON-SETUID launcher */
  test_config_file = _dbus_getenv ("TEST_LAUNCH_HELPER_CONFIG");
  if (test_config_file == NULL)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_SETUP_FAILED,
                      "the TEST_LAUNCH_HELPER_CONFIG env variable is not set");
      goto out;
    }
#endif

  /* we _only_ use the predefined system config file */
  if (!_dbus_string_init (&config_file))
    {
      BUS_SET_OOM (error);
      goto out;
    }
#ifndef ACTIVATION_LAUNCHER_TEST
  if (!_dbus_string_append (&config_file, DBUS_SYSTEM_CONFIG_FILE))
    {
      BUS_SET_OOM (error);
      goto out_free_config;
    }
#else
  if (!_dbus_string_append (&config_file, test_config_file))
    {
      BUS_SET_OOM (error);
      goto out_free_config;
    }
#endif

  /* where are we pointing.... */
  _dbus_verbose ("dbus-daemon-activation-helper: using config file: %s\n",
                 _dbus_string_get_const_data (&config_file));

  /* get the dbus user */
  *parser = bus_config_load (&config_file, TRUE, NULL, error);
  if (*parser == NULL)
    {
      goto out_free_config;
    }

  /* woot */
  retval = TRUE;

out_free_config:
  _dbus_string_free (&config_file);
out:
  return retval;
}

static dbus_bool_t
launch_bus_name (const char *bus_name, BusConfigParser *parser, DBusError *error)
{
  BusDesktopFile *desktop_file;
  char *exec, *user;
  dbus_bool_t retval;

  exec = NULL;
  user = NULL;
  retval = FALSE;

  /* get the correct service file for the name we are trying to activate */
  desktop_file = desktop_file_for_name (parser, bus_name, error);
  if (desktop_file == NULL)
    return FALSE;

  /* get exec and user for service name */
  if (!get_parameters_for_service (desktop_file, bus_name, &exec, &user, error))
    goto finish;

  _dbus_verbose ("dbus-daemon-activation-helper: Name='%s'\n", bus_name);
  _dbus_verbose ("dbus-daemon-activation-helper: Exec='%s'\n", exec);
  _dbus_verbose ("dbus-daemon-activation-helper: User='%s'\n", user);

  /* actually execute */
  if (!exec_for_correct_user (exec, user, error))
    goto finish;

  retval = TRUE;

finish:
  dbus_free (exec);
  dbus_free (user);
  bus_desktop_file_free (desktop_file);
  return retval;
}

static dbus_bool_t
check_dbus_user (BusConfigParser *parser, DBusError *error)
{
  const char *dbus_user;

  dbus_user = bus_config_parser_get_user (parser);
  if (dbus_user == NULL)
    {
      dbus_set_error (error, DBUS_ERROR_SPAWN_CONFIG_INVALID,
                      "could not get user from config file\n");
      return FALSE;
    }

  /* check to see if permissions are correct */
  if (!check_permissions (dbus_user, error))
    return FALSE;

  return TRUE;
}

dbus_bool_t
run_launch_helper (const char *bus_name,
                   DBusError  *error)
{
  BusConfigParser *parser;
  dbus_bool_t retval;

  parser = NULL;
  retval = FALSE;

  /* clear the environment, apart from a few select settings */
  if (!clear_environment (error))
    goto error;

  /* check to see if we have a valid bus name */
  if (!check_bus_name (bus_name, error))
    goto error;

  /* get the correct parser, either the test or default parser */
  if (!get_correct_parser (&parser, error))
    goto error;

  /* check we are being invoked by the correct dbus user */
  if (!check_dbus_user (parser, error))
    goto error_free_parser;

  /* launch the bus with the service defined user */
  if (!launch_bus_name (bus_name, parser, error))
    goto error_free_parser;

  /* woohoo! */
  retval = TRUE;

error_free_parser:
  bus_config_parser_unref (parser);
error:
  return retval;
}