118 lines
2.9 KiB
C
118 lines
2.9 KiB
C
/*
|
|
* limitcheck.c - given a user, drop privileges and check ulimits
|
|
*
|
|
* Compile: gcc -o limitcheck limitcheck.c
|
|
* Use: sudo ./limitcheck <user>
|
|
*
|
|
* Author: Troy Engel
|
|
* License: APL 2.0
|
|
*/
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/resource.h>
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <pwd.h>
|
|
#include <grp.h>
|
|
|
|
/*
|
|
* portions of this cribbed from tcpdump; it's important it's done in
|
|
* a very specific order - initgroups for validity, then group, then
|
|
* user.
|
|
*/
|
|
static int drop_privileges(const char *user)
|
|
{
|
|
struct passwd *pw = NULL;
|
|
pw = getpwnam(user);
|
|
if (pw) {
|
|
if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
|
|
setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
|
|
fprintf(stdout, "Couldn't change to '%.32s' uid=%lu gid=%lu\n",
|
|
user, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid);
|
|
return 1;
|
|
} else {
|
|
fprintf(stdout, "Successfully changed to '%.32s' uid=%lu gid=%lu\n",
|
|
user, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid);
|
|
return 0;
|
|
}
|
|
} else {
|
|
fprintf(stdout, "Couldn't find user '%.32s'\n", user);
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
/* /usr/include/bits/resource.h */
|
|
static void print_limits()
|
|
{
|
|
struct rlimit rl;
|
|
|
|
fprintf(stdout, "%15s %11s %11s\n",
|
|
" ", "soft", "hard");
|
|
|
|
/*
|
|
* this could be done as a tagged, multidimensional array using a struct
|
|
* with an enum, the work involved in C is a pain - the natural state in
|
|
* C is all array elements are the same type and size, mixed int + char
|
|
* are horrible to code around. doing it one by one is simpler code.
|
|
*/
|
|
getrlimit(RLIMIT_CORE, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"core file size:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
getrlimit(RLIMIT_CPU, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"cpu time:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
getrlimit(RLIMIT_DATA, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"data seg size:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
getrlimit(RLIMIT_FSIZE, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"file size:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
getrlimit(RLIMIT_NOFILE, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"open files:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
getrlimit(RLIMIT_STACK, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"stack size:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
getrlimit(RLIMIT_AS, &rl);
|
|
fprintf(stdout, "%15s %11d %11d\n",
|
|
"memory size:",
|
|
(long long int)rl.rlim_cur,
|
|
(long long int)rl.rlim_max);
|
|
|
|
}
|
|
|
|
/* we only accept one argument - the user to check */
|
|
int main(int argc, char **argv)
|
|
{
|
|
if (argc == 2) {
|
|
if (drop_privileges(argv[1]) == 0) {
|
|
print_limits();
|
|
return 0;
|
|
} else {
|
|
return 1;
|
|
}
|
|
} else {
|
|
fprintf(stdout, "Usage: %s <name of system user>\n", argv[0]);
|
|
return 1;
|
|
}
|
|
}
|
|
|