1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
#!/usr/bin/python
# ATTENTION: Yes, this can be used as a backdoor, but only for an
# adversary with access to you *physical* serial port, which means
# that you are screwed any way.
from subprocess import Popen, PIPE
from sys import argv
from json import dumps, loads
from pwd import getpwnam
from os import setgid, setuid, environ
from glob import glob
import serial
def mk_switch_user_fn(uid, gid):
def switch_user():
setgid(gid)
setuid(uid)
return switch_user
def run_cmd_as_user(cmd, user):
env = environ.copy()
pwd_user = getpwnam(user)
switch_user_fn = mk_switch_user_fn(pwd_user.pw_uid,
pwd_user.pw_gid)
env['USER'] = user
env['LOGNAME'] = user
env['USERNAME'] = user
env['HOME'] = pwd_user.pw_dir
env['MAIL'] = "/var/mail/" + user
env['PWD'] = env['HOME']
env['DISPLAY'] = ':0.0'
try:
env['XAUTHORITY'] = glob("/var/run/gdm3/auth-for-amnesia-*/database")[0]
except IndexError:
pass
cwd = env['HOME']
return Popen(cmd, stdout=PIPE, stderr=PIPE, shell=True, env=env, cwd=cwd,
preexec_fn=switch_user_fn)
def main():
dev = argv[1]
port = serial.Serial(port = dev, baudrate = 4000000)
port.open()
while True:
try:
line = port.readline()
except Exception as e:
# port must be opened wrong, so we restart everything and pray
# that it works.
print str(e)
port.close()
return main()
try:
cmd_type, user, cmd = loads(line)
except Exception as e:
# We had a parse/pack error, so we just send a \0 as an ACK,
# releasing the client from blocking.
print str(e)
port.write("\0")
continue
p = run_cmd_as_user(cmd, user)
if cmd_type == "spawn":
returncode, stdout, stderr = 0, "", ""
else:
stdout, stderr = p.communicate()
returncode = p.returncode
port.write(dumps([returncode, stdout, stderr]) + "\0")
if __name__ == "__main__":
main()
|