Annotation of src/usr.bin/sudo/set_perms.c, Revision 1.1
1.1 ! millert 1: /*
! 2: * Copyright (c) 1994-1996,1998-2001 Todd C. Miller <Todd.Miller@courtesan.com>
! 3: * All rights reserved.
! 4: *
! 5: * Redistribution and use in source and binary forms, with or without
! 6: * modification, are permitted provided that the following conditions
! 7: * are met:
! 8: *
! 9: * 1. Redistributions of source code must retain the above copyright
! 10: * notice, this list of conditions and the following disclaimer.
! 11: *
! 12: * 2. Redistributions in binary form must reproduce the above copyright
! 13: * notice, this list of conditions and the following disclaimer in the
! 14: * documentation and/or other materials provided with the distribution.
! 15: *
! 16: * 3. The name of the author may not be used to endorse or promote products
! 17: * derived from this software without specific prior written permission.
! 18: *
! 19: * 4. Products derived from this software may not be called "Sudo" nor
! 20: * may "Sudo" appear in their names without specific prior written
! 21: * permission from the author.
! 22: *
! 23: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
! 24: * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
! 25: * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
! 26: * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
! 27: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
! 28: * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
! 29: * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
! 30: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
! 31: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
! 32: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 33: */
! 34:
! 35: #include "config.h"
! 36:
! 37: #include <sys/types.h>
! 38: #include <sys/param.h>
! 39: #include <sys/stat.h>
! 40: #include <stdio.h>
! 41: #ifdef STDC_HEADERS
! 42: # include <stdlib.h>
! 43: # include <stddef.h>
! 44: #else
! 45: # ifdef HAVE_STDLIB_H
! 46: # include <stdlib.h>
! 47: # endif
! 48: #endif /* STDC_HEADERS */
! 49: #ifdef HAVE_STRING_H
! 50: # include <string.h>
! 51: #else
! 52: # ifdef HAVE_STRINGS_H
! 53: # include <strings.h>
! 54: # endif
! 55: #endif /* HAVE_STRING_H */
! 56: #ifdef HAVE_UNISTD_H
! 57: # include <unistd.h>
! 58: #endif /* HAVE_UNISTD_H */
! 59: #include <pwd.h>
! 60: #include <errno.h>
! 61: #include <grp.h>
! 62: #ifdef HAVE_LOGIN_CAP_H
! 63: # include <login_cap.h>
! 64: #endif
! 65:
! 66: #include "sudo.h"
! 67:
! 68: #ifndef lint
! 69: static const char rcsid[] = "$Sudo: set_perms.c,v 1.8 2001/12/31 17:18:05 millert Exp $";
! 70: #endif /* lint */
! 71:
! 72: /*
! 73: * Prototypes
! 74: */
! 75: static void runas_setup __P((void));
! 76: static void fatal __P((char *));
! 77:
! 78: #if defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
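/*
 * Set real and effective uids and gids based on perm.
 * Since we have POSIX saved IDs we can get away with just
 * toggling the effective uid/gid unless we are headed for an exec().
 *
 * perm       one of the PERM_* selectors handled in the switch below;
 *            any other value leaves the process IDs untouched.
 * sudo_mode  not used by this implementation.
 *
 * Every set*id() call made directly in this function is checked and a
 * failure ends the process through fatal().  A group change that fails
 * silently would leave the process running with a group identity the
 * caller did not ask for, so it is treated like a failed uid change.
 */
void
set_perms_posix(perm, sudo_mode)
    int perm;
    int sudo_mode;
{
    int error;

    switch (perm) {
        case PERM_ROOT:
            if (seteuid(0))
                fatal("seteuid(0)");
            break;

        case PERM_USER:
            /* Switch the group first, then the effective uid. */
            if (setegid(user_gid))
                fatal("setegid(user_gid)");
            if (seteuid(user_uid))
                fatal("seteuid(user_uid)");
            break;

        case PERM_FULL_USER:
            /*
             * headed for exec(): the gid must really have changed
             * before the uid is given up.
             */
            if (setgid(user_gid))
                fatal("setgid(user_gid)");
            if (setuid(user_uid))
                fatal("setuid(user_uid)");
            break;

        case PERM_RUNAS:
            /* headed for exec(), assume euid == 0 */
            runas_setup();
            /*
             * With the stay_setuid flag only the effective uid
             * is changed; otherwise setuid() is used.
             */
            if (def_flag(I_STAY_SETUID))
                error = seteuid(runas_pw->pw_uid);
            else
                error = setuid(runas_pw->pw_uid);
            if (error)
                fatal("unable to change to runas uid");
            break;

        case PERM_SUDOERS:
            /* assume euid == 0, ruid == user */
            if (setegid(SUDOERS_GID))
                fatal("unable to change to sudoers gid");

            /*
             * If SUDOERS_UID == 0 and SUDOERS_MODE
             * is group readable we use a non-zero
             * uid in order to avoid NFS lossage.
             * Using uid 1 is a bit bogus but should
             * work on all OS's.
             */
            if (SUDOERS_UID == 0) {
                /* 040 is the group-read permission bit. */
                if ((SUDOERS_MODE & 040) && seteuid(1))
                    fatal("seteuid(1)");
            } else {
                if (seteuid(SUDOERS_UID))
                    fatal("seteuid(SUDOERS_UID)");
            }
            break;
    }
}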
! 142: #endif /* _SC_SAVED_IDS && _SC_VERSION */
! 143:
! 144: #ifdef HAVE_SETREUID
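/*
 * Set real and effective uids and gids based on perm.
 * We always retain a real or effective uid of 0 unless
 * we are headed for an exec().
 *
 * perm       one of the PERM_* selectors handled in the switch below;
 *            any other value leaves the process IDs untouched.
 * sudo_mode  not used by this implementation.
 *
 * Every set*id() call made directly in this function is checked and a
 * failure ends the process through fatal().  A group change that fails
 * silently would leave the process running with a group identity the
 * caller did not ask for, so it is treated like a failed uid change.
 */
void
set_perms_fallback(perm, sudo_mode)
    int perm;
    int sudo_mode;
{
    int error;

    switch (perm) {
        case PERM_ROOT:
            if (setuid(0))
                fatal("setuid(0)");
            break;

        case PERM_USER:
            /* Real uid stays 0 so that PERM_ROOT can be restored. */
            if (setegid(user_gid))
                fatal("setegid(user_gid)");
            if (setreuid(0, user_uid))
                fatal("setreuid(0, user_uid)");
            break;

        case PERM_FULL_USER:
            /*
             * headed for exec(): the gid must really have changed
             * before the uid is given up.
             */
            if (setgid(user_gid))
                fatal("setgid(user_gid)");
            /* fatal() does not return, so no exit() is needed after it. */
            if (setuid(user_uid))
                fatal("setuid(user_uid)");
            break;

        case PERM_RUNAS:
            /* headed for exec(), assume euid == 0 */
            runas_setup();
            /*
             * With the stay_setuid flag the real uid is set to the
             * invoking user and only the effective uid becomes the
             * runas uid; otherwise setuid() is used.
             */
            if (def_flag(I_STAY_SETUID))
                error = setreuid(user_uid, runas_pw->pw_uid);
            else
                error = setuid(runas_pw->pw_uid);
            if (error)
                fatal("unable to change to runas uid");
            break;

        case PERM_SUDOERS:
            /* assume euid == 0, ruid == user */
            if (setegid(SUDOERS_GID))
                fatal("unable to change to sudoers gid");

            /*
             * If SUDOERS_UID == 0 and SUDOERS_MODE
             * is group readable we use a non-zero
             * uid in order to avoid NFS lossage.
             * Using uid 1 is a bit bogus but should
             * work on all OS's.
             */
            if (SUDOERS_UID == 0) {
                /* 040 is the group-read permission bit. */
                if ((SUDOERS_MODE & 040) && setreuid(0, 1))
                    fatal("setreuid(0, 1)");
            } else {
                if (setreuid(0, SUDOERS_UID))
                    fatal("setreuid(0, SUDOERS_UID)");
            }
            break;
    }
}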
! 210:
! 211: #else
! 212:
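/*
 * Set real and effective uids and gids based on perm.
 * NOTE: does not support the "stay_setuid" option.
 *
 * perm       one of the PERM_* selectors handled in the switch below.
 *            PERM_ROOT has no case of its own: the unconditional
 *            setuid(0) at the top already produces it.
 * sudo_mode  not used by this implementation.
 *
 * Every set*id() call made directly in this function is checked and a
 * failure ends the process through fatal().  A group change that fails
 * silently would leave the process running with a group identity the
 * caller did not ask for, so it is treated like a failed uid change.
 */
void
set_perms_fallback(perm, sudo_mode)
    int perm;
    int sudo_mode;
{

    /*
     * Since we only have setuid() and seteuid() we have to set
     * real and effective uids to 0 initially.
     */
    if (setuid(0))
        fatal("setuid(0)");

    switch (perm) {
        case PERM_USER:
            /* Switch the group first, then the effective uid. */
            if (setegid(user_gid))
                fatal("setegid(user_gid)");
            if (seteuid(user_uid))
                fatal("seteuid(user_uid)");
            break;

        case PERM_FULL_USER:
            /*
             * headed for exec(): the gid must really have changed
             * before the uid is given up.
             */
            if (setgid(user_gid))
                fatal("setgid(user_gid)");
            if (setuid(user_uid))
                fatal("setuid(user_uid)");
            break;

        case PERM_RUNAS:
            /* headed for exec(), assume euid == 0 */
            runas_setup();
            if (setuid(runas_pw->pw_uid))
                fatal("unable to change to runas uid");
            break;

        case PERM_SUDOERS:
            /* assume euid == 0, ruid == user */
            if (setegid(SUDOERS_GID))
                fatal("unable to change to sudoers gid");

            /*
             * If SUDOERS_UID == 0 and SUDOERS_MODE
             * is group readable we use a non-zero
             * uid in order to avoid NFS lossage.
             * Using uid 1 is a bit bogus but should
             * work on all OS's.
             */
            if (SUDOERS_UID == 0) {
                /* 040 is the group-read permission bit. */
                if ((SUDOERS_MODE & 040) && seteuid(1))
                    fatal("seteuid(1)");
            } else {
                if (seteuid(SUDOERS_UID))
                    fatal("seteuid(SUDOERS_UID)");
            }
            break;
    }
}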
! 273: #endif /* HAVE_SETREUID */
! 274:
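/*
 * Prepare the group identity of the runas user before the caller
 * changes uid for exec().  When built with PAM the runas passwd entry
 * is also handed to pam_prep_user(), and when the use_loginclass flag
 * is set the login-class resources and priority are applied through
 * setusercontext().  Nothing is done when runas_pw has no pw_name.
 *
 * A failure to set the gid, the group vector or the user context ends
 * the process through fatal().  Only printing a message and returning
 * would let the caller go on to change uid and exec() the command
 * with whatever group identity the process already had, so the setup
 * fails closed instead.
 */
static void
runas_setup()
{
#ifdef HAVE_LOGIN_CAP_H
    int error, flags;
    extern login_cap_t *lc;
#endif

    if (runas_pw->pw_name == NULL)
        return;

#ifdef HAVE_PAM
    pam_prep_user(runas_pw);
#endif /* HAVE_PAM */

#ifdef HAVE_LOGIN_CAP_H
    if (def_flag(I_USE_LOGINCLASS)) {
        /*
         * We don't have setusercontext() set the user since we
         * may only want to set the effective uid.  Depending on
         * sudoers and/or command line arguments we may not want
         * setusercontext() to call initgroups().
         */
        flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
        if (!def_flag(I_PRESERVE_GROUPS))
            flags |= LOGIN_SETGROUP;
        else if (setgid(runas_pw->pw_gid))
            fatal("cannot set gid to runas gid");
        error = setusercontext(lc, runas_pw,
            runas_pw->pw_uid, flags);
        if (error)
            fatal("unable to set user context");
    } else
#endif /* HAVE_LOGIN_CAP_H */
    {
        if (setgid(runas_pw->pw_gid))
            fatal("cannot set gid to runas gid");
#ifdef HAVE_INITGROUPS
        /*
         * Initialize group vector unless asked not to.
         * NOTE(review): the group vector is looked up by
         * *user_runas while the gid comes from runas_pw; confirm
         * that both always refer to the same account.
         */
        if (!def_flag(I_PRESERVE_GROUPS) &&
            initgroups(*user_runas, runas_pw->pw_gid) < 0)
            fatal("cannot set group vector");
#endif /* HAVE_INITGROUPS */
    }
}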
! 321:
/*
 * Report a failed call and terminate.
 *
 * str  text handed to perror(), which prints it together with the
 *      message for the current errno; when NULL nothing is printed.
 *
 * Does not return: the process always exits with status 1.
 */
static void
fatal(str)
    char *str;
{
    if (str != NULL) {
        perror(str);
    }

    exit(1);
}