xref: /freebsd/crypto/krb5/src/util/support/secure_getenv.c (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* util/support/secure_getenv.c - secure_getenv() portability support */
3 /*
4  * Copyright (C) 2019 by the Massachusetts Institute of Technology.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * * Redistributions of source code must retain the above copyright
12  *   notice, this list of conditions and the following disclaimer.
13  *
14  * * Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in
16  *   the documentation and/or other materials provided with the
17  *   distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30  * OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 /*
34  * This file contains the fallback implementation for secure_getenv(), which is
35  * currently only provided by glibc 2.17 and later.  The goal is to ignore the
36  * environment if this process is (or previously was) running at elevated
37  * privilege compared to the calling process.
38  *
39  * In this fallback version we compare the real and effective uid/gid, and also
40  * compare the saved uid/gid if possible.  These comparisons detect a setuid or
41  * setgid process which is still running with elevated privilege; if we can
42  * fetch the saved uid/gid, we also detect a process which has temporarily
43  * dropped privilege with seteuid() or setegid().  These comparisons do not
44  * detect the case where a setuid or setgid process has permanently dropped
45  * privilege before the library initializer ran; this is not ideal because such
46  * a process may possess a privileged resource or have privileged information
47  * in its address space.
48  *
49  * Heimdal also looks at the ELF aux vector in /proc/self/auxv to determine the
50  * starting uid/euid/gid/euid on Solaris/Illumos and NetBSD.  On FreeBSD this
51  * approach can determine the executable path to do a stat() check.  We do not
52  * go to this length due to the amount of code required.
53  *
54  * The BSDs and Solaris provide issetugid(), but the FreeBSD and NetBSD
55  * versions are not useful; they return true if a non-setuid/setgid executable
56  * is run by root and drops privilege, such as Apache httpd.  We do not want to
57  * ignore the process environment in this case.
58  *
59  * On some platforms a process may have elevated privilege via mechanisms other
60  * than setuid/setgid.  glibc's secure_getenv() should detect these cases on
61  * Linux; we do not detect them in this fallback version.
62  */
63 
64 #include "k5-platform.h"
65 
66 static int elevated_privilege = 0;
67 
68 MAKE_INIT_FUNCTION(k5_secure_getenv_init);
69 
70 int
k5_secure_getenv_init()71 k5_secure_getenv_init()
72 {
73     int saved_errno = errno;
74 
75 #ifdef HAVE_GETRESUID
76     {
77         uid_t r, e, s;
78         if (getresuid(&r, &e, &s) == 0) {
79             if (r != e || r != s)
80                 elevated_privilege = 1;
81         }
82     }
83 #else
84     if (getuid() != geteuid())
85         elevated_privilege = 1;
86 #endif
87 
88 #ifdef HAVE_GETRESGID
89     {
90         gid_t r, e, s;
91         if (!elevated_privilege && getresgid(&r, &e, &s) == 0) {
92             if (r != e || r != s)
93                 elevated_privilege = 1;
94         }
95     }
96 #else
97     if (!elevated_privilege && getgid() != getegid())
98         elevated_privilege = 1;
99 #endif
100 
101     errno = saved_errno;
102     return 0;
103 }
104 
105 char *
k5_secure_getenv(const char * name)106 k5_secure_getenv(const char *name)
107 {
108     if (CALL_INIT_FUNCTION(k5_secure_getenv_init) != 0)
109         return NULL;
110     return elevated_privilege ? NULL : getenv(name);
111 }
112