19454b2d8SWarner Losh /*- 2df8bae1dSRodney W. Grimes * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3ef08c420SRobert Watson * The Regents of the University of California. 4df8bae1dSRodney W. Grimes * (c) UNIX System Laboratories, Inc. 5ef08c420SRobert Watson * Copyright (c) 2000-2001 Robert N. M. Watson. 6ef08c420SRobert Watson * All rights reserved. 7ef08c420SRobert Watson * 8df8bae1dSRodney W. Grimes * All or some portions of this file are derived from material licensed 9df8bae1dSRodney W. Grimes * to the University of California by American Telephone and Telegraph 10df8bae1dSRodney W. Grimes * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11df8bae1dSRodney W. Grimes * the permission of UNIX System Laboratories, Inc. 12df8bae1dSRodney W. Grimes * 13df8bae1dSRodney W. Grimes * Redistribution and use in source and binary forms, with or without 14df8bae1dSRodney W. Grimes * modification, are permitted provided that the following conditions 15df8bae1dSRodney W. Grimes * are met: 16df8bae1dSRodney W. Grimes * 1. Redistributions of source code must retain the above copyright 17df8bae1dSRodney W. Grimes * notice, this list of conditions and the following disclaimer. 18df8bae1dSRodney W. Grimes * 2. Redistributions in binary form must reproduce the above copyright 19df8bae1dSRodney W. Grimes * notice, this list of conditions and the following disclaimer in the 20df8bae1dSRodney W. Grimes * documentation and/or other materials provided with the distribution. 21df8bae1dSRodney W. Grimes * 4. Neither the name of the University nor the names of its contributors 22df8bae1dSRodney W. Grimes * may be used to endorse or promote products derived from this software 23df8bae1dSRodney W. Grimes * without specific prior written permission. 24df8bae1dSRodney W. Grimes * 25df8bae1dSRodney W. Grimes * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26df8bae1dSRodney W. Grimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27df8bae1dSRodney W. Grimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28df8bae1dSRodney W. Grimes * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29df8bae1dSRodney W. Grimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30df8bae1dSRodney W. Grimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31df8bae1dSRodney W. Grimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32df8bae1dSRodney W. Grimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33df8bae1dSRodney W. Grimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34df8bae1dSRodney W. Grimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35df8bae1dSRodney W. Grimes * SUCH DAMAGE. 36df8bae1dSRodney W. Grimes * 37df8bae1dSRodney W. Grimes * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38df8bae1dSRodney W. Grimes */ 39df8bae1dSRodney W. Grimes 40df8bae1dSRodney W. Grimes /* 41df8bae1dSRodney W. Grimes * System calls related to processes and protection 42df8bae1dSRodney W. Grimes */ 43df8bae1dSRodney W. Grimes 44677b542eSDavid E. O'Brien #include <sys/cdefs.h> 45677b542eSDavid E. O'Brien __FBSDID("$FreeBSD$"); 46677b542eSDavid E. O'Brien 475591b823SEivind Eklund #include "opt_compat.h" 48f08ef6c5SBjoern A. Zeeb #include "opt_inet.h" 49f08ef6c5SBjoern A. Zeeb #include "opt_inet6.h" 5040244964SRobert Watson #include "opt_mac.h" 515591b823SEivind Eklund 52df8bae1dSRodney W. Grimes #include <sys/param.h> 53df8bae1dSRodney W. Grimes #include <sys/systm.h> 54fb919e4dSMark Murray #include <sys/acct.h> 55df04411aSRobert Watson #include <sys/kdb.h> 561c5bb3eaSPeter Wemm #include <sys/kernel.h> 5798f03f90SJake Burkholder #include <sys/lock.h> 58f9d0d524SRobert Watson #include <sys/malloc.h> 59fb919e4dSMark Murray #include <sys/mutex.h> 607e9e371fSJohn Baldwin #include <sys/refcount.h> 615b29d6e9SJohn Baldwin #include <sys/sx.h> 62800c9408SRobert Watson #include <sys/priv.h> 63f591779bSSeigo Tanimura #include <sys/proc.h> 64fb919e4dSMark Murray #include <sys/sysproto.h> 65eb725b4eSRobert Watson #include <sys/jail.h> 66d5f81602SSean Eric Fagan #include <sys/pioctl.h> 67f535380cSDon Lewis #include <sys/resourcevar.h> 6829dc1288SRobert Watson #include <sys/socket.h> 6929dc1288SRobert Watson #include <sys/socketvar.h> 703cb83e71SJohn Baldwin #include <sys/syscallsubr.h> 71579f4eb4SRobert Watson #include <sys/sysctl.h> 72df8bae1dSRodney W. Grimes 73f08ef6c5SBjoern A. Zeeb #if defined(INET) || defined(INET6) 74f08ef6c5SBjoern A. Zeeb #include <netinet/in.h> 75f08ef6c5SBjoern A. Zeeb #include <netinet/in_pcb.h> 76f08ef6c5SBjoern A. Zeeb #endif 77f08ef6c5SBjoern A. Zeeb 782f8a46d5SWayne Salamon #include <security/audit/audit.h> 79aed55708SRobert Watson #include <security/mac/mac_framework.h> 802f8a46d5SWayne Salamon 81a1c995b6SPoul-Henning Kamp static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 82a1c995b6SPoul-Henning Kamp 835702e096SRobert Watson SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 8448713bdcSRobert Watson 85d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 86ad7507e2SSteven Wallace struct getpid_args { 87df8bae1dSRodney W. Grimes int dummy; 88df8bae1dSRodney W. Grimes }; 89d2d3e875SBruce Evans #endif 90df8bae1dSRodney W. Grimes /* ARGSUSED */ 9126f9a767SRodney W. Grimes int 924c44ad8eSJohn Baldwin getpid(struct thread *td, struct getpid_args *uap) 93df8bae1dSRodney W. Grimes { 94b40ce416SJulian Elischer struct proc *p = td->td_proc; 95df8bae1dSRodney W. Grimes 96b40ce416SJulian Elischer td->td_retval[0] = p->p_pid; 971930e303SPoul-Henning Kamp #if defined(COMPAT_43) 98bae3a80bSJohn Baldwin PROC_LOCK(p); 99b40ce416SJulian Elischer td->td_retval[1] = p->p_pptr->p_pid; 100bae3a80bSJohn Baldwin PROC_UNLOCK(p); 101df8bae1dSRodney W. Grimes #endif 102df8bae1dSRodney W. Grimes return (0); 103df8bae1dSRodney W. Grimes } 104df8bae1dSRodney W. Grimes 105d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 106ad7507e2SSteven Wallace struct getppid_args { 107ad7507e2SSteven Wallace int dummy; 108ad7507e2SSteven Wallace }; 109d2d3e875SBruce Evans #endif 110df8bae1dSRodney W. Grimes /* ARGSUSED */ 11126f9a767SRodney W. Grimes int 1124c44ad8eSJohn Baldwin getppid(struct thread *td, struct getppid_args *uap) 113df8bae1dSRodney W. Grimes { 114b40ce416SJulian Elischer struct proc *p = td->td_proc; 115df8bae1dSRodney W. Grimes 116bae3a80bSJohn Baldwin PROC_LOCK(p); 117b40ce416SJulian Elischer td->td_retval[0] = p->p_pptr->p_pid; 118bae3a80bSJohn Baldwin PROC_UNLOCK(p); 119df8bae1dSRodney W. Grimes return (0); 120df8bae1dSRodney W. Grimes } 121df8bae1dSRodney W. Grimes 12236e9f877SMatthew Dillon /* 123eb725b4eSRobert Watson * Get process group ID; note that POSIX getpgrp takes no parameter. 12436e9f877SMatthew Dillon */ 125d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 126ad7507e2SSteven Wallace struct getpgrp_args { 127ad7507e2SSteven Wallace int dummy; 128ad7507e2SSteven Wallace }; 129d2d3e875SBruce Evans #endif 13026f9a767SRodney W. Grimes int 1314c44ad8eSJohn Baldwin getpgrp(struct thread *td, struct getpgrp_args *uap) 132df8bae1dSRodney W. Grimes { 133b40ce416SJulian Elischer struct proc *p = td->td_proc; 134df8bae1dSRodney W. Grimes 135f591779bSSeigo Tanimura PROC_LOCK(p); 136b40ce416SJulian Elischer td->td_retval[0] = p->p_pgrp->pg_id; 137f591779bSSeigo Tanimura PROC_UNLOCK(p); 138df8bae1dSRodney W. Grimes return (0); 139df8bae1dSRodney W. Grimes } 140df8bae1dSRodney W. Grimes 1411a5018a0SPeter Wemm /* Get an arbitary pid's process group id */ 1421a5018a0SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1431a5018a0SPeter Wemm struct getpgid_args { 1441a5018a0SPeter Wemm pid_t pid; 1451a5018a0SPeter Wemm }; 1461a5018a0SPeter Wemm #endif 1471a5018a0SPeter Wemm int 1484c44ad8eSJohn Baldwin getpgid(struct thread *td, struct getpgid_args *uap) 1491a5018a0SPeter Wemm { 150a70a2b74SJohn Baldwin struct proc *p; 151f2ae7368SJohn Baldwin int error; 15265de0c7aSDon Lewis 153f591779bSSeigo Tanimura if (uap->pid == 0) { 154a70a2b74SJohn Baldwin p = td->td_proc; 155f591779bSSeigo Tanimura PROC_LOCK(p); 156a70a2b74SJohn Baldwin } else { 157a70a2b74SJohn Baldwin p = pfind(uap->pid); 158a70a2b74SJohn Baldwin if (p == NULL) 159a70a2b74SJohn Baldwin return (ESRCH); 160a70a2b74SJohn Baldwin error = p_cansee(td, p); 161a70a2b74SJohn Baldwin if (error) { 162a70a2b74SJohn Baldwin PROC_UNLOCK(p); 163a70a2b74SJohn Baldwin return (error); 164a70a2b74SJohn Baldwin } 165a70a2b74SJohn Baldwin } 166b40ce416SJulian Elischer td->td_retval[0] = p->p_pgrp->pg_id; 167f591779bSSeigo Tanimura PROC_UNLOCK(p); 168a70a2b74SJohn Baldwin return (0); 1691a5018a0SPeter Wemm } 1701a5018a0SPeter Wemm 1711a5018a0SPeter Wemm /* 1721a5018a0SPeter Wemm * Get an arbitary pid's session id. 1731a5018a0SPeter Wemm */ 1741a5018a0SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1751a5018a0SPeter Wemm struct getsid_args { 1761a5018a0SPeter Wemm pid_t pid; 1771a5018a0SPeter Wemm }; 1781a5018a0SPeter Wemm #endif 1791a5018a0SPeter Wemm int 1804c44ad8eSJohn Baldwin getsid(struct thread *td, struct getsid_args *uap) 1811a5018a0SPeter Wemm { 182a70a2b74SJohn Baldwin struct proc *p; 183eb725b4eSRobert Watson int error; 18465de0c7aSDon Lewis 185f591779bSSeigo Tanimura if (uap->pid == 0) { 186a70a2b74SJohn Baldwin p = td->td_proc; 187f591779bSSeigo Tanimura PROC_LOCK(p); 188a70a2b74SJohn Baldwin } else { 189a70a2b74SJohn Baldwin p = pfind(uap->pid); 190a70a2b74SJohn Baldwin if (p == NULL) 191a70a2b74SJohn Baldwin return (ESRCH); 192a70a2b74SJohn Baldwin error = p_cansee(td, p); 193a70a2b74SJohn Baldwin if (error) { 194a70a2b74SJohn Baldwin PROC_UNLOCK(p); 195a70a2b74SJohn Baldwin return (error); 196a70a2b74SJohn Baldwin } 197a70a2b74SJohn Baldwin } 198b40ce416SJulian Elischer td->td_retval[0] = p->p_session->s_sid; 199f591779bSSeigo Tanimura PROC_UNLOCK(p); 200a70a2b74SJohn Baldwin return (0); 2011a5018a0SPeter Wemm } 2021a5018a0SPeter Wemm 203d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 204ad7507e2SSteven Wallace struct getuid_args { 205ad7507e2SSteven Wallace int dummy; 206ad7507e2SSteven Wallace }; 207d2d3e875SBruce Evans #endif 208df8bae1dSRodney W. Grimes /* ARGSUSED */ 20926f9a767SRodney W. Grimes int 2104c44ad8eSJohn Baldwin getuid(struct thread *td, struct getuid_args *uap) 211df8bae1dSRodney W. Grimes { 212df8bae1dSRodney W. Grimes 213d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_ruid; 2141930e303SPoul-Henning Kamp #if defined(COMPAT_43) 215d846883bSJohn Baldwin td->td_retval[1] = td->td_ucred->cr_uid; 216df8bae1dSRodney W. Grimes #endif 217df8bae1dSRodney W. Grimes return (0); 218df8bae1dSRodney W. Grimes } 219df8bae1dSRodney W. Grimes 220d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 221ad7507e2SSteven Wallace struct geteuid_args { 222ad7507e2SSteven Wallace int dummy; 223ad7507e2SSteven Wallace }; 224d2d3e875SBruce Evans #endif 225df8bae1dSRodney W. Grimes /* ARGSUSED */ 22626f9a767SRodney W. Grimes int 2274c44ad8eSJohn Baldwin geteuid(struct thread *td, struct geteuid_args *uap) 228df8bae1dSRodney W. Grimes { 229d846883bSJohn Baldwin 230d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_uid; 231df8bae1dSRodney W. Grimes return (0); 232df8bae1dSRodney W. Grimes } 233df8bae1dSRodney W. Grimes 234d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 235ad7507e2SSteven Wallace struct getgid_args { 236ad7507e2SSteven Wallace int dummy; 237ad7507e2SSteven Wallace }; 238d2d3e875SBruce Evans #endif 239df8bae1dSRodney W. Grimes /* ARGSUSED */ 24026f9a767SRodney W. Grimes int 2414c44ad8eSJohn Baldwin getgid(struct thread *td, struct getgid_args *uap) 242df8bae1dSRodney W. Grimes { 243df8bae1dSRodney W. Grimes 244d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_rgid; 2451930e303SPoul-Henning Kamp #if defined(COMPAT_43) 246d846883bSJohn Baldwin td->td_retval[1] = td->td_ucred->cr_groups[0]; 247df8bae1dSRodney W. Grimes #endif 248df8bae1dSRodney W. Grimes return (0); 249df8bae1dSRodney W. Grimes } 250df8bae1dSRodney W. Grimes 251df8bae1dSRodney W. Grimes /* 252df8bae1dSRodney W. Grimes * Get effective group ID. The "egid" is groups[0], and could be obtained 253df8bae1dSRodney W. Grimes * via getgroups. This syscall exists because it is somewhat painful to do 254df8bae1dSRodney W. Grimes * correctly in a library function. 255df8bae1dSRodney W. Grimes */ 256d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 257ad7507e2SSteven Wallace struct getegid_args { 258ad7507e2SSteven Wallace int dummy; 259ad7507e2SSteven Wallace }; 260d2d3e875SBruce Evans #endif 261df8bae1dSRodney W. Grimes /* ARGSUSED */ 26226f9a767SRodney W. Grimes int 2634c44ad8eSJohn Baldwin getegid(struct thread *td, struct getegid_args *uap) 264df8bae1dSRodney W. Grimes { 265df8bae1dSRodney W. Grimes 266d846883bSJohn Baldwin td->td_retval[0] = td->td_ucred->cr_groups[0]; 267df8bae1dSRodney W. Grimes return (0); 268df8bae1dSRodney W. Grimes } 269df8bae1dSRodney W. Grimes 270d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 271df8bae1dSRodney W. Grimes struct getgroups_args { 272df8bae1dSRodney W. Grimes u_int gidsetsize; 273df8bae1dSRodney W. Grimes gid_t *gidset; 274df8bae1dSRodney W. Grimes }; 275d2d3e875SBruce Evans #endif 27626f9a767SRodney W. Grimes int 2774c44ad8eSJohn Baldwin getgroups(struct thread *td, register struct getgroups_args *uap) 278df8bae1dSRodney W. Grimes { 2793cb83e71SJohn Baldwin gid_t groups[NGROUPS]; 280b1fc0ec1SRobert Watson u_int ngrp; 281eb725b4eSRobert Watson int error; 282df8bae1dSRodney W. Grimes 2833cb83e71SJohn Baldwin ngrp = MIN(uap->gidsetsize, NGROUPS); 2843cb83e71SJohn Baldwin error = kern_getgroups(td, &ngrp, groups); 2853cb83e71SJohn Baldwin if (error) 2863cb83e71SJohn Baldwin return (error); 2873cb83e71SJohn Baldwin if (uap->gidsetsize > 0) 2883cb83e71SJohn Baldwin error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 289d74ac681SMatthew Dillon if (error == 0) 290d846883bSJohn Baldwin td->td_retval[0] = ngrp; 291d74ac681SMatthew Dillon return (error); 292df8bae1dSRodney W. Grimes } 293df8bae1dSRodney W. Grimes 2943cb83e71SJohn Baldwin int 2953cb83e71SJohn Baldwin kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 2963cb83e71SJohn Baldwin { 2973cb83e71SJohn Baldwin struct ucred *cred; 2983cb83e71SJohn Baldwin 2993cb83e71SJohn Baldwin cred = td->td_ucred; 3003cb83e71SJohn Baldwin if (*ngrp == 0) { 3013cb83e71SJohn Baldwin *ngrp = cred->cr_ngroups; 3023cb83e71SJohn Baldwin return (0); 3033cb83e71SJohn Baldwin } 3043cb83e71SJohn Baldwin if (*ngrp < cred->cr_ngroups) 3053cb83e71SJohn Baldwin return (EINVAL); 3063cb83e71SJohn Baldwin *ngrp = cred->cr_ngroups; 3073cb83e71SJohn Baldwin bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 3083cb83e71SJohn Baldwin return (0); 3093cb83e71SJohn Baldwin } 3103cb83e71SJohn Baldwin 311d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 31282970b81SBruce Evans struct setsid_args { 313ad7507e2SSteven Wallace int dummy; 314ad7507e2SSteven Wallace }; 315d2d3e875SBruce Evans #endif 316df8bae1dSRodney W. Grimes /* ARGSUSED */ 31726f9a767SRodney W. Grimes int 3184c44ad8eSJohn Baldwin setsid(register struct thread *td, struct setsid_args *uap) 319df8bae1dSRodney W. Grimes { 320f591779bSSeigo Tanimura struct pgrp *pgrp; 321835a82eeSMatthew Dillon int error; 322b40ce416SJulian Elischer struct proc *p = td->td_proc; 323f591779bSSeigo Tanimura struct pgrp *newpgrp; 324f591779bSSeigo Tanimura struct session *newsess; 325f591779bSSeigo Tanimura 326f591779bSSeigo Tanimura error = 0; 327f591779bSSeigo Tanimura pgrp = NULL; 328df8bae1dSRodney W. Grimes 329a163d034SWarner Losh MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 330a163d034SWarner Losh MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 331f591779bSSeigo Tanimura 332c8b1829dSJohn Baldwin sx_xlock(&proctree_lock); 333f591779bSSeigo Tanimura 334f591779bSSeigo Tanimura if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 335f591779bSSeigo Tanimura if (pgrp != NULL) 336f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 337835a82eeSMatthew Dillon error = EPERM; 338f591779bSSeigo Tanimura } else { 339f591779bSSeigo Tanimura (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 340b40ce416SJulian Elischer td->td_retval[0] = p->p_pid; 341c8b1829dSJohn Baldwin newpgrp = NULL; 342c8b1829dSJohn Baldwin newsess = NULL; 343df8bae1dSRodney W. Grimes } 344f591779bSSeigo Tanimura 345c8b1829dSJohn Baldwin sx_xunlock(&proctree_lock); 346f591779bSSeigo Tanimura 347c8b1829dSJohn Baldwin if (newpgrp != NULL) 348f591779bSSeigo Tanimura FREE(newpgrp, M_PGRP); 349c8b1829dSJohn Baldwin if (newsess != NULL) 350f591779bSSeigo Tanimura FREE(newsess, M_SESSION); 3511c2451c2SSeigo Tanimura 352c8b1829dSJohn Baldwin return (error); 353df8bae1dSRodney W. Grimes } 354df8bae1dSRodney W. Grimes 355df8bae1dSRodney W. Grimes /* 356df8bae1dSRodney W. Grimes * set process group (setpgid/old setpgrp) 357df8bae1dSRodney W. Grimes * 358df8bae1dSRodney W. Grimes * caller does setpgid(targpid, targpgid) 359df8bae1dSRodney W. Grimes * 360df8bae1dSRodney W. Grimes * pid must be caller or child of caller (ESRCH) 361df8bae1dSRodney W. Grimes * if a child 362df8bae1dSRodney W. Grimes * pid must be in same session (EPERM) 363df8bae1dSRodney W. Grimes * pid can't have done an exec (EACCES) 364df8bae1dSRodney W. Grimes * if pgid != pid 365df8bae1dSRodney W. Grimes * there must exist some pid in same session having pgid (EPERM) 366df8bae1dSRodney W. Grimes * pid must not be session leader (EPERM) 367df8bae1dSRodney W. Grimes */ 368d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 369df8bae1dSRodney W. Grimes struct setpgid_args { 370df8bae1dSRodney W. Grimes int pid; /* target process id */ 371df8bae1dSRodney W. Grimes int pgid; /* target pgrp id */ 372df8bae1dSRodney W. Grimes }; 373d2d3e875SBruce Evans #endif 374df8bae1dSRodney W. Grimes /* ARGSUSED */ 37526f9a767SRodney W. Grimes int 3764c44ad8eSJohn Baldwin setpgid(struct thread *td, register struct setpgid_args *uap) 377df8bae1dSRodney W. Grimes { 378b40ce416SJulian Elischer struct proc *curp = td->td_proc; 379df8bae1dSRodney W. Grimes register struct proc *targp; /* target process */ 380df8bae1dSRodney W. Grimes register struct pgrp *pgrp; /* target pgrp */ 381eb9e5c1dSRobert Watson int error; 382f591779bSSeigo Tanimura struct pgrp *newpgrp; 383df8bae1dSRodney W. Grimes 38478f64bccSBruce Evans if (uap->pgid < 0) 38578f64bccSBruce Evans return (EINVAL); 386f591779bSSeigo Tanimura 387f591779bSSeigo Tanimura error = 0; 388f591779bSSeigo Tanimura 389a163d034SWarner Losh MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 390f591779bSSeigo Tanimura 391c8b1829dSJohn Baldwin sx_xlock(&proctree_lock); 392df8bae1dSRodney W. Grimes if (uap->pid != 0 && uap->pid != curp->p_pid) { 393f591779bSSeigo Tanimura if ((targp = pfind(uap->pid)) == NULL) { 394835a82eeSMatthew Dillon error = ESRCH; 395c8b1829dSJohn Baldwin goto done; 39633a9ed9dSJohn Baldwin } 397f591779bSSeigo Tanimura if (!inferior(targp)) { 398f591779bSSeigo Tanimura PROC_UNLOCK(targp); 3992f932587SSeigo Tanimura error = ESRCH; 400c8b1829dSJohn Baldwin goto done; 401f591779bSSeigo Tanimura } 40271a057bcSRobert Watson if ((error = p_cansee(td, targp))) { 40333a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 404c8b1829dSJohn Baldwin goto done; 40533a9ed9dSJohn Baldwin } 40633a9ed9dSJohn Baldwin if (targp->p_pgrp == NULL || 40733a9ed9dSJohn Baldwin targp->p_session != curp->p_session) { 40833a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 409835a82eeSMatthew Dillon error = EPERM; 410c8b1829dSJohn Baldwin goto done; 41133a9ed9dSJohn Baldwin } 41233a9ed9dSJohn Baldwin if (targp->p_flag & P_EXEC) { 41333a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 414835a82eeSMatthew Dillon error = EACCES; 415c8b1829dSJohn Baldwin goto done; 41633a9ed9dSJohn Baldwin } 41733a9ed9dSJohn Baldwin PROC_UNLOCK(targp); 418f591779bSSeigo Tanimura } else 419f591779bSSeigo Tanimura targp = curp; 420f591779bSSeigo Tanimura if (SESS_LEADER(targp)) { 421835a82eeSMatthew Dillon error = EPERM; 422c8b1829dSJohn Baldwin goto done; 42333a9ed9dSJohn Baldwin } 424eb725b4eSRobert Watson if (uap->pgid == 0) 425df8bae1dSRodney W. Grimes uap->pgid = targp->p_pid; 426a10d5f02SOlivier Houchard if ((pgrp = pgfind(uap->pgid)) == NULL) { 427f591779bSSeigo Tanimura if (uap->pgid == targp->p_pid) { 428a10d5f02SOlivier Houchard error = enterpgrp(targp, uap->pgid, newpgrp, 429a10d5f02SOlivier Houchard NULL); 430f591779bSSeigo Tanimura if (error == 0) 431f591779bSSeigo Tanimura newpgrp = NULL; 432a10d5f02SOlivier Houchard } else 433835a82eeSMatthew Dillon error = EPERM; 434a10d5f02SOlivier Houchard } else { 435f591779bSSeigo Tanimura if (pgrp == targp->p_pgrp) { 436f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 437f591779bSSeigo Tanimura goto done; 43833a9ed9dSJohn Baldwin } 439a10d5f02SOlivier Houchard if (pgrp->pg_id != targp->p_pid && 440a10d5f02SOlivier Houchard pgrp->pg_session != curp->p_session) { 441a10d5f02SOlivier Houchard PGRP_UNLOCK(pgrp); 442a10d5f02SOlivier Houchard error = EPERM; 443a10d5f02SOlivier Houchard goto done; 444a10d5f02SOlivier Houchard } 445f591779bSSeigo Tanimura PGRP_UNLOCK(pgrp); 446f591779bSSeigo Tanimura error = enterthispgrp(targp, pgrp); 447f591779bSSeigo Tanimura } 448f591779bSSeigo Tanimura done: 449c8b1829dSJohn Baldwin sx_xunlock(&proctree_lock); 450c8b1829dSJohn Baldwin KASSERT((error == 0) || (newpgrp != NULL), 451c8b1829dSJohn Baldwin ("setpgid failed and newpgrp is NULL")); 4526041fa0aSSeigo Tanimura if (newpgrp != NULL) 453f591779bSSeigo Tanimura FREE(newpgrp, M_PGRP); 454835a82eeSMatthew Dillon return (error); 455df8bae1dSRodney W. Grimes } 456df8bae1dSRodney W. Grimes 457a08f4bf6SPeter Wemm /* 458a08f4bf6SPeter Wemm * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 4592fa72ea7SJeroen Ruigrok van der Werven * compatible. It says that setting the uid/gid to euid/egid is a special 460a08f4bf6SPeter Wemm * case of "appropriate privilege". Once the rules are expanded out, this 461a08f4bf6SPeter Wemm * basically means that setuid(nnn) sets all three id's, in all permitted 462a08f4bf6SPeter Wemm * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 463a08f4bf6SPeter Wemm * does not set the saved id - this is dangerous for traditional BSD 464a08f4bf6SPeter Wemm * programs. For this reason, we *really* do not want to set 465a08f4bf6SPeter Wemm * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 466a08f4bf6SPeter Wemm */ 467a08f4bf6SPeter Wemm #define POSIX_APPENDIX_B_4_2_2 468a08f4bf6SPeter Wemm 469d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 470df8bae1dSRodney W. Grimes struct setuid_args { 471df8bae1dSRodney W. Grimes uid_t uid; 472df8bae1dSRodney W. Grimes }; 473d2d3e875SBruce Evans #endif 474df8bae1dSRodney W. Grimes /* ARGSUSED */ 47526f9a767SRodney W. Grimes int 4764c44ad8eSJohn Baldwin setuid(struct thread *td, struct setuid_args *uap) 477df8bae1dSRodney W. Grimes { 478b40ce416SJulian Elischer struct proc *p = td->td_proc; 479b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 480b1fc0ec1SRobert Watson uid_t uid; 4811419eacbSAlfred Perlstein struct uidinfo *uip; 482eb725b4eSRobert Watson int error; 483df8bae1dSRodney W. Grimes 48407f3485dSJohn Baldwin uid = uap->uid; 4852f8a46d5SWayne Salamon AUDIT_ARG(uid, uid); 48607f3485dSJohn Baldwin newcred = crget(); 4871419eacbSAlfred Perlstein uip = uifind(uid); 48807f3485dSJohn Baldwin PROC_LOCK(p); 489f605567cSRobert Watson oldcred = p->p_ucred; 4905a92ee3cSRobert Watson 491030a28b3SRobert Watson #ifdef MAC 49230d239bcSRobert Watson error = mac_proc_check_setuid(p, oldcred, uid); 493030a28b3SRobert Watson if (error) 494030a28b3SRobert Watson goto fail; 495030a28b3SRobert Watson #endif 496030a28b3SRobert Watson 497a08f4bf6SPeter Wemm /* 498a08f4bf6SPeter Wemm * See if we have "permission" by POSIX 1003.1 rules. 499a08f4bf6SPeter Wemm * 500a08f4bf6SPeter Wemm * Note that setuid(geteuid()) is a special case of 501a08f4bf6SPeter Wemm * "appropriate privileges" in appendix B.4.2.2. We need 5022fa72ea7SJeroen Ruigrok van der Werven * to use this clause to be compatible with traditional BSD 503a08f4bf6SPeter Wemm * semantics. Basically, it means that "setuid(xx)" sets all 504a08f4bf6SPeter Wemm * three id's (assuming you have privs). 505a08f4bf6SPeter Wemm * 506a08f4bf6SPeter Wemm * Notes on the logic. We do things in three steps. 507a08f4bf6SPeter Wemm * 1: We determine if the euid is going to change, and do EPERM 508a08f4bf6SPeter Wemm * right away. We unconditionally change the euid later if this 509a08f4bf6SPeter Wemm * test is satisfied, simplifying that part of the logic. 510eb725b4eSRobert Watson * 2: We determine if the real and/or saved uids are going to 511a08f4bf6SPeter Wemm * change. Determined by compile options. 512a08f4bf6SPeter Wemm * 3: Change euid last. (after tests in #2 for "appropriate privs") 513a08f4bf6SPeter Wemm */ 514b1fc0ec1SRobert Watson if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 5153f246666SAndrey A. Chernov #ifdef _POSIX_SAVED_IDS 516b1fc0ec1SRobert Watson uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 517a08f4bf6SPeter Wemm #endif 518a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 519b1fc0ec1SRobert Watson uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 5203f246666SAndrey A. Chernov #endif 52132f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 522030a28b3SRobert Watson goto fail; 523a08f4bf6SPeter Wemm 5241419eacbSAlfred Perlstein /* 5251419eacbSAlfred Perlstein * Copy credentials so other references do not see our changes. 5261419eacbSAlfred Perlstein */ 52707f3485dSJohn Baldwin crcopy(newcred, oldcred); 528a08f4bf6SPeter Wemm #ifdef _POSIX_SAVED_IDS 529df8bae1dSRodney W. Grimes /* 530a08f4bf6SPeter Wemm * Do we have "appropriate privileges" (are we root or uid == euid) 531a08f4bf6SPeter Wemm * If so, we are changing the real uid and/or saved uid. 532df8bae1dSRodney W. Grimes */ 5333f246666SAndrey A. Chernov if ( 534a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 535b1fc0ec1SRobert Watson uid == oldcred->cr_uid || 5363f246666SAndrey A. Chernov #endif 537800c9408SRobert Watson /* We are using privs. */ 53832f9753cSRobert Watson priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 539a08f4bf6SPeter Wemm #endif 540a08f4bf6SPeter Wemm { 541a08f4bf6SPeter Wemm /* 542f535380cSDon Lewis * Set the real uid and transfer proc count to new user. 543a08f4bf6SPeter Wemm */ 544b1fc0ec1SRobert Watson if (uid != oldcred->cr_ruid) { 5451419eacbSAlfred Perlstein change_ruid(newcred, uip); 546f535380cSDon Lewis setsugid(p); 547d3cdb93dSAndrey A. Chernov } 548a08f4bf6SPeter Wemm /* 549a08f4bf6SPeter Wemm * Set saved uid 550a08f4bf6SPeter Wemm * 551a08f4bf6SPeter Wemm * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 552a08f4bf6SPeter Wemm * the security of seteuid() depends on it. B.4.2.2 says it 553a08f4bf6SPeter Wemm * is important that we should do this. 554a08f4bf6SPeter Wemm */ 555b1fc0ec1SRobert Watson if (uid != oldcred->cr_svuid) { 556b1fc0ec1SRobert Watson change_svuid(newcred, uid); 557d5f81602SSean Eric Fagan setsugid(p); 558a08f4bf6SPeter Wemm } 559a08f4bf6SPeter Wemm } 560a08f4bf6SPeter Wemm 561a08f4bf6SPeter Wemm /* 562a08f4bf6SPeter Wemm * In all permitted cases, we are changing the euid. 563a08f4bf6SPeter Wemm */ 564b1fc0ec1SRobert Watson if (uid != oldcred->cr_uid) { 5651419eacbSAlfred Perlstein change_euid(newcred, uip); 566d5f81602SSean Eric Fagan setsugid(p); 567a08f4bf6SPeter Wemm } 568b1fc0ec1SRobert Watson p->p_ucred = newcred; 56907f3485dSJohn Baldwin PROC_UNLOCK(p); 5701419eacbSAlfred Perlstein uifree(uip); 571b1fc0ec1SRobert Watson crfree(oldcred); 57207f3485dSJohn Baldwin return (0); 573030a28b3SRobert Watson 574030a28b3SRobert Watson fail: 575030a28b3SRobert Watson PROC_UNLOCK(p); 576030a28b3SRobert Watson uifree(uip); 577030a28b3SRobert Watson crfree(newcred); 578030a28b3SRobert Watson return (error); 579df8bae1dSRodney W. Grimes } 580df8bae1dSRodney W. Grimes 581d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 582df8bae1dSRodney W. Grimes struct seteuid_args { 583df8bae1dSRodney W. Grimes uid_t euid; 584df8bae1dSRodney W. Grimes }; 585d2d3e875SBruce Evans #endif 586df8bae1dSRodney W. Grimes /* ARGSUSED */ 58726f9a767SRodney W. Grimes int 5884c44ad8eSJohn Baldwin seteuid(struct thread *td, struct seteuid_args *uap) 589df8bae1dSRodney W. Grimes { 590b40ce416SJulian Elischer struct proc *p = td->td_proc; 591b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 592b1fc0ec1SRobert Watson uid_t euid; 5931419eacbSAlfred Perlstein struct uidinfo *euip; 594eb725b4eSRobert Watson int error; 595df8bae1dSRodney W. Grimes 596df8bae1dSRodney W. Grimes euid = uap->euid; 5972f8a46d5SWayne Salamon AUDIT_ARG(euid, euid); 59807f3485dSJohn Baldwin newcred = crget(); 5991419eacbSAlfred Perlstein euip = uifind(euid); 60007f3485dSJohn Baldwin PROC_LOCK(p); 601b1fc0ec1SRobert Watson oldcred = p->p_ucred; 602030a28b3SRobert Watson 603030a28b3SRobert Watson #ifdef MAC 60430d239bcSRobert Watson error = mac_proc_check_seteuid(p, oldcred, euid); 605030a28b3SRobert Watson if (error) 606030a28b3SRobert Watson goto fail; 607030a28b3SRobert Watson #endif 608030a28b3SRobert Watson 609b1fc0ec1SRobert Watson if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 610b1fc0ec1SRobert Watson euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 61132f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 612030a28b3SRobert Watson goto fail; 613030a28b3SRobert Watson 614df8bae1dSRodney W. Grimes /* 615df8bae1dSRodney W. Grimes * Everything's okay, do it. Copy credentials so other references do 616df8bae1dSRodney W. Grimes * not see our changes. 617df8bae1dSRodney W. Grimes */ 61807f3485dSJohn Baldwin crcopy(newcred, oldcred); 619b1fc0ec1SRobert Watson if (oldcred->cr_uid != euid) { 6201419eacbSAlfred Perlstein change_euid(newcred, euip); 621d5f81602SSean Eric Fagan setsugid(p); 622229a15f0SPeter Wemm } 623b1fc0ec1SRobert Watson p->p_ucred = newcred; 62407f3485dSJohn Baldwin PROC_UNLOCK(p); 6251419eacbSAlfred Perlstein uifree(euip); 626b1fc0ec1SRobert Watson crfree(oldcred); 62707f3485dSJohn Baldwin return (0); 628030a28b3SRobert Watson 629030a28b3SRobert Watson fail: 630030a28b3SRobert Watson PROC_UNLOCK(p); 631030a28b3SRobert Watson uifree(euip); 632030a28b3SRobert Watson crfree(newcred); 633030a28b3SRobert Watson return (error); 634df8bae1dSRodney W. Grimes } 635df8bae1dSRodney W. Grimes 636d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 637df8bae1dSRodney W. Grimes struct setgid_args { 638df8bae1dSRodney W. Grimes gid_t gid; 639df8bae1dSRodney W. Grimes }; 640d2d3e875SBruce Evans #endif 641df8bae1dSRodney W. Grimes /* ARGSUSED */ 64226f9a767SRodney W. Grimes int 6434c44ad8eSJohn Baldwin setgid(struct thread *td, struct setgid_args *uap) 644df8bae1dSRodney W. Grimes { 645b40ce416SJulian Elischer struct proc *p = td->td_proc; 646b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 647b1fc0ec1SRobert Watson gid_t gid; 648eb725b4eSRobert Watson int error; 649df8bae1dSRodney W. Grimes 650b1fc0ec1SRobert Watson gid = uap->gid; 6512f8a46d5SWayne Salamon AUDIT_ARG(gid, gid); 65207f3485dSJohn Baldwin newcred = crget(); 65307f3485dSJohn Baldwin PROC_LOCK(p); 654b1fc0ec1SRobert Watson oldcred = p->p_ucred; 6555a92ee3cSRobert Watson 656030a28b3SRobert Watson #ifdef MAC 65730d239bcSRobert Watson error = mac_proc_check_setgid(p, oldcred, gid); 658030a28b3SRobert Watson if (error) 659030a28b3SRobert Watson goto fail; 660030a28b3SRobert Watson #endif 661030a28b3SRobert Watson 662a08f4bf6SPeter Wemm /* 663a08f4bf6SPeter Wemm * See if we have "permission" by POSIX 1003.1 rules. 664a08f4bf6SPeter Wemm * 665a08f4bf6SPeter Wemm * Note that setgid(getegid()) is a special case of 666a08f4bf6SPeter Wemm * "appropriate privileges" in appendix B.4.2.2. We need 6672fa72ea7SJeroen Ruigrok van der Werven * to use this clause to be compatible with traditional BSD 668a08f4bf6SPeter Wemm * semantics. Basically, it means that "setgid(xx)" sets all 669a08f4bf6SPeter Wemm * three id's (assuming you have privs). 670a08f4bf6SPeter Wemm * 671a08f4bf6SPeter Wemm * For notes on the logic here, see setuid() above. 672a08f4bf6SPeter Wemm */ 673b1fc0ec1SRobert Watson if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 6743f246666SAndrey A. Chernov #ifdef _POSIX_SAVED_IDS 675b1fc0ec1SRobert Watson gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 676a08f4bf6SPeter Wemm #endif 677a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 678b1fc0ec1SRobert Watson gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 6793f246666SAndrey A. Chernov #endif 68032f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 681030a28b3SRobert Watson goto fail; 682a08f4bf6SPeter Wemm 68307f3485dSJohn Baldwin crcopy(newcred, oldcred); 684a08f4bf6SPeter Wemm #ifdef _POSIX_SAVED_IDS 685a08f4bf6SPeter Wemm /* 686a08f4bf6SPeter Wemm * Do we have "appropriate privileges" (are we root or gid == egid) 687a08f4bf6SPeter Wemm * If so, we are changing the real uid and saved gid. 688a08f4bf6SPeter Wemm */ 689a08f4bf6SPeter Wemm if ( 690a08f4bf6SPeter Wemm #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 691b1fc0ec1SRobert Watson gid == oldcred->cr_groups[0] || 692a08f4bf6SPeter Wemm #endif 693800c9408SRobert Watson /* We are using privs. */ 69432f9753cSRobert Watson priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 695a08f4bf6SPeter Wemm #endif 696a08f4bf6SPeter Wemm { 697a08f4bf6SPeter Wemm /* 698a08f4bf6SPeter Wemm * Set real gid 699a08f4bf6SPeter Wemm */ 700b1fc0ec1SRobert Watson if (oldcred->cr_rgid != gid) { 701b1fc0ec1SRobert Watson change_rgid(newcred, gid); 702d5f81602SSean Eric Fagan setsugid(p); 703a08f4bf6SPeter Wemm } 704a08f4bf6SPeter Wemm /* 705a08f4bf6SPeter Wemm * Set saved gid 706a08f4bf6SPeter Wemm * 707a08f4bf6SPeter Wemm * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 708a08f4bf6SPeter Wemm * the security of setegid() depends on it. B.4.2.2 says it 709a08f4bf6SPeter Wemm * is important that we should do this. 710a08f4bf6SPeter Wemm */ 711b1fc0ec1SRobert Watson if (oldcred->cr_svgid != gid) { 712b1fc0ec1SRobert Watson change_svgid(newcred, gid); 713d5f81602SSean Eric Fagan setsugid(p); 714a08f4bf6SPeter Wemm } 715a08f4bf6SPeter Wemm } 716a08f4bf6SPeter Wemm /* 717a08f4bf6SPeter Wemm * In all cases permitted cases, we are changing the egid. 718a08f4bf6SPeter Wemm * Copy credentials so other references do not see our changes. 719a08f4bf6SPeter Wemm */ 720b1fc0ec1SRobert Watson if (oldcred->cr_groups[0] != gid) { 721b1fc0ec1SRobert Watson change_egid(newcred, gid); 722d5f81602SSean Eric Fagan setsugid(p); 723a08f4bf6SPeter Wemm } 724b1fc0ec1SRobert Watson p->p_ucred = newcred; 72507f3485dSJohn Baldwin PROC_UNLOCK(p); 726b1fc0ec1SRobert Watson crfree(oldcred); 72707f3485dSJohn Baldwin return (0); 728030a28b3SRobert Watson 729030a28b3SRobert Watson fail: 730030a28b3SRobert Watson PROC_UNLOCK(p); 731030a28b3SRobert Watson crfree(newcred); 732030a28b3SRobert Watson return (error); 733df8bae1dSRodney W. Grimes } 734df8bae1dSRodney W. Grimes 735d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 736df8bae1dSRodney W. Grimes struct setegid_args { 737df8bae1dSRodney W. Grimes gid_t egid; 738df8bae1dSRodney W. Grimes }; 739d2d3e875SBruce Evans #endif 740df8bae1dSRodney W. Grimes /* ARGSUSED */ 74126f9a767SRodney W. Grimes int 7424c44ad8eSJohn Baldwin setegid(struct thread *td, struct setegid_args *uap) 743df8bae1dSRodney W. Grimes { 744b40ce416SJulian Elischer struct proc *p = td->td_proc; 745b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 746b1fc0ec1SRobert Watson gid_t egid; 747eb725b4eSRobert Watson int error; 748df8bae1dSRodney W. Grimes 749df8bae1dSRodney W. Grimes egid = uap->egid; 7502f8a46d5SWayne Salamon AUDIT_ARG(egid, egid); 75107f3485dSJohn Baldwin newcred = crget(); 75207f3485dSJohn Baldwin PROC_LOCK(p); 753b1fc0ec1SRobert Watson oldcred = p->p_ucred; 754030a28b3SRobert Watson 755030a28b3SRobert Watson #ifdef MAC 75630d239bcSRobert Watson error = mac_proc_check_setegid(p, oldcred, egid); 757030a28b3SRobert Watson if (error) 758030a28b3SRobert Watson goto fail; 759030a28b3SRobert Watson #endif 760030a28b3SRobert Watson 761b1fc0ec1SRobert Watson if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 762b1fc0ec1SRobert Watson egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 76332f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 764030a28b3SRobert Watson goto fail; 765030a28b3SRobert Watson 76607f3485dSJohn Baldwin crcopy(newcred, oldcred); 767b1fc0ec1SRobert Watson if (oldcred->cr_groups[0] != egid) { 768b1fc0ec1SRobert Watson change_egid(newcred, egid); 769d5f81602SSean Eric Fagan setsugid(p); 770229a15f0SPeter Wemm } 771b1fc0ec1SRobert Watson p->p_ucred = newcred; 77207f3485dSJohn Baldwin PROC_UNLOCK(p); 773b1fc0ec1SRobert Watson crfree(oldcred); 77407f3485dSJohn Baldwin return (0); 775030a28b3SRobert Watson 776030a28b3SRobert Watson fail: 777030a28b3SRobert Watson PROC_UNLOCK(p); 778030a28b3SRobert Watson crfree(newcred); 779030a28b3SRobert Watson return (error); 780df8bae1dSRodney W. Grimes } 781df8bae1dSRodney W. Grimes 782d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 783df8bae1dSRodney W. Grimes struct setgroups_args { 784df8bae1dSRodney W. Grimes u_int gidsetsize; 785df8bae1dSRodney W. Grimes gid_t *gidset; 786df8bae1dSRodney W. Grimes }; 787d2d3e875SBruce Evans #endif 788df8bae1dSRodney W. Grimes /* ARGSUSED */ 78926f9a767SRodney W. Grimes int 7904c44ad8eSJohn Baldwin setgroups(struct thread *td, struct setgroups_args *uap) 791df8bae1dSRodney W. Grimes { 7923cb83e71SJohn Baldwin gid_t groups[NGROUPS]; 793df8bae1dSRodney W. Grimes int error; 794df8bae1dSRodney W. Grimes 7953cb83e71SJohn Baldwin if (uap->gidsetsize > NGROUPS) 7963cb83e71SJohn Baldwin return (EINVAL); 7973cb83e71SJohn Baldwin error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 7983cb83e71SJohn Baldwin if (error) 7993cb83e71SJohn Baldwin return (error); 8003cb83e71SJohn Baldwin return (kern_setgroups(td, uap->gidsetsize, groups)); 8013cb83e71SJohn Baldwin } 8023cb83e71SJohn Baldwin 8033cb83e71SJohn Baldwin int 8043cb83e71SJohn Baldwin kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 8053cb83e71SJohn Baldwin { 8063cb83e71SJohn Baldwin struct proc *p = td->td_proc; 8073cb83e71SJohn Baldwin struct ucred *newcred, *oldcred; 8083cb83e71SJohn Baldwin int error; 8093cb83e71SJohn Baldwin 81007f3485dSJohn Baldwin if (ngrp > NGROUPS) 81107f3485dSJohn Baldwin return (EINVAL); 8123cb83e71SJohn Baldwin AUDIT_ARG(groupset, groups, ngrp); 81307f3485dSJohn Baldwin newcred = crget(); 81407f3485dSJohn Baldwin PROC_LOCK(p); 81507f3485dSJohn Baldwin oldcred = p->p_ucred; 816030a28b3SRobert Watson 817030a28b3SRobert Watson #ifdef MAC 81830d239bcSRobert Watson error = mac_proc_check_setgroups(p, oldcred, ngrp, groups); 819030a28b3SRobert Watson if (error) 820030a28b3SRobert Watson goto fail; 821030a28b3SRobert Watson #endif 822030a28b3SRobert Watson 82332f9753cSRobert Watson error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 824030a28b3SRobert Watson if (error) 825030a28b3SRobert Watson goto fail; 82607f3485dSJohn Baldwin 8278a5d815aSPeter Wemm /* 8288a5d815aSPeter Wemm * XXX A little bit lazy here. We could test if anything has 8298a5d815aSPeter Wemm * changed before crcopy() and setting P_SUGID. 8308a5d815aSPeter Wemm */ 83107f3485dSJohn Baldwin crcopy(newcred, oldcred); 8328a5d815aSPeter Wemm if (ngrp < 1) { 8338a5d815aSPeter Wemm /* 8348a5d815aSPeter Wemm * setgroups(0, NULL) is a legitimate way of clearing the 8358a5d815aSPeter Wemm * groups vector on non-BSD systems (which generally do not 8368a5d815aSPeter Wemm * have the egid in the groups[0]). We risk security holes 8378a5d815aSPeter Wemm * when running non-BSD software if we do not do the same. 8388a5d815aSPeter Wemm */ 839b1fc0ec1SRobert Watson newcred->cr_ngroups = 1; 8408a5d815aSPeter Wemm } else { 8413cb83e71SJohn Baldwin bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); 842b1fc0ec1SRobert Watson newcred->cr_ngroups = ngrp; 8438a5d815aSPeter Wemm } 844d5f81602SSean Eric Fagan setsugid(p); 845b1fc0ec1SRobert Watson p->p_ucred = newcred; 84607f3485dSJohn Baldwin PROC_UNLOCK(p); 847b1fc0ec1SRobert Watson crfree(oldcred); 84807f3485dSJohn Baldwin return (0); 849030a28b3SRobert Watson 850030a28b3SRobert Watson fail: 851030a28b3SRobert Watson PROC_UNLOCK(p); 852030a28b3SRobert Watson crfree(newcred); 853030a28b3SRobert Watson return (error); 854df8bae1dSRodney W. Grimes } 855df8bae1dSRodney W. Grimes 856d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 857df8bae1dSRodney W. Grimes struct setreuid_args { 85800999cd6SAndrey A. Chernov uid_t ruid; 85900999cd6SAndrey A. Chernov uid_t euid; 860df8bae1dSRodney W. Grimes }; 861d2d3e875SBruce Evans #endif 862df8bae1dSRodney W. Grimes /* ARGSUSED */ 86326f9a767SRodney W. Grimes int 8644c44ad8eSJohn Baldwin setreuid(register struct thread *td, struct setreuid_args *uap) 865df8bae1dSRodney W. Grimes { 866b40ce416SJulian Elischer struct proc *p = td->td_proc; 867b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 868eb725b4eSRobert Watson uid_t euid, ruid; 8691419eacbSAlfred Perlstein struct uidinfo *euip, *ruip; 870eb725b4eSRobert Watson int error; 871df8bae1dSRodney W. Grimes 87200999cd6SAndrey A. Chernov euid = uap->euid; 873eb725b4eSRobert Watson ruid = uap->ruid; 8742f8a46d5SWayne Salamon AUDIT_ARG(euid, euid); 8752f8a46d5SWayne Salamon AUDIT_ARG(ruid, ruid); 87607f3485dSJohn Baldwin newcred = crget(); 8771419eacbSAlfred Perlstein euip = uifind(euid); 8781419eacbSAlfred Perlstein ruip = uifind(ruid); 87907f3485dSJohn Baldwin PROC_LOCK(p); 880b1fc0ec1SRobert Watson oldcred = p->p_ucred; 881030a28b3SRobert Watson 882030a28b3SRobert Watson #ifdef MAC 88330d239bcSRobert Watson error = mac_proc_check_setreuid(p, oldcred, ruid, euid); 884030a28b3SRobert Watson if (error) 885030a28b3SRobert Watson goto fail; 886030a28b3SRobert Watson #endif 887030a28b3SRobert Watson 888b1fc0ec1SRobert Watson if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 889b1fc0ec1SRobert Watson ruid != oldcred->cr_svuid) || 890b1fc0ec1SRobert Watson (euid != (uid_t)-1 && euid != oldcred->cr_uid && 891b1fc0ec1SRobert Watson euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 89232f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 893030a28b3SRobert Watson goto fail; 894030a28b3SRobert Watson 89507f3485dSJohn Baldwin crcopy(newcred, oldcred); 896b1fc0ec1SRobert Watson if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 8971419eacbSAlfred Perlstein change_euid(newcred, euip); 898d5f81602SSean Eric Fagan setsugid(p); 899a89a5370SPeter Wemm } 900b1fc0ec1SRobert Watson if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 9011419eacbSAlfred Perlstein change_ruid(newcred, ruip); 902d5f81602SSean Eric Fagan setsugid(p); 90300999cd6SAndrey A. Chernov } 904b1fc0ec1SRobert Watson if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 905b1fc0ec1SRobert Watson newcred->cr_svuid != newcred->cr_uid) { 906b1fc0ec1SRobert Watson change_svuid(newcred, newcred->cr_uid); 907d5f81602SSean Eric Fagan setsugid(p); 908a89a5370SPeter Wemm } 909b1fc0ec1SRobert Watson p->p_ucred = newcred; 91007f3485dSJohn Baldwin PROC_UNLOCK(p); 9111419eacbSAlfred Perlstein uifree(ruip); 9121419eacbSAlfred Perlstein uifree(euip); 913b1fc0ec1SRobert Watson crfree(oldcred); 91407f3485dSJohn Baldwin return (0); 915030a28b3SRobert Watson 916030a28b3SRobert Watson fail: 917030a28b3SRobert Watson PROC_UNLOCK(p); 918030a28b3SRobert Watson uifree(ruip); 919030a28b3SRobert Watson uifree(euip); 920030a28b3SRobert Watson crfree(newcred); 921030a28b3SRobert Watson return (error); 922df8bae1dSRodney W. Grimes } 923df8bae1dSRodney W. Grimes 924d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 925df8bae1dSRodney W. Grimes struct setregid_args { 92600999cd6SAndrey A. Chernov gid_t rgid; 92700999cd6SAndrey A. Chernov gid_t egid; 928df8bae1dSRodney W. Grimes }; 929d2d3e875SBruce Evans #endif 930df8bae1dSRodney W. Grimes /* ARGSUSED */ 93126f9a767SRodney W. Grimes int 9324c44ad8eSJohn Baldwin setregid(register struct thread *td, struct setregid_args *uap) 933df8bae1dSRodney W. Grimes { 934b40ce416SJulian Elischer struct proc *p = td->td_proc; 935b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 936eb725b4eSRobert Watson gid_t egid, rgid; 937eb725b4eSRobert Watson int error; 938df8bae1dSRodney W. Grimes 93900999cd6SAndrey A. Chernov egid = uap->egid; 940eb725b4eSRobert Watson rgid = uap->rgid; 9412f8a46d5SWayne Salamon AUDIT_ARG(egid, egid); 9422f8a46d5SWayne Salamon AUDIT_ARG(rgid, rgid); 94307f3485dSJohn Baldwin newcred = crget(); 94407f3485dSJohn Baldwin PROC_LOCK(p); 945b1fc0ec1SRobert Watson oldcred = p->p_ucred; 946030a28b3SRobert Watson 947030a28b3SRobert Watson #ifdef MAC 94830d239bcSRobert Watson error = mac_proc_check_setregid(p, oldcred, rgid, egid); 949030a28b3SRobert Watson if (error) 950030a28b3SRobert Watson goto fail; 951030a28b3SRobert Watson #endif 952030a28b3SRobert Watson 953b1fc0ec1SRobert Watson if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 954b1fc0ec1SRobert Watson rgid != oldcred->cr_svgid) || 955b1fc0ec1SRobert Watson (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 956b1fc0ec1SRobert Watson egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 95732f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 958030a28b3SRobert Watson goto fail; 95907f3485dSJohn Baldwin 96007f3485dSJohn Baldwin crcopy(newcred, oldcred); 961b1fc0ec1SRobert Watson if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 962b1fc0ec1SRobert Watson change_egid(newcred, egid); 963d5f81602SSean Eric Fagan setsugid(p); 964a89a5370SPeter Wemm } 965b1fc0ec1SRobert Watson if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 966b1fc0ec1SRobert Watson change_rgid(newcred, rgid); 967d5f81602SSean Eric Fagan setsugid(p); 968a89a5370SPeter Wemm } 969b1fc0ec1SRobert Watson if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 970b1fc0ec1SRobert Watson newcred->cr_svgid != newcred->cr_groups[0]) { 971b1fc0ec1SRobert Watson change_svgid(newcred, newcred->cr_groups[0]); 972d5f81602SSean Eric Fagan setsugid(p); 973a89a5370SPeter Wemm } 9744589be70SRuslan Ermilov p->p_ucred = newcred; 97507f3485dSJohn Baldwin PROC_UNLOCK(p); 9764589be70SRuslan Ermilov crfree(oldcred); 97707f3485dSJohn Baldwin return (0); 978030a28b3SRobert Watson 979030a28b3SRobert Watson fail: 980030a28b3SRobert Watson PROC_UNLOCK(p); 981030a28b3SRobert Watson crfree(newcred); 982030a28b3SRobert Watson return (error); 983df8bae1dSRodney W. Grimes } 984df8bae1dSRodney W. Grimes 9858ccd6334SPeter Wemm /* 986873fbcd7SRobert Watson * setresuid(ruid, euid, suid) is like setreuid except control over the saved 987873fbcd7SRobert Watson * uid is explicit. 9888ccd6334SPeter Wemm */ 9898ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 9908ccd6334SPeter Wemm struct setresuid_args { 9918ccd6334SPeter Wemm uid_t ruid; 9928ccd6334SPeter Wemm uid_t euid; 9938ccd6334SPeter Wemm uid_t suid; 9948ccd6334SPeter Wemm }; 9958ccd6334SPeter Wemm #endif 9968ccd6334SPeter Wemm /* ARGSUSED */ 9978ccd6334SPeter Wemm int 9984c44ad8eSJohn Baldwin setresuid(register struct thread *td, struct setresuid_args *uap) 9998ccd6334SPeter Wemm { 1000b40ce416SJulian Elischer struct proc *p = td->td_proc; 1001b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 1002eb725b4eSRobert Watson uid_t euid, ruid, suid; 10031419eacbSAlfred Perlstein struct uidinfo *euip, *ruip; 10048ccd6334SPeter Wemm int error; 10058ccd6334SPeter Wemm 10068ccd6334SPeter Wemm euid = uap->euid; 1007eb725b4eSRobert Watson ruid = uap->ruid; 10088ccd6334SPeter Wemm suid = uap->suid; 10092f8a46d5SWayne Salamon AUDIT_ARG(euid, euid); 10102f8a46d5SWayne Salamon AUDIT_ARG(ruid, ruid); 10112f8a46d5SWayne Salamon AUDIT_ARG(suid, suid); 101207f3485dSJohn Baldwin newcred = crget(); 10131419eacbSAlfred Perlstein euip = uifind(euid); 10141419eacbSAlfred Perlstein ruip = uifind(ruid); 101507f3485dSJohn Baldwin PROC_LOCK(p); 1016b1fc0ec1SRobert Watson oldcred = p->p_ucred; 1017030a28b3SRobert Watson 1018030a28b3SRobert Watson #ifdef MAC 101930d239bcSRobert Watson error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid); 1020030a28b3SRobert Watson if (error) 1021030a28b3SRobert Watson goto fail; 1022030a28b3SRobert Watson #endif 1023030a28b3SRobert Watson 1024b1fc0ec1SRobert Watson if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1025b1fc0ec1SRobert Watson ruid != oldcred->cr_svuid && 1026b1fc0ec1SRobert Watson ruid != oldcred->cr_uid) || 1027b1fc0ec1SRobert Watson (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1028b1fc0ec1SRobert Watson euid != oldcred->cr_svuid && 1029b1fc0ec1SRobert Watson euid != oldcred->cr_uid) || 1030b1fc0ec1SRobert Watson (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1031b1fc0ec1SRobert Watson suid != oldcred->cr_svuid && 1032b1fc0ec1SRobert Watson suid != oldcred->cr_uid)) && 103332f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1034030a28b3SRobert Watson goto fail; 103507f3485dSJohn Baldwin 103607f3485dSJohn Baldwin crcopy(newcred, oldcred); 1037b1fc0ec1SRobert Watson if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 10381419eacbSAlfred Perlstein change_euid(newcred, euip); 10398ccd6334SPeter Wemm setsugid(p); 10408ccd6334SPeter Wemm } 1041b1fc0ec1SRobert Watson if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 10421419eacbSAlfred Perlstein change_ruid(newcred, ruip); 10438ccd6334SPeter Wemm setsugid(p); 10448ccd6334SPeter Wemm } 1045b1fc0ec1SRobert Watson if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1046b1fc0ec1SRobert Watson change_svuid(newcred, suid); 10478ccd6334SPeter Wemm setsugid(p); 10488ccd6334SPeter Wemm } 1049b1fc0ec1SRobert Watson p->p_ucred = newcred; 105007f3485dSJohn Baldwin PROC_UNLOCK(p); 10511419eacbSAlfred Perlstein uifree(ruip); 10521419eacbSAlfred Perlstein uifree(euip); 1053b1fc0ec1SRobert Watson crfree(oldcred); 105407f3485dSJohn Baldwin return (0); 1055030a28b3SRobert Watson 1056030a28b3SRobert Watson fail: 1057030a28b3SRobert Watson PROC_UNLOCK(p); 1058030a28b3SRobert Watson uifree(ruip); 1059030a28b3SRobert Watson uifree(euip); 1060030a28b3SRobert Watson crfree(newcred); 1061030a28b3SRobert Watson return (error); 1062030a28b3SRobert Watson 10638ccd6334SPeter Wemm } 10648ccd6334SPeter Wemm 10658ccd6334SPeter Wemm /* 1066873fbcd7SRobert Watson * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1067873fbcd7SRobert Watson * gid is explicit. 10688ccd6334SPeter Wemm */ 10698ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 10708ccd6334SPeter Wemm struct setresgid_args { 10718ccd6334SPeter Wemm gid_t rgid; 10728ccd6334SPeter Wemm gid_t egid; 10738ccd6334SPeter Wemm gid_t sgid; 10748ccd6334SPeter Wemm }; 10758ccd6334SPeter Wemm #endif 10768ccd6334SPeter Wemm /* ARGSUSED */ 10778ccd6334SPeter Wemm int 10784c44ad8eSJohn Baldwin setresgid(register struct thread *td, struct setresgid_args *uap) 10798ccd6334SPeter Wemm { 1080b40ce416SJulian Elischer struct proc *p = td->td_proc; 1081b1fc0ec1SRobert Watson struct ucred *newcred, *oldcred; 1082eb725b4eSRobert Watson gid_t egid, rgid, sgid; 10838ccd6334SPeter Wemm int error; 10848ccd6334SPeter Wemm 10858ccd6334SPeter Wemm egid = uap->egid; 1086eb725b4eSRobert Watson rgid = uap->rgid; 10878ccd6334SPeter Wemm sgid = uap->sgid; 10882f8a46d5SWayne Salamon AUDIT_ARG(egid, egid); 10892f8a46d5SWayne Salamon AUDIT_ARG(rgid, rgid); 10902f8a46d5SWayne Salamon AUDIT_ARG(sgid, sgid); 109107f3485dSJohn Baldwin newcred = crget(); 109207f3485dSJohn Baldwin PROC_LOCK(p); 1093b1fc0ec1SRobert Watson oldcred = p->p_ucred; 1094030a28b3SRobert Watson 1095030a28b3SRobert Watson #ifdef MAC 109630d239bcSRobert Watson error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid); 1097030a28b3SRobert Watson if (error) 1098030a28b3SRobert Watson goto fail; 1099030a28b3SRobert Watson #endif 1100030a28b3SRobert Watson 1101b1fc0ec1SRobert Watson if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1102b1fc0ec1SRobert Watson rgid != oldcred->cr_svgid && 1103b1fc0ec1SRobert Watson rgid != oldcred->cr_groups[0]) || 1104b1fc0ec1SRobert Watson (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1105b1fc0ec1SRobert Watson egid != oldcred->cr_svgid && 1106b1fc0ec1SRobert Watson egid != oldcred->cr_groups[0]) || 1107b1fc0ec1SRobert Watson (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1108b1fc0ec1SRobert Watson sgid != oldcred->cr_svgid && 1109b1fc0ec1SRobert Watson sgid != oldcred->cr_groups[0])) && 111032f9753cSRobert Watson (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1111030a28b3SRobert Watson goto fail; 111207f3485dSJohn Baldwin 111307f3485dSJohn Baldwin crcopy(newcred, oldcred); 1114b1fc0ec1SRobert Watson if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1115b1fc0ec1SRobert Watson change_egid(newcred, egid); 11168ccd6334SPeter Wemm setsugid(p); 11178ccd6334SPeter Wemm } 1118b1fc0ec1SRobert Watson if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1119b1fc0ec1SRobert Watson change_rgid(newcred, rgid); 11208ccd6334SPeter Wemm setsugid(p); 11218ccd6334SPeter Wemm } 1122b1fc0ec1SRobert Watson if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1123b1fc0ec1SRobert Watson change_svgid(newcred, sgid); 11248ccd6334SPeter Wemm setsugid(p); 11258ccd6334SPeter Wemm } 1126b1fc0ec1SRobert Watson p->p_ucred = newcred; 112707f3485dSJohn Baldwin PROC_UNLOCK(p); 1128b1fc0ec1SRobert Watson crfree(oldcred); 112907f3485dSJohn Baldwin return (0); 1130030a28b3SRobert Watson 1131030a28b3SRobert Watson fail: 1132030a28b3SRobert Watson PROC_UNLOCK(p); 1133030a28b3SRobert Watson crfree(newcred); 1134030a28b3SRobert Watson return (error); 11358ccd6334SPeter Wemm } 11368ccd6334SPeter Wemm 11378ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 11388ccd6334SPeter Wemm struct getresuid_args { 11398ccd6334SPeter Wemm uid_t *ruid; 11408ccd6334SPeter Wemm uid_t *euid; 11418ccd6334SPeter Wemm uid_t *suid; 11428ccd6334SPeter Wemm }; 11438ccd6334SPeter Wemm #endif 11448ccd6334SPeter Wemm /* ARGSUSED */ 11458ccd6334SPeter Wemm int 11464c44ad8eSJohn Baldwin getresuid(register struct thread *td, struct getresuid_args *uap) 11478ccd6334SPeter Wemm { 1148835a82eeSMatthew Dillon struct ucred *cred; 11498ccd6334SPeter Wemm int error1 = 0, error2 = 0, error3 = 0; 11508ccd6334SPeter Wemm 1151d74ac681SMatthew Dillon cred = td->td_ucred; 11528ccd6334SPeter Wemm if (uap->ruid) 11537f05b035SAlfred Perlstein error1 = copyout(&cred->cr_ruid, 11547f05b035SAlfred Perlstein uap->ruid, sizeof(cred->cr_ruid)); 11558ccd6334SPeter Wemm if (uap->euid) 11567f05b035SAlfred Perlstein error2 = copyout(&cred->cr_uid, 11577f05b035SAlfred Perlstein uap->euid, sizeof(cred->cr_uid)); 11588ccd6334SPeter Wemm if (uap->suid) 11597f05b035SAlfred Perlstein error3 = copyout(&cred->cr_svuid, 11607f05b035SAlfred Perlstein uap->suid, sizeof(cred->cr_svuid)); 1161eb725b4eSRobert Watson return (error1 ? error1 : error2 ? error2 : error3); 11628ccd6334SPeter Wemm } 11638ccd6334SPeter Wemm 11648ccd6334SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 11658ccd6334SPeter Wemm struct getresgid_args { 11668ccd6334SPeter Wemm gid_t *rgid; 11678ccd6334SPeter Wemm gid_t *egid; 11688ccd6334SPeter Wemm gid_t *sgid; 11698ccd6334SPeter Wemm }; 11708ccd6334SPeter Wemm #endif 11718ccd6334SPeter Wemm /* ARGSUSED */ 11728ccd6334SPeter Wemm int 11734c44ad8eSJohn Baldwin getresgid(register struct thread *td, struct getresgid_args *uap) 11748ccd6334SPeter Wemm { 1175835a82eeSMatthew Dillon struct ucred *cred; 11768ccd6334SPeter Wemm int error1 = 0, error2 = 0, error3 = 0; 11778ccd6334SPeter Wemm 1178d74ac681SMatthew Dillon cred = td->td_ucred; 11798ccd6334SPeter Wemm if (uap->rgid) 11807f05b035SAlfred Perlstein error1 = copyout(&cred->cr_rgid, 11817f05b035SAlfred Perlstein uap->rgid, sizeof(cred->cr_rgid)); 11828ccd6334SPeter Wemm if (uap->egid) 11837f05b035SAlfred Perlstein error2 = copyout(&cred->cr_groups[0], 11847f05b035SAlfred Perlstein uap->egid, sizeof(cred->cr_groups[0])); 11858ccd6334SPeter Wemm if (uap->sgid) 11867f05b035SAlfred Perlstein error3 = copyout(&cred->cr_svgid, 11877f05b035SAlfred Perlstein uap->sgid, sizeof(cred->cr_svgid)); 1188eb725b4eSRobert Watson return (error1 ? error1 : error2 ? error2 : error3); 11898ccd6334SPeter Wemm } 11908ccd6334SPeter Wemm 1191b67cbc65SPeter Wemm #ifndef _SYS_SYSPROTO_H_ 1192b67cbc65SPeter Wemm struct issetugid_args { 1193b67cbc65SPeter Wemm int dummy; 1194b67cbc65SPeter Wemm }; 1195b67cbc65SPeter Wemm #endif 1196b67cbc65SPeter Wemm /* ARGSUSED */ 1197b67cbc65SPeter Wemm int 11984c44ad8eSJohn Baldwin issetugid(register struct thread *td, struct issetugid_args *uap) 1199b67cbc65SPeter Wemm { 1200b40ce416SJulian Elischer struct proc *p = td->td_proc; 1201b40ce416SJulian Elischer 1202b67cbc65SPeter Wemm /* 1203b67cbc65SPeter Wemm * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1204b67cbc65SPeter Wemm * we use P_SUGID because we consider changing the owners as 1205b67cbc65SPeter Wemm * "tainting" as well. 1206b67cbc65SPeter Wemm * This is significant for procs that start as root and "become" 1207b67cbc65SPeter Wemm * a user without an exec - programs cannot know *everything* 1208b67cbc65SPeter Wemm * that libc *might* have put in their data segment. 1209b67cbc65SPeter Wemm */ 1210f591779bSSeigo Tanimura PROC_LOCK(p); 1211b40ce416SJulian Elischer td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1212f591779bSSeigo Tanimura PROC_UNLOCK(p); 1213b67cbc65SPeter Wemm return (0); 1214b67cbc65SPeter Wemm } 1215b67cbc65SPeter Wemm 1216130d0157SRobert Watson int 12174c44ad8eSJohn Baldwin __setugid(struct thread *td, struct __setugid_args *uap) 1218130d0157SRobert Watson { 1219130d0157SRobert Watson #ifdef REGRESSION 122007f3485dSJohn Baldwin struct proc *p; 1221835a82eeSMatthew Dillon 122207f3485dSJohn Baldwin p = td->td_proc; 1223130d0157SRobert Watson switch (uap->flag) { 1224130d0157SRobert Watson case 0: 122507f3485dSJohn Baldwin PROC_LOCK(p); 122607f3485dSJohn Baldwin p->p_flag &= ~P_SUGID; 122707f3485dSJohn Baldwin PROC_UNLOCK(p); 122807f3485dSJohn Baldwin return (0); 122907f3485dSJohn Baldwin case 1: 123007f3485dSJohn Baldwin PROC_LOCK(p); 123107f3485dSJohn Baldwin p->p_flag |= P_SUGID; 123207f3485dSJohn Baldwin PROC_UNLOCK(p); 123307f3485dSJohn Baldwin return (0); 123407f3485dSJohn Baldwin default: 123507f3485dSJohn Baldwin return (EINVAL); 123607f3485dSJohn Baldwin } 1237130d0157SRobert Watson #else /* !REGRESSION */ 1238eb725b4eSRobert Watson 1239130d0157SRobert Watson return (ENOSYS); 1240eb725b4eSRobert Watson #endif /* REGRESSION */ 1241130d0157SRobert Watson } 1242130d0157SRobert Watson 1243df8bae1dSRodney W. Grimes /* 1244df8bae1dSRodney W. Grimes * Check if gid is a member of the group set. 1245df8bae1dSRodney W. Grimes */ 124626f9a767SRodney W. Grimes int 12474c44ad8eSJohn Baldwin groupmember(gid_t gid, struct ucred *cred) 1248df8bae1dSRodney W. Grimes { 1249df8bae1dSRodney W. Grimes register gid_t *gp; 1250df8bae1dSRodney W. Grimes gid_t *egp; 1251df8bae1dSRodney W. Grimes 1252df8bae1dSRodney W. Grimes egp = &(cred->cr_groups[cred->cr_ngroups]); 1253df8bae1dSRodney W. Grimes for (gp = cred->cr_groups; gp < egp; gp++) 1254df8bae1dSRodney W. Grimes if (*gp == gid) 1255df8bae1dSRodney W. Grimes return (1); 1256df8bae1dSRodney W. Grimes return (0); 1257df8bae1dSRodney W. Grimes } 1258df8bae1dSRodney W. Grimes 12593b243b72SRobert Watson /* 1260eb725b4eSRobert Watson * Test the active securelevel against a given level. securelevel_gt() 1261eb725b4eSRobert Watson * implements (securelevel > level). securelevel_ge() implements 1262eb725b4eSRobert Watson * (securelevel >= level). Note that the logic is inverted -- these 1263eb725b4eSRobert Watson * functions return EPERM on "success" and 0 on "failure". 12643ca719f1SRobert Watson * 1265800c9408SRobert Watson * XXXRW: Possibly since this has to do with privilege, it should move to 1266800c9408SRobert Watson * kern_priv.c. 12673ca719f1SRobert Watson */ 12683ca719f1SRobert Watson int 12693ca719f1SRobert Watson securelevel_gt(struct ucred *cr, int level) 12703ca719f1SRobert Watson { 1271eb725b4eSRobert Watson int active_securelevel; 12723ca719f1SRobert Watson 1273eb725b4eSRobert Watson active_securelevel = securelevel; 127470499328SJohn Baldwin KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1275471135a3SRobert Watson if (cr->cr_prison != NULL) 1276eb725b4eSRobert Watson active_securelevel = imax(cr->cr_prison->pr_securelevel, 1277eb725b4eSRobert Watson active_securelevel); 1278eb725b4eSRobert Watson return (active_securelevel > level ? EPERM : 0); 12793ca719f1SRobert Watson } 12803ca719f1SRobert Watson 12813ca719f1SRobert Watson int 12823ca719f1SRobert Watson securelevel_ge(struct ucred *cr, int level) 12833ca719f1SRobert Watson { 1284eb725b4eSRobert Watson int active_securelevel; 12853ca719f1SRobert Watson 1286eb725b4eSRobert Watson active_securelevel = securelevel; 128770499328SJohn Baldwin KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1288471135a3SRobert Watson if (cr->cr_prison != NULL) 1289eb725b4eSRobert Watson active_securelevel = imax(cr->cr_prison->pr_securelevel, 1290eb725b4eSRobert Watson active_securelevel); 1291eb725b4eSRobert Watson return (active_securelevel >= level ? EPERM : 0); 12923ca719f1SRobert Watson } 12933ca719f1SRobert Watson 12948a7d8cc6SRobert Watson /* 1295e409590dSRobert Watson * 'see_other_uids' determines whether or not visibility of processes 1296eb725b4eSRobert Watson * and sockets with credentials holding different real uids is possible 129748713bdcSRobert Watson * using a variety of system MIBs. 1298eb725b4eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 12998a7d8cc6SRobert Watson */ 1300e409590dSRobert Watson static int see_other_uids = 1; 1301d0615c64SAndrew R. Reiter SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1302eb725b4eSRobert Watson &see_other_uids, 0, 13038a7d8cc6SRobert Watson "Unprivileged processes may see subjects/objects with different real uid"); 13048a7d8cc6SRobert Watson 13057fd6a959SRobert Watson /*- 13061b350b45SRobert Watson * Determine if u1 "can see" the subject specified by u2, according to the 13071b350b45SRobert Watson * 'see_other_uids' policy. 13081b350b45SRobert Watson * Returns: 0 for permitted, ESRCH otherwise 13091b350b45SRobert Watson * Locks: none 13101b350b45SRobert Watson * References: *u1 and *u2 must not change during the call 13111b350b45SRobert Watson * u1 may equal u2, in which case only one reference is required 13121b350b45SRobert Watson */ 13131b350b45SRobert Watson static int 13141b350b45SRobert Watson cr_seeotheruids(struct ucred *u1, struct ucred *u2) 13151b350b45SRobert Watson { 13161b350b45SRobert Watson 13171b350b45SRobert Watson if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 131832f9753cSRobert Watson if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 13191b350b45SRobert Watson return (ESRCH); 13201b350b45SRobert Watson } 13211b350b45SRobert Watson return (0); 13221b350b45SRobert Watson } 13231b350b45SRobert Watson 132464d19c2eSRobert Watson /* 132564d19c2eSRobert Watson * 'see_other_gids' determines whether or not visibility of processes 132664d19c2eSRobert Watson * and sockets with credentials holding different real gids is possible 132764d19c2eSRobert Watson * using a variety of system MIBs. 132864d19c2eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 132964d19c2eSRobert Watson */ 133064d19c2eSRobert Watson static int see_other_gids = 1; 133164d19c2eSRobert Watson SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 133264d19c2eSRobert Watson &see_other_gids, 0, 133364d19c2eSRobert Watson "Unprivileged processes may see subjects/objects with different real gid"); 133464d19c2eSRobert Watson 133564d19c2eSRobert Watson /* 133664d19c2eSRobert Watson * Determine if u1 can "see" the subject specified by u2, according to the 133764d19c2eSRobert Watson * 'see_other_gids' policy. 133864d19c2eSRobert Watson * Returns: 0 for permitted, ESRCH otherwise 133964d19c2eSRobert Watson * Locks: none 134064d19c2eSRobert Watson * References: *u1 and *u2 must not change during the call 134164d19c2eSRobert Watson * u1 may equal u2, in which case only one reference is required 134264d19c2eSRobert Watson */ 134364d19c2eSRobert Watson static int 134464d19c2eSRobert Watson cr_seeothergids(struct ucred *u1, struct ucred *u2) 134564d19c2eSRobert Watson { 134664d19c2eSRobert Watson int i, match; 134764d19c2eSRobert Watson 134864d19c2eSRobert Watson if (!see_other_gids) { 134964d19c2eSRobert Watson match = 0; 135064d19c2eSRobert Watson for (i = 0; i < u1->cr_ngroups; i++) { 135164d19c2eSRobert Watson if (groupmember(u1->cr_groups[i], u2)) 135264d19c2eSRobert Watson match = 1; 135364d19c2eSRobert Watson if (match) 135464d19c2eSRobert Watson break; 135564d19c2eSRobert Watson } 135664d19c2eSRobert Watson if (!match) { 135732f9753cSRobert Watson if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 135864d19c2eSRobert Watson return (ESRCH); 135964d19c2eSRobert Watson } 136064d19c2eSRobert Watson } 136164d19c2eSRobert Watson return (0); 136264d19c2eSRobert Watson } 136364d19c2eSRobert Watson 13641b350b45SRobert Watson /*- 13657fd6a959SRobert Watson * Determine if u1 "can see" the subject specified by u2. 1366ed639720SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1367ed639720SRobert Watson * Locks: none 1368eb725b4eSRobert Watson * References: *u1 and *u2 must not change during the call 1369ed639720SRobert Watson * u1 may equal u2, in which case only one reference is required 1370ed639720SRobert Watson */ 1371ed639720SRobert Watson int 137294088977SRobert Watson cr_cansee(struct ucred *u1, struct ucred *u2) 1373a9e0361bSPoul-Henning Kamp { 137491421ba2SRobert Watson int error; 1375a9e0361bSPoul-Henning Kamp 1376ed639720SRobert Watson if ((error = prison_check(u1, u2))) 137791421ba2SRobert Watson return (error); 13788a1d977dSRobert Watson #ifdef MAC 137930d239bcSRobert Watson if ((error = mac_cred_check_visible(u1, u2))) 13808a1d977dSRobert Watson return (error); 13818a1d977dSRobert Watson #endif 13821b350b45SRobert Watson if ((error = cr_seeotheruids(u1, u2))) 13831b350b45SRobert Watson return (error); 138464d19c2eSRobert Watson if ((error = cr_seeothergids(u1, u2))) 138564d19c2eSRobert Watson return (error); 1386387d2c03SRobert Watson return (0); 1387387d2c03SRobert Watson } 1388387d2c03SRobert Watson 13897fd6a959SRobert Watson /*- 1390f44d9e24SJohn Baldwin * Determine if td "can see" the subject specified by p. 13913b243b72SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1392f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1393f44d9e24SJohn Baldwin * should be curthread. 1394f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 13953b243b72SRobert Watson */ 1396a0f75161SRobert Watson int 1397f44d9e24SJohn Baldwin p_cansee(struct thread *td, struct proc *p) 1398ed639720SRobert Watson { 1399ed639720SRobert Watson 140094088977SRobert Watson /* Wrap cr_cansee() for all functionality. */ 1401f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1402f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1403f44d9e24SJohn Baldwin return (cr_cansee(td->td_ucred, p->p_ucred)); 1404ed639720SRobert Watson } 1405ed639720SRobert Watson 140662c45ef4SRobert Watson /* 140762c45ef4SRobert Watson * 'conservative_signals' prevents the delivery of a broad class of 140862c45ef4SRobert Watson * signals by unprivileged processes to processes that have changed their 140962c45ef4SRobert Watson * credentials since the last invocation of execve(). This can prevent 141062c45ef4SRobert Watson * the leakage of cached information or retained privileges as a result 141162c45ef4SRobert Watson * of a common class of signal-related vulnerabilities. However, this 141262c45ef4SRobert Watson * may interfere with some applications that expect to be able to 141362c45ef4SRobert Watson * deliver these signals to peer processes after having given up 141462c45ef4SRobert Watson * privilege. 141562c45ef4SRobert Watson */ 141662c45ef4SRobert Watson static int conservative_signals = 1; 141762c45ef4SRobert Watson SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 141862c45ef4SRobert Watson &conservative_signals, 0, "Unprivileged processes prevented from " 141962c45ef4SRobert Watson "sending certain signals to processes whose credentials have changed"); 14207fd6a959SRobert Watson /*- 1421c83f8015SRobert Watson * Determine whether cred may deliver the specified signal to proc. 1422c83f8015SRobert Watson * Returns: 0 for permitted, an errno value otherwise. 1423c83f8015SRobert Watson * Locks: A lock must be held for proc. 1424c83f8015SRobert Watson * References: cred and proc must be valid for the lifetime of the call. 14254c5eb9c3SRobert Watson */ 14264c5eb9c3SRobert Watson int 14271a88a252SMaxim Sobolev cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1428387d2c03SRobert Watson { 142991421ba2SRobert Watson int error; 1430387d2c03SRobert Watson 1431f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(proc, MA_OWNED); 14324c5eb9c3SRobert Watson /* 1433c83f8015SRobert Watson * Jail semantics limit the scope of signalling to proc in the 1434c83f8015SRobert Watson * same jail as cred, if cred is in jail. 14354c5eb9c3SRobert Watson */ 1436c83f8015SRobert Watson error = prison_check(cred, proc->p_ucred); 1437c83f8015SRobert Watson if (error) 143891421ba2SRobert Watson return (error); 14398a1d977dSRobert Watson #ifdef MAC 144030d239bcSRobert Watson if ((error = mac_proc_check_signal(cred, proc, signum))) 14418a1d977dSRobert Watson return (error); 14428a1d977dSRobert Watson #endif 144364d19c2eSRobert Watson if ((error = cr_seeotheruids(cred, proc->p_ucred))) 144464d19c2eSRobert Watson return (error); 144564d19c2eSRobert Watson if ((error = cr_seeothergids(cred, proc->p_ucred))) 14461b350b45SRobert Watson return (error); 1447387d2c03SRobert Watson 1448387d2c03SRobert Watson /* 14493b243b72SRobert Watson * UNIX signal semantics depend on the status of the P_SUGID 14503b243b72SRobert Watson * bit on the target process. If the bit is set, then additional 14513b243b72SRobert Watson * restrictions are placed on the set of available signals. 14524c5eb9c3SRobert Watson */ 14531a88a252SMaxim Sobolev if (conservative_signals && (proc->p_flag & P_SUGID)) { 14544c5eb9c3SRobert Watson switch (signum) { 14554c5eb9c3SRobert Watson case 0: 14564c5eb9c3SRobert Watson case SIGKILL: 14574c5eb9c3SRobert Watson case SIGINT: 14584c5eb9c3SRobert Watson case SIGTERM: 145962c45ef4SRobert Watson case SIGALRM: 14604c5eb9c3SRobert Watson case SIGSTOP: 14614c5eb9c3SRobert Watson case SIGTTIN: 14624c5eb9c3SRobert Watson case SIGTTOU: 14634c5eb9c3SRobert Watson case SIGTSTP: 14644c5eb9c3SRobert Watson case SIGHUP: 14654c5eb9c3SRobert Watson case SIGUSR1: 14664c5eb9c3SRobert Watson case SIGUSR2: 14677fd6a959SRobert Watson /* 14687fd6a959SRobert Watson * Generally, permit job and terminal control 14697fd6a959SRobert Watson * signals. 14707fd6a959SRobert Watson */ 14714c5eb9c3SRobert Watson break; 14724c5eb9c3SRobert Watson default: 1473c83f8015SRobert Watson /* Not permitted without privilege. */ 147432f9753cSRobert Watson error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 14754c5eb9c3SRobert Watson if (error) 14764c5eb9c3SRobert Watson return (error); 14774c5eb9c3SRobert Watson } 1478e9e7ff5bSRobert Watson } 1479e9e7ff5bSRobert Watson 14804c5eb9c3SRobert Watson /* 14813b243b72SRobert Watson * Generally, the target credential's ruid or svuid must match the 1482e9e7ff5bSRobert Watson * subject credential's ruid or euid. 14834c5eb9c3SRobert Watson */ 1484c83f8015SRobert Watson if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1485c83f8015SRobert Watson cred->cr_ruid != proc->p_ucred->cr_svuid && 1486c83f8015SRobert Watson cred->cr_uid != proc->p_ucred->cr_ruid && 1487c83f8015SRobert Watson cred->cr_uid != proc->p_ucred->cr_svuid) { 148832f9753cSRobert Watson error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 14894c5eb9c3SRobert Watson if (error) 14904c5eb9c3SRobert Watson return (error); 14914c5eb9c3SRobert Watson } 1492387d2c03SRobert Watson 1493387d2c03SRobert Watson return (0); 1494387d2c03SRobert Watson } 1495a9e0361bSPoul-Henning Kamp 1496c83f8015SRobert Watson /*- 1497f44d9e24SJohn Baldwin * Determine whether td may deliver the specified signal to p. 1498c83f8015SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1499f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1500f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must be 1501f44d9e24SJohn Baldwin * held for p. 1502f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 1503c83f8015SRobert Watson */ 1504c83f8015SRobert Watson int 15051a88a252SMaxim Sobolev p_cansignal(struct thread *td, struct proc *p, int signum) 1506c83f8015SRobert Watson { 1507c83f8015SRobert Watson 1508f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1509f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1510f44d9e24SJohn Baldwin if (td->td_proc == p) 1511c83f8015SRobert Watson return (0); 1512c83f8015SRobert Watson 1513c83f8015SRobert Watson /* 1514c83f8015SRobert Watson * UNIX signalling semantics require that processes in the same 1515c83f8015SRobert Watson * session always be able to deliver SIGCONT to one another, 1516c83f8015SRobert Watson * overriding the remaining protections. 1517c83f8015SRobert Watson */ 1518f44d9e24SJohn Baldwin /* XXX: This will require an additional lock of some sort. */ 1519f44d9e24SJohn Baldwin if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1520c83f8015SRobert Watson return (0); 15214b178336SMaxim Sobolev /* 1522f9cd63d4SMaxim Sobolev * Some compat layers use SIGTHR and higher signals for 1523f9cd63d4SMaxim Sobolev * communication between different kernel threads of the same 1524f9cd63d4SMaxim Sobolev * process, so that they expect that it's always possible to 1525f9cd63d4SMaxim Sobolev * deliver them, even for suid applications where cr_cansignal() can 15264b178336SMaxim Sobolev * deny such ability for security consideration. It should be 15274b178336SMaxim Sobolev * pretty safe to do since the only way to create two processes 15284b178336SMaxim Sobolev * with the same p_leader is via rfork(2). 15294b178336SMaxim Sobolev */ 15302322a0a7SMaxim Sobolev if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 15312322a0a7SMaxim Sobolev signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 15324b178336SMaxim Sobolev return (0); 1533c83f8015SRobert Watson 15341a88a252SMaxim Sobolev return (cr_cansignal(td->td_ucred, p, signum)); 1535c83f8015SRobert Watson } 1536c83f8015SRobert Watson 15377fd6a959SRobert Watson /*- 1538f44d9e24SJohn Baldwin * Determine whether td may reschedule p. 15397fd6a959SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1540f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1541f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must 1542f44d9e24SJohn Baldwin * be held for p. 1543f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 15443b243b72SRobert Watson */ 1545a0f75161SRobert Watson int 1546f44d9e24SJohn Baldwin p_cansched(struct thread *td, struct proc *p) 1547387d2c03SRobert Watson { 154891421ba2SRobert Watson int error; 1549387d2c03SRobert Watson 1550f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1551f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1552f44d9e24SJohn Baldwin if (td->td_proc == p) 1553387d2c03SRobert Watson return (0); 1554f44d9e24SJohn Baldwin if ((error = prison_check(td->td_ucred, p->p_ucred))) 155591421ba2SRobert Watson return (error); 15568a1d977dSRobert Watson #ifdef MAC 155730d239bcSRobert Watson if ((error = mac_proc_check_sched(td->td_ucred, p))) 15588a1d977dSRobert Watson return (error); 15598a1d977dSRobert Watson #endif 1560f44d9e24SJohn Baldwin if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 15611b350b45SRobert Watson return (error); 156264d19c2eSRobert Watson if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 156364d19c2eSRobert Watson return (error); 1564800c9408SRobert Watson if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1565800c9408SRobert Watson td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 156632f9753cSRobert Watson error = priv_check(td, PRIV_SCHED_DIFFCRED); 1567800c9408SRobert Watson if (error) 1568800c9408SRobert Watson return (error); 1569800c9408SRobert Watson } 1570387d2c03SRobert Watson return (0); 1571387d2c03SRobert Watson } 1572387d2c03SRobert Watson 15733b243b72SRobert Watson /* 15745d476e73SRobert Watson * The 'unprivileged_proc_debug' flag may be used to disable a variety of 15755d476e73SRobert Watson * unprivileged inter-process debugging services, including some procfs 15765d476e73SRobert Watson * functionality, ptrace(), and ktrace(). In the past, inter-process 15775d476e73SRobert Watson * debugging has been involved in a variety of security problems, and sites 15785d476e73SRobert Watson * not requiring the service might choose to disable it when hardening 15795d476e73SRobert Watson * systems. 15803b243b72SRobert Watson * 15813b243b72SRobert Watson * XXX: Should modifying and reading this variable require locking? 1582eb725b4eSRobert Watson * XXX: data declarations should be together near the beginning of the file. 15833b243b72SRobert Watson */ 1584e409590dSRobert Watson static int unprivileged_proc_debug = 1; 1585d0615c64SAndrew R. Reiter SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1586eb725b4eSRobert Watson &unprivileged_proc_debug, 0, 15870ef5652eSRobert Watson "Unprivileged processes may use process debugging facilities"); 15880ef5652eSRobert Watson 15897fd6a959SRobert Watson /*- 1590f44d9e24SJohn Baldwin * Determine whether td may debug p. 15917fd6a959SRobert Watson * Returns: 0 for permitted, an errno value otherwise 1592f44d9e24SJohn Baldwin * Locks: Sufficient locks to protect various components of td and p 1593f44d9e24SJohn Baldwin * must be held. td must be curthread, and a lock must 1594f44d9e24SJohn Baldwin * be held for p. 1595f44d9e24SJohn Baldwin * References: td and p must be valid for the lifetime of the call 15963b243b72SRobert Watson */ 1597a0f75161SRobert Watson int 1598f44d9e24SJohn Baldwin p_candebug(struct thread *td, struct proc *p) 1599387d2c03SRobert Watson { 1600eb725b4eSRobert Watson int credentialchanged, error, grpsubset, i, uidsubset; 1601387d2c03SRobert Watson 1602f44d9e24SJohn Baldwin KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1603f44d9e24SJohn Baldwin PROC_LOCK_ASSERT(p, MA_OWNED); 1604e409590dSRobert Watson if (!unprivileged_proc_debug) { 160532f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_UNPRIV); 160632d18604SRobert Watson if (error) 160732d18604SRobert Watson return (error); 160832d18604SRobert Watson } 1609f44d9e24SJohn Baldwin if (td->td_proc == p) 161023fad5b6SDag-Erling Smørgrav return (0); 1611f44d9e24SJohn Baldwin if ((error = prison_check(td->td_ucred, p->p_ucred))) 161291421ba2SRobert Watson return (error); 16138a1d977dSRobert Watson #ifdef MAC 161430d239bcSRobert Watson if ((error = mac_proc_check_debug(td->td_ucred, p))) 16158a1d977dSRobert Watson return (error); 16168a1d977dSRobert Watson #endif 1617f44d9e24SJohn Baldwin if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 16181b350b45SRobert Watson return (error); 161964d19c2eSRobert Watson if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 162064d19c2eSRobert Watson return (error); 1621387d2c03SRobert Watson 16227fd6a959SRobert Watson /* 1623f44d9e24SJohn Baldwin * Is p's group set a subset of td's effective group set? This 1624f44d9e24SJohn Baldwin * includes p's egid, group access list, rgid, and svgid. 16257fd6a959SRobert Watson */ 1626db42a33dSRobert Watson grpsubset = 1; 1627f44d9e24SJohn Baldwin for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1628f44d9e24SJohn Baldwin if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1629db42a33dSRobert Watson grpsubset = 0; 1630db42a33dSRobert Watson break; 1631db42a33dSRobert Watson } 1632db42a33dSRobert Watson } 1633db42a33dSRobert Watson grpsubset = grpsubset && 1634f44d9e24SJohn Baldwin groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1635f44d9e24SJohn Baldwin groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1636db42a33dSRobert Watson 1637db42a33dSRobert Watson /* 1638f44d9e24SJohn Baldwin * Are the uids present in p's credential equal to td's 1639f44d9e24SJohn Baldwin * effective uid? This includes p's euid, svuid, and ruid. 1640db42a33dSRobert Watson */ 1641f44d9e24SJohn Baldwin uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1642f44d9e24SJohn Baldwin td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1643f44d9e24SJohn Baldwin td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1644db42a33dSRobert Watson 1645db42a33dSRobert Watson /* 1646db42a33dSRobert Watson * Has the credential of the process changed since the last exec()? 1647db42a33dSRobert Watson */ 1648f44d9e24SJohn Baldwin credentialchanged = (p->p_flag & P_SUGID); 1649db42a33dSRobert Watson 1650db42a33dSRobert Watson /* 1651f44d9e24SJohn Baldwin * If p's gids aren't a subset, or the uids aren't a subset, 1652db42a33dSRobert Watson * or the credential has changed, require appropriate privilege 1653800c9408SRobert Watson * for td to debug p. 1654db42a33dSRobert Watson */ 1655800c9408SRobert Watson if (!grpsubset || !uidsubset) { 165632f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1657800c9408SRobert Watson if (error) 1658800c9408SRobert Watson return (error); 1659800c9408SRobert Watson } 1660800c9408SRobert Watson 1661800c9408SRobert Watson if (credentialchanged) { 166232f9753cSRobert Watson error = priv_check(td, PRIV_DEBUG_SUGID); 166332d18604SRobert Watson if (error) 1664387d2c03SRobert Watson return (error); 16657fd6a959SRobert Watson } 1666387d2c03SRobert Watson 1667eb725b4eSRobert Watson /* Can't trace init when securelevel > 0. */ 1668f44d9e24SJohn Baldwin if (p == initproc) { 1669f44d9e24SJohn Baldwin error = securelevel_gt(td->td_ucred, 0); 16703ca719f1SRobert Watson if (error) 16713ca719f1SRobert Watson return (error); 16723ca719f1SRobert Watson } 1673387d2c03SRobert Watson 16745fab7614SRobert Watson /* 16755fab7614SRobert Watson * Can't trace a process that's currently exec'ing. 1676800c9408SRobert Watson * 16775fab7614SRobert Watson * XXX: Note, this is not a security policy decision, it's a 16785fab7614SRobert Watson * basic correctness/functionality decision. Therefore, this check 16795fab7614SRobert Watson * should be moved to the caller's of p_candebug(). 16805fab7614SRobert Watson */ 1681f44d9e24SJohn Baldwin if ((p->p_flag & P_INEXEC) != 0) 16829ca45e81SDag-Erling Smørgrav return (EAGAIN); 16839ca45e81SDag-Erling Smørgrav 1684387d2c03SRobert Watson return (0); 1685387d2c03SRobert Watson } 1686387d2c03SRobert Watson 168729dc1288SRobert Watson /*- 168829dc1288SRobert Watson * Determine whether the subject represented by cred can "see" a socket. 168929dc1288SRobert Watson * Returns: 0 for permitted, ENOENT otherwise. 169029dc1288SRobert Watson */ 169129dc1288SRobert Watson int 169229dc1288SRobert Watson cr_canseesocket(struct ucred *cred, struct socket *so) 169329dc1288SRobert Watson { 169429dc1288SRobert Watson int error; 169529dc1288SRobert Watson 169629dc1288SRobert Watson error = prison_check(cred, so->so_cred); 169729dc1288SRobert Watson if (error) 169829dc1288SRobert Watson return (ENOENT); 16998a1d977dSRobert Watson #ifdef MAC 1700310e7cebSRobert Watson SOCK_LOCK(so); 170130d239bcSRobert Watson error = mac_socket_check_visible(cred, so); 1702310e7cebSRobert Watson SOCK_UNLOCK(so); 17038a1d977dSRobert Watson if (error) 17048a1d977dSRobert Watson return (error); 17058a1d977dSRobert Watson #endif 170629dc1288SRobert Watson if (cr_seeotheruids(cred, so->so_cred)) 170729dc1288SRobert Watson return (ENOENT); 170864d19c2eSRobert Watson if (cr_seeothergids(cred, so->so_cred)) 170964d19c2eSRobert Watson return (ENOENT); 171029dc1288SRobert Watson 171129dc1288SRobert Watson return (0); 171229dc1288SRobert Watson } 171329dc1288SRobert Watson 1714f08ef6c5SBjoern A. Zeeb #if defined(INET) || defined(INET6) 1715f08ef6c5SBjoern A. Zeeb /*- 1716f08ef6c5SBjoern A. Zeeb * Determine whether the subject represented by cred can "see" a socket. 1717f08ef6c5SBjoern A. Zeeb * Returns: 0 for permitted, ENOENT otherwise. 1718f08ef6c5SBjoern A. Zeeb */ 1719f08ef6c5SBjoern A. Zeeb int 1720f08ef6c5SBjoern A. Zeeb cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1721f08ef6c5SBjoern A. Zeeb { 1722f08ef6c5SBjoern A. Zeeb int error; 1723f08ef6c5SBjoern A. Zeeb 1724f08ef6c5SBjoern A. Zeeb error = prison_check(cred, inp->inp_cred); 1725f08ef6c5SBjoern A. Zeeb if (error) 1726f08ef6c5SBjoern A. Zeeb return (ENOENT); 1727f08ef6c5SBjoern A. Zeeb #ifdef MAC 1728f08ef6c5SBjoern A. Zeeb INP_LOCK_ASSERT(inp); 1729f08ef6c5SBjoern A. Zeeb error = mac_inpcb_check_visible(cred, inp); 1730f08ef6c5SBjoern A. Zeeb if (error) 1731f08ef6c5SBjoern A. Zeeb return (error); 1732f08ef6c5SBjoern A. Zeeb #endif 1733f08ef6c5SBjoern A. Zeeb if (cr_seeotheruids(cred, inp->inp_cred)) 1734f08ef6c5SBjoern A. Zeeb return (ENOENT); 1735f08ef6c5SBjoern A. Zeeb if (cr_seeothergids(cred, inp->inp_cred)) 1736f08ef6c5SBjoern A. Zeeb return (ENOENT); 1737f08ef6c5SBjoern A. Zeeb 1738f08ef6c5SBjoern A. Zeeb return (0); 1739f08ef6c5SBjoern A. Zeeb } 1740f08ef6c5SBjoern A. Zeeb #endif 1741f08ef6c5SBjoern A. Zeeb 1742babe9a2bSRobert Watson /*- 1743babe9a2bSRobert Watson * Determine whether td can wait for the exit of p. 1744babe9a2bSRobert Watson * Returns: 0 for permitted, an errno value otherwise 1745babe9a2bSRobert Watson * Locks: Sufficient locks to protect various components of td and p 1746babe9a2bSRobert Watson * must be held. td must be curthread, and a lock must 1747babe9a2bSRobert Watson * be held for p. 1748babe9a2bSRobert Watson * References: td and p must be valid for the lifetime of the call 1749babe9a2bSRobert Watson 1750babe9a2bSRobert Watson */ 1751babe9a2bSRobert Watson int 1752babe9a2bSRobert Watson p_canwait(struct thread *td, struct proc *p) 1753babe9a2bSRobert Watson { 1754babe9a2bSRobert Watson int error; 1755babe9a2bSRobert Watson 1756babe9a2bSRobert Watson KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1757babe9a2bSRobert Watson PROC_LOCK_ASSERT(p, MA_OWNED); 1758babe9a2bSRobert Watson if ((error = prison_check(td->td_ucred, p->p_ucred))) 1759babe9a2bSRobert Watson return (error); 1760babe9a2bSRobert Watson #ifdef MAC 176130d239bcSRobert Watson if ((error = mac_proc_check_wait(td->td_ucred, p))) 1762babe9a2bSRobert Watson return (error); 1763babe9a2bSRobert Watson #endif 1764babe9a2bSRobert Watson #if 0 1765babe9a2bSRobert Watson /* XXXMAC: This could have odd effects on some shells. */ 1766babe9a2bSRobert Watson if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1767babe9a2bSRobert Watson return (error); 1768babe9a2bSRobert Watson #endif 1769babe9a2bSRobert Watson 1770babe9a2bSRobert Watson return (0); 1771babe9a2bSRobert Watson } 1772babe9a2bSRobert Watson 1773a9e0361bSPoul-Henning Kamp /* 1774df8bae1dSRodney W. Grimes * Allocate a zeroed cred structure. 1775df8bae1dSRodney W. Grimes */ 1776df8bae1dSRodney W. Grimes struct ucred * 17774c44ad8eSJohn Baldwin crget(void) 1778df8bae1dSRodney W. Grimes { 1779df8bae1dSRodney W. Grimes register struct ucred *cr; 1780df8bae1dSRodney W. Grimes 1781a163d034SWarner Losh MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 17827e9e371fSJohn Baldwin refcount_init(&cr->cr_ref, 1); 1783faef5371SRobert Watson #ifdef AUDIT 1784faef5371SRobert Watson audit_cred_init(cr); 1785faef5371SRobert Watson #endif 178640244964SRobert Watson #ifdef MAC 178730d239bcSRobert Watson mac_cred_init(cr); 178840244964SRobert Watson #endif 1789df8bae1dSRodney W. Grimes return (cr); 1790df8bae1dSRodney W. Grimes } 1791df8bae1dSRodney W. Grimes 1792df8bae1dSRodney W. Grimes /* 17937fd6a959SRobert Watson * Claim another reference to a ucred structure. 17945c3f70d7SAlfred Perlstein */ 1795bd78ceceSJohn Baldwin struct ucred * 17964c44ad8eSJohn Baldwin crhold(struct ucred *cr) 17975c3f70d7SAlfred Perlstein { 17985c3f70d7SAlfred Perlstein 17997e9e371fSJohn Baldwin refcount_acquire(&cr->cr_ref); 1800bd78ceceSJohn Baldwin return (cr); 18015c3f70d7SAlfred Perlstein } 18025c3f70d7SAlfred Perlstein 18035c3f70d7SAlfred Perlstein /* 18040c14ff0eSRobert Watson * Free a cred structure. Throws away space when ref count gets to 0. 1805df8bae1dSRodney W. Grimes */ 180626f9a767SRodney W. Grimes void 18074c44ad8eSJohn Baldwin crfree(struct ucred *cr) 1808df8bae1dSRodney W. Grimes { 18091e5d626aSAlfred Perlstein 1810e04670b7SAlfred Perlstein KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 18117e9e371fSJohn Baldwin KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 18127e9e371fSJohn Baldwin if (refcount_release(&cr->cr_ref)) { 1813f535380cSDon Lewis /* 1814f535380cSDon Lewis * Some callers of crget(), such as nfs_statfs(), 1815f535380cSDon Lewis * allocate a temporary credential, but don't 1816f535380cSDon Lewis * allocate a uidinfo structure. 1817f535380cSDon Lewis */ 1818f535380cSDon Lewis if (cr->cr_uidinfo != NULL) 1819f535380cSDon Lewis uifree(cr->cr_uidinfo); 1820823c224eSRobert Watson if (cr->cr_ruidinfo != NULL) 1821823c224eSRobert Watson uifree(cr->cr_ruidinfo); 182291421ba2SRobert Watson /* 182391421ba2SRobert Watson * Free a prison, if any. 182491421ba2SRobert Watson */ 182591421ba2SRobert Watson if (jailed(cr)) 182691421ba2SRobert Watson prison_free(cr->cr_prison); 1827faef5371SRobert Watson #ifdef AUDIT 1828faef5371SRobert Watson audit_cred_destroy(cr); 1829faef5371SRobert Watson #endif 183040244964SRobert Watson #ifdef MAC 183130d239bcSRobert Watson mac_cred_destroy(cr); 183240244964SRobert Watson #endif 18337f05b035SAlfred Perlstein FREE(cr, M_CRED); 1834e1bca29fSMatthew Dillon } 1835df8bae1dSRodney W. Grimes } 1836df8bae1dSRodney W. Grimes 1837df8bae1dSRodney W. Grimes /* 1838bd78ceceSJohn Baldwin * Check to see if this ucred is shared. 1839df8bae1dSRodney W. Grimes */ 1840bd78ceceSJohn Baldwin int 18414c44ad8eSJohn Baldwin crshared(struct ucred *cr) 1842df8bae1dSRodney W. Grimes { 1843df8bae1dSRodney W. Grimes 18447e9e371fSJohn Baldwin return (cr->cr_ref > 1); 18451e5d626aSAlfred Perlstein } 1846bd78ceceSJohn Baldwin 1847bd78ceceSJohn Baldwin /* 1848bd78ceceSJohn Baldwin * Copy a ucred's contents from a template. Does not block. 1849bd78ceceSJohn Baldwin */ 1850bd78ceceSJohn Baldwin void 18514c44ad8eSJohn Baldwin crcopy(struct ucred *dest, struct ucred *src) 1852bd78ceceSJohn Baldwin { 1853bd78ceceSJohn Baldwin 1854bd78ceceSJohn Baldwin KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1855bd78ceceSJohn Baldwin bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1856bd78ceceSJohn Baldwin (unsigned)((caddr_t)&src->cr_endcopy - 1857bd78ceceSJohn Baldwin (caddr_t)&src->cr_startcopy)); 1858bd78ceceSJohn Baldwin uihold(dest->cr_uidinfo); 1859bd78ceceSJohn Baldwin uihold(dest->cr_ruidinfo); 1860bd78ceceSJohn Baldwin if (jailed(dest)) 1861bd78ceceSJohn Baldwin prison_hold(dest->cr_prison); 1862faef5371SRobert Watson #ifdef AUDIT 1863faef5371SRobert Watson audit_cred_copy(src, dest); 1864faef5371SRobert Watson #endif 186540244964SRobert Watson #ifdef MAC 186630d239bcSRobert Watson mac_cred_copy(src, dest); 186740244964SRobert Watson #endif 1868df8bae1dSRodney W. Grimes } 1869df8bae1dSRodney W. Grimes 1870df8bae1dSRodney W. Grimes /* 1871df8bae1dSRodney W. Grimes * Dup cred struct to a new held one. 1872df8bae1dSRodney W. Grimes */ 1873df8bae1dSRodney W. Grimes struct ucred * 18744c44ad8eSJohn Baldwin crdup(struct ucred *cr) 1875df8bae1dSRodney W. Grimes { 1876df8bae1dSRodney W. Grimes struct ucred *newcr; 1877df8bae1dSRodney W. Grimes 1878bd78ceceSJohn Baldwin newcr = crget(); 1879bd78ceceSJohn Baldwin crcopy(newcr, cr); 1880df8bae1dSRodney W. Grimes return (newcr); 1881df8bae1dSRodney W. Grimes } 1882df8bae1dSRodney W. Grimes 1883df8bae1dSRodney W. Grimes /* 188476183f34SDima Dorfman * Fill in a struct xucred based on a struct ucred. 188576183f34SDima Dorfman */ 188676183f34SDima Dorfman void 18874c44ad8eSJohn Baldwin cru2x(struct ucred *cr, struct xucred *xcr) 188876183f34SDima Dorfman { 188976183f34SDima Dorfman 189076183f34SDima Dorfman bzero(xcr, sizeof(*xcr)); 189176183f34SDima Dorfman xcr->cr_version = XUCRED_VERSION; 189276183f34SDima Dorfman xcr->cr_uid = cr->cr_uid; 189376183f34SDima Dorfman xcr->cr_ngroups = cr->cr_ngroups; 189476183f34SDima Dorfman bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 189576183f34SDima Dorfman } 189676183f34SDima Dorfman 189776183f34SDima Dorfman /* 18980c14ff0eSRobert Watson * small routine to swap a thread's current ucred for the correct one taken 18990c14ff0eSRobert Watson * from the process. 19002eb927e2SJulian Elischer */ 19012eb927e2SJulian Elischer void 19022eb927e2SJulian Elischer cred_update_thread(struct thread *td) 19032eb927e2SJulian Elischer { 19042eb927e2SJulian Elischer struct proc *p; 190565e3406dSJohn Baldwin struct ucred *cred; 19062eb927e2SJulian Elischer 19072eb927e2SJulian Elischer p = td->td_proc; 190865e3406dSJohn Baldwin cred = td->td_ucred; 19092eb927e2SJulian Elischer PROC_LOCK(p); 19102eb927e2SJulian Elischer td->td_ucred = crhold(p->p_ucred); 19112eb927e2SJulian Elischer PROC_UNLOCK(p); 191265e3406dSJohn Baldwin if (cred != NULL) 191365e3406dSJohn Baldwin crfree(cred); 19142eb927e2SJulian Elischer } 19152eb927e2SJulian Elischer 19162eb927e2SJulian Elischer /* 1917df8bae1dSRodney W. Grimes * Get login name, if available. 1918df8bae1dSRodney W. Grimes */ 1919d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 1920df8bae1dSRodney W. Grimes struct getlogin_args { 1921df8bae1dSRodney W. Grimes char *namebuf; 1922df8bae1dSRodney W. Grimes u_int namelen; 1923df8bae1dSRodney W. Grimes }; 1924d2d3e875SBruce Evans #endif 1925df8bae1dSRodney W. Grimes /* ARGSUSED */ 192626f9a767SRodney W. Grimes int 19274c44ad8eSJohn Baldwin getlogin(struct thread *td, struct getlogin_args *uap) 1928df8bae1dSRodney W. Grimes { 1929835a82eeSMatthew Dillon int error; 1930f591779bSSeigo Tanimura char login[MAXLOGNAME]; 1931b40ce416SJulian Elischer struct proc *p = td->td_proc; 1932df8bae1dSRodney W. Grimes 193330cf3ac4SAndrey A. Chernov if (uap->namelen > MAXLOGNAME) 193453490b76SAndrey A. Chernov uap->namelen = MAXLOGNAME; 1935f591779bSSeigo Tanimura PROC_LOCK(p); 1936f591779bSSeigo Tanimura SESS_LOCK(p->p_session); 1937f591779bSSeigo Tanimura bcopy(p->p_session->s_login, login, uap->namelen); 1938f591779bSSeigo Tanimura SESS_UNLOCK(p->p_session); 1939f591779bSSeigo Tanimura PROC_UNLOCK(p); 19407f05b035SAlfred Perlstein error = copyout(login, uap->namebuf, uap->namelen); 1941835a82eeSMatthew Dillon return(error); 1942df8bae1dSRodney W. Grimes } 1943df8bae1dSRodney W. Grimes 1944df8bae1dSRodney W. Grimes /* 1945df8bae1dSRodney W. Grimes * Set login name. 1946df8bae1dSRodney W. Grimes */ 1947d2d3e875SBruce Evans #ifndef _SYS_SYSPROTO_H_ 1948df8bae1dSRodney W. Grimes struct setlogin_args { 1949df8bae1dSRodney W. Grimes char *namebuf; 1950df8bae1dSRodney W. Grimes }; 1951d2d3e875SBruce Evans #endif 1952df8bae1dSRodney W. Grimes /* ARGSUSED */ 195326f9a767SRodney W. Grimes int 19544c44ad8eSJohn Baldwin setlogin(struct thread *td, struct setlogin_args *uap) 1955df8bae1dSRodney W. Grimes { 1956b40ce416SJulian Elischer struct proc *p = td->td_proc; 1957df8bae1dSRodney W. Grimes int error; 1958964ca0caSAndrey A. Chernov char logintmp[MAXLOGNAME]; 1959df8bae1dSRodney W. Grimes 196032f9753cSRobert Watson error = priv_check(td, PRIV_PROC_SETLOGIN); 196107f3485dSJohn Baldwin if (error) 196207f3485dSJohn Baldwin return (error); 19637f05b035SAlfred Perlstein error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 1964eb725b4eSRobert Watson if (error == ENAMETOOLONG) 1965df8bae1dSRodney W. Grimes error = EINVAL; 1966f591779bSSeigo Tanimura else if (!error) { 1967f591779bSSeigo Tanimura PROC_LOCK(p); 1968f591779bSSeigo Tanimura SESS_LOCK(p->p_session); 1969f591779bSSeigo Tanimura (void) memcpy(p->p_session->s_login, logintmp, 1970964ca0caSAndrey A. Chernov sizeof(logintmp)); 1971f591779bSSeigo Tanimura SESS_UNLOCK(p->p_session); 1972f591779bSSeigo Tanimura PROC_UNLOCK(p); 1973f591779bSSeigo Tanimura } 1974df8bae1dSRodney W. Grimes return (error); 1975df8bae1dSRodney W. Grimes } 1976d5f81602SSean Eric Fagan 1977d5f81602SSean Eric Fagan void 19784c44ad8eSJohn Baldwin setsugid(struct proc *p) 1979d5f81602SSean Eric Fagan { 1980f2102dadSAlfred Perlstein 1981f2102dadSAlfred Perlstein PROC_LOCK_ASSERT(p, MA_OWNED); 1982d5f81602SSean Eric Fagan p->p_flag |= P_SUGID; 198389361835SSean Eric Fagan if (!(p->p_pfsflags & PF_ISUGID)) 1984d5f81602SSean Eric Fagan p->p_stops = 0; 1985d5f81602SSean Eric Fagan } 1986f535380cSDon Lewis 19877fd6a959SRobert Watson /*- 19887fd6a959SRobert Watson * Change a process's effective uid. 1989b1fc0ec1SRobert Watson * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1990b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 1991b1fc0ec1SRobert Watson * duration of the call. 1992f535380cSDon Lewis */ 1993f535380cSDon Lewis void 19941419eacbSAlfred Perlstein change_euid(struct ucred *newcred, struct uidinfo *euip) 1995f535380cSDon Lewis { 1996f535380cSDon Lewis 19971419eacbSAlfred Perlstein newcred->cr_uid = euip->ui_uid; 19981419eacbSAlfred Perlstein uihold(euip); 1999b1fc0ec1SRobert Watson uifree(newcred->cr_uidinfo); 20001419eacbSAlfred Perlstein newcred->cr_uidinfo = euip; 2001f535380cSDon Lewis } 2002f535380cSDon Lewis 20037fd6a959SRobert Watson /*- 20047fd6a959SRobert Watson * Change a process's effective gid. 2005b1fc0ec1SRobert Watson * Side effects: newcred->cr_gid will be modified. 2006b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2007b1fc0ec1SRobert Watson * duration of the call. 2008f535380cSDon Lewis */ 2009810bfc8eSAndrew Gallatin void 20104c44ad8eSJohn Baldwin change_egid(struct ucred *newcred, gid_t egid) 2011b1fc0ec1SRobert Watson { 2012b1fc0ec1SRobert Watson 2013b1fc0ec1SRobert Watson newcred->cr_groups[0] = egid; 2014b1fc0ec1SRobert Watson } 2015b1fc0ec1SRobert Watson 20167fd6a959SRobert Watson /*- 20177fd6a959SRobert Watson * Change a process's real uid. 2018b1fc0ec1SRobert Watson * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2019b1fc0ec1SRobert Watson * will be updated, and the old and new cr_ruidinfo proc 2020b1fc0ec1SRobert Watson * counts will be updated. 2021b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2022b1fc0ec1SRobert Watson * duration of the call. 2023b1fc0ec1SRobert Watson */ 2024b1fc0ec1SRobert Watson void 20251419eacbSAlfred Perlstein change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2026f535380cSDon Lewis { 2027f535380cSDon Lewis 2028b1fc0ec1SRobert Watson (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 20291419eacbSAlfred Perlstein newcred->cr_ruid = ruip->ui_uid; 20301419eacbSAlfred Perlstein uihold(ruip); 2031b1fc0ec1SRobert Watson uifree(newcred->cr_ruidinfo); 20321419eacbSAlfred Perlstein newcred->cr_ruidinfo = ruip; 2033b1fc0ec1SRobert Watson (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2034b1fc0ec1SRobert Watson } 2035b1fc0ec1SRobert Watson 20367fd6a959SRobert Watson /*- 20377fd6a959SRobert Watson * Change a process's real gid. 2038b1fc0ec1SRobert Watson * Side effects: newcred->cr_rgid will be updated. 2039b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2040b1fc0ec1SRobert Watson * duration of the call. 2041b1fc0ec1SRobert Watson */ 2042b1fc0ec1SRobert Watson void 20434c44ad8eSJohn Baldwin change_rgid(struct ucred *newcred, gid_t rgid) 2044b1fc0ec1SRobert Watson { 2045b1fc0ec1SRobert Watson 2046b1fc0ec1SRobert Watson newcred->cr_rgid = rgid; 2047b1fc0ec1SRobert Watson } 2048b1fc0ec1SRobert Watson 20497fd6a959SRobert Watson /*- 20507fd6a959SRobert Watson * Change a process's saved uid. 2051b1fc0ec1SRobert Watson * Side effects: newcred->cr_svuid will be updated. 2052b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2053b1fc0ec1SRobert Watson * duration of the call. 2054b1fc0ec1SRobert Watson */ 2055b1fc0ec1SRobert Watson void 20564c44ad8eSJohn Baldwin change_svuid(struct ucred *newcred, uid_t svuid) 2057b1fc0ec1SRobert Watson { 2058b1fc0ec1SRobert Watson 2059b1fc0ec1SRobert Watson newcred->cr_svuid = svuid; 2060b1fc0ec1SRobert Watson } 2061b1fc0ec1SRobert Watson 20627fd6a959SRobert Watson /*- 20637fd6a959SRobert Watson * Change a process's saved gid. 2064b1fc0ec1SRobert Watson * Side effects: newcred->cr_svgid will be updated. 2065b1fc0ec1SRobert Watson * References: newcred must be an exclusive credential reference for the 2066b1fc0ec1SRobert Watson * duration of the call. 2067b1fc0ec1SRobert Watson */ 2068b1fc0ec1SRobert Watson void 20694c44ad8eSJohn Baldwin change_svgid(struct ucred *newcred, gid_t svgid) 2070b1fc0ec1SRobert Watson { 2071b1fc0ec1SRobert Watson 2072b1fc0ec1SRobert Watson newcred->cr_svgid = svgid; 2073f535380cSDon Lewis } 2074