1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * Copyright (c) 2000, 2001 Robert N. M. Watson. All rights reserved. 5 * (c) UNIX System Laboratories, Inc. 6 * All or some portions of this file are derived from material licensed 7 * to the University of California by American Telephone and Telegraph 8 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 9 * the permission of UNIX System Laboratories, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD$ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 #include "opt_global.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/acct.h> 53 #include <sys/kernel.h> 54 #include <sys/lock.h> 55 #include <sys/mutex.h> 56 #include <sys/proc.h> 57 #include <sys/sysproto.h> 58 #include <sys/malloc.h> 59 #include <sys/pioctl.h> 60 #include <sys/resourcevar.h> 61 #include <sys/sysctl.h> 62 #include <sys/jail.h> 63 64 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 65 66 SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 67 "Kernel security policy"); 68 69 #ifndef _SYS_SYSPROTO_H_ 70 struct getpid_args { 71 int dummy; 72 }; 73 #endif 74 75 /* 76 * getpid 77 */ 78 79 /* 80 * MPSAFE 81 */ 82 /* ARGSUSED */ 83 int 84 getpid(p, uap) 85 struct proc *p; 86 struct getpid_args *uap; 87 { 88 89 mtx_lock(&Giant); 90 p->p_retval[0] = p->p_pid; 91 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 92 PROC_LOCK(p); 93 p->p_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95 #endif 96 mtx_unlock(&Giant); 97 return (0); 98 } 99 100 /* 101 * getppid 102 */ 103 104 #ifndef _SYS_SYSPROTO_H_ 105 struct getppid_args { 106 int dummy; 107 }; 108 #endif 109 /* 110 * MPSAFE 111 */ 112 /* ARGSUSED */ 113 int 114 getppid(p, uap) 115 struct proc *p; 116 struct getppid_args *uap; 117 { 118 119 mtx_lock(&Giant); 120 PROC_LOCK(p); 121 p->p_retval[0] = p->p_pptr->p_pid; 122 PROC_UNLOCK(p); 123 mtx_unlock(&Giant); 124 return (0); 125 } 126 127 /* 128 * Get process group ID; note that POSIX getpgrp takes no parameter 129 * 130 * MP SAFE 131 */ 132 #ifndef _SYS_SYSPROTO_H_ 133 struct getpgrp_args { 134 int dummy; 135 }; 136 #endif 137 /* 138 * MPSAFE 139 */ 140 int 141 getpgrp(p, uap) 142 struct proc *p; 143 struct getpgrp_args *uap; 144 { 145 146 mtx_lock(&Giant); 147 p->p_retval[0] = p->p_pgrp->pg_id; 148 mtx_unlock(&Giant); 149 return (0); 150 } 151 152 /* Get an arbitary pid's process group id */ 153 #ifndef _SYS_SYSPROTO_H_ 154 struct getpgid_args { 155 pid_t pid; 156 }; 157 #endif 158 159 /* 160 * MPSAFE 161 */ 162 int 163 getpgid(p, uap) 164 struct proc *p; 165 struct getpgid_args *uap; 166 { 167 struct proc *pt; 168 int error = 0; 169 170 mtx_lock(&Giant); 171 if (uap->pid == 0) 172 p->p_retval[0] = p->p_pgrp->pg_id; 173 else { 174 if ((pt = pfind(uap->pid)) == NULL) { 175 error = ESRCH; 176 goto done2; 177 } 178 if ((error = p_cansee(p, pt))) { 179 PROC_UNLOCK(pt); 180 goto done2; 181 } 182 p->p_retval[0] = pt->p_pgrp->pg_id; 183 PROC_UNLOCK(pt); 184 } 185 done2: 186 mtx_unlock(&Giant); 187 return (error); 188 } 189 190 /* 191 * Get an arbitary pid's session id. 192 */ 193 #ifndef _SYS_SYSPROTO_H_ 194 struct getsid_args { 195 pid_t pid; 196 }; 197 #endif 198 199 /* 200 * MPSAFE 201 */ 202 int 203 getsid(p, uap) 204 struct proc *p; 205 struct getsid_args *uap; 206 { 207 struct proc *pt; 208 int error = 0; 209 210 mtx_lock(&Giant); 211 if (uap->pid == 0) { 212 p->p_retval[0] = p->p_session->s_sid; 213 } else { 214 if ((pt = pfind(uap->pid)) == NULL) { 215 error = ESRCH; 216 goto done2; 217 } 218 if ((error = p_cansee(p, pt))) { 219 PROC_UNLOCK(pt); 220 goto done2; 221 } 222 p->p_retval[0] = pt->p_session->s_sid; 223 PROC_UNLOCK(pt); 224 } 225 done2: 226 mtx_unlock(&Giant); 227 return (error); 228 } 229 230 231 /* 232 * getuid() - MP SAFE 233 */ 234 #ifndef _SYS_SYSPROTO_H_ 235 struct getuid_args { 236 int dummy; 237 }; 238 #endif 239 240 /* 241 * MPSAFE 242 */ 243 /* ARGSUSED */ 244 int 245 getuid(p, uap) 246 struct proc *p; 247 struct getuid_args *uap; 248 { 249 250 mtx_lock(&Giant); 251 p->p_retval[0] = p->p_ucred->cr_ruid; 252 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 253 p->p_retval[1] = p->p_ucred->cr_uid; 254 #endif 255 mtx_unlock(&Giant); 256 return (0); 257 } 258 259 /* 260 * geteuid() - MP SAFE 261 */ 262 #ifndef _SYS_SYSPROTO_H_ 263 struct geteuid_args { 264 int dummy; 265 }; 266 #endif 267 268 /* ARGSUSED */ 269 int 270 geteuid(p, uap) 271 struct proc *p; 272 struct geteuid_args *uap; 273 { 274 275 mtx_lock(&Giant); 276 p->p_retval[0] = p->p_ucred->cr_uid; 277 mtx_unlock(&Giant); 278 return (0); 279 } 280 281 /* 282 * getgid() - MP SAFE 283 */ 284 #ifndef _SYS_SYSPROTO_H_ 285 struct getgid_args { 286 int dummy; 287 }; 288 #endif 289 290 /* 291 * MPSAFE 292 */ 293 /* ARGSUSED */ 294 int 295 getgid(p, uap) 296 struct proc *p; 297 struct getgid_args *uap; 298 { 299 300 mtx_lock(&Giant); 301 p->p_retval[0] = p->p_ucred->cr_rgid; 302 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 303 p->p_retval[1] = p->p_ucred->cr_groups[0]; 304 #endif 305 mtx_unlock(&Giant); 306 return (0); 307 } 308 309 /* 310 * Get effective group ID. The "egid" is groups[0], and could be obtained 311 * via getgroups. This syscall exists because it is somewhat painful to do 312 * correctly in a library function. 313 */ 314 #ifndef _SYS_SYSPROTO_H_ 315 struct getegid_args { 316 int dummy; 317 }; 318 #endif 319 320 /* 321 * MPSAFE 322 */ 323 /* ARGSUSED */ 324 int 325 getegid(p, uap) 326 struct proc *p; 327 struct getegid_args *uap; 328 { 329 330 mtx_lock(&Giant); 331 p->p_retval[0] = p->p_ucred->cr_groups[0]; 332 mtx_unlock(&Giant); 333 return (0); 334 } 335 336 #ifndef _SYS_SYSPROTO_H_ 337 struct getgroups_args { 338 u_int gidsetsize; 339 gid_t *gidset; 340 }; 341 #endif 342 /* 343 * MPSAFE 344 */ 345 int 346 getgroups(p, uap) 347 struct proc *p; 348 register struct getgroups_args *uap; 349 { 350 struct ucred *cred; 351 u_int ngrp; 352 int error = 0; 353 354 mtx_lock(&Giant); 355 cred = p->p_ucred; 356 if ((ngrp = uap->gidsetsize) == 0) { 357 p->p_retval[0] = cred->cr_ngroups; 358 error = 0; 359 goto done2; 360 } 361 if (ngrp < cred->cr_ngroups) { 362 error = EINVAL; 363 goto done2; 364 } 365 ngrp = cred->cr_ngroups; 366 if ((error = copyout((caddr_t)cred->cr_groups, 367 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) { 368 goto done2; 369 } 370 p->p_retval[0] = ngrp; 371 done2: 372 mtx_unlock(&Giant); 373 return (error); 374 } 375 376 #ifndef _SYS_SYSPROTO_H_ 377 struct setsid_args { 378 int dummy; 379 }; 380 #endif 381 382 /* 383 * MPSAFE 384 */ 385 /* ARGSUSED */ 386 int 387 setsid(p, uap) 388 register struct proc *p; 389 struct setsid_args *uap; 390 { 391 int error; 392 393 mtx_lock(&Giant); 394 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 395 error = EPERM; 396 } else { 397 (void)enterpgrp(p, p->p_pid, 1); 398 p->p_retval[0] = p->p_pid; 399 error = 0; 400 } 401 mtx_unlock(&Giant); 402 return (error); 403 } 404 405 /* 406 * set process group (setpgid/old setpgrp) 407 * 408 * caller does setpgid(targpid, targpgid) 409 * 410 * pid must be caller or child of caller (ESRCH) 411 * if a child 412 * pid must be in same session (EPERM) 413 * pid can't have done an exec (EACCES) 414 * if pgid != pid 415 * there must exist some pid in same session having pgid (EPERM) 416 * pid must not be session leader (EPERM) 417 */ 418 #ifndef _SYS_SYSPROTO_H_ 419 struct setpgid_args { 420 int pid; /* target process id */ 421 int pgid; /* target pgrp id */ 422 }; 423 #endif 424 /* 425 * MPSAFE 426 */ 427 /* ARGSUSED */ 428 int 429 setpgid(curp, uap) 430 struct proc *curp; 431 register struct setpgid_args *uap; 432 { 433 register struct proc *targp; /* target process */ 434 register struct pgrp *pgrp; /* target pgrp */ 435 int error; 436 437 if (uap->pgid < 0) 438 return (EINVAL); 439 440 mtx_lock(&Giant); 441 442 if (uap->pid != 0 && uap->pid != curp->p_pid) { 443 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 444 if (targp) 445 PROC_UNLOCK(targp); 446 error = ESRCH; 447 goto done2; 448 } 449 if ((error = p_cansee(curproc, targp))) { 450 PROC_UNLOCK(targp); 451 goto done2; 452 } 453 if (targp->p_pgrp == NULL || 454 targp->p_session != curp->p_session) { 455 PROC_UNLOCK(targp); 456 error = EPERM; 457 goto done2; 458 } 459 if (targp->p_flag & P_EXEC) { 460 PROC_UNLOCK(targp); 461 error = EACCES; 462 goto done2; 463 } 464 } else { 465 targp = curp; 466 PROC_LOCK(curp); /* XXX: not needed */ 467 } 468 if (SESS_LEADER(targp)) { 469 PROC_UNLOCK(targp); 470 error = EPERM; 471 goto done2; 472 } 473 if (uap->pgid == 0) { 474 uap->pgid = targp->p_pid; 475 } else if (uap->pgid != targp->p_pid) { 476 if ((pgrp = pgfind(uap->pgid)) == 0 || 477 pgrp->pg_session != curp->p_session) { 478 PROC_UNLOCK(targp); 479 error = EPERM; 480 goto done2; 481 } 482 } 483 /* XXX: We should probably hold the lock across enterpgrp. */ 484 PROC_UNLOCK(targp); 485 error = enterpgrp(targp, uap->pgid, 0); 486 done2: 487 mtx_unlock(&Giant); 488 return (error); 489 } 490 491 /* 492 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 493 * compatible. It says that setting the uid/gid to euid/egid is a special 494 * case of "appropriate privilege". Once the rules are expanded out, this 495 * basically means that setuid(nnn) sets all three id's, in all permitted 496 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 497 * does not set the saved id - this is dangerous for traditional BSD 498 * programs. For this reason, we *really* do not want to set 499 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 500 */ 501 #define POSIX_APPENDIX_B_4_2_2 502 503 #ifndef _SYS_SYSPROTO_H_ 504 struct setuid_args { 505 uid_t uid; 506 }; 507 #endif 508 /* 509 * MPSAFE 510 */ 511 /* ARGSUSED */ 512 int 513 setuid(p, uap) 514 struct proc *p; 515 struct setuid_args *uap; 516 { 517 struct ucred *newcred, *oldcred; 518 uid_t uid; 519 int error = 0; 520 521 uid = uap->uid; 522 oldcred = p->p_ucred; 523 mtx_lock(&Giant); 524 525 /* 526 * See if we have "permission" by POSIX 1003.1 rules. 527 * 528 * Note that setuid(geteuid()) is a special case of 529 * "appropriate privileges" in appendix B.4.2.2. We need 530 * to use this clause to be compatible with traditional BSD 531 * semantics. Basically, it means that "setuid(xx)" sets all 532 * three id's (assuming you have privs). 533 * 534 * Notes on the logic. We do things in three steps. 535 * 1: We determine if the euid is going to change, and do EPERM 536 * right away. We unconditionally change the euid later if this 537 * test is satisfied, simplifying that part of the logic. 538 * 2: We determine if the real and/or saved uid's are going to 539 * change. Determined by compile options. 540 * 3: Change euid last. (after tests in #2 for "appropriate privs") 541 */ 542 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 543 #ifdef _POSIX_SAVED_IDS 544 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 545 #endif 546 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 547 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 548 #endif 549 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 550 goto done2; 551 552 newcred = crdup(oldcred); 553 #ifdef _POSIX_SAVED_IDS 554 /* 555 * Do we have "appropriate privileges" (are we root or uid == euid) 556 * If so, we are changing the real uid and/or saved uid. 557 */ 558 if ( 559 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 560 uid == oldcred->cr_uid || 561 #endif 562 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 563 #endif 564 { 565 /* 566 * Set the real uid and transfer proc count to new user. 567 */ 568 if (uid != oldcred->cr_ruid) { 569 change_ruid(newcred, uid); 570 setsugid(p); 571 } 572 /* 573 * Set saved uid 574 * 575 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 576 * the security of seteuid() depends on it. B.4.2.2 says it 577 * is important that we should do this. 578 */ 579 if (uid != oldcred->cr_svuid) { 580 change_svuid(newcred, uid); 581 setsugid(p); 582 } 583 } 584 585 /* 586 * In all permitted cases, we are changing the euid. 587 * Copy credentials so other references do not see our changes. 588 */ 589 if (uid != oldcred->cr_uid) { 590 change_euid(newcred, uid); 591 setsugid(p); 592 } 593 p->p_ucred = newcred; 594 crfree(oldcred); 595 done2: 596 mtx_unlock(&Giant); 597 return (error); 598 } 599 600 #ifndef _SYS_SYSPROTO_H_ 601 struct seteuid_args { 602 uid_t euid; 603 }; 604 #endif 605 /* 606 * MPSAFE 607 */ 608 /* ARGSUSED */ 609 int 610 seteuid(p, uap) 611 struct proc *p; 612 struct seteuid_args *uap; 613 { 614 struct ucred *newcred, *oldcred; 615 uid_t euid; 616 int error = 0; 617 618 euid = uap->euid; 619 620 mtx_lock(&Giant); 621 oldcred = p->p_ucred; 622 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 623 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 624 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 625 goto done2; 626 } 627 /* 628 * Everything's okay, do it. Copy credentials so other references do 629 * not see our changes. 630 */ 631 newcred = crdup(oldcred); 632 if (oldcred->cr_uid != euid) { 633 change_euid(newcred, euid); 634 setsugid(p); 635 } 636 p->p_ucred = newcred; 637 crfree(oldcred); 638 done2: 639 mtx_unlock(&Giant); 640 return (error); 641 } 642 643 #ifndef _SYS_SYSPROTO_H_ 644 struct setgid_args { 645 gid_t gid; 646 }; 647 #endif 648 /* 649 * MPSAFE 650 */ 651 /* ARGSUSED */ 652 int 653 setgid(p, uap) 654 struct proc *p; 655 struct setgid_args *uap; 656 { 657 struct ucred *newcred, *oldcred; 658 gid_t gid; 659 int error = 0; 660 661 gid = uap->gid; 662 663 mtx_lock(&Giant); 664 oldcred = p->p_ucred; 665 /* 666 * See if we have "permission" by POSIX 1003.1 rules. 667 * 668 * Note that setgid(getegid()) is a special case of 669 * "appropriate privileges" in appendix B.4.2.2. We need 670 * to use this clause to be compatible with traditional BSD 671 * semantics. Basically, it means that "setgid(xx)" sets all 672 * three id's (assuming you have privs). 673 * 674 * For notes on the logic here, see setuid() above. 675 */ 676 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 677 #ifdef _POSIX_SAVED_IDS 678 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 679 #endif 680 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 681 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 682 #endif 683 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 684 goto done2; 685 } 686 687 newcred = crdup(oldcred); 688 #ifdef _POSIX_SAVED_IDS 689 /* 690 * Do we have "appropriate privileges" (are we root or gid == egid) 691 * If so, we are changing the real uid and saved gid. 692 */ 693 if ( 694 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 695 gid == oldcred->cr_groups[0] || 696 #endif 697 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 698 #endif 699 { 700 /* 701 * Set real gid 702 */ 703 if (oldcred->cr_rgid != gid) { 704 change_rgid(newcred, gid); 705 setsugid(p); 706 } 707 /* 708 * Set saved gid 709 * 710 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 711 * the security of setegid() depends on it. B.4.2.2 says it 712 * is important that we should do this. 713 */ 714 if (oldcred->cr_svgid != gid) { 715 change_svgid(newcred, gid); 716 setsugid(p); 717 } 718 } 719 /* 720 * In all cases permitted cases, we are changing the egid. 721 * Copy credentials so other references do not see our changes. 722 */ 723 if (oldcred->cr_groups[0] != gid) { 724 change_egid(newcred, gid); 725 setsugid(p); 726 } 727 p->p_ucred = newcred; 728 crfree(oldcred); 729 done2: 730 mtx_unlock(&Giant); 731 return (error); 732 } 733 734 #ifndef _SYS_SYSPROTO_H_ 735 struct setegid_args { 736 gid_t egid; 737 }; 738 #endif 739 /* 740 * MPSAFE 741 */ 742 /* ARGSUSED */ 743 int 744 setegid(p, uap) 745 struct proc *p; 746 struct setegid_args *uap; 747 { 748 struct ucred *newcred, *oldcred; 749 gid_t egid; 750 int error = 0; 751 752 egid = uap->egid; 753 754 mtx_lock(&Giant); 755 oldcred = p->p_ucred; 756 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 757 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 758 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 759 goto done2; 760 } 761 newcred = crdup(oldcred); 762 if (oldcred->cr_groups[0] != egid) { 763 change_egid(newcred, egid); 764 setsugid(p); 765 } 766 p->p_ucred = newcred; 767 crfree(oldcred); 768 done2: 769 mtx_unlock(&Giant); 770 return (error); 771 } 772 773 #ifndef _SYS_SYSPROTO_H_ 774 struct setgroups_args { 775 u_int gidsetsize; 776 gid_t *gidset; 777 }; 778 #endif 779 /* 780 * MPSAFE 781 */ 782 /* ARGSUSED */ 783 int 784 setgroups(p, uap) 785 struct proc *p; 786 struct setgroups_args *uap; 787 { 788 struct ucred *newcred, *oldcred; 789 u_int ngrp; 790 int error; 791 792 mtx_lock(&Giant); 793 794 ngrp = uap->gidsetsize; 795 oldcred = p->p_ucred; 796 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 797 goto done2; 798 if (ngrp > NGROUPS) { 799 error = EINVAL; 800 goto done2; 801 } 802 /* 803 * XXX A little bit lazy here. We could test if anything has 804 * changed before crcopy() and setting P_SUGID. 805 */ 806 newcred = crdup(oldcred); 807 if (ngrp < 1) { 808 /* 809 * setgroups(0, NULL) is a legitimate way of clearing the 810 * groups vector on non-BSD systems (which generally do not 811 * have the egid in the groups[0]). We risk security holes 812 * when running non-BSD software if we do not do the same. 813 */ 814 newcred->cr_ngroups = 1; 815 } else { 816 if ((error = copyin((caddr_t)uap->gidset, 817 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 818 crfree(newcred); 819 goto done2; 820 } 821 newcred->cr_ngroups = ngrp; 822 } 823 setsugid(p); 824 p->p_ucred = newcred; 825 crfree(oldcred); 826 done2: 827 mtx_unlock(&Giant); 828 return (error); 829 } 830 831 #ifndef _SYS_SYSPROTO_H_ 832 struct setreuid_args { 833 uid_t ruid; 834 uid_t euid; 835 }; 836 #endif 837 /* 838 * MPSAFE 839 */ 840 /* ARGSUSED */ 841 int 842 setreuid(p, uap) 843 register struct proc *p; 844 struct setreuid_args *uap; 845 { 846 struct ucred *newcred, *oldcred; 847 uid_t ruid, euid; 848 int error = 0; 849 850 ruid = uap->ruid; 851 euid = uap->euid; 852 853 mtx_lock(&Giant); 854 855 oldcred = p->p_ucred; 856 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 857 ruid != oldcred->cr_svuid) || 858 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 859 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 860 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 861 goto done2; 862 } 863 newcred = crdup(oldcred); 864 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 865 change_euid(newcred, euid); 866 setsugid(p); 867 } 868 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 869 change_ruid(newcred, ruid); 870 setsugid(p); 871 } 872 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 873 newcred->cr_svuid != newcred->cr_uid) { 874 change_svuid(newcred, newcred->cr_uid); 875 setsugid(p); 876 } 877 p->p_ucred = newcred; 878 crfree(oldcred); 879 done2: 880 mtx_unlock(&Giant); 881 return (error); 882 } 883 884 #ifndef _SYS_SYSPROTO_H_ 885 struct setregid_args { 886 gid_t rgid; 887 gid_t egid; 888 }; 889 #endif 890 /* 891 * MPSAFE 892 */ 893 /* ARGSUSED */ 894 int 895 setregid(p, uap) 896 register struct proc *p; 897 struct setregid_args *uap; 898 { 899 struct ucred *newcred, *oldcred; 900 gid_t rgid, egid; 901 int error = 0; 902 903 rgid = uap->rgid; 904 egid = uap->egid; 905 906 mtx_lock(&Giant); 907 908 oldcred = p->p_ucred; 909 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 910 rgid != oldcred->cr_svgid) || 911 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 912 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 913 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 914 goto done2; 915 } 916 917 newcred = crdup(oldcred); 918 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 919 change_egid(newcred, egid); 920 setsugid(p); 921 } 922 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 923 change_rgid(newcred, rgid); 924 setsugid(p); 925 } 926 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 927 newcred->cr_svgid != newcred->cr_groups[0]) { 928 change_svgid(newcred, newcred->cr_groups[0]); 929 setsugid(p); 930 } 931 p->p_ucred = newcred; 932 crfree(oldcred); 933 done2: 934 mtx_unlock(&Giant); 935 return (error); 936 } 937 938 /* 939 * setresuid(ruid, euid, suid) is like setreuid except control over the 940 * saved uid is explicit. 941 */ 942 943 #ifndef _SYS_SYSPROTO_H_ 944 struct setresuid_args { 945 uid_t ruid; 946 uid_t euid; 947 uid_t suid; 948 }; 949 #endif 950 /* 951 * MPSAFE 952 */ 953 /* ARGSUSED */ 954 int 955 setresuid(p, uap) 956 register struct proc *p; 957 struct setresuid_args *uap; 958 { 959 struct ucred *newcred, *oldcred; 960 uid_t ruid, euid, suid; 961 int error; 962 963 ruid = uap->ruid; 964 euid = uap->euid; 965 suid = uap->suid; 966 967 mtx_lock(&Giant); 968 oldcred = p->p_ucred; 969 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 970 ruid != oldcred->cr_svuid && 971 ruid != oldcred->cr_uid) || 972 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 973 euid != oldcred->cr_svuid && 974 euid != oldcred->cr_uid) || 975 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 976 suid != oldcred->cr_svuid && 977 suid != oldcred->cr_uid)) && 978 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 979 goto done2; 980 } 981 982 newcred = crdup(oldcred); 983 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 984 change_euid(newcred, euid); 985 setsugid(p); 986 } 987 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 988 change_ruid(newcred, ruid); 989 setsugid(p); 990 } 991 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 992 change_svuid(newcred, suid); 993 setsugid(p); 994 } 995 p->p_ucred = newcred; 996 crfree(oldcred); 997 error = 0; 998 done2: 999 mtx_unlock(&Giant); 1000 return (error); 1001 } 1002 1003 /* 1004 * setresgid(rgid, egid, sgid) is like setregid except control over the 1005 * saved gid is explicit. 1006 */ 1007 1008 #ifndef _SYS_SYSPROTO_H_ 1009 struct setresgid_args { 1010 gid_t rgid; 1011 gid_t egid; 1012 gid_t sgid; 1013 }; 1014 #endif 1015 /* 1016 * MPSAFE 1017 */ 1018 /* ARGSUSED */ 1019 int 1020 setresgid(p, uap) 1021 register struct proc *p; 1022 struct setresgid_args *uap; 1023 { 1024 struct ucred *newcred, *oldcred; 1025 gid_t rgid, egid, sgid; 1026 int error; 1027 1028 rgid = uap->rgid; 1029 egid = uap->egid; 1030 sgid = uap->sgid; 1031 1032 mtx_lock(&Giant); 1033 oldcred = p->p_ucred; 1034 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1035 rgid != oldcred->cr_svgid && 1036 rgid != oldcred->cr_groups[0]) || 1037 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1038 egid != oldcred->cr_svgid && 1039 egid != oldcred->cr_groups[0]) || 1040 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1041 sgid != oldcred->cr_svgid && 1042 sgid != oldcred->cr_groups[0])) && 1043 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1044 goto done2; 1045 } 1046 newcred = crdup(oldcred); 1047 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1048 change_egid(newcred, egid); 1049 setsugid(p); 1050 } 1051 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1052 change_rgid(newcred, rgid); 1053 setsugid(p); 1054 } 1055 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1056 change_svgid(newcred, sgid); 1057 setsugid(p); 1058 } 1059 p->p_ucred = newcred; 1060 crfree(oldcred); 1061 error = 0; 1062 done2: 1063 mtx_unlock(&Giant); 1064 return (error); 1065 } 1066 1067 #ifndef _SYS_SYSPROTO_H_ 1068 struct getresuid_args { 1069 uid_t *ruid; 1070 uid_t *euid; 1071 uid_t *suid; 1072 }; 1073 #endif 1074 /* 1075 * MPSAFE 1076 */ 1077 /* ARGSUSED */ 1078 int 1079 getresuid(p, uap) 1080 register struct proc *p; 1081 struct getresuid_args *uap; 1082 { 1083 struct ucred *cred; 1084 int error1 = 0, error2 = 0, error3 = 0; 1085 1086 mtx_lock(&Giant); 1087 cred = p->p_ucred; 1088 1089 if (uap->ruid) 1090 error1 = copyout((caddr_t)&cred->cr_ruid, 1091 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1092 if (uap->euid) 1093 error2 = copyout((caddr_t)&cred->cr_uid, 1094 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1095 if (uap->suid) 1096 error3 = copyout((caddr_t)&cred->cr_svuid, 1097 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1098 mtx_unlock(&Giant); 1099 return error1 ? error1 : (error2 ? error2 : error3); 1100 } 1101 1102 #ifndef _SYS_SYSPROTO_H_ 1103 struct getresgid_args { 1104 gid_t *rgid; 1105 gid_t *egid; 1106 gid_t *sgid; 1107 }; 1108 #endif 1109 /* 1110 * MPSAFE 1111 */ 1112 /* ARGSUSED */ 1113 int 1114 getresgid(p, uap) 1115 register struct proc *p; 1116 struct getresgid_args *uap; 1117 { 1118 struct ucred *cred; 1119 int error1 = 0, error2 = 0, error3 = 0; 1120 1121 mtx_lock(&Giant); 1122 cred = p->p_ucred; 1123 1124 if (uap->rgid) 1125 error1 = copyout((caddr_t)&cred->cr_rgid, 1126 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1127 if (uap->egid) 1128 error2 = copyout((caddr_t)&cred->cr_groups[0], 1129 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1130 if (uap->sgid) 1131 error3 = copyout((caddr_t)&cred->cr_svgid, 1132 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1133 mtx_unlock(&Giant); 1134 return error1 ? error1 : (error2 ? error2 : error3); 1135 } 1136 1137 1138 #ifndef _SYS_SYSPROTO_H_ 1139 struct issetugid_args { 1140 int dummy; 1141 }; 1142 #endif 1143 /* ARGSUSED */ 1144 int 1145 issetugid(p, uap) 1146 register struct proc *p; 1147 struct issetugid_args *uap; 1148 { 1149 /* 1150 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1151 * we use P_SUGID because we consider changing the owners as 1152 * "tainting" as well. 1153 * This is significant for procs that start as root and "become" 1154 * a user without an exec - programs cannot know *everything* 1155 * that libc *might* have put in their data segment. 1156 */ 1157 p->p_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1158 return (0); 1159 } 1160 1161 /* 1162 * MPSAFE 1163 */ 1164 int 1165 __setugid(p, uap) 1166 struct proc *p; 1167 struct __setugid_args *uap; 1168 { 1169 #ifdef REGRESSION 1170 int error = 0; 1171 1172 mtx_lock(&Giant); 1173 switch (uap->flag) { 1174 case 0: 1175 p->p_flag &= ~P_SUGID; 1176 break; 1177 case 1: 1178 p->p_flag |= P_SUGID; 1179 break; 1180 default: 1181 error = EINVAL; 1182 break; 1183 } 1184 mtx_unlock(&Giant); 1185 return (error); 1186 #else /* !REGRESSION */ 1187 return (ENOSYS); 1188 #endif /* !REGRESSION */ 1189 } 1190 1191 /* 1192 * Check if gid is a member of the group set. 1193 */ 1194 int 1195 groupmember(gid, cred) 1196 gid_t gid; 1197 struct ucred *cred; 1198 { 1199 register gid_t *gp; 1200 gid_t *egp; 1201 1202 egp = &(cred->cr_groups[cred->cr_ngroups]); 1203 for (gp = cred->cr_groups; gp < egp; gp++) 1204 if (*gp == gid) 1205 return (1); 1206 return (0); 1207 } 1208 1209 /* 1210 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1211 * sysctl) determines whether the system 'super-user' policy is in effect. 1212 * If it is nonzero, an effective uid of 0 connotes special privilege, 1213 * overriding many mandatory and discretionary protections. If it is zero, 1214 * uid 0 is offered no special privilege in the kernel security policy. 1215 * Setting it to zero may seriously impact the functionality of many 1216 * existing userland programs, and should not be done without careful 1217 * consideration of the consequences. 1218 */ 1219 int suser_enabled = 1; 1220 SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW, 1221 &suser_enabled, 0, "processes with uid 0 have privilege"); 1222 1223 /* 1224 * Test whether the specified credentials imply "super-user" privilege. 1225 * Return 0 or EPERM. 1226 */ 1227 int 1228 suser(p) 1229 struct proc *p; 1230 { 1231 return suser_xxx(0, p, 0); 1232 } 1233 1234 int 1235 suser_xxx(cred, proc, flag) 1236 struct ucred *cred; 1237 struct proc *proc; 1238 int flag; 1239 { 1240 if (!suser_enabled) 1241 return (EPERM); 1242 if (!cred && !proc) { 1243 printf("suser_xxx(): THINK!\n"); 1244 return (EPERM); 1245 } 1246 if (!cred) 1247 cred = proc->p_ucred; 1248 if (cred->cr_uid != 0) 1249 return (EPERM); 1250 if (jailed(cred) && !(flag & PRISON_ROOT)) 1251 return (EPERM); 1252 return (0); 1253 } 1254 1255 /*- 1256 * Determine if u1 "can see" the subject specified by u2. 1257 * Returns: 0 for permitted, an errno value otherwise 1258 * Locks: none 1259 * References: u1 and u2 must be immutable credentials 1260 * u1 and u2 must be valid for the lifetime of the call 1261 * u1 may equal u2, in which case only one reference is required 1262 */ 1263 int 1264 u_cansee(struct ucred *u1, struct ucred *u2) 1265 { 1266 int error; 1267 1268 if ((error = prison_check(u1, u2))) 1269 return (error); 1270 if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) { 1271 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1272 return (ESRCH); 1273 } 1274 return (0); 1275 } 1276 1277 /*- 1278 * Determine if p1 "can see" the subject specified by p2. 1279 * Returns: 0 for permitted, an errno value otherwise 1280 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1281 * be held. Normally, p1 will be curproc, and a lock must be held 1282 * for p2. 1283 * References: p1 and p2 must be valid for the lifetime of the call 1284 */ 1285 int 1286 p_cansee(struct proc *p1, struct proc *p2) 1287 { 1288 1289 /* Wrap u_cansee() for all functionality. */ 1290 return (u_cansee(p1->p_ucred, p2->p_ucred)); 1291 } 1292 1293 /*- 1294 * Determine whether p1 may deliver the specified signal to p2. 1295 * Returns: 0 for permitted, an errno value otherwise 1296 * Locks: Sufficient locks to protect various components of p1 and p2 1297 * must be held. Normally, p1 will be curproc, and a lock must 1298 * be held for p2. 1299 * References: p1 and p2 must be valid for the lifetime of the call 1300 */ 1301 int 1302 p_cansignal(struct proc *p1, struct proc *p2, int signum) 1303 { 1304 int error; 1305 1306 if (p1 == p2) 1307 return (0); 1308 1309 /* 1310 * Jail semantics limit the scope of signalling to p2 in the same 1311 * jail as p1, if p1 is in jail. 1312 */ 1313 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1314 return (error); 1315 1316 /* 1317 * UNIX signalling semantics require that processes in the same 1318 * session always be able to deliver SIGCONT to one another, 1319 * overriding the remaining protections. 1320 */ 1321 if (signum == SIGCONT && p1->p_session == p2->p_session) 1322 return (0); 1323 1324 /* 1325 * UNIX signal semantics depend on the status of the P_SUGID 1326 * bit on the target process. If the bit is set, then additional 1327 * restrictions are placed on the set of available signals. 1328 */ 1329 if (p2->p_flag & P_SUGID) { 1330 switch (signum) { 1331 case 0: 1332 case SIGKILL: 1333 case SIGINT: 1334 case SIGTERM: 1335 case SIGSTOP: 1336 case SIGTTIN: 1337 case SIGTTOU: 1338 case SIGTSTP: 1339 case SIGHUP: 1340 case SIGUSR1: 1341 case SIGUSR2: 1342 /* 1343 * Generally, permit job and terminal control 1344 * signals. 1345 */ 1346 break; 1347 default: 1348 /* Not permitted, privilege is required. */ 1349 error = suser_xxx(NULL, p1, PRISON_ROOT); 1350 if (error) 1351 return (error); 1352 } 1353 } 1354 1355 /* 1356 * Generally, the target credential's ruid or svuid must match the 1357 * subject credential's ruid or euid. 1358 */ 1359 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1360 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1361 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1362 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1363 /* Not permitted, try privilege. */ 1364 error = suser_xxx(NULL, p1, PRISON_ROOT); 1365 if (error) 1366 return (error); 1367 } 1368 1369 return (0); 1370 } 1371 1372 /*- 1373 * Determine whether p1 may reschedule p2 1374 * Returns: 0 for permitted, an errno value otherwise 1375 * Locks: Sufficient locks to protect various components of p1 and p2 1376 * must be held. Normally, p1 will be curproc, and a lock must 1377 * be held for p2. 1378 * References: p1 and p2 must be valid for the lifetime of the call 1379 */ 1380 int 1381 p_cansched(struct proc *p1, struct proc *p2) 1382 { 1383 int error; 1384 1385 if (p1 == p2) 1386 return (0); 1387 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1388 return (error); 1389 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1390 return (0); 1391 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1392 return (0); 1393 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1394 return (0); 1395 1396 #ifdef CAPABILITIES 1397 if (!cap_check_xxx(0, p1, CAP_SYS_NICE, PRISON_ROOT)) 1398 return (0); 1399 #endif 1400 1401 return (EPERM); 1402 } 1403 1404 /* 1405 * The kern_unprivileged_procdebug_permitted flag may be used to disable 1406 * a variety of unprivileged inter-process debugging services, including 1407 * some procfs functionality, ptrace(), and ktrace(). In the past, 1408 * inter-process debugging has been involved in a variety of security 1409 * problems, and sites not requiring the service might choose to disable it 1410 * when hardening systems. 1411 * 1412 * XXX: Should modifying and reading this variable require locking? 1413 */ 1414 static int kern_unprivileged_procdebug_permitted = 1; 1415 SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted, 1416 CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0, 1417 "Unprivileged processes may use process debugging facilities"); 1418 1419 /*- 1420 * Determine whether p1 may debug p2. 1421 * Returns: 0 for permitted, an errno value otherwise 1422 * Locks: Sufficient locks to protect various components of p1 and p2 1423 * must be held. Normally, p1 will be curproc, and a lock must 1424 * be held for p2. 1425 * References: p1 and p2 must be valid for the lifetime of the call 1426 */ 1427 int 1428 p_candebug(struct proc *p1, struct proc *p2) 1429 { 1430 int error; 1431 1432 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1433 return (error); 1434 1435 /* 1436 * Not owned by you, has done setuid (unless you're root). 1437 * XXX add a CAP_SYS_PTRACE here? 1438 */ 1439 if (p1->p_ucred->cr_uid != p2->p_ucred->cr_uid || 1440 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid || 1441 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid || 1442 p2->p_flag & P_SUGID || !kern_unprivileged_procdebug_permitted) { 1443 if ((error = suser_xxx(0, p1, PRISON_ROOT)) != 0) 1444 return (error); 1445 } 1446 1447 /* Can't trace init when securelevel > 0. */ 1448 if (securelevel > 0 && p2->p_pid == 1) 1449 return (EPERM); 1450 1451 return (0); 1452 } 1453 1454 /* 1455 * Allocate a zeroed cred structure. 1456 */ 1457 struct ucred * 1458 crget() 1459 { 1460 register struct ucred *cr; 1461 1462 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK|M_ZERO); 1463 cr->cr_ref = 1; 1464 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1465 return (cr); 1466 } 1467 1468 /* 1469 * Claim another reference to a ucred structure. 1470 */ 1471 void 1472 crhold(cr) 1473 struct ucred *cr; 1474 { 1475 1476 mtx_lock(&cr->cr_mtx); 1477 cr->cr_ref++; 1478 mtx_unlock(&(cr)->cr_mtx); 1479 } 1480 1481 1482 /* 1483 * Free a cred structure. 1484 * Throws away space when ref count gets to 0. 1485 */ 1486 void 1487 crfree(cr) 1488 struct ucred *cr; 1489 { 1490 1491 mtx_lock(&cr->cr_mtx); 1492 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1493 if (--cr->cr_ref == 0) { 1494 mtx_destroy(&cr->cr_mtx); 1495 /* 1496 * Some callers of crget(), such as nfs_statfs(), 1497 * allocate a temporary credential, but don't 1498 * allocate a uidinfo structure. 1499 */ 1500 if (cr->cr_uidinfo != NULL) 1501 uifree(cr->cr_uidinfo); 1502 if (cr->cr_ruidinfo != NULL) 1503 uifree(cr->cr_ruidinfo); 1504 /* 1505 * Free a prison, if any. 1506 */ 1507 if (jailed(cr)) 1508 prison_free(cr->cr_prison); 1509 FREE((caddr_t)cr, M_CRED); 1510 } else { 1511 mtx_unlock(&cr->cr_mtx); 1512 } 1513 } 1514 1515 /* 1516 * Copy cred structure to a new one and free the old one. 1517 */ 1518 struct ucred * 1519 crcopy(cr) 1520 struct ucred *cr; 1521 { 1522 struct ucred *newcr; 1523 1524 mtx_lock(&cr->cr_mtx); 1525 if (cr->cr_ref == 1) { 1526 mtx_unlock(&cr->cr_mtx); 1527 return (cr); 1528 } 1529 mtx_unlock(&cr->cr_mtx); 1530 newcr = crdup(cr); 1531 crfree(cr); 1532 return (newcr); 1533 } 1534 1535 /* 1536 * Dup cred struct to a new held one. 1537 */ 1538 struct ucred * 1539 crdup(cr) 1540 struct ucred *cr; 1541 { 1542 struct ucred *newcr; 1543 1544 MALLOC(newcr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK); 1545 *newcr = *cr; 1546 mtx_init(&newcr->cr_mtx, "ucred", MTX_DEF); 1547 uihold(newcr->cr_uidinfo); 1548 uihold(newcr->cr_ruidinfo); 1549 if (jailed(newcr)) 1550 prison_hold(newcr->cr_prison); 1551 newcr->cr_ref = 1; 1552 return (newcr); 1553 } 1554 1555 /* 1556 * Get login name, if available. 1557 */ 1558 #ifndef _SYS_SYSPROTO_H_ 1559 struct getlogin_args { 1560 char *namebuf; 1561 u_int namelen; 1562 }; 1563 #endif 1564 /* 1565 * MPSAFE 1566 */ 1567 /* ARGSUSED */ 1568 int 1569 getlogin(p, uap) 1570 struct proc *p; 1571 struct getlogin_args *uap; 1572 { 1573 int error; 1574 1575 mtx_lock(&Giant); 1576 if (uap->namelen > MAXLOGNAME) 1577 uap->namelen = MAXLOGNAME; 1578 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1579 (caddr_t) uap->namebuf, uap->namelen); 1580 mtx_unlock(&Giant); 1581 return(error); 1582 } 1583 1584 /* 1585 * Set login name. 1586 */ 1587 #ifndef _SYS_SYSPROTO_H_ 1588 struct setlogin_args { 1589 char *namebuf; 1590 }; 1591 #endif 1592 /* 1593 * MPSAFE 1594 */ 1595 /* ARGSUSED */ 1596 int 1597 setlogin(p, uap) 1598 struct proc *p; 1599 struct setlogin_args *uap; 1600 { 1601 int error; 1602 char logintmp[MAXLOGNAME]; 1603 1604 mtx_lock(&Giant); 1605 if ((error = suser_xxx(0, p, PRISON_ROOT))) 1606 goto done2; 1607 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1608 sizeof(logintmp), (size_t *)0); 1609 if (error == ENAMETOOLONG) { 1610 error = EINVAL; 1611 } else if (!error) { 1612 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1613 sizeof(logintmp)); 1614 } 1615 done2: 1616 mtx_unlock(&Giant); 1617 return (error); 1618 } 1619 1620 void 1621 setsugid(p) 1622 struct proc *p; 1623 { 1624 p->p_flag |= P_SUGID; 1625 if (!(p->p_pfsflags & PF_ISUGID)) 1626 p->p_stops = 0; 1627 } 1628 1629 /*- 1630 * Change a process's effective uid. 1631 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1632 * References: newcred must be an exclusive credential reference for the 1633 * duration of the call. 1634 */ 1635 void 1636 change_euid(newcred, euid) 1637 struct ucred *newcred; 1638 uid_t euid; 1639 { 1640 1641 newcred->cr_uid = euid; 1642 uifree(newcred->cr_uidinfo); 1643 newcred->cr_uidinfo = uifind(euid); 1644 } 1645 1646 /*- 1647 * Change a process's effective gid. 1648 * Side effects: newcred->cr_gid will be modified. 1649 * References: newcred must be an exclusive credential reference for the 1650 * duration of the call. 1651 */ 1652 void 1653 change_egid(newcred, egid) 1654 struct ucred *newcred; 1655 gid_t egid; 1656 { 1657 1658 newcred->cr_groups[0] = egid; 1659 } 1660 1661 /*- 1662 * Change a process's real uid. 1663 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1664 * will be updated, and the old and new cr_ruidinfo proc 1665 * counts will be updated. 1666 * References: newcred must be an exclusive credential reference for the 1667 * duration of the call. 1668 */ 1669 void 1670 change_ruid(newcred, ruid) 1671 struct ucred *newcred; 1672 uid_t ruid; 1673 { 1674 1675 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1676 newcred->cr_ruid = ruid; 1677 uifree(newcred->cr_ruidinfo); 1678 newcred->cr_ruidinfo = uifind(ruid); 1679 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1680 } 1681 1682 /*- 1683 * Change a process's real gid. 1684 * Side effects: newcred->cr_rgid will be updated. 1685 * References: newcred must be an exclusive credential reference for the 1686 * duration of the call. 1687 */ 1688 void 1689 change_rgid(newcred, rgid) 1690 struct ucred *newcred; 1691 gid_t rgid; 1692 { 1693 1694 newcred->cr_rgid = rgid; 1695 } 1696 1697 /*- 1698 * Change a process's saved uid. 1699 * Side effects: newcred->cr_svuid will be updated. 1700 * References: newcred must be an exclusive credential reference for the 1701 * duration of the call. 1702 */ 1703 void 1704 change_svuid(newcred, svuid) 1705 struct ucred *newcred; 1706 uid_t svuid; 1707 { 1708 1709 newcred->cr_svuid = svuid; 1710 } 1711 1712 /*- 1713 * Change a process's saved gid. 1714 * Side effects: newcred->cr_svgid will be updated. 1715 * References: newcred must be an exclusive credential reference for the 1716 * duration of the call. 1717 */ 1718 void 1719 change_svgid(newcred, svgid) 1720 struct ucred *newcred; 1721 gid_t svgid; 1722 { 1723 1724 newcred->cr_svgid = svgid; 1725 } 1726