1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
 * $FreeBSD$
 */

/*
 * System calls related to processes and protection.
 *
 * Two families live in this file: the identity system calls that read and
 * rewrite a process's struct ucred (getuid/setuid and friends, getgroups/
 * setgroups, the process-group and session calls), and the policy helpers
 * the rest of the kernel consults before a privileged or cross-process
 * operation: suser_xxx(), the securelevel tests, cr_cansee()/p_cansee() and
 * cr_cansignal().
 *
 * Credential updates here follow a copy-on-write discipline: the caller
 * crdup()s the current ucred, mutates the private copy, installs it in
 * p->p_ucred and crfree()s the old one.  Other holders of a reference to
 * the old credential therefore never observe a half-updated identity.
 * Every identity change also calls setsugid(p), which is what issetugid()
 * later reports.
 */

#include "opt_compat.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/acct.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/sx.h>
#include <sys/sysproto.h>
#include <sys/jail.h>
#include <sys/malloc.h>
#include <sys/pioctl.h>
#include <sys/resourcevar.h>
#include <sys/sysctl.h>

static MALLOC_DEFINE(M_CRED, "cred", "credentials");

/* security.bsd.* holds the tunables that shape the classic BSD policy. */
SYSCTL_DECL(_security);
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
    "BSD security policy");

#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
	int	dummy;
};
#endif
/*
 * getpid(2): return the caller's process id in td_retval[0].
 *
 * With COMPAT_43 or COMPAT_SUNOS the parent's pid is additionally returned
 * in td_retval[1] (old BSD ABI); p_pptr is read under PROC_LOCK for that.
 * Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getpid(td, uap)
	struct thread *td;
	struct getpid_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	td->td_retval[0] = p->p_pid;
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	PROC_LOCK(p);
	td->td_retval[1] = p->p_pptr->p_pid;
	PROC_UNLOCK(p);
#endif
	mtx_unlock_giant(s);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getppid_args {
	int	dummy;
};
#endif
/*
 * getppid(2): return the parent's process id.
 *
 * p_pptr is dereferenced under PROC_LOCK(p) so the parent pointer is read
 * consistently.  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getppid(td, uap)
	struct thread *td;
	struct getppid_args *uap;
{
	struct proc *p = td->td_proc;
	int s;

	s = mtx_lock_giant(kern_giant_proc);
	PROC_LOCK(p);
	td->td_retval[0] = p->p_pptr->p_pid;
	PROC_UNLOCK(p);
	mtx_unlock_giant(s);
	return (0);
}

/*
 * Get process group ID; note that POSIX getpgrp takes no parameter.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgrp_args {
	int	dummy;
};
#endif
/*
 * getpgrp(2): return the caller's own process group id.  No lookup and no
 * visibility check are involved, so this cannot fail.
 *
 * MPSAFE
 */
int
getpgrp(td, uap)
	struct thread *td;
	struct getpgrp_args *uap;
{
	struct proc *p = td->td_proc;

	mtx_lock(&Giant);
	td->td_retval[0] = p->p_pgrp->pg_id;
	mtx_unlock(&Giant);
	return (0);
}

/* Get an arbitrary pid's process group id */
#ifndef _SYS_SYSPROTO_H_
struct getpgid_args {
	pid_t	pid;
};
#endif
/*
 * getpgid(2): return the process group id of uap->pid, or of the caller
 * when uap->pid is 0.
 *
 * Returns ESRCH when the pid does not exist.  For any other pid the target
 * must pass p_cansee(); the visibility error is returned unchanged
 * (cr_cansee() itself uses ESRCH, so a process the caller may not see
 * looks the same as one that does not exist).
 *
 * Locking: pfind() returns the target PROC_LOCKed; the lock is held across
 * the visibility check and the read of p_pgrp and released before return.
 *
 * MPSAFE
 */
int
getpgid(td, uap)
	struct thread *td;
	struct getpgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct proc *pt;
	int error, s;

	s = mtx_lock_giant(kern_giant_proc);
	error = 0;
	if (uap->pid == 0)
		td->td_retval[0] = p->p_pgrp->pg_id;
	else if ((pt = pfind(uap->pid)) == NULL)
		error = ESRCH;
	else {
		/* pt is locked here; only a visible target is reported. */
		error = p_cansee(p, pt);
		if (error == 0)
			td->td_retval[0] = pt->p_pgrp->pg_id;
		PROC_UNLOCK(pt);
	}
	mtx_unlock_giant(s);
	return (error);
}

/*
 * Get an arbitrary pid's session id.
*/
#ifndef _SYS_SYSPROTO_H_
struct getsid_args {
	pid_t	pid;
};
#endif
/*
 * getsid(2): return the session id of uap->pid, or of the caller when
 * uap->pid is 0.
 *
 * A nonexistent pid yields ESRCH.  Any other pid must pass p_cansee(),
 * whose error is returned unchanged, so a process the caller is not
 * allowed to see is reported no differently from one that does not exist.
 *
 * Locking: pfind() hands back the target PROC_LOCKed; it stays locked for
 * the visibility check and the p_session read, and is released on all
 * paths before return.
 *
 * MPSAFE
 */
int
getsid(td, uap)
	struct thread *td;
	struct getsid_args *uap;
{
	struct proc *self = td->td_proc;
	struct proc *target;
	int error = 0;

	mtx_lock(&Giant);
	if (uap->pid == 0) {
		/* Our own session: no lookup and no visibility check. */
		td->td_retval[0] = self->p_session->s_sid;
		goto out;
	}
	target = pfind(uap->pid);
	if (target == NULL) {
		error = ESRCH;
		goto out;
	}
	/* Target is locked; report its session only if we may see it. */
	error = p_cansee(self, target);
	if (error == 0)
		td->td_retval[0] = target->p_session->s_sid;
	PROC_UNLOCK(target);
out:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct getuid_args {
	int	dummy;
};
#endif
/*
 * getuid(2): return the real uid in td_retval[0].
 *
 * Under COMPAT_43 / COMPAT_SUNOS the effective uid is also placed in
 * td_retval[1], matching the old BSD calling convention.  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getuid(td, uap)
	struct thread *td;
	struct getuid_args *uap;
{
	struct ucred *cred;

	mtx_lock(&Giant);
	cred = td->td_proc->p_ucred;
	td->td_retval[0] = cred->cr_ruid;	/* real uid */
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = cred->cr_uid;	/* effective uid, old ABI */
#endif
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct geteuid_args {
	int	dummy;
};
#endif
/*
 * geteuid(2): return the effective uid (cr_uid).  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
geteuid(td, uap)
	struct thread *td;
	struct geteuid_args *uap;
{
	struct ucred *cred;

	mtx_lock(&Giant);
	cred = td->td_proc->p_ucred;
	td->td_retval[0] = cred->cr_uid;
	mtx_unlock(&Giant);
	return (0);
}

#ifndef _SYS_SYSPROTO_H_
struct getgid_args {
	int	dummy;
};
#endif
/*
 * getgid(2): return the real gid in td_retval[0].
 *
 * Under COMPAT_43 / COMPAT_SUNOS td_retval[1] receives the effective gid,
 * which on BSD is cr_groups[0].  Always succeeds.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getgid(td, uap)
	struct thread *td;
	struct getgid_args *uap;
{
	struct ucred *cred;

	mtx_lock(&Giant);
	cred = td->td_proc->p_ucred;
	td->td_retval[0] = cred->cr_rgid;		/* real gid */
#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
	td->td_retval[1] = cred->cr_groups[0];	/* effective gid, old ABI */
#endif
	mtx_unlock(&Giant);
	return (0);
}

/*
 * Get effective group ID.
The "egid" is groups[0], and could be obtained 289 * via getgroups. This syscall exists because it is somewhat painful to do 290 * correctly in a library function. 291 */ 292 #ifndef _SYS_SYSPROTO_H_ 293 struct getegid_args { 294 int dummy; 295 }; 296 #endif 297 /* 298 * MPSAFE 299 */ 300 /* ARGSUSED */ 301 int 302 getegid(td, uap) 303 struct thread *td; 304 struct getegid_args *uap; 305 { 306 struct proc *p = td->td_proc; 307 308 mtx_lock(&Giant); 309 td->td_retval[0] = p->p_ucred->cr_groups[0]; 310 mtx_unlock(&Giant); 311 return (0); 312 } 313 314 #ifndef _SYS_SYSPROTO_H_ 315 struct getgroups_args { 316 u_int gidsetsize; 317 gid_t *gidset; 318 }; 319 #endif 320 /* 321 * MPSAFE 322 */ 323 int 324 getgroups(td, uap) 325 struct thread *td; 326 register struct getgroups_args *uap; 327 { 328 struct ucred *cred; 329 struct proc *p = td->td_proc; 330 u_int ngrp; 331 int error; 332 333 mtx_lock(&Giant); 334 error = 0; 335 cred = p->p_ucred; 336 if ((ngrp = uap->gidsetsize) == 0) { 337 td->td_retval[0] = cred->cr_ngroups; 338 goto done2; 339 } 340 if (ngrp < cred->cr_ngroups) { 341 error = EINVAL; 342 goto done2; 343 } 344 ngrp = cred->cr_ngroups; 345 if ((error = copyout((caddr_t)cred->cr_groups, 346 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) 347 goto done2; 348 td->td_retval[0] = ngrp; 349 done2: 350 mtx_unlock(&Giant); 351 return (error); 352 } 353 354 #ifndef _SYS_SYSPROTO_H_ 355 struct setsid_args { 356 int dummy; 357 }; 358 #endif 359 /* 360 * MPSAFE 361 */ 362 /* ARGSUSED */ 363 int 364 setsid(td, uap) 365 register struct thread *td; 366 struct setsid_args *uap; 367 { 368 int error; 369 struct proc *p = td->td_proc; 370 371 mtx_lock(&Giant); 372 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) 373 error = EPERM; 374 else { 375 (void)enterpgrp(p, p->p_pid, 1); 376 td->td_retval[0] = p->p_pid; 377 error = 0; 378 } 379 mtx_unlock(&Giant); 380 return (error); 381 } 382 383 /* 384 * set process group (setpgid/old setpgrp) 385 * 386 * caller does setpgid(targpid, 
targpgid)
 *
 * pid must be caller or child of caller (ESRCH)
 * if a child
 *	pid must be in same session (EPERM)
 *	pid can't have done an exec (EACCES)
 * if pgid != pid
 *	there must exist some pid in same session having pgid (EPERM)
 * pid must not be session leader (EPERM)
 *
 * Checks applied to a target other than the caller, in order: it must be
 * found by pfind() and be an inferior() of the caller (else ESRCH), it must
 * pass p_cansee(), it must share the caller's session (EPERM) and it must
 * not have exec'd (P_EXEC gives EACCES).  A negative pgid is rejected with
 * EINVAL before any lock is taken.
 */
#ifndef _SYS_SYSPROTO_H_
struct setpgid_args {
	int	pid;		/* target process id */
	int	pgid;		/* target pgrp id */
};
#endif
/*
 * setpgid(2).  See the rules above.
 *
 * Locking: proctree_lock is held shared for the pfind()/inferior()/pgfind()
 * walk; pfind() returns the target PROC_LOCKed and every exit path drops
 * that lock.  The process lock is released before enterpgrp() (see the XXX).
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setpgid(td, uap)
	struct thread *td;
	register struct setpgid_args *uap;
{
	struct proc *curp = td->td_proc;
	register struct proc *targp;	/* target process */
	register struct pgrp *pgrp;	/* target pgrp */
	int error;

	if (uap->pgid < 0)
		return (EINVAL);
	mtx_lock(&Giant);
	sx_slock(&proctree_lock);
	if (uap->pid != 0 && uap->pid != curp->p_pid) {
		/* A foreign target must exist and be our descendant. */
		if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) {
			if (targp)
				PROC_UNLOCK(targp);
			error = ESRCH;
			goto done2;
		}
		if ((error = p_cansee(curproc, targp))) {
			PROC_UNLOCK(targp);
			goto done2;
		}
		if (targp->p_pgrp == NULL ||
		    targp->p_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto done2;
		}
		/* Once the child has exec'd its group may no longer be changed. */
		if (targp->p_flag & P_EXEC) {
			PROC_UNLOCK(targp);
			error = EACCES;
			goto done2;
		}
	} else {
		targp = curp;
		PROC_LOCK(curp);	/* XXX: not needed */
	}
	if (SESS_LEADER(targp)) {
		PROC_UNLOCK(targp);
		error = EPERM;
		goto done2;
	}
	if (uap->pgid == 0)
		uap->pgid = targp->p_pid;
	else if (uap->pgid != targp->p_pid) {
		/* Joining an existing group: it must be in our session. */
		if ((pgrp = pgfind(uap->pgid)) == 0 ||
		    pgrp->pg_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto done2;
		}
	}
	/* XXX: We should probably hold the lock across enterpgrp. */
	PROC_UNLOCK(targp);
	error = enterpgrp(targp, uap->pgid, 0);
done2:
	sx_sunlock(&proctree_lock);
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
 * compatible.  It says that setting the uid/gid to euid/egid is a special
 * case of "appropriate privilege".  Once the rules are expanded out, this
 * basically means that setuid(nnn) sets all three id's, in all permitted
 * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
 * does not set the saved id - this is dangerous for traditional BSD
 * programs.  For this reason, we *really* do not want to set
 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
 *
 * Practical consequence: with the defaults below, a set-uid program that
 * calls setuid(getuid()) gives up the saved uid as well, so the drop is
 * permanent.  Only seteuid()/setreuid() keep a way back.
 */
#define POSIX_APPENDIX_B_4_2_2

#ifndef _SYS_SYSPROTO_H_
struct setuid_args {
	uid_t	uid;
};
#endif
/*
 * setuid(2): set the real, effective and saved uid to uap->uid.
 *
 * Without privilege the new uid must equal the current real uid, the saved
 * uid (only when _POSIX_SAVED_IDS) or, under POSIX_APPENDIX_B_4_2_2, the
 * current effective uid; otherwise suser_xxx() with PRISON_ROOT must
 * succeed, so jailed root may call this too.  Returns 0 or EPERM.
 *
 * On success a fresh ucred is installed and setsugid() marks the process
 * for every id that actually changed.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setuid(td, uap)
	struct thread *td;
	struct setuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t uid;
	int error;

	uid = uap->uid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setuid(geteuid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setuid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * Notes on the logic.  We do things in three steps.
	 *  1: We determine if the euid is going to change, and do EPERM
	 *     right away.  We unconditionally change the euid later if this
	 *     test is satisfied, simplifying that part of the logic.
	 *  2: We determine if the real and/or saved uids are going to
	 *     change.  Determined by compile options.
	 *  3: Change euid last. (after tests in #2 for "appropriate privs")
	 */
	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
#ifdef _POSIX_SAVED_IDS
	    uid != oldcred->cr_svuid &&		/* allow setuid(saved uid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
#endif
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;

	/* Work on a private copy; oldcred stays visible to other holders. */
	newcred = crdup(oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or uid == euid)
	 * If so, we are changing the real uid and/or saved uid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
	    uid == oldcred->cr_uid ||
#endif
	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set the real uid and transfer proc count to new user.
		 */
		if (uid != oldcred->cr_ruid) {
			change_ruid(newcred, uid);
			setsugid(p);
		}
		/*
		 * Set saved uid
		 *
		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
		 * the security of seteuid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (uid != oldcred->cr_svuid) {
			change_svuid(newcred, uid);
			setsugid(p);
		}
	}

	/*
	 * In all permitted cases, we are changing the euid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (uid != oldcred->cr_uid) {
		change_euid(newcred, uid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct seteuid_args {
	uid_t	euid;
};
#endif
/*
 * seteuid(2): set only the effective uid.
 *
 * Permitted without privilege when euid equals the real or the saved uid;
 * otherwise suser_xxx() with PRISON_ROOT must succeed.  The real and saved
 * uids are untouched, so a process that lowers its euid this way can later
 * seteuid() back to the saved uid -- this is the reversible counterpart of
 * setuid().  Returns 0 or EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
seteuid(td, uap)
	struct thread *td;
	struct seteuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid;
	int error;

	euid = uap->euid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	/*
	 * Everything's okay, do it.  Copy credentials so other references do
	 * not see our changes.
	 */
	newcred = crdup(oldcred);
	if (oldcred->cr_uid != euid) {
		change_euid(newcred, euid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgid_args {
	gid_t	gid;
};
#endif
/*
 * setgid(2): set the real, effective (cr_groups[0]) and saved gid.
 *
 * Mirrors setuid(): without privilege the gid must equal the real gid, the
 * saved gid (only when _POSIX_SAVED_IDS) or, under POSIX_APPENDIX_B_4_2_2,
 * the effective gid; otherwise suser_xxx() with PRISON_ROOT must succeed.
 * Returns 0 or EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setgid(td, uap)
	struct thread *td;
	struct setgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t gid;
	int error;

	gid = uap->gid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setgid(getegid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setgid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * For notes on the logic here, see setuid() above.
	 */
	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
#ifdef _POSIX_SAVED_IDS
	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    gid != oldcred->cr_groups[0] &&	/* allow setgid(getegid()) */
#endif
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;

	newcred = crdup(oldcred);
#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or gid == egid)
	 * If so, we are changing the real gid and saved gid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
	    gid == oldcred->cr_groups[0] ||
#endif
	    suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
#endif
	{
		/*
		 * Set real gid
		 */
		if (oldcred->cr_rgid != gid) {
			change_rgid(newcred, gid);
			setsugid(p);
		}
		/*
		 * Set saved gid
		 *
		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
		 * the security of setegid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (oldcred->cr_svgid != gid) {
			change_svgid(newcred, gid);
			setsugid(p);
		}
	}
	/*
	 * In all permitted cases, we are changing the egid.
	 * Copy credentials so other references do not see our changes.
	 */
	if (oldcred->cr_groups[0] != gid) {
		change_egid(newcred, gid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setegid_args {
	gid_t	egid;
};
#endif
/*
 * setegid(2): set only the effective gid (cr_groups[0]).
 *
 * Permitted without privilege when egid equals the real or saved gid;
 * otherwise suser_xxx() with PRISON_ROOT must succeed.  Real and saved gid
 * are untouched, so the change is reversible like seteuid().  Returns 0 or
 * EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setegid(td, uap)
	struct thread *td;
	struct setegid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid;
	int error;

	egid = uap->egid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setgroups_args {
	u_int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * setgroups(2): replace the supplementary group vector.
 *
 * Requires suser_xxx() with PRISON_ROOT (jailed root is allowed).  The
 * count is unsigned, so a negative value from userland shows up as a huge
 * one and is rejected by the NGROUPS bound (EINVAL), which also bounds the
 * copyin() into cr_groups.
 *
 * Caveat for callers: on BSD cr_groups[0] *is* the effective gid, so a
 * non-empty setgroups() silently replaces the egid with gidset[0].
 * setgroups(0, NULL) keeps cr_groups[0] and drops everything else.
 *
 * Returns 0, EPERM, EINVAL or the copyin() error.  P_SUGID is set
 * unconditionally on success.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setgroups(td, uap)
	struct thread *td;
	struct setgroups_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	u_int ngrp;
	int error;

	ngrp = uap->gidsetsize;
	mtx_lock(&Giant);
	oldcred = p->p_ucred;
	if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	if (ngrp > NGROUPS) {
		error = EINVAL;
		goto done2;
	}
	/*
	 * XXX A little bit lazy here.  We could test if anything has
	 * changed before crcopy() and setting P_SUGID.
	 */
	newcred = crdup(oldcred);
	if (ngrp < 1) {
		/*
		 * setgroups(0, NULL) is a legitimate way of clearing the
		 * groups vector on non-BSD systems (which generally do not
		 * have the egid in the groups[0]).  We risk security holes
		 * when running non-BSD software if we do not do the same.
		 */
		newcred->cr_ngroups = 1;
	} else {
		/* Bounded by the NGROUPS check above. */
		if ((error = copyin((caddr_t)uap->gidset,
		    (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
			crfree(newcred);
			goto done2;
		}
		newcred->cr_ngroups = ngrp;
	}
	setsugid(p);
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setreuid_args {
	uid_t	ruid;
	uid_t	euid;
};
#endif
/*
 * setreuid(2): set the real and/or effective uid; (uid_t)-1 leaves one
 * unchanged.
 *
 * Without privilege the new ruid must be the current real or saved uid and
 * the new euid the current effective, real or saved uid; otherwise
 * suser_xxx() with PRISON_ROOT must succeed.  The saved uid follows the new
 * euid whenever the real uid was specified or the new euid differs from the
 * new real uid (the classic 4.4BSD rule), so setreuid(ruid, ruid) is a
 * permanent privilege drop.  Returns 0 or EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setreuid(td, uap)
	register struct thread *td;
	struct setreuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid, ruid;
	int error;

	euid = uap->euid;
	ruid = uap->ruid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
	      ruid != oldcred->cr_svuid) ||
	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
		change_euid(newcred, euid);
		setsugid(p);
	}
	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
		change_ruid(newcred, ruid);
		setsugid(p);
	}
	/* Saved uid tracks the euid once ruid is set or euid != ruid. */
	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
	    newcred->cr_svuid != newcred->cr_uid) {
		change_svuid(newcred, newcred->cr_uid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct setregid_args {
	gid_t	rgid;
	gid_t	egid;
};
#endif
/*
 * setregid(2): set the real and/or effective gid; (gid_t)-1 leaves one
 * unchanged.  Same permission and saved-id rules as setreuid(), with
 * cr_groups[0] playing the role of the effective id.  Returns 0 or EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setregid(td, uap)
	register struct thread *td;
	struct setregid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid, rgid;
	int error;

	egid = uap->egid;
	rgid = uap->rgid;
	mtx_lock(&Giant);
	error = 0;
	oldcred = p->p_ucred;
	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
	    rgid != oldcred->cr_svgid) ||
	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
	    egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
		change_rgid(newcred, rgid);
		setsugid(p);
	}
	/* Saved gid tracks the egid once rgid is set or egid != rgid. */
	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
	    newcred->cr_svgid != newcred->cr_groups[0]) {
		change_svgid(newcred, newcred->cr_groups[0]);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
done2:
	mtx_unlock(&Giant);
	return (error);
}

/*
 * setresuid(ruid, euid, suid) is like setreuid except control over the
 * saved uid is explicit.
*/

#ifndef _SYS_SYSPROTO_H_
struct setresuid_args {
	uid_t	ruid;
	uid_t	euid;
	uid_t	suid;
};
#endif
/*
 * setresuid(2): set real, effective and saved uid independently; (uid_t)-1
 * leaves the corresponding id unchanged.
 *
 * Without privilege each id that is being set must be one of the current
 * real, effective or saved uids; otherwise suser_xxx() with PRISON_ROOT
 * must succeed.  Unlike setreuid() no implicit saved-uid update happens --
 * the caller states the saved uid explicitly, which is the recommended
 * way to drop privilege irrevocably (setresuid(u, u, u)).  Returns 0 or
 * EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setresuid(td, uap)
	register struct thread *td;
	struct setresuid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid, ruid, suid;
	int error;

	euid = uap->euid;
	ruid = uap->ruid;
	suid = uap->suid;
	mtx_lock(&Giant);
	oldcred = p->p_ucred;
	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
	      ruid != oldcred->cr_svuid &&
	      ruid != oldcred->cr_uid) ||
	     (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
	      euid != oldcred->cr_svuid &&
	      euid != oldcred->cr_uid) ||
	     (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
	      suid != oldcred->cr_svuid &&
	      suid != oldcred->cr_uid)) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	/* error is only assigned on the failure path above; set it below. */
	newcred = crdup(oldcred);
	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
		change_euid(newcred, euid);
		setsugid(p);
	}
	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
		change_ruid(newcred, ruid);
		setsugid(p);
	}
	if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
		change_svuid(newcred, suid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
	error = 0;
done2:
	mtx_unlock(&Giant);
	return (error);
}

/*
 * setresgid(rgid, egid, sgid) is like setregid except control over the
 * saved gid is explicit.
*/

#ifndef _SYS_SYSPROTO_H_
struct setresgid_args {
	gid_t	rgid;
	gid_t	egid;
	gid_t	sgid;
};
#endif
/*
 * setresgid(2): set real, effective (cr_groups[0]) and saved gid
 * independently; (gid_t)-1 leaves the corresponding id unchanged.
 *
 * Same rules as setresuid(): each id being set must be one of the current
 * real, effective or saved gids, or suser_xxx() with PRISON_ROOT must
 * succeed.  No implicit saved-gid update.  Returns 0 or EPERM.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
setresgid(td, uap)
	register struct thread *td;
	struct setresgid_args *uap;
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid, rgid, sgid;
	int error;

	egid = uap->egid;
	rgid = uap->rgid;
	sgid = uap->sgid;
	mtx_lock(&Giant);
	oldcred = p->p_ucred;
	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
	      rgid != oldcred->cr_svgid &&
	      rgid != oldcred->cr_groups[0]) ||
	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
	      egid != oldcred->cr_svgid &&
	      egid != oldcred->cr_groups[0]) ||
	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
	      sgid != oldcred->cr_svgid &&
	      sgid != oldcred->cr_groups[0])) &&
	    (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
		goto done2;
	newcred = crdup(oldcred);
	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
		change_rgid(newcred, rgid);
		setsugid(p);
	}
	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
		change_svgid(newcred, sgid);
		setsugid(p);
	}
	p->p_ucred = newcred;
	crfree(oldcred);
	error = 0;
done2:
	mtx_unlock(&Giant);
	return (error);
}

#ifndef _SYS_SYSPROTO_H_
struct getresuid_args {
	uid_t	*ruid;
	uid_t	*euid;
	uid_t	*suid;
};
#endif
/*
 * getresuid(2): copy out the real, effective and saved uid to whichever of
 * the three user pointers are non-NULL.  All three copies are attempted;
 * the first copyout() error (in ruid, euid, suid order) is returned.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getresuid(td, uap)
	register struct thread *td;
	struct getresuid_args *uap;
{
	struct ucred *cred;
	struct proc *p = td->td_proc;
	int error1 = 0, error2 = 0, error3 = 0;

	mtx_lock(&Giant);
	cred = p->p_ucred;
	if (uap->ruid)
		error1 = copyout((caddr_t)&cred->cr_ruid,
		    (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
	if (uap->euid)
		error2 = copyout((caddr_t)&cred->cr_uid,
		    (caddr_t)uap->euid, sizeof(cred->cr_uid));
	if (uap->suid)
		error3 = copyout((caddr_t)&cred->cr_svuid,
		    (caddr_t)uap->suid, sizeof(cred->cr_svuid));
	mtx_unlock(&Giant);
	return (error1 ? error1 : error2 ? error2 : error3);
}

#ifndef _SYS_SYSPROTO_H_
struct getresgid_args {
	gid_t	*rgid;
	gid_t	*egid;
	gid_t	*sgid;
};
#endif
/*
 * getresgid(2): copy out the real, effective (cr_groups[0]) and saved gid
 * to whichever of the three user pointers are non-NULL.  The first
 * copyout() error (rgid, egid, sgid order) is returned.
 *
 * MPSAFE
 */
/* ARGSUSED */
int
getresgid(td, uap)
	register struct thread *td;
	struct getresgid_args *uap;
{
	struct ucred *cred;
	struct proc *p = td->td_proc;
	int error1 = 0, error2 = 0, error3 = 0;

	mtx_lock(&Giant);
	cred = p->p_ucred;
	if (uap->rgid)
		error1 = copyout((caddr_t)&cred->cr_rgid,
		    (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
	if (uap->egid)
		error2 = copyout((caddr_t)&cred->cr_groups[0],
		    (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
	if (uap->sgid)
		error3 = copyout((caddr_t)&cred->cr_svgid,
		    (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
	mtx_unlock(&Giant);
	return (error1 ? error1 : error2 ? error2 : error3);
}

#ifndef _SYS_SYSPROTO_H_
struct issetugid_args {
	int	dummy;
};
#endif
/*
 * issetugid(2): report whether the process is "tainted", i.e. whether
 * P_SUGID is set.  Every identity-changing call in this file sets that
 * flag via setsugid(), so this reports credential changes made without an
 * exec as well as set-id execs.  Always succeeds; the result is 1 or 0.
 *
 * NOT MPSAFE? -- p_flag is read here without Giant or the process lock.
 */
/* ARGSUSED */
int
issetugid(td, uap)
	register struct thread *td;
	struct issetugid_args *uap;
{
	struct proc *p = td->td_proc;

	/*
	 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
	 * we use P_SUGID because we consider changing the owners as
	 * "tainting" as well.
	 * This is significant for procs that start as root and "become"
	 * a user without an exec - programs cannot know *everything*
	 * that libc *might* have put in their data segment.
	 */
	td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
	return (0);
}

/*
 * __setugid(): regression-test hook to set (flag == 1) or clear (flag == 0)
 * the caller's own P_SUGID bit; any other flag value is EINVAL.
 *
 * It is only compiled in with the REGRESSION kernel option and performs NO
 * privilege check, so any process can then lie to every consumer of
 * issetugid().  Never build a production kernel with REGRESSION; without
 * it the call is a stub returning ENOSYS.
 *
 * MPSAFE
 */
int
__setugid(td, uap)
	struct thread *td;
	struct __setugid_args *uap;
{
#ifdef REGRESSION
	int error;

	mtx_lock(&Giant);
	error = 0;
	switch (uap->flag) {
	case 0:
		td->td_proc->p_flag &= ~P_SUGID;
		break;
	case 1:
		td->td_proc->p_flag |= P_SUGID;
		break;
	default:
		error = EINVAL;
		break;
	}
	mtx_unlock(&Giant);
	return (error);
#else /* !REGRESSION */

	return (ENOSYS);
#endif /* REGRESSION */
}

/*
 * Check if gid is a member of the group set.
 *
 * Scans cr_groups[0 .. cr_ngroups-1]; since cr_groups[0] is the effective
 * gid on BSD, the effective gid always counts as a member.  Returns 1 on
 * membership, 0 otherwise.
 */
int
groupmember(gid, cred)
	gid_t gid;
	struct ucred *cred;
{
	register gid_t *gp;
	gid_t *egp;

	egp = &(cred->cr_groups[cred->cr_ngroups]);
	for (gp = cred->cr_groups; gp < egp; gp++)
		if (*gp == gid)
			return (1);
	return (0);
}

/*
 * `suser_enabled' (which can be set by the security.suser_enabled
 * sysctl) determines whether the system 'super-user' policy is in effect.
 * If it is nonzero, an effective uid of 0 connotes special privilege,
 * overriding many mandatory and discretionary protections.  If it is zero,
 * uid 0 is offered no special privilege in the kernel security policy.
 * Setting it to zero may seriously impact the functionality of many
 * existing userland programs, and should not be done without careful
 * consideration of the consequences.
 *
 * The sysctl is CTLFLAG_RW and also a loader tunable, so it can be turned
 * off at boot or at run time; suser_xxx() below consults it on every call.
 */
int suser_enabled = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
    &suser_enabled, 0, "processes with uid 0 have privilege");
TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);

/*
 * Test whether the specified credentials imply "super-user" privilege.
 * Return 0 or EPERM.
*/
int
suser(p)
	struct proc *p;
{
	/* No explicit credential and no jail override: the plain check. */
	return (suser_xxx(0, p, 0));
}

/*
 * Thread-pointer flavour of suser(): identical policy, just picks the
 * process out of the thread so callers need not include proc.h.
 */
int
suser_td(td)
	struct thread *td;
{
	return (suser_xxx(0, td->td_proc, 0));
}

/*
 * Thread-pointer flavour of suser_xxx(): forwards cred and flag unchanged
 * and supplies td->td_proc as the process.
 */
int
suser_xxx_td(cred, td, flag)
	struct ucred *cred;
	struct thread *td;
	int flag;
{
	return (suser_xxx(cred, td->td_proc, flag));
}

/*
 * The one real super-user test; every other suser*() wrapper ends up here.
 *
 * cred  - credential to test, or NULL to use proc->p_ucred
 * proc  - process whose credential is used when cred is NULL
 * flag  - PRISON_ROOT lets a jailed uid 0 pass; without it jailed root is
 *         refused even though its uid is 0
 *
 * Returns 0 when the credential carries super-user privilege and EPERM
 * otherwise.  EPERM is also the answer when security.bsd.suser_enabled is
 * 0 (uid 0 confers nothing) and when neither cred nor proc was supplied,
 * which is logged as a programming error rather than treated as root.
 */
int
suser_xxx(cred, proc, flag)
	struct ucred *cred;
	struct proc *proc;
	int flag;
{
	/* Policy switched off: nobody is special. */
	if (!suser_enabled)
		return (EPERM);
	if (cred == NULL) {
		/* Nothing to judge -- fail closed and complain. */
		if (proc == NULL) {
			printf("suser_xxx(): THINK!\n");
			return (EPERM);
		}
		cred = proc->p_ucred;
	}
	if (cred->cr_uid != 0)
		return (EPERM);
	/* Jailed root only counts if the caller opted in with PRISON_ROOT. */
	if (jailed(cred) && (flag & PRISON_ROOT) == 0)
		return (EPERM);
	return (0);
}

/*
 * Test the active securelevel against a given level.  securelevel_gt()
 * implements (securelevel > level).  securelevel_ge() implements
 * (securelevel >= level).  Note that the logic is inverted -- these
 * functions return EPERM on "success" and 0 on "failure".
 *
 * cr is permitted to be NULL for the time being, as there were some
 * existing securelevel checks that occurred without a process/credential
 * context.  In the future this will be disallowed, so a kernel message
 * is displayed.
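 */

/*
 * Compute the securelevel that applies to cr: the greater of the global
 * securelevel and, when cr belongs to a prison, that prison's own level.
 * A NULL cr is tolerated (see above) and yields the global level only;
 * it is reported but never dereferenced.  'who' names the caller for the
 * diagnostic.
 */
static int
securelevel_active(struct ucred *cr, const char *who)
{
	int active_securelevel;

	active_securelevel = securelevel;
	if (cr == NULL) {
		printf("%s: cr is NULL\n", who);
	} else if (cr->cr_prison != NULL) {
		/* pr_securelevel is read under the prison's mutex. */
		mtx_lock(&cr->cr_prison->pr_mtx);
		active_securelevel = imax(cr->cr_prison->pr_securelevel,
		    active_securelevel);
		mtx_unlock(&cr->cr_prison->pr_mtx);
	}
	return (active_securelevel);
}

/*
 * Returns EPERM when the active securelevel for cr is greater than
 * level, 0 otherwise.
 */
int
securelevel_gt(struct ucred *cr, int level)
{

	return (securelevel_active(cr, "securelevel_gt") > level ? EPERM : 0);
}

/*
 * Returns EPERM when the active securelevel for cr is greater than or
 * equal to level, 0 otherwise.
 */
int
securelevel_ge(struct ucred *cr, int level)
{

	return (securelevel_active(cr, "securelevel_ge") >= level ? EPERM : 0);
}

/*
 * 'see_other_uids' determines whether or not visibility of processes
 * and sockets with credentials holding different real uids is possible
 * using a variety of system MIBs.
 * XXX: data declarations should be together near the beginning of the file.
 */
static int see_other_uids = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
    &see_other_uids, 0,
    "Unprivileged processes may see subjects/objects with different real uid");

/*-
 * Determine if u1 "can see" the subject specified by u2.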
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 *             u1 may equal u2, in which case only one reference is required
 */
int
cr_cansee(struct ucred *u1, struct ucred *u2)
{
	int error;

	error = prison_check(u1, u2);
	if (error != 0)
		return (error);
	/*
	 * With see_other_uids off, a subject with a different real uid is
	 * invisible unless u1 holds super-user privilege (jail root counts).
	 */
	if (see_other_uids == 0 && u1->cr_ruid != u2->cr_ruid &&
	    suser_xxx(u1, NULL, PRISON_ROOT) != 0)
		return (ESRCH);
	return (0);
}

/*-
 * Determine if p1 "can see" the subject specified by p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
 *        be held.  Normally, p1 will be curproc, and a lock must be held
 *        for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansee(struct proc *p1, struct proc *p2)
{

	/* All of the policy lives in cr_cansee(). */
	return (cr_cansee(p1->p_ucred, p2->p_ucred));
}

/*
 * Signals that may be delivered without privilege to a process whose
 * P_SUGID bit is set: generally job and terminal control signals, plus
 * the two user-defined signals.  Returns 1 if signum is in that set.
 */
static int
cr_sugid_signal_permitted(int signum)
{

	switch (signum) {
	case 0:
	case SIGKILL:
	case SIGINT:
	case SIGTERM:
	case SIGSTOP:
	case SIGTTIN:
	case SIGTTOU:
	case SIGTSTP:
	case SIGHUP:
	case SIGUSR1:
	case SIGUSR2:
		return (1);
	default:
		return (0);
	}
}

/*-
 * Determine whether cred may deliver the specified signal to proc.
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
 */
int
cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
	struct ucred *target;
	int error;

	/*
	 * Jail semantics limit the scope of signalling to proc in the
	 * same jail as cred, if cred is in jail.
	 */
	error = prison_check(cred, proc->p_ucred);
	if (error != 0)
		return (error);

	/*
	 * UNIX signal semantics depend on the status of the P_SUGID
	 * bit on the target process.  If the bit is set, signals outside
	 * the job/terminal-control set require privilege.
	 */
	if ((proc->p_flag & P_SUGID) != 0 &&
	    !cr_sugid_signal_permitted(signum)) {
		error = suser_xxx(cred, NULL, PRISON_ROOT);
		if (error != 0)
			return (error);
	}

	/*
	 * Generally, the target credential's ruid or svuid must match the
	 * subject credential's ruid or euid; otherwise privilege is needed.
	 */
	target = proc->p_ucred;
	if (cred->cr_ruid != target->cr_ruid &&
	    cred->cr_ruid != target->cr_svuid &&
	    cred->cr_uid != target->cr_ruid &&
	    cred->cr_uid != target->cr_svuid) {
		error = suser_xxx(cred, NULL, PRISON_ROOT);
		if (error != 0)
			return (error);
	}

	return (0);
}


/*-
 * Determine whether p1 may deliver the specified signal to p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *        must be held.  Normally, p1 will be curproc, and a lock must
 *        be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansignal(struct proc *p1, struct proc *p2, int signum)
{

	/* A process may always signal itself. */
	if (p1 == p2)
		return (0);

	/*
	 * UNIX signalling semantics require that processes in the same
	 * session always be able to deliver SIGCONT to one another,
	 * overriding the remaining protections.
	 */
	if (signum == SIGCONT && p1->p_session == p2->p_session)
		return (0);

	return (cr_cansignal(p1->p_ucred, p2, signum));
}

/*-
 * Determine whether p1 may reschedule p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *        must be held.  Normally, p1 will be curproc, and a lock must
 *        be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_cansched(struct proc *p1, struct proc *p2)
{
	struct ucred *c1, *c2;
	int error;

	/* A process may always reschedule itself. */
	if (p1 == p2)
		return (0);
	c1 = p1->p_ucred;
	c2 = p2->p_ucred;
	error = prison_check(c1, c2);
	if (error != 0)
		return (error);
	/* Same real uid, or the subject's effective uid owns the target. */
	if (c1->cr_ruid == c2->cr_ruid || c1->cr_uid == c2->cr_ruid)
		return (0);
	if (suser_xxx(0, p1, PRISON_ROOT) == 0)
		return (0);

#ifdef CAPABILITIES
	if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT))
		return (0);
#endif

	return (EPERM);
}

/*
 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 * unprivileged inter-process debugging services, including some procfs
 * functionality, ptrace(), and ktrace().  In the past, inter-process
 * debugging has been involved in a variety of security problems, and sites
 * not requiring the service might choose to disable it when hardening
 * systems.
 *
 * XXX: Should modifying and reading this variable require locking?
 * XXX: data declarations should be together near the beginning of the file.
 */
static int unprivileged_proc_debug = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
    &unprivileged_proc_debug, 0,
    "Unprivileged processes may use process debugging facilities");

/*-
 * Determine whether p1 may debug p2.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of p1 and p2
 *        must be held.  Normally, p1 will be curproc, and a lock must
 *        be held for p2.
 * References: p1 and p2 must be valid for the lifetime of the call
 */
int
p_candebug(struct proc *p1, struct proc *p2)
{
	struct ucred *c1, *c2;
	int error, i, needpriv;

	/* Unprivileged debugging disabled system-wide: privilege up front. */
	if (unprivileged_proc_debug == 0) {
		error = suser_xxx(NULL, p1, PRISON_ROOT);
		if (error != 0)
			return (error);
	}
	if (p1 == p2)
		return (0);
	c1 = p1->p_ucred;
	c2 = p2->p_ucred;
	error = prison_check(c1, c2);
	if (error != 0)
		return (error);

	/*
	 * Privilege is required for p1 to debug p2 unless all of the
	 * following hold: p2's credential has not changed since its last
	 * exec() (P_SUGID clear); every uid in p2's credential (euid, svuid,
	 * ruid) equals p1's effective uid; and every gid in p2's credential
	 * (egid, group access list, rgid, svgid) is in p1's group set.
	 * For POSIX.1e capabilities, this will require CAP_SYS_PTRACE.
	 */
	needpriv = (p2->p_flag & P_SUGID) != 0;
	if (!needpriv &&
	    (c1->cr_uid != c2->cr_uid || c1->cr_uid != c2->cr_svuid ||
	    c1->cr_uid != c2->cr_ruid))
		needpriv = 1;
	if (!needpriv &&
	    (!groupmember(c2->cr_rgid, c1) || !groupmember(c2->cr_svgid, c1)))
		needpriv = 1;
	for (i = 0; !needpriv && i < c2->cr_ngroups; i++) {
		if (!groupmember(c2->cr_groups[i], c1))
			needpriv = 1;
	}
	if (needpriv) {
		error = suser_xxx(NULL, p1, PRISON_ROOT);
		if (error != 0)
			return (error);
	}

	/* Can't trace init when securelevel > 0. */
	if (p2 == initproc) {
		error = securelevel_gt(c1, 0);
		if (error != 0)
			return (error);
	}

	/*
	 * Can't trace a process that's currently exec'ing.
	 * XXX: Note, this is not a security policy decision, it's a
	 * basic correctness/functionality decision.  Therefore, this check
	 * should be moved to the callers of p_candebug().
	 */
	if ((p2->p_flag & P_INEXEC) != 0)
		return (EAGAIN);

	return (0);
}

/*
 * Allocate a zeroed cred structure with one reference held by the caller.
 */
struct ucred *
crget(void)
{
	struct ucred *cr;

	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
	cr->cr_ref = 1;
	cr->cr_mtxp = mtx_pool_find(cr);
	return (cr);
}

/*
 * Claim another reference to a ucred structure; returns cr for convenience.
 */
struct ucred *
crhold(struct ucred *cr)
{

	mtx_lock(cr->cr_mtxp);
	cr->cr_ref++;
	mtx_unlock(cr->cr_mtxp);
	return (cr);
}

/*
 * Drop a reference to a cred structure.
 * Releases the storage when the reference count reaches 0.
 */
void
crfree(struct ucred *cr)
{
	struct mtx *mtxp = cr->cr_mtxp;
	int last;

	mtx_lock(mtxp);
	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
	last = (--cr->cr_ref == 0);
	/* The mutex lives in a pool, so it is released before cr is freed. */
	mtx_unlock(mtxp);
	if (!last)
		return;

	/*
	 * Some callers of crget(), such as nfs_statfs(),
	 * allocate a temporary credential, but don't
	 * allocate a uidinfo structure.
	 */
	if (cr->cr_uidinfo != NULL)
		uifree(cr->cr_uidinfo);
	if (cr->cr_ruidinfo != NULL)
		uifree(cr->cr_ruidinfo);
	/*
	 * Free a prison, if any.
	 */
	if (jailed(cr))
		prison_free(cr->cr_prison);
	FREE((caddr_t)cr, M_CRED);
}

/*
 * Check to see if this ucred is shared.
 */
int
crshared(struct ucred *cr)
{
	int refs;

	mtx_lock(cr->cr_mtxp);
	refs = cr->cr_ref;
	mtx_unlock(cr->cr_mtxp);
	return (refs > 1);
}

/*
 * Copy a ucred's contents from a template.  Does not block.
 * Copies the [cr_startcopy, cr_endcopy) range and takes the references
 * (uidinfo, ruidinfo, prison) that the copied fields now hold.
 */
void
crcopy(struct ucred *dest, struct ucred *src)
{
	caddr_t from, to;

	KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
	from = (caddr_t)&src->cr_startcopy;
	to = (caddr_t)&src->cr_endcopy;
	bcopy(from, &dest->cr_startcopy, (unsigned)(to - from));
	uihold(dest->cr_uidinfo);
	uihold(dest->cr_ruidinfo);
	if (jailed(dest))
		prison_hold(dest->cr_prison);
}

/*
 * Duplicate a cred structure into a freshly allocated, held one.
 */
struct ucred *
crdup(struct ucred *cr)
{
	struct ucred *copy = crget();

	crcopy(copy, cr);
	return (copy);
}

/*
 * Swap a thread's current ucred for the current one held by its process.
 */
void
cred_update_thread(struct thread *td)
{
	struct proc *p = td->td_proc;
	struct ucred *old = td->td_ucred;

	if (old != NULL) {
		mtx_lock(&Giant);
		crfree(old);
		mtx_unlock(&Giant);
		td->td_ucred = NULL;
	}
	PROC_LOCK(p);
	td->td_ucred = crhold(p->p_ucred);
	PROC_UNLOCK(p);
}

/*
 * Get login name, if available.
 */
#ifndef _SYS_SYSPROTO_H_
struct getlogin_args {
	char *namebuf;
	u_int namelen;
};
#endif
/*
 * MPSAFE
 *
 * getlogin(2): copy the session's login name out to uap->namebuf.
 * uap->namelen is clamped to MAXLOGNAME so the copy never reads past
 * s_login.  Returns 0 or the copyout() error.
 */
/* ARGSUSED */
int
getlogin(struct thread *td, struct getlogin_args *uap)
{
	int error;

	mtx_lock(&Giant);
	if (uap->namelen > MAXLOGNAME)
		uap->namelen = MAXLOGNAME;
	error = copyout((caddr_t)td->td_proc->p_pgrp->pg_session->s_login,
	    (caddr_t)uap->namebuf, uap->namelen);
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Set login name.
 */
#ifndef _SYS_SYSPROTO_H_
struct setlogin_args {
	char *namebuf;
};
#endif
/*
 * MPSAFE
 *
 * setlogin(2): set the session's login name from the user string at
 * uap->namebuf.  Requires super-user privilege (jail root suffices).
 * A name that does not fit in MAXLOGNAME is rejected with EINVAL.
 */
/* ARGSUSED */
int
setlogin(struct thread *td, struct setlogin_args *uap)
{
	struct proc *p = td->td_proc;
	char logintmp[MAXLOGNAME];
	int error;

	mtx_lock(&Giant);
	error = suser_xxx(0, p, PRISON_ROOT);
	if (error != 0)
		goto done2;
	error = copyinstr((caddr_t)uap->namebuf, (caddr_t)logintmp,
	    sizeof(logintmp), (size_t *)0);
	switch (error) {
	case 0:
		(void)memcpy(p->p_pgrp->pg_session->s_login, logintmp,
		    sizeof(logintmp));
		break;
	case ENAMETOOLONG:
		error = EINVAL;
		break;
	default:
		break;
	}
done2:
	mtx_unlock(&Giant);
	return (error);
}

/*
 * Mark p as having changed credentials since its last exec() and, unless
 * PF_ISUGID is set in p_pfsflags, clear its procfs stop mask.
 */
void
setsugid(struct proc *p)
{

	p->p_flag |= P_SUGID;
	if ((p->p_pfsflags & PF_ISUGID) == 0)
		p->p_stops = 0;
}

/*-
 * Change a process's effective uid.
 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_euid(struct ucred *newcred, uid_t euid)
{
	struct uidinfo *old = newcred->cr_uidinfo;

	newcred->cr_uid = euid;
	/* Swap the uidinfo reference to the one for the new uid. */
	newcred->cr_uidinfo = uifind(euid);
	uifree(old);
}

/*-
 * Change a process's effective gid.
 * Side effects: newcred->cr_gid will be modified.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_egid(struct ucred *newcred, gid_t egid)
{

	/* The effective gid is stored as the first entry of cr_groups. */
	newcred->cr_groups[0] = egid;
}

/*-
 * Change a process's real uid.
 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 *               will be updated, and the old and new cr_ruidinfo proc
 *               counts will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_ruid(struct ucred *newcred, uid_t ruid)
{
	struct uidinfo *old = newcred->cr_ruidinfo;

	/* Move one process from the old real uid's count to the new one. */
	(void)chgproccnt(old, -1, 0);
	newcred->cr_ruid = ruid;
	uifree(old);
	newcred->cr_ruidinfo = uifind(ruid);
	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
}

/*-
 * Change a process's real gid.
 * Side effects: newcred->cr_rgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_rgid(struct ucred *newcred, gid_t rgid)
{

	newcred->cr_rgid = rgid;
}

/*-
 * Change a process's saved uid.
 * Side effects: newcred->cr_svuid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_svuid(struct ucred *newcred, uid_t svuid)
{

	newcred->cr_svuid = svuid;
}

/*-
 * Change a process's saved gid.
 * Side effects: newcred->cr_svgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 *             duration of the call.
 */
void
change_svgid(struct ucred *newcred, gid_t svgid)
{

	/* Plain field update; no reference counts are involved for gids. */
	newcred->cr_svgid = svgid;
}