1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Privilege implementation. 28 * 29 * This file provides the infrastructure for privilege sets and limits 30 * the number of files that requires to include <sys/cred_impl.h> and/or 31 * <sys/priv_impl.h>. 32 * 33 * The Solaris privilege mechanism has been designed in a 34 * future proof manner. While the kernel may use fixed size arrays 35 * and fixed bitmasks and bit values, the representation of those 36 * is kernel private. All external interfaces as well as K-to-K interfaces 37 * have been constructed in a manner to provide the maximum flexibility. 38 * 39 * There can be X privilege sets each containing Y 32 bit words. 40 * <X, Y> are constant for a kernel invocation. 41 * 42 * As a consequence, all privilege set manipulation happens in functions 43 * below. 44 * 45 */ 46 47 #include <sys/systm.h> 48 #include <sys/ddi.h> 49 #include <sys/kmem.h> 50 #include <sys/sunddi.h> 51 #include <sys/errno.h> 52 #include <sys/debug.h> 53 #include <sys/priv_impl.h> 54 #include <sys/procfs.h> 55 #include <sys/policy.h> 56 #include <sys/cred_impl.h> 57 #include <sys/devpolicy.h> 58 #include <sys/atomic.h> 59 60 /* 61 * Privilege name to number mapping table consists in the generated 62 * priv_const.c file. This lock protects against updates of the privilege 63 * names and counts; all other priv_info fields are read-only. 64 * The actual protected values are: 65 * global variable nprivs 66 * the priv_max field 67 * the priv_names field 68 * the priv names info item (cnt/strings) 69 */ 70 krwlock_t privinfo_lock; 71 72 static boolean_t priv_valid(const cred_t *); 73 74 priv_set_t priv_fullset; /* set of all privileges */ 75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */ 76 77 /* 78 * Privilege initialization functions. 79 * Called from common/os/cred.c when cred_init is called. 80 */ 81 82 void 83 priv_init(void) 84 { 85 rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL); 86 87 PRIV_BASIC_ASSERT(priv_basic); 88 PRIV_UNSAFE_ASSERT(&priv_unsafe); 89 priv_fillset(&priv_fullset); 90 91 /* 92 * When booting with priv_debug set, then we'll add an additional 93 * basic privilege and we verify that it is always present in E. 94 */ 95 if (priv_debug == 1 && 96 (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) { 97 priv_addset(priv_basic, priv_basic_test); 98 } 99 100 devpolicy_init(); 101 } 102 103 /* Utility functions: privilege sets as opaque data types */ 104 105 /* 106 * Guts of prgetprivsize. 107 */ 108 int 109 priv_prgetprivsize(prpriv_t *tmpl) 110 { 111 return (sizeof (prpriv_t) + 112 PRIV_SETBYTES - sizeof (priv_chunk_t) + 113 (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize)); 114 } 115 116 /* 117 * Guts of prgetpriv. 118 */ 119 void 120 cred2prpriv(const cred_t *cp, prpriv_t *pr) 121 { 122 priv_set_t *psa; 123 int i; 124 125 pr->pr_nsets = PRIV_NSET; 126 pr->pr_setsize = PRIV_SETSIZE; 127 pr->pr_infosize = priv_info->priv_infosize; 128 129 psa = (priv_set_t *)pr->pr_sets; 130 131 for (i = 0; i < PRIV_NSET; i++) 132 psa[i] = *priv_getset(cp, i); 133 134 priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr)); 135 } 136 137 /* 138 * Guts of pr_spriv: 139 * 140 * Set the privileges of a process. 141 * 142 * In order to set the privileges, the setting process will need to 143 * have those privileges in its effective set in order to prevent 144 * specially privileged processes to easily gain additional privileges. 145 * Pre-existing privileges can be retained. To change any privileges, 146 * PRIV_PROC_OWNER needs to be asserted. 147 * 148 * In formula: 149 * 150 * S' <= S || S' <= S + Ea 151 * 152 * the new set must either be subset of the old set or a subset of 153 * the oldset merged with the effective set of the acting process; or just: 154 * 155 * S' <= S + Ea 156 * 157 * It's not legal to grow the limit set this way. 158 * 159 */ 160 int 161 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr) 162 { 163 cred_t *oldcred; 164 cred_t *newcred; 165 int i; 166 int err = EPERM; 167 cred_priv_t *cp, *ocp; 168 priv_set_t eset; 169 170 ASSERT(MUTEX_HELD(&p->p_lock)); 171 172 /* 173 * Set must have proper dimension; infosize must be absent 174 * or properly sized. 175 */ 176 if (prpriv->pr_nsets != PRIV_NSET || 177 prpriv->pr_setsize != PRIV_SETSIZE || 178 (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 || 179 prpriv->pr_infosize > priv_info->priv_infosize || 180 prpriv->pr_infosize < 0) 181 return (EINVAL); 182 183 mutex_exit(&p->p_lock); 184 185 if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) { 186 mutex_enter(&p->p_lock); 187 return (EPERM); 188 } 189 190 newcred = crdup(oldcred); 191 192 /* Copy the privilege sets from prpriv to newcred */ 193 bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES); 194 195 cp = &newcred->cr_priv; 196 ocp = &oldcred->cr_priv; 197 eset = CR_OEPRIV(cr); 198 199 priv_intersect(&CR_LPRIV(oldcred), &eset); 200 201 /* 202 * Verify the constraints laid out: 203 * for the limit set, we require that the new set is a subset 204 * of the old limit set. 205 * for all other sets, we require that the new set is either a 206 * subset of the old set or a subset of the intersection of 207 * the old limit set and the effective set of the acting process. 208 */ 209 for (i = 0; i < PRIV_NSET; i++) 210 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) && 211 (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset))) 212 break; 213 214 crfree(oldcred); 215 216 if (i < PRIV_NSET || !priv_valid(newcred)) 217 goto err; 218 219 /* Load the settable privilege information */ 220 if (prpriv->pr_infosize > 0) { 221 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv); 222 char *lastx = x + prpriv->pr_infosize; 223 224 while (x < lastx) { 225 priv_info_t *pi = (priv_info_t *)x; 226 priv_info_uint_t *pii; 227 228 switch (pi->priv_info_type) { 229 case PRIV_INFO_FLAGS: 230 pii = (priv_info_uint_t *)x; 231 if (pii->info.priv_info_size != sizeof (*pii)) { 232 err = EINVAL; 233 goto err; 234 } 235 CR_FLAGS(newcred) &= ~PRIV_USER; 236 CR_FLAGS(newcred) |= (pii->val & PRIV_USER); 237 break; 238 default: 239 err = EINVAL; 240 goto err; 241 } 242 /* Guarantee alignment and forward progress */ 243 if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) || 244 pi->priv_info_size < sizeof (*pi) || 245 lastx - x > pi->priv_info_size) { 246 err = EINVAL; 247 goto err; 248 } 249 250 x += pi->priv_info_size; 251 } 252 } 253 254 /* 255 * We'll try to copy the privilege aware flag; but since the 256 * privileges sets are all individually set, they are set 257 * as if we're privilege aware. If PRIV_AWARE wasn't set 258 * or was explicitely unset, we need to set the flag and then 259 * try to get rid of it. 260 */ 261 if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) { 262 CR_FLAGS(newcred) |= PRIV_AWARE; 263 priv_adjust_PA(newcred); 264 } 265 266 mutex_enter(&p->p_crlock); 267 oldcred = p->p_cred; 268 p->p_cred = newcred; 269 mutex_exit(&p->p_crlock); 270 crfree(oldcred); 271 272 mutex_enter(&p->p_lock); 273 return (0); 274 275 err: 276 crfree(newcred); 277 mutex_enter(&p->p_lock); 278 return (err); 279 } 280 281 priv_impl_info_t 282 *priv_hold_implinfo(void) 283 { 284 rw_enter(&privinfo_lock, RW_READER); 285 return (priv_info); 286 } 287 288 void 289 priv_release_implinfo(void) 290 { 291 rw_exit(&privinfo_lock); 292 } 293 294 size_t 295 priv_get_implinfo_size(void) 296 { 297 return (privinfosize); 298 } 299 300 301 /* 302 * Return the nth privilege set 303 */ 304 const priv_set_t * 305 priv_getset(const cred_t *cr, int set) 306 { 307 ASSERT(PRIV_VALIDSET(set)); 308 309 if ((CR_FLAGS(cr) & PRIV_AWARE) == 0) 310 switch (set) { 311 case PRIV_EFFECTIVE: 312 return (&CR_OEPRIV(cr)); 313 case PRIV_PERMITTED: 314 return (&CR_OPPRIV(cr)); 315 } 316 return (&CR_PRIVS(cr)->crprivs[set]); 317 } 318 319 /* 320 * Buf must be allocated by caller and contain sufficient space to 321 * contain all additional info structures using priv_info.priv_infosize. 322 * The buffer must be properly aligned. 323 */ 324 /*ARGSUSED*/ 325 void 326 priv_getinfo(const cred_t *cr, void *buf) 327 { 328 struct priv_info_uint *ii; 329 330 ii = buf; 331 ii->val = CR_FLAGS(cr); 332 ii->info.priv_info_size = (uint32_t)sizeof (*ii); 333 ii->info.priv_info_type = PRIV_INFO_FLAGS; 334 } 335 336 int 337 priv_getbyname(const char *name, uint_t flag) 338 { 339 int i; 340 int wheld = 0; 341 int len; 342 char *p; 343 344 if (flag != 0 && flag != PRIV_ALLOC) 345 return (-EINVAL); 346 347 if (strncasecmp(name, "priv_", 5) == 0) 348 name += 5; 349 350 rw_enter(&privinfo_lock, RW_READER); 351 rescan: 352 for (i = 0; i < nprivs; i++) 353 if (strcasecmp(priv_names[i], name) == 0) { 354 rw_exit(&privinfo_lock); 355 return (i); 356 } 357 358 359 if (!wheld) { 360 if (!(flag & PRIV_ALLOC)) { 361 rw_exit(&privinfo_lock); 362 return (-EINVAL); 363 } 364 365 /* check length, validity and available space */ 366 len = strlen(name) + 1; 367 368 if (len > PRIVNAME_MAX) { 369 rw_exit(&privinfo_lock); 370 return (-ENAMETOOLONG); 371 } 372 373 for (p = (char *)name; *p != '\0'; p++) { 374 char c = *p; 375 376 if (!((c >= 'A' && c <= 'Z') || 377 (c >= 'a' && c <= 'z') || 378 (c >= '0' && c <= '9') || 379 c == '_')) { 380 rw_exit(&privinfo_lock); 381 return (-EINVAL); 382 } 383 } 384 385 if (!rw_tryupgrade(&privinfo_lock)) { 386 rw_exit(&privinfo_lock); 387 rw_enter(&privinfo_lock, RW_WRITER); 388 wheld = 1; 389 /* Someone may have added our privilege */ 390 goto rescan; 391 } 392 } 393 394 if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) { 395 rw_exit(&privinfo_lock); 396 return (-ENOMEM); 397 } 398 399 priv_names[i] = p = priv_str + privbytes; 400 401 bcopy(name, p, len); 402 403 /* make the priv_names[i] and privilege name globally visible */ 404 membar_producer(); 405 406 /* adjust priv count and bytes count */ 407 priv_ninfo->cnt = priv_info->priv_max = ++nprivs; 408 privbytes += len; 409 410 rw_exit(&privinfo_lock); 411 return (i); 412 } 413 414 /* 415 * We can't afford locking the privileges here because of the locations 416 * we call this from; so we make sure that the privileges table 417 * is visible to us; it is made visible before the value of nprivs is 418 * updated. 419 */ 420 const char * 421 priv_getbynum(int priv) 422 { 423 int maxpriv = nprivs; 424 425 membar_consumer(); 426 427 if (priv >= 0 && priv < maxpriv) 428 return (priv_names[priv]); 429 430 return (NULL); 431 } 432 433 const char * 434 priv_getsetbynum(int setno) 435 { 436 if (!PRIV_VALIDSET(setno)) 437 return (NULL); 438 439 return (priv_setnames[setno]); 440 } 441 442 /* 443 * Privilege sanity checking when setting: E <= P. 444 */ 445 static boolean_t 446 priv_valid(const cred_t *cr) 447 { 448 return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr))); 449 } 450 451 /* 452 * Privilege manipulation functions 453 * 454 * Without knowing the details of the privilege set implementation, 455 * opaque pointers can be used to manipulate sets at will. 456 */ 457 void 458 priv_emptyset(priv_set_t *set) 459 { 460 bzero(set, sizeof (*set)); 461 } 462 463 void 464 priv_fillset(priv_set_t *set) 465 { 466 int i; 467 468 /* memset? */ 469 for (i = 0; i < PRIV_SETSIZE; i++) 470 set->pbits[i] = ~(priv_chunk_t)0; 471 } 472 473 void 474 priv_addset(priv_set_t *set, int priv) 475 { 476 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 477 __PRIV_ASSERT(set, priv); 478 } 479 480 void 481 priv_delset(priv_set_t *set, int priv) 482 { 483 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 484 __PRIV_CLEAR(set, priv); 485 } 486 487 boolean_t 488 priv_ismember(const priv_set_t *set, int priv) 489 { 490 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE); 491 return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE); 492 } 493 494 #define PRIV_TEST_BODY(test) \ 495 int i; \ 496 \ 497 for (i = 0; i < PRIV_SETSIZE; i++) \ 498 if (!(test)) \ 499 return (B_FALSE); \ 500 \ 501 return (B_TRUE) 502 503 boolean_t 504 priv_isequalset(const priv_set_t *a, const priv_set_t *b) 505 { 506 return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0)); 507 } 508 509 boolean_t 510 priv_isemptyset(const priv_set_t *set) 511 { 512 PRIV_TEST_BODY(set->pbits[i] == 0); 513 } 514 515 boolean_t 516 priv_isfullset(const priv_set_t *set) 517 { 518 PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0); 519 } 520 521 /* 522 * Return true if a is a subset of b 523 */ 524 boolean_t 525 priv_issubset(const priv_set_t *a, const priv_set_t *b) 526 { 527 PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]); 528 } 529 530 #define PRIV_CHANGE_BODY(a, op, b) \ 531 int i; \ 532 \ 533 for (i = 0; i < PRIV_SETSIZE; i++) \ 534 a->pbits[i] op b->pbits[i] 535 536 /* B = A ^ B */ 537 void 538 priv_intersect(const priv_set_t *a, priv_set_t *b) 539 { 540 /* CSTYLED */ 541 PRIV_CHANGE_BODY(b, &=, a); 542 } 543 544 /* B = A v B */ 545 void 546 priv_union(const priv_set_t *a, priv_set_t *b) 547 { 548 /* CSTYLED */ 549 PRIV_CHANGE_BODY(b, |=, a); 550 } 551 552 /* A = ! A */ 553 void 554 priv_inverse(priv_set_t *a) 555 { 556 PRIV_CHANGE_BODY(a, = ~, a); 557 } 558 559 /* 560 * Can the source cred act on the target credential? 561 * 562 * We will you allow to gain uids this way but not privileges. 563 */ 564 int 565 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode) 566 { 567 const priv_set_t *eset; 568 int idsmatch; 569 cred_t *tcr; 570 int res = 0; 571 572 /* prevent the cred from going away */ 573 mutex_enter(&tp->p_crlock); 574 crhold(tcr = tp->p_cred); 575 mutex_exit(&tp->p_crlock); 576 577 if (scr == tcr && !(tp->p_flag & SNOCD)) 578 goto out; 579 580 idsmatch = (scr->cr_uid == tcr->cr_uid && 581 scr->cr_uid == tcr->cr_ruid && 582 scr->cr_uid == tcr->cr_suid && 583 scr->cr_gid == tcr->cr_gid && 584 scr->cr_gid == tcr->cr_rgid && 585 scr->cr_gid == tcr->cr_sgid && 586 !(tp->p_flag & SNOCD)); 587 588 /* 589 * Source credential must have the proc_zone privilege if referencing 590 * a process in another zone. 591 */ 592 if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) { 593 res = EACCES; 594 goto out; 595 } 596 597 if (!(mode & VWRITE)) { 598 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0) 599 res = EACCES; 600 goto out; 601 } 602 603 /* 604 * For writing, the effective set of scr must dominate all sets of tcr, 605 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es 606 * The Limit set of scr must be a superset of the limitset of 607 * tcr. 608 */ 609 eset = &CR_OEPRIV(scr); 610 611 if (!priv_issubset(&CR_IPRIV(tcr), eset) || 612 !priv_issubset(&CR_OPPRIV(tcr), eset) || 613 !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) || 614 !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0) 615 res = EACCES; 616 617 out: 618 if (res == 0 && pcr != NULL) 619 *pcr = tcr; 620 else 621 crfree(tcr); 622 return (res); 623 } 624 625 /* 626 * Set the privilege aware bit, adding L to E/P if necessary. 627 * Each time we set it, we also clear PRIV_AWARE_RESET. 628 */ 629 void 630 priv_set_PA(cred_t *cr) 631 { 632 ASSERT(cr->cr_ref <= 2); 633 634 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE) 635 return; 636 637 CR_FLAGS(cr) |= PRIV_AWARE; 638 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET; 639 640 if (cr->cr_uid == 0) 641 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr)); 642 643 if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0) 644 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr)); 645 } 646 647 boolean_t 648 priv_can_clear_PA(const cred_t *cr) 649 { 650 /* 651 * We can clear PA in the following cases: 652 * 653 * None of the uids are 0. 654 * Any uid == 0 and P == L and (Euid != 0 or E == L) 655 */ 656 return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) || 657 priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) && 658 (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr)))); 659 } 660 661 /* 662 * Clear privilege aware bit if it is an idempotent operation and by 663 * clearing it the process cannot get to uid 0 and all privileges. 664 * 665 * This function should be called with caution as it may cause "E" to be 666 * lost once a processes assumes euid 0 again. 667 */ 668 void 669 priv_adjust_PA(cred_t *cr) 670 { 671 ASSERT(cr->cr_ref <= 2); 672 673 if (!(CR_FLAGS(cr) & PRIV_AWARE) || 674 !priv_can_clear_PA(cr)) { 675 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET; 676 return; 677 } 678 679 if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT) 680 return; 681 682 /* 683 * We now need to adjust P/E in those cases when uids 684 * are zero; the rules are P' = I & L, E' = I & L; 685 * but since P = L and E = L, we can use P &= I, E &= I, 686 * depending on which uids are 0. 687 */ 688 if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) { 689 if (cr->cr_uid == 0) 690 priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr)); 691 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr)); 692 } 693 694 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET); 695 } 696 697 /* 698 * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET 699 * flag. 700 */ 701 void 702 priv_reset_PA(cred_t *cr, boolean_t finalize) 703 { 704 ASSERT(cr->cr_ref <= 2); 705 706 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) != 707 (PRIV_AWARE|PRIV_AWARE_RESET)) { 708 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET; 709 return; 710 } 711 712 /* 713 * When PRIV_AWARE_RESET is enabled, any change of uids causes 714 * a change to the P and E sets. Bracketing with 715 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid) 716 * will cause the privilege sets "do the right thing.". 717 * When the change of the uid is "final", e.g., by using setuid(uid), 718 * or setreuid(uid, uid) or when the last set*uid() call causes all 719 * uids to be the same, we set P and E to I & L, like when you exec. 720 * We make an exception when all the uids are 0; this is required 721 * when we login as root as in that particular case we cannot 722 * make a distinction between seteuid(0) and seteuid(uid). 723 * We rely on seteuid/setreuid/setuid to tell us with the 724 * "finalize" argument that we no longer expect new uid changes, 725 * cf. setreuid(uid, uid) and setuid(uid). 726 */ 727 if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) { 728 if (finalize || cr->cr_uid != 0) { 729 CR_EPRIV(cr) = CR_IPRIV(cr); 730 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr)); 731 CR_PPRIV(cr) = CR_EPRIV(cr); 732 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET); 733 } else { 734 CR_EPRIV(cr) = CR_PPRIV(cr); 735 } 736 } else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) { 737 CR_EPRIV(cr) = CR_IPRIV(cr); 738 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr)); 739 } 740 } 741