xref: /titanic_41/usr/src/cmd/ssh/libssh/common/uidswap.c (revision 70025d765b044c6d8594bb965a2247a61e991a99)
1 /*
2  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 /*
6  * Author: Tatu Ylonen <ylo@cs.hut.fi>
7  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8  *                    All rights reserved
9  * Code for uid-swapping.
10  *
11  * As far as I am concerned, the code I have written for this software
12  * can be used freely for any purpose.  Any derived versions of this
13  * software must be clearly marked as such, and if the derived work is
14  * incompatible with the protocol description in the RFC file, it must be
15  * called by a name other than "ssh" or "Secure Shell".
16  */
17 
18 #include "includes.h"
19 RCSID("$OpenBSD: uidswap.c,v 1.23 2002/07/15 17:15:31 stevesk Exp $");
20 
21 #pragma ident	"%Z%%M%	%I%	%E% SMI"
22 
23 #include "log.h"
24 #include "uidswap.h"
25 
26 /*
27  * Note: all these functions must work in all of the following cases:
28  *    1. euid=0, ruid=0
29  *    2. euid=0, ruid!=0
30  *    3. euid!=0, ruid!=0
31  * Additionally, they must work regardless of whether the system has
32  * POSIX saved uids or not.
33  */
34 
35 #if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)
36 /* Lets assume that posix saved ids also work with seteuid, even though that
37    is not part of the posix specification. */
38 #define SAVED_IDS_WORK
39 /* Saved effective uid. */
40 static uid_t 	saved_euid = 0;
41 static gid_t	saved_egid = 0;
42 #endif
43 
44 /* Saved effective uid. */
45 static int	privileged = 0;
46 static int	temporarily_use_uid_effective = 0;
47 static gid_t	saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
48 static int	saved_egroupslen = -1, user_groupslen = -1;
49 
50 /*
51  * Temporarily changes to the given uid.  If the effective user
52  * id is not root, this does nothing.  This call cannot be nested.
53  */
54 void
55 temporarily_use_uid(struct passwd *pw)
56 {
57 	/* Save the current euid, and egroups. */
58 #ifdef SAVED_IDS_WORK
59 	saved_euid = geteuid();
60 	saved_egid = getegid();
61 	debug("temporarily_use_uid: %u/%u (e=%u/%u)",
62 	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
63 	    (u_int)saved_euid, (u_int)saved_egid);
64 	if (saved_euid != 0) {
65 		privileged = 0;
66 		return;
67 	}
68 #else
69 	if (geteuid() != 0) {
70 		privileged = 0;
71 		return;
72 	}
73 #endif /* SAVED_IDS_WORK */
74 
75 	privileged = 1;
76 	temporarily_use_uid_effective = 1;
77 	saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
78 	if (saved_egroupslen < 0)
79 		fatal("getgroups: %.100s", strerror(errno));
80 
81 	/* set and save the user's groups */
82 	if (user_groupslen == -1) {
83 		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
84 			fatal("initgroups: %s: %.100s", pw->pw_name,
85 			    strerror(errno));
86 		user_groupslen = getgroups(NGROUPS_MAX, user_groups);
87 		if (user_groupslen < 0)
88 			fatal("getgroups: %.100s", strerror(errno));
89 	}
90 	/* Set the effective uid to the given (unprivileged) uid. */
91 	if (setgroups(user_groupslen, user_groups) < 0)
92 		fatal("setgroups: %.100s", strerror(errno));
93 #ifdef SAVED_IDS_WORK
94 	/* Set saved gid and set real gid */
95 	if (setregid(pw->pw_gid, -1) == -1)
96 		debug("setregid(%u, -1): %.100s", (uint_t)pw->pw_gid, strerror(errno));
97 	/* Set saved uid and set real uid */
98 	if (setreuid(pw->pw_uid, -1) == -1)
99 		debug("setreuid(%u, -1): %.100s", (uint_t)pw->pw_uid, strerror(errno));
100 #else
101 	/* Propagate the privileged gid to all of our gids. */
102 	if (setgid(getegid()) < 0)
103 		debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
104 	/* Propagate the privileged uid to all of our uids. */
105 	if (setuid(geteuid()) < 0)
106 		debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
107 #endif /* SAVED_IDS_WORK */
108 	/* Set effective gid */
109 	if (setegid(pw->pw_gid) == -1)
110 		fatal("setegid %u: %.100s", (u_int)pw->pw_uid,
111 		    strerror(errno));
112 	/* Set effective uid */
113 	if (seteuid(pw->pw_uid) == -1)
114 		fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
115 		    strerror(errno));
116 	/*
117 	 * If saved set ids work then
118 	 *
119 	 *	ruid == euid == pw->pw_uid
120 	 *	saved uid = previous euid
121 	 *	rgid == egid == pw->pw_gid
122 	 *	saved gid = previous egid
123 	 */
124 }
125 
126 /*
127  * Restores to the original (privileged) uid.
128  */
129 void
130 restore_uid(void)
131 {
132 	/* it's a no-op unless privileged */
133 	if (!privileged) {
134 		debug("restore_uid: (unprivileged)");
135 		return;
136 	}
137 	if (!temporarily_use_uid_effective)
138 		fatal("restore_uid: temporarily_use_uid not effective");
139 
140 #ifdef SAVED_IDS_WORK
141 	debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
142 	/* Set the effective uid back to the saved privileged uid. */
143 	if (seteuid(saved_euid) < 0)
144 		fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
145 	if (setuid(saved_euid) < 0)
146 		fatal("setuid %u: %.100s", (u_int)saved_euid, strerror(errno));
147 	if (setegid(saved_egid) < 0)
148 		fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
149 	if (setgid(saved_egid) < 0)
150 		fatal("setgid %u: %.100s", (u_int)saved_egid, strerror(errno));
151 #else /* SAVED_IDS_WORK */
152 	/*
153 	 * We are unable to restore the real uid to its unprivileged value.
154 	 * Propagate the real uid (usually more privileged) to effective uid
155 	 * as well.
156 	 */
157 	setuid(getuid());
158 	setgid(getgid());
159 #endif /* SAVED_IDS_WORK */
160 
161 	if (setgroups(saved_egroupslen, saved_egroups) < 0)
162 		fatal("setgroups: %.100s", strerror(errno));
163 	temporarily_use_uid_effective = 0;
164 }
165 
166 /*
167  * Permanently sets all uids to the given uid.  This cannot be
168  * called while temporarily_use_uid is effective.
169  */
170 void
171 permanently_set_uid(struct passwd *pw)
172 {
173 	if (temporarily_use_uid_effective)
174 		fatal("permanently_set_uid: temporarily_use_uid effective");
175 	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
176 	    (u_int)pw->pw_gid);
177 	if (initgroups(pw->pw_name, pw->pw_gid) < 0)
178 		fatal("initgroups: %s: %.100s", pw->pw_name,
179 		    strerror(errno));
180 	if (setgid(pw->pw_gid) < 0)
181 		fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
182 	if (setuid(pw->pw_uid) < 0)
183 		fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
184 }
185