summaryrefslogtreecommitdiff
path: root/uidswap.c
diff options
context:
space:
mode:
Diffstat (limited to 'uidswap.c')
-rw-r--r--uidswap.c38
1 files changed, 20 insertions, 18 deletions
diff --git a/uidswap.c b/uidswap.c
index 49f76d818..40e121503 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: uidswap.c,v 1.41 2018/07/18 11:34:04 dtucker Exp $ */ 1/* $OpenBSD: uidswap.c,v 1.42 2019/06/28 13:35:04 deraadt Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -84,12 +84,12 @@ temporarily_use_uid(struct passwd *pw)
84 temporarily_use_uid_effective = 1; 84 temporarily_use_uid_effective = 1;
85 85
86 saved_egroupslen = getgroups(0, NULL); 86 saved_egroupslen = getgroups(0, NULL);
87 if (saved_egroupslen < 0) 87 if (saved_egroupslen == -1)
88 fatal("getgroups: %.100s", strerror(errno)); 88 fatal("getgroups: %.100s", strerror(errno));
89 if (saved_egroupslen > 0) { 89 if (saved_egroupslen > 0) {
90 saved_egroups = xreallocarray(saved_egroups, 90 saved_egroups = xreallocarray(saved_egroups,
91 saved_egroupslen, sizeof(gid_t)); 91 saved_egroupslen, sizeof(gid_t));
92 if (getgroups(saved_egroupslen, saved_egroups) < 0) 92 if (getgroups(saved_egroupslen, saved_egroups) == -1)
93 fatal("getgroups: %.100s", strerror(errno)); 93 fatal("getgroups: %.100s", strerror(errno));
94 } else { /* saved_egroupslen == 0 */ 94 } else { /* saved_egroupslen == 0 */
95 free(saved_egroups); 95 free(saved_egroups);
@@ -98,17 +98,17 @@ temporarily_use_uid(struct passwd *pw)
98 98
99 /* set and save the user's groups */ 99 /* set and save the user's groups */
100 if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) { 100 if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
101 if (initgroups(pw->pw_name, pw->pw_gid) < 0) 101 if (initgroups(pw->pw_name, pw->pw_gid) == -1)
102 fatal("initgroups: %s: %.100s", pw->pw_name, 102 fatal("initgroups: %s: %.100s", pw->pw_name,
103 strerror(errno)); 103 strerror(errno));
104 104
105 user_groupslen = getgroups(0, NULL); 105 user_groupslen = getgroups(0, NULL);
106 if (user_groupslen < 0) 106 if (user_groupslen == -1)
107 fatal("getgroups: %.100s", strerror(errno)); 107 fatal("getgroups: %.100s", strerror(errno));
108 if (user_groupslen > 0) { 108 if (user_groupslen > 0) {
109 user_groups = xreallocarray(user_groups, 109 user_groups = xreallocarray(user_groups,
110 user_groupslen, sizeof(gid_t)); 110 user_groupslen, sizeof(gid_t));
111 if (getgroups(user_groupslen, user_groups) < 0) 111 if (getgroups(user_groupslen, user_groups) == -1)
112 fatal("getgroups: %.100s", strerror(errno)); 112 fatal("getgroups: %.100s", strerror(errno));
113 } else { /* user_groupslen == 0 */ 113 } else { /* user_groupslen == 0 */
114 free(user_groups); 114 free(user_groups);
@@ -117,17 +117,17 @@ temporarily_use_uid(struct passwd *pw)
117 user_groups_uid = pw->pw_uid; 117 user_groups_uid = pw->pw_uid;
118 } 118 }
119 /* Set the effective uid to the given (unprivileged) uid. */ 119 /* Set the effective uid to the given (unprivileged) uid. */
120 if (setgroups(user_groupslen, user_groups) < 0) 120 if (setgroups(user_groupslen, user_groups) == -1)
121 fatal("setgroups: %.100s", strerror(errno)); 121 fatal("setgroups: %.100s", strerror(errno));
122#ifndef SAVED_IDS_WORK_WITH_SETEUID 122#ifndef SAVED_IDS_WORK_WITH_SETEUID
123 /* Propagate the privileged gid to all of our gids. */ 123 /* Propagate the privileged gid to all of our gids. */
124 if (setgid(getegid()) < 0) 124 if (setgid(getegid()) == -1)
125 debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); 125 debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
126 /* Propagate the privileged uid to all of our uids. */ 126 /* Propagate the privileged uid to all of our uids. */
127 if (setuid(geteuid()) < 0) 127 if (setuid(geteuid()) == -1)
128 debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); 128 debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
129#endif /* SAVED_IDS_WORK_WITH_SETEUID */ 129#endif /* SAVED_IDS_WORK_WITH_SETEUID */
130 if (setegid(pw->pw_gid) < 0) 130 if (setegid(pw->pw_gid) == -1)
131 fatal("setegid %u: %.100s", (u_int)pw->pw_gid, 131 fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
132 strerror(errno)); 132 strerror(errno));
133 if (seteuid(pw->pw_uid) == -1) 133 if (seteuid(pw->pw_uid) == -1)
@@ -152,9 +152,9 @@ restore_uid(void)
152#ifdef SAVED_IDS_WORK_WITH_SETEUID 152#ifdef SAVED_IDS_WORK_WITH_SETEUID
153 debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid); 153 debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
154 /* Set the effective uid back to the saved privileged uid. */ 154 /* Set the effective uid back to the saved privileged uid. */
155 if (seteuid(saved_euid) < 0) 155 if (seteuid(saved_euid) == -1)
156 fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno)); 156 fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
157 if (setegid(saved_egid) < 0) 157 if (setegid(saved_egid) == -1)
158 fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno)); 158 fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
159#else /* SAVED_IDS_WORK_WITH_SETEUID */ 159#else /* SAVED_IDS_WORK_WITH_SETEUID */
160 /* 160 /*
@@ -162,11 +162,13 @@ restore_uid(void)
162 * Propagate the real uid (usually more privileged) to effective uid 162 * Propagate the real uid (usually more privileged) to effective uid
163 * as well. 163 * as well.
164 */ 164 */
165 setuid(getuid()); 165 if (setuid(getuid()) == -1)
166 setgid(getgid()); 166 fatal("%s: setuid failed: %s", __func__, strerror(errno));
167 if (setgid(getgid()) == -1)
168 fatal("%s: setgid failed: %s", __func__, strerror(errno));
167#endif /* SAVED_IDS_WORK_WITH_SETEUID */ 169#endif /* SAVED_IDS_WORK_WITH_SETEUID */
168 170
169 if (setgroups(saved_egroupslen, saved_egroups) < 0) 171 if (setgroups(saved_egroupslen, saved_egroups) == -1)
170 fatal("setgroups: %.100s", strerror(errno)); 172 fatal("setgroups: %.100s", strerror(errno));
171 temporarily_use_uid_effective = 0; 173 temporarily_use_uid_effective = 0;
172} 174}
@@ -190,7 +192,7 @@ permanently_set_uid(struct passwd *pw)
190 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, 192 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
191 (u_int)pw->pw_gid); 193 (u_int)pw->pw_gid);
192 194
193 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) 195 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
194 fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); 196 fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
195 197
196#ifdef __APPLE__ 198#ifdef __APPLE__
@@ -198,12 +200,12 @@ permanently_set_uid(struct passwd *pw)
198 * OS X requires initgroups after setgid to opt back into 200 * OS X requires initgroups after setgid to opt back into
199 * memberd support for >16 supplemental groups. 201 * memberd support for >16 supplemental groups.
200 */ 202 */
201 if (initgroups(pw->pw_name, pw->pw_gid) < 0) 203 if (initgroups(pw->pw_name, pw->pw_gid) == -1)
202 fatal("initgroups %.100s %u: %.100s", 204 fatal("initgroups %.100s %u: %.100s",
203 pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); 205 pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
204#endif 206#endif
205 207
206 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) 208 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
207 fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); 209 fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
208 210
209#ifndef NO_UID_RESTORATION_TEST 211#ifndef NO_UID_RESTORATION_TEST
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-11 11:32:17 +0000