summaryrefslogtreecommitdiff
path: root/uidswap.c
diff options
context:
space:
mode:
Diffstat (limited to 'uidswap.c')
-rw-r--r--uidswap.c52
1 files changed, 49 insertions, 3 deletions
diff --git a/uidswap.c b/uidswap.c
index aab7064eb..91d878c30 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -1,3 +1,4 @@
1/* $OpenBSD: uidswap.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */
1/* 2/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,7 +13,15 @@
12 */ 13 */
13 14
14#include "includes.h" 15#include "includes.h"
15RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $"); 16
17#include <sys/param.h>
18#include <errno.h>
19#include <pwd.h>
20#include <string.h>
21#include <unistd.h>
22#include <stdarg.h>
23
24#include <grp.h>
16 25
17#include "log.h" 26#include "log.h"
18#include "uidswap.h" 27#include "uidswap.h"
@@ -77,7 +86,7 @@ temporarily_use_uid(struct passwd *pw)
77 fatal("getgroups: %.100s", strerror(errno)); 86 fatal("getgroups: %.100s", strerror(errno));
78 if (saved_egroupslen > 0) { 87 if (saved_egroupslen > 0) {
79 saved_egroups = xrealloc(saved_egroups, 88 saved_egroups = xrealloc(saved_egroups,
80 saved_egroupslen * sizeof(gid_t)); 89 saved_egroupslen, sizeof(gid_t));
81 if (getgroups(saved_egroupslen, saved_egroups) < 0) 90 if (getgroups(saved_egroupslen, saved_egroups) < 0)
82 fatal("getgroups: %.100s", strerror(errno)); 91 fatal("getgroups: %.100s", strerror(errno));
83 } else { /* saved_egroupslen == 0 */ 92 } else { /* saved_egroupslen == 0 */
@@ -96,7 +105,7 @@ temporarily_use_uid(struct passwd *pw)
96 fatal("getgroups: %.100s", strerror(errno)); 105 fatal("getgroups: %.100s", strerror(errno));
97 if (user_groupslen > 0) { 106 if (user_groupslen > 0) {
98 user_groups = xrealloc(user_groups, 107 user_groups = xrealloc(user_groups,
99 user_groupslen * sizeof(gid_t)); 108 user_groupslen, sizeof(gid_t));
100 if (getgroups(user_groupslen, user_groups) < 0) 109 if (getgroups(user_groupslen, user_groups) < 0)
101 fatal("getgroups: %.100s", strerror(errno)); 110 fatal("getgroups: %.100s", strerror(errno));
102 } else { /* user_groupslen == 0 */ 111 } else { /* user_groupslen == 0 */
@@ -123,6 +132,41 @@ temporarily_use_uid(struct passwd *pw)
123 strerror(errno)); 132 strerror(errno));
124} 133}
125 134
135void
136permanently_drop_suid(uid_t uid)
137{
138 uid_t old_uid = getuid();
139
140 debug("permanently_drop_suid: %u", (u_int)uid);
141#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
142 if (setresuid(uid, uid, uid) < 0)
143 fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
144#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
145 if (setreuid(uid, uid) < 0)
146 fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
147#else
148# ifndef SETEUID_BREAKS_SETUID
149 if (seteuid(uid) < 0)
150 fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
151# endif
152 if (setuid(uid) < 0)
153 fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
154#endif
155
156#ifndef HAVE_CYGWIN
157 /* Try restoration of UID if changed (test clearing of saved uid) */
158 if (old_uid != uid &&
159 (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
160 fatal("%s: was able to restore old [e]uid", __func__);
161#endif
162
163 /* Verify UID drop was successful */
164 if (getuid() != uid || geteuid() != uid) {
165 fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
166 __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid);
167 }
168}
169
126/* 170/*
127 * Restores to the original (privileged) uid. 171 * Restores to the original (privileged) uid.
128 */ 172 */
@@ -169,6 +213,8 @@ permanently_set_uid(struct passwd *pw)
169 uid_t old_uid = getuid(); 213 uid_t old_uid = getuid();
170 gid_t old_gid = getgid(); 214 gid_t old_gid = getgid();
171 215
216 if (pw == NULL)
217 fatal("permanently_set_uid: no user given");
172 if (temporarily_use_uid_effective) 218 if (temporarily_use_uid_effective)
173 fatal("permanently_set_uid: temporarily_use_uid effective"); 219 fatal("permanently_set_uid: temporarily_use_uid effective");
174 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, 220 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,