diff options
author | Jeremy Allison <jra@samba.org> | 2012-06-28 11:59:51 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2012-06-28 17:15:16 -0700 |
commit | 821bd95156e8cc6d843aecb0a27d4a08761b7dac (patch) | |
tree | a35f1f0059005555bc3fe548760a9cf01e896d55 /lib | |
parent | 7630fe50bd7d0783d1f6b253cbee46cccca3f774 (diff) | |
download | samba-821bd95156e8cc6d843aecb0a27d4a08761b7dac.tar.gz samba-821bd95156e8cc6d843aecb0a27d4a08761b7dac.tar.bz2 samba-821bd95156e8cc6d843aecb0a27d4a08761b7dac.zip |
Replace all uses of setXX[ug]id() and setgroups with samba_setXX[ug]id() calls.
Will allow thread-specific credentials to be added by modifying
the central definitions. Deliberately left the setXX[ug]id()
call in popt as this is not used in Samba.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/uid_wrapper/uid_wrapper.c | 15 | ||||
-rw-r--r-- | lib/uid_wrapper/uid_wrapper.h | 42 | ||||
-rw-r--r-- | lib/uid_wrapper/wscript_build | 2 | ||||
-rw-r--r-- | lib/util/setid.c | 182 | ||||
-rw-r--r-- | lib/util/setid.h | 43 | ||||
-rw-r--r-- | lib/util/unix_privs.c | 5 | ||||
-rwxr-xr-x | lib/util/wscript_build | 7 |
7 files changed, 264 insertions, 32 deletions
diff --git a/lib/uid_wrapper/uid_wrapper.c b/lib/uid_wrapper/uid_wrapper.c index 898d1afbb9..7a85a9563a 100644 --- a/lib/uid_wrapper/uid_wrapper.c +++ b/lib/uid_wrapper/uid_wrapper.c @@ -22,6 +22,7 @@ #include "replace.h" #include "system/passwd.h" #include <talloc.h> +#include "../lib/util/setid.h" #else /* _SAMBA_BUILD_ */ @@ -72,7 +73,7 @@ _PUBLIC_ int uwrap_seteuid(uid_t euid) { uwrap_init(); if (!uwrap.enabled) { - return seteuid(euid); + return samba_seteuid(euid); } /* assume for now that the ruid stays as root */ if (euid == 0) { @@ -89,7 +90,7 @@ _PUBLIC_ int uwrap_setreuid(uid_t ruid, uid_t euid) { uwrap_init(); if (!uwrap.enabled) { - return setreuid(ruid, euid); + return samba_setreuid(ruid, euid); } /* assume for now that the ruid stays as root */ if (euid == 0) { @@ -106,7 +107,7 @@ _PUBLIC_ int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid) { uwrap_init(); if (!uwrap.enabled) { - return setresuid(ruid, euid, suid); + return samba_setresuid(ruid, euid, suid); } /* assume for now that the ruid stays as root */ if (euid == 0) { @@ -132,7 +133,7 @@ _PUBLIC_ int uwrap_setegid(gid_t egid) { uwrap_init(); if (!uwrap.enabled) { - return setegid(egid); + return samba_setegid(egid); } /* assume for now that the ruid stays as root */ if (egid == 0) { @@ -149,7 +150,7 @@ _PUBLIC_ int uwrap_setregid(gid_t rgid, gid_t egid) { uwrap_init(); if (!uwrap.enabled) { - return setregid(rgid, egid); + return samba_setregid(rgid, egid); } /* assume for now that the ruid stays as root */ if (egid == 0) { @@ -166,7 +167,7 @@ _PUBLIC_ int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid) { uwrap_init(); if (!uwrap.enabled) { - return setresgid(rgid, egid, sgid); + return samba_setresgid(rgid, egid, sgid); } /* assume for now that the ruid stays as root */ if (egid == 0) { @@ -191,7 +192,7 @@ _PUBLIC_ int uwrap_setgroups(size_t size, const gid_t *list) { uwrap_init(); if (!uwrap.enabled) { - return setgroups(size, list); + return samba_setgroups(size, list); } talloc_free(uwrap.groups); diff --git a/lib/uid_wrapper/uid_wrapper.h b/lib/uid_wrapper/uid_wrapper.h index c59749379a..21d0795d41 100644 --- a/lib/uid_wrapper/uid_wrapper.h +++ b/lib/uid_wrapper/uid_wrapper.h @@ -36,35 +36,35 @@ gid_t uwrap_getgid(void); #ifdef UID_WRAPPER_REPLACE -#ifdef seteuid -#undef seteuid +#ifdef samba_seteuid +#undef samba_seteuid #endif -#define seteuid uwrap_seteuid +#define samba_seteuid uwrap_seteuid -#ifdef setreuid -#undef setreuid +#ifdef samba_setreuid +#undef samba_setreuid #endif -#define setreuid uwrap_setreuid +#define samba_setreuid uwrap_setreuid -#ifdef setresuid -#undef setresuid +#ifdef samba_setresuid +#undef samba_setresuid #endif -#define setresuid uwrap_setresuid +#define samba_setresuid uwrap_setresuid -#ifdef setegid -#undef setegid +#ifdef samba_setegid +#undef samba_setegid #endif -#define setegid uwrap_setegid +#define samba_setegid uwrap_setegid -#ifdef setregid -#undef setregid +#ifdef samba_setregid +#undef samba_setregid #endif -#define setregid uwrap_setregid +#define samba_setregid uwrap_setregid -#ifdef setresgid -#undef setresgid +#ifdef samba_setresgid +#undef samba_setresgid #endif -#define setresgid uwrap_setresgid +#define samba_setresgid uwrap_setresgid #ifdef geteuid #undef geteuid @@ -76,10 +76,10 @@ gid_t uwrap_getgid(void); #endif #define getegid uwrap_getegid -#ifdef setgroups -#undef setgroups +#ifdef samba_setgroups +#undef samba_setgroups #endif -#define setgroups uwrap_setgroups +#define samba_setgroups uwrap_setgroups #ifdef getgroups #undef getgroups diff --git a/lib/uid_wrapper/wscript_build b/lib/uid_wrapper/wscript_build index 54e5b80f43..76d4b17fce 100644 --- a/lib/uid_wrapper/wscript_build +++ b/lib/uid_wrapper/wscript_build @@ -3,7 +3,7 @@ bld.SAMBA_LIBRARY('uid_wrapper', source='uid_wrapper.c', - deps='talloc', + deps='talloc util_setid', private_library=True, enabled=bld.CONFIG_SET("UID_WRAPPER"), ) diff --git a/lib/util/setid.c b/lib/util/setid.c new file mode 100644 index 0000000000..8b2efc076f --- /dev/null +++ b/lib/util/setid.c @@ -0,0 +1,182 @@ +/* + Unix SMB/CIFS implementation. + setXXid() functions for Samba. + Copyright (C) Jeremy Allison 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef AUTOCONF_TEST +#include "replace.h" +#include "system/passwd.h" +#include "include/includes.h" + +#ifdef UID_WRAPPER_REPLACE + +#ifdef samba_seteuid +#undef samba_seteuid +#endif + +#ifdef samba_setreuid +#undef samba_setreuid +#endif + +#ifdef samba_setresuid +#undef samba_setresuid +#endif + +#ifdef samba_setegid +#undef samba_setegid +#endif + +#ifdef samba_setregid +#undef samba_setregid +#endif + +#ifdef samba_setresgid +#undef samba_setresgid +#endif + +#ifdef samba_setgroups +#undef samba_setgroups +#endif + +/* uid_wrapper will have redefined these. */ +int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid); +int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid); +int samba_setreuid(uid_t ruid, uid_t euid); +int samba_setregid(gid_t rgid, gid_t egid); +int samba_seteuid(uid_t euid); +int samba_setegid(gid_t egid); +int samba_setuid(uid_t uid); +int samba_setgid(gid_t gid); +int samba_setuidx(int flags, uid_t uid); +int samba_setgidx(int flags, gid_t gid); +int samba_setgroups(size_t setlen, const gid_t *gidset); + +#endif +#endif + +#include "../lib/util/setid.h" + +/* All the setXX[ug]id functions and setgroups Samba uses. */ +int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid) +{ +#if defined(HAVE_SETRESUID) + return setresuid(ruid, euid, suid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid) +{ +#if defined(HAVE_SETRESGID) + return setresgid(rgid, egid, sgid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setreuid(uid_t ruid, uid_t euid) +{ +#if defined(HAVE_SETREUID) + return setreuid(ruid, euid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setregid(gid_t rgid, gid_t egid) +{ +#if defined(HAVE_SETREGID) + return setregid(rgid, egid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_seteuid(uid_t euid) +{ +#if defined(HAVE_SETEUID) + return seteuid(euid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setegid(gid_t egid) +{ +#if defined(HAVE_SETEGID) + return setegid(egid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setuid(uid_t uid) +{ +#if defined(HAVE_SETUID) + return setuid(uid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setgid(gid_t gid) +{ +#if defined(HAVE_SETGID) + return setgid(gid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setuidx(int flags, uid_t uid) +{ +#if defined(HAVE_SETUIDX) + return setuidx(flags, uid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setgidx(int flags, gid_t gid) +{ +#if defined(HAVE_SETGIDX) + return setgidx(flags, gid); +#else + errno = ENOSYS; + return -1; +#endif +} + +int samba_setgroups(size_t setlen, const gid_t *gidset) +{ +#if defined(HAVE_SETGROUPS) + return setgroups(setlen, gidset); +#else + errno = ENOSYS; + return -1; +#endif +} diff --git a/lib/util/setid.h b/lib/util/setid.h new file mode 100644 index 0000000000..59ae44c4d2 --- /dev/null +++ b/lib/util/setid.h @@ -0,0 +1,43 @@ +/* + Unix SMB/CIFS implementation. + setXXid() functions for Samba. + Copyright (C) Jeremy Allison 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _SETID_H +#define _SETID_H + +/* + * NB. We don't wrap initgroups although on some systems + * this can call setgroups. On systems with thread-specific + * credentials (Linux so far) we know they have getgrouplist() + * which doesn't make a system call. + */ + +/* All the setXX[ug]id functions and setgroups Samba uses. */ +int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid); +int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid); +int samba_setreuid(uid_t ruid, uid_t euid); +int samba_setregid(gid_t rgid, gid_t egid); +int samba_seteuid(uid_t euid); +int samba_setegid(gid_t egid); +int samba_setuid(uid_t uid); +int samba_setgid(gid_t gid); +int samba_setuidx(int flags, uid_t uid); +int samba_setgidx(int flags, gid_t gid); +int samba_setgroups(size_t setlen, const gid_t *gidset); + +#endif diff --git a/lib/util/unix_privs.c b/lib/util/unix_privs.c index baa54fd558..3dd244dad1 100644 --- a/lib/util/unix_privs.c +++ b/lib/util/unix_privs.c @@ -22,6 +22,7 @@ #include "includes.h" #include "system/passwd.h" #include "../lib/util/unix_privs.h" +#include "../lib/util/setid.h" /** * @file @@ -52,7 +53,7 @@ struct saved_state { static int privileges_destructor(struct saved_state *s) { if (geteuid() != s->uid && - seteuid(s->uid) != 0) { + samba_seteuid(s->uid) != 0) { smb_panic("Failed to restore privileges"); } return 0; @@ -71,7 +72,7 @@ void *root_privileges(void) if (!s) return NULL; s->uid = geteuid(); if (s->uid != 0) { - seteuid(0); + samba_seteuid(0); } talloc_set_destructor(s, privileges_destructor); return s; diff --git a/lib/util/wscript_build b/lib/util/wscript_build index 82943a08f2..e601ecd4ed 100755 --- a/lib/util/wscript_build +++ b/lib/util/wscript_build @@ -9,7 +9,7 @@ bld.SAMBA_LIBRARY('samba-util', util_str.c util_str_common.c substitute.c ms_fnmatch.c server_id.c dprintf.c parmlist.c bitmap.c''', deps='DYNCONFIG', - public_deps='talloc execinfo uid_wrapper pthread LIBCRYPTO charset', + public_deps='talloc execinfo uid_wrapper pthread LIBCRYPTO charset util_setid', public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h', header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ], local_include=False, @@ -62,6 +62,11 @@ bld.SAMBA_LIBRARY('tevent-util', vnum='0.0.1' ) +bld.SAMBA_LIBRARY('util_setid', + source='setid.c', + local_include=False, + private_library=True + ) bld.SAMBA_SUBSYSTEM('util_ldb', source='util_ldb.c', |