From 821bd95156e8cc6d843aecb0a27d4a08761b7dac Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 28 Jun 2012 11:59:51 -0700
Subject: Replace all uses of setXX[ug]id() and setgroups with samba_setXX[ug]id() calls. Will allow thread-specific credentials to be added by modifying the central definitions. Deliberately left the setXX[ug]id() call in popt as this is not used in Samba.
---
 lib/util/setid.c | 182 +++++++++++++++++++++++++++++++++++++++++++++++++
 lib/util/setid.h | 43 ++++++++++++
 lib/util/unix_privs.c | 5 +-
 lib/util/wscript_build | 7 +-
 4 files changed, 234 insertions(+), 3 deletions(-)
 create mode 100644 lib/util/setid.c
 create mode 100644 lib/util/setid.h
(limited to 'lib/util')
diff --git a/lib/util/setid.c b/lib/util/setid.c
new file mode 100644
index 0000000000..8b2efc076f
--- /dev/null
+++ b/lib/util/setid.c
@@ -0,0 +1,182 @@
+/*
+ Unix SMB/CIFS implementation.
+ setXXid() functions for Samba.
+ Copyright (C) Jeremy Allison 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef AUTOCONF_TEST
+#include "replace.h"
+#include "system/passwd.h"
+#include "include/includes.h"
+
+#ifdef UID_WRAPPER_REPLACE
+
+#ifdef samba_seteuid
+#undef samba_seteuid
+#endif
+
+#ifdef samba_setreuid
+#undef samba_setreuid
+#endif
+
+#ifdef samba_setresuid
+#undef samba_setresuid
+#endif
+
+#ifdef samba_setegid
+#undef samba_setegid
+#endif
+
+#ifdef samba_setregid
+#undef samba_setregid
+#endif
+
+#ifdef samba_setresgid
+#undef samba_setresgid
+#endif
+
+#ifdef samba_setgroups
+#undef samba_setgroups
+#endif
+
+/* uid_wrapper will have redefined these. */
+int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid);
+int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid);
+int samba_setreuid(uid_t ruid, uid_t euid);
+int samba_setregid(gid_t rgid, gid_t egid);
+int samba_seteuid(uid_t euid);
+int samba_setegid(gid_t egid);
+int samba_setuid(uid_t uid);
+int samba_setgid(gid_t gid);
+int samba_setuidx(int flags, uid_t uid);
+int samba_setgidx(int flags, gid_t gid);
+int samba_setgroups(size_t setlen, const gid_t *gidset);
+
+#endif
+#endif
+
+#include "../lib/util/setid.h"
+
+/* All the setXX[ug]id functions and setgroups Samba uses.
*/
+int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid)
+{
+#if defined(HAVE_SETRESUID)
+ return setresuid(ruid, euid, suid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
+{
+#if defined(HAVE_SETRESGID)
+ return setresgid(rgid, egid, sgid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setreuid(uid_t ruid, uid_t euid)
+{
+#if defined(HAVE_SETREUID)
+ return setreuid(ruid, euid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setregid(gid_t rgid, gid_t egid)
+{
+#if defined(HAVE_SETREGID)
+ return setregid(rgid, egid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_seteuid(uid_t euid)
+{
+#if defined(HAVE_SETEUID)
+ return seteuid(euid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setegid(gid_t egid)
+{
+#if defined(HAVE_SETEGID)
+ return setegid(egid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setuid(uid_t uid)
+{
+#if defined(HAVE_SETUID)
+ return setuid(uid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setgid(gid_t gid)
+{
+#if defined(HAVE_SETGID)
+ return setgid(gid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setuidx(int flags, uid_t uid)
+{
+#if defined(HAVE_SETUIDX)
+ return setuidx(flags, uid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setgidx(int flags, gid_t gid)
+{
+#if defined(HAVE_SETGIDX)
+ return setgidx(flags, gid);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+int samba_setgroups(size_t setlen, const gid_t *gidset)
+{
+#if defined(HAVE_SETGROUPS)
+ return setgroups(setlen, gidset);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
diff --git a/lib/util/setid.h b/lib/util/setid.h
new file mode 100644
index 0000000000..59ae44c4d2
--- /dev/null
+++ b/lib/util/setid.h
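Review bot: Every wrapper in setid.c falls back to `errno = ENOSYS; return -1;` when its HAVE_* macro is undefined, and nothing in the file states that contract. Because these calls change process credentials, a caller that ignores the result on such a build keeps running with the identity it meant to give up. I would add a comment above samba_setresuid such as `/* Each wrapper returns -1 with errno = ENOSYS when the platform lacks the call; callers must check the result of every credential change. */`. Separately, the UID_WRAPPER_REPLACE block undefines seven macros but redeclares eleven prototypes; if uid_wrapper can also define samba_setuid, samba_setgid, samba_setuidx or samba_setgidx as macros (not visible here), those need the same `#undef` treatment.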
@@ -0,0 +1,43 @@
+/*
+ Unix SMB/CIFS implementation.
+ setXXid() functions for Samba.
+ Copyright (C) Jeremy Allison 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SETID_H
+#define _SETID_H
+
+/*
+ * NB. We don't wrap initgroups although on some systems
+ * this can call setgroups. On systems with thread-specific
+ * credentials (Linux so far) we know they have getgrouplist()
+ * which doesn't make a system call.
+ */
+
+/* All the setXX[ug]id functions and setgroups Samba uses. */
+int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid);
+int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid);
+int samba_setreuid(uid_t ruid, uid_t euid);
+int samba_setregid(gid_t rgid, gid_t egid);
+int samba_seteuid(uid_t euid);
+int samba_setegid(gid_t egid);
+int samba_setuid(uid_t uid);
+int samba_setgid(gid_t gid);
+int samba_setuidx(int flags, uid_t uid);
+int samba_setgidx(int flags, gid_t gid);
+int samba_setgroups(size_t setlen, const gid_t *gidset);
+
+#endif
diff --git a/lib/util/unix_privs.c b/lib/util/unix_privs.c
index baa54fd558..3dd244dad1 100644
--- a/lib/util/unix_privs.c
+++ b/lib/util/unix_privs.c
@@ -22,6 +22,7 @@ #include "includes.h" #include "system/passwd.h" #include "../lib/util/unix_privs.h" +#include "../lib/util/setid.h" /** * @file
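Review bot: setid.h uses uid_t, gid_t and size_t in its prototypes but includes no header that defines them, so it compiles only when the includer has already pulled in the system types. In setid.c the preceding includes sit inside `#ifndef AUTOCONF_TEST`, so with AUTOCONF_TEST defined nothing visible in that file provides the types before the header is reached. Adding `#include <sys/types.h>` right after `#define _SETID_H` would make the header self-contained. The guard name `_SETID_H` also has a form reserved for the implementation (underscore followed by an uppercase letter); a project-prefixed name avoids that.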
@@ -52,7 +53,7 @@ struct saved_state { static int privileges_destructor(struct saved_state *s) { if (geteuid() != s->uid && - seteuid(s->uid) != 0) { + samba_seteuid(s->uid) != 0) { smb_panic("Failed to restore privileges"); } return 0; @@ -71,7 +72,7 @@ void *root_privileges(void) if (!s) return NULL; s->uid = geteuid(); if (s->uid != 0) { - seteuid(0); + samba_seteuid(0); } talloc_set_destructor(s, privileges_destructor); return s; diff --git a/lib/util/wscript_build b/lib/util/wscript_build index 82943a08f2..e601ecd4ed 100755 --- a/lib/util/wscript_build +++ b/lib/util/wscript_build @@ -9,7 +9,7 @@ bld.SAMBA_LIBRARY('samba-util', util_str.c util_str_common.c substitute.c ms_fnmatch.c server_id.c dprintf.c parmlist.c bitmap.c''', deps='DYNCONFIG', - public_deps='talloc execinfo uid_wrapper pthread LIBCRYPTO charset', + public_deps='talloc execinfo uid_wrapper pthread LIBCRYPTO charset util_setid', public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h', header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ], local_include=False, @@ -62,6 +62,11 @@ bld.SAMBA_LIBRARY('tevent-util', vnum='0.0.1' ) +bld.SAMBA_LIBRARY('util_setid', + source='setid.c', + local_include=False, + private_library=True + ) bld.SAMBA_SUBSYSTEM('util_ldb', source='util_ldb.c', -- cgit
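Review bot: In the second unix_privs.c hunk, `samba_seteuid(0);` in root_privileges() discards the return value, while privileges_destructor() in the hunk above checks the same call and panics on failure. If the switch to root fails (and the new wrapper adds an ENOSYS path for it), the function still installs the destructor and returns the saved state as though privileges had been raised. I would check it, for example `if (samba_seteuid(0) != 0) { talloc_free(s); return NULL; }`, or add a comment explaining why a failure is acceptable here. root_privileges() begins before this hunk and its closing brace lies after it, so how `s` is allocated is not visible.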