From 173f7e66dc84c28b46abf1ce44bfe3a641a87136 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 17 Dec 1999 01:39:47 +0000
Subject: util_sec.c from 2.0.6
(This used to be commit 955d187139365d16f3fca1abd3853ca4e49f244c)
---
source3/lib/util_sec.c | 326 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 326 insertions(+)
create mode 100644 source3/lib/util_sec.c
(limited to 'source3/lib/util_sec.c')
diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c
new file mode 100644
index 0000000000..4a2ac2565e
--- /dev/null
+++ b/source3/lib/util_sec.c
@@ -0,0 +1,326 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 2.0
+ Copyright (C) Jeremy Allison 1998.
+ rewritten for version 2.0.6 by Tridge
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef AUTOCONF_TEST
+#include "includes.h"
+extern int DEBUGLEVEL;
+#else
+/* we are running this code in autoconf test mode to see which type of setuid
+ function works */
+#if defined(HAVE_UNISTD_H)
+#include
+#endif
+#include
+#include
+
+#ifdef HAVE_SYS_PRIV_H
+#include
+#endif
+#ifdef HAVE_SYS_ID_H
+#include
+#endif
+
+#define DEBUG(x, y) printf y
+#define smb_panic(x) exit(1)
+#endif
+
+/****************************************************************************
+abort if we haven't set the uid correctly
+****************************************************************************/
+static void assert_uid(uid_t ruid, uid_t euid)
+{
+ if ((euid != (uid_t)-1 && geteuid() != euid) ||
+ (ruid != (uid_t)-1 && getuid() != ruid)) {
+ DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
+ (int)ruid, (int)euid,
+ (int)getuid(), (int)geteuid()));
+ smb_panic("failed to set uid\n");
+ exit(1);
+ }
+}
+
+/****************************************************************************
+abort if we haven't set the gid correctly
+****************************************************************************/
+static void assert_gid(gid_t rgid, gid_t egid)
+{
+ if ((egid != (gid_t)-1 && getegid() != egid) ||
+ (rgid != (gid_t)-1 && getgid() != rgid)) {
+ DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
+ (int)rgid, (int)egid,
+ (int)getgid(), (int)getegid(),
+ (int)getuid(), (int)geteuid()));
+ smb_panic("failed to set gid\n");
+ exit(1);
+ }
+}
+
+/****************************************************************************
+ Gain root privilege before doing something.
+ We want to end up with ruid==euid==0
+****************************************************************************/
+void gain_root_privilege(void)
+{
+#if USE_SETRESUID
+ setresuid(0,0,0);
+#endif
+
+#if USE_SETEUID
+ seteuid(0);
+#endif
+
+#if USE_SETREUID
+ setreuid(0, 0);
+#endif
+
+#if USE_SETUIDX
+ setuidx(ID_EFFECTIVE, 0);
+ setuidx(ID_REAL, 0);
+#endif
+
+ /* this is needed on some systems */
+ setuid(0);
+
+ assert_uid(0, 0);
+}
+
+
+/****************************************************************************
+ Ensure our real and effective groups are zero.
+ we want to end up with rgid==egid==0
+****************************************************************************/
+void gain_root_group_privilege(void)
+{
+#if USE_SETRESUID
+ setresgid(0,0,0);
+#endif
+
+#if USE_SETREUID
+ setregid(0,0);
+#endif
+
+#if USE_SETEUID
+ setegid(0);
+#endif
+
+#if USE_SETUIDX
+ setgidx(ID_EFFECTIVE, 0);
+ setgidx(ID_REAL, 0);
+#endif
+
+ setgid(0);
+
+ assert_gid(0, 0);
+}
+
+
+/****************************************************************************
+ Set *only* the effective uid.
+ we want to end up with ruid==0 and euid==uid
+****************************************************************************/
+void set_effective_uid(uid_t uid)
+{
+#if USE_SETRESUID
+ setresuid(-1,uid,-1);
+#endif
+
+#if USE_SETREUID
+ setreuid(-1,uid);
+#endif
+
+#if USE_SETEUID
+ seteuid(uid);
+#endif
+
+#if USE_SETUIDX
+ setuidx(ID_EFFECTIVE, uid);
+#endif
+
+ assert_uid(-1, uid);
+}
+
+/****************************************************************************
+ Set *only* the effective gid.
+ we want to end up with rgid==0 and egid==gid
+****************************************************************************/
+void set_effective_gid(gid_t gid)
+{
+#if USE_SETRESUID
+ setresgid(-1,gid,-1);
+#endif
+
+#if USE_SETREUID
+ setregid(-1,gid);
+#endif
+
+#if USE_SETEUID
+ setegid(gid);
+#endif
+
+#if USE_SETUIDX
+ setgidx(ID_EFFECTIVE, gid);
+#endif
+
+ assert_gid(-1, gid);
+}
+
+static uid_t saved_euid, saved_ruid;
+
+/****************************************************************************
+ save the real and effective uid for later restoration. Used by the quotas
+ code
+****************************************************************************/
+void save_re_uid(void)
+{
+ saved_ruid = getuid();
+ saved_euid = geteuid();
+}
+
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+void restore_re_uid(void)
+{
+ set_effective_uid(0);
+ set_effective_uid(saved_euid);
+ if (getuid() != saved_ruid) setuid(saved_ruid);
+ set_effective_uid(saved_euid);
+
+ assert_uid(saved_ruid, saved_euid);
+}
+
+/****************************************************************************
+ set the real AND effective uid to the current effective uid in a way that
+ allows root to be regained.
+ This is only possible on some platforms.
+****************************************************************************/
+int set_re_uid(void)
+{
+ uid_t uid = geteuid();
+
+#if USE_SETRESUID
+ setresuid(geteuid(), -1, -1);
+#endif
+
+#if USE_SETREUID
+ setreuid(0, 0);
+ setreuid(uid, -1);
+ setreuid(-1, uid);
+#endif
+
+#if USE_SETEUID
+ /* can't be done */
+ return -1;
+#endif
+
+#if USE_SETUIDX
+ /* can't be done */
+ return -1;
+#endif
+
+ assert_uid(uid, uid);
+ return 0;
+}
+
+
+/****************************************************************************
+ Become the specified uid and gid - permanently !
+ there should be no way back if possible
+****************************************************************************/
+void become_user_permanently(uid_t uid, gid_t gid)
+{
+ /*
+ * First - gain root privilege. We do this to ensure
+ * we can lose it again.
+ */
+
+ gain_root_privilege();
+ gain_root_group_privilege();
+
+#if USE_SETRESUID
+ setresgid(gid,gid,gid);
+ setgid(gid);
+ setresuid(uid,uid,uid);
+ setuid(uid);
+#endif
+
+#if USE_SETREUID
+ setregid(gid,gid);
+ setgid(gid);
+ setreuid(uid,uid);
+ setuid(uid);
+#endif
+
+#if USE_SETEUID
+ setegid(gid);
+ setgid(gid);
+ setuid(uid);
+ seteuid(uid);
+ setuid(uid);
+#endif
+
+#if USE_SETUIDX
+ setgidx(ID_REAL, gid);
+ setgidx(ID_EFFECTIVE, gid);
+ setgid(gid);
+ setuidx(ID_REAL, uid);
+ setuidx(ID_EFFECTIVE, uid);
+ setuid(uid);
+#endif
+
+ assert_uid(uid, uid);
+ assert_gid(gid, gid);
+}
+
+#ifdef AUTOCONF_TEST
+main()
+{
+ if (getuid() != 0) {
+#if (defined(AIX) && defined(USE_SETREUID))
+ /* setreuid is badly broken on AIX 4.1, we avoid it completely */
+ fprintf(stderr,"avoiding possibly broken setreuid\n");
+ exit(1);
+#endif
+
+ /* assume that if we have the functions then they work */
+ fprintf(stderr,"not running as root: assuming OK\n");
+ exit(0);
+ }
+
+ gain_root_privilege();
+ gain_root_group_privilege();
+ set_effective_gid(1);
+ set_effective_uid(1);
+ gain_root_privilege();
+ gain_root_group_privilege();
+
become_user_permanently(1, 1); + setuid(0); + if (getuid() == 0) { + fprintf(stderr,"uid not set permanently\n"); + exit(1); + } + + printf("OK\n"); + + exit(0); +} +#endif -- cgit From 27ce49e3e62a6c5134c1e5c35483f2f245f0e1b1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Feb 2000 11:32:43 +0000 Subject: Moved over lib/util_sec (with added fixes) as the HEAD source seems to have drifted a little. Jeremy. (This used to be commit ebcdb4afee04cc3b94e60b1de86c2b534d4e233e) --- source3/lib/util_sec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 4 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 4a2ac2565e..4306a94191 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -30,6 +30,8 @@ extern int DEBUGLEVEL; #endif #include #include +#include +#include #ifdef HAVE_SYS_PRIV_H #include @@ -201,9 +203,21 @@ void save_re_uid(void) void restore_re_uid(void) { set_effective_uid(0); + +#if USE_SETRESUID + setresuid(saved_ruid, saved_euid, -1); +#elif USE_SETREUID + setreuid(saved_ruid, -1); + setreuid(-1,saved_euid); +#elif USE_SETUIDX + setuidx(ID_REAL, saved_ruid); + setuidx(ID_EFFECTIVE, saved_euid); +#else set_effective_uid(saved_euid); - if (getuid() != saved_ruid) setuid(saved_ruid); + if (getuid() != saved_ruid) + setuid(saved_ruid); set_effective_uid(saved_euid); +#endif assert_uid(saved_ruid, saved_euid); } 
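Review bot: In become_user_permanently() of the newly added util_sec.c, the closing `assert_uid(uid, uid)` and `assert_gid(gid, gid)` compare only the real and effective ids, so a saved set-user-ID that a platform leaves at 0 would go unnoticed even though the header comment promises there is no way back. The AUTOCONF_TEST main() already performs the stronger probe by calling `setuid(0)` afterwards; the function itself could do the same for non-zero targets, e.g. `if (uid != 0 && setuid(0) == 0) smb_panic("uid not set permanently\n");`. Every set*id() return value in the file is discarded, which is tolerable only because each path ends in one of the asserts. Supplementary groups are not touched here; presumably the caller clears them, and the comment should say so.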
@@ -291,6 +305,35 @@ void become_user_permanently(uid_t uid, gid_t gid) assert_gid(gid, gid); } + +/**************************************************************************** +this function just checks that we don't get ENOSYS back +****************************************************************************/ +static int have_syscall(void) +{ + errno = 0; + +#if USE_SETRESUID + setresuid(-1,-1,-1); +#endif + +#if USE_SETREUID + setreuid(-1,-1); +#endif + +#if USE_SETEUID + seteuid(-1); +#endif + +#if USE_SETUIDX + setuidx(ID_EFFECTIVE, -1); +#endif + + if (errno == ENOSYS) return -1; + + return 0; +} + #ifdef AUTOCONF_TEST main() { @@ -301,15 +344,18 @@ main() exit(1); #endif - /* assume that if we have the functions then they work */ - fprintf(stderr,"not running as root: assuming OK\n"); - exit(0); + /* if not running as root then at least check to see if we get ENOSYS - this + handles Linux 2.0.x with glibc 2.1 */ + fprintf(stderr,"not running as root: checking for ENOSYS\n"); + exit(have_syscall()); } gain_root_privilege(); gain_root_group_privilege(); set_effective_gid(1); set_effective_uid(1); + save_re_uid(); + restore_re_uid(); gain_root_privilege(); gain_root_group_privilege(); become_user_permanently(1, 1); -- cgit From 4cf7fcc505ea80d6096dcc7a7bb7d85f92432c11 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 6 Dec 2000 02:52:54 +0000 Subject: Fixed compiler warning. (This used to be commit 6553f1d02792d81987dda51af76b4fc06d73a787) --- source3/lib/util_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 4306a94191..068be684f3 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -305,6 +305,7 @@ void become_user_permanently(uid_t uid, gid_t gid) assert_gid(gid, gid); } +#ifdef AUTOCONF_TEST /**************************************************************************** this function just checks that we don't get ENOSYS back 
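Review bot: The non-root branch of main() now exits with `have_syscall()`, which only shows that the call does not return ENOSYS; the drop-and-regain sequence and the `setuid(0)` permanence check further down never run in that case (main() starts and ends outside this hunk). A configure run as an ordinary user therefore selects a USE_* method whose privilege-dropping behaviour has not been exercised. A comment at the `exit(have_syscall());` line would make that explicit, for example `/* non-root: existence check only, the permanence test below is skipped */`. have_syscall() also reads errno without looking at the return values, which is acceptable here only because errno is cleared first.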
@@ -334,7 +335,6 @@ static int have_syscall(void) return 0; } -#ifdef AUTOCONF_TEST main() { if (getuid() != 0) { -- cgit From 868d010aa1b614109b54928e46eb626a1d320a2d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 22 Jun 2001 15:14:45 +0000 Subject: added the ability to test smbd safely as an ordinary user. The way it works is that libsmb/ creates a local tcp socket then launches smbd as a subprocess attached to that socket. smbd thinks it is being launched from inetd. to use it do the following: - compile with -DSMB_REGRESSION_TEST - run like this (also works with smbtorture etc) export SMBD_TEST=1 export LIBSMB_PROG=bin/smbd smbclient //server/share -Uuser%pass obviously you need to setup a smb.conf etc. Using --prefix to configure is useful. The aim of all this stuff is to add a decent set of regression tests to the build farm, so we know if smbd actually runs correctly on all the platforms, not just builds. We can run smbtorture, masktest, locktest etc, plus a bunch of smbclient scripts and any new tests we write. This doesn't help much with nmbd (at least not yet) but its a good start. (This used to be commit 7e8e6ae9a88c4d2587eb4e7f0501cd71bd36ebb2) --- source3/lib/util_sec.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 068be684f3..164e6ab506 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -51,11 +51,13 @@ static void assert_uid(uid_t ruid, uid_t euid) { if ((euid != (uid_t)-1 && geteuid() != euid) || (ruid != (uid_t)-1 && getuid() != ruid)) { +#ifndef SMB_REGRESSION_TEST DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n", (int)ruid, (int)euid, (int)getuid(), (int)geteuid())); smb_panic("failed to set uid\n"); exit(1); +#endif } } 
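Review bot: With SMB_REGRESSION_TEST defined, the mismatch branch of assert_uid() (and of assert_gid() in the next hunk) compiles to nothing, so a failed uid or gid switch is neither logged nor fatal and the caller continues under whatever identity it already had. These two functions are the only check behind every set*id() call in the file, so the macro makes the whole file fail open. Keeping the `DEBUG(0, ...)` line outside the `#ifndef` and guarding only `smb_panic()` and `exit(1)` would at least leave a trace. A comment should also state that the macro must never be set for an installed smbd.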
@@ -66,12 +68,14 @@ static void assert_gid(gid_t rgid, gid_t egid) { if ((egid != (gid_t)-1 && getegid() != egid) || (rgid != (gid_t)-1 && getgid() != rgid)) { +#ifndef SMB_REGRESSION_TEST DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n", (int)rgid, (int)egid, (int)getgid(), (int)getegid(), (int)getuid(), (int)geteuid())); smb_panic("failed to set gid\n"); exit(1); +#endif } } -- cgit From 8b79a473faf2ff25acb220500158920490c71576 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 25 Jun 2001 00:46:34 +0000 Subject: - make the regresison test mode code build in by default. This should allow us to have test targets without special configure options - fixed make proto so that it actually does something (This used to be commit 55109a752578e9389d853cb27ec17c2114ecff77) --- source3/lib/util_sec.c | 55 ++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 15 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 164e6ab506..c62df82396 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c 
@@ -44,6 +44,31 @@ extern int DEBUGLEVEL; #define smb_panic(x) exit(1) #endif +/* are we running as non-root? This is used by the regresison test code, + and potentially also for sites that want non-root smbd */ +static uid_t initial_uid; + +/**************************************************************************** +remember what uid we got started as - this allows us to run correctly +as non-root while catching trapdoor systems +****************************************************************************/ +void sec_init(void) +{ + initial_uid = geteuid(); + if (initial_uid != (uid_t)0) { + /* the DEBUG() subsystem has not been initialised when this is called */ + fprintf(stderr, "WARNING: running as non-root. Some functionality will be missing\n"); + } +} + +/**************************************************************************** +are we running in non-root mode? +****************************************************************************/ +BOOL non_root_mode(void) +{ + return (initial_uid != (uid_t)0); +} + /**************************************************************************** abort if we haven't set the uid correctly ****************************************************************************/ @@ -51,13 +76,13 @@ static void assert_uid(uid_t ruid, uid_t euid) { if ((euid != (uid_t)-1 && geteuid() != euid) || (ruid != (uid_t)-1 && getuid() != ruid)) { -#ifndef SMB_REGRESSION_TEST - DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n", - (int)ruid, (int)euid, - (int)getuid(), (int)geteuid())); - smb_panic("failed to set uid\n"); - exit(1); -#endif + if (!non_root_mode()) { + DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n", + (int)ruid, (int)euid, + (int)getuid(), (int)geteuid())); + smb_panic("failed to set uid\n"); + exit(1); + } } } 
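Review bot: non_root_mode() depends on sec_init() having run: `initial_uid` is a zero-initialised static, so before sec_init() the function reports root mode, and a process started as an ordinary user would still reach `smb_panic()` in assert_uid() or assert_gid(). That ordering requirement is not written down anywhere in these hunks. A line in the comment above non_root_mode(), such as `must only be called after sec_init(); until then it reports root mode`, would cover it. The new block comment above `initial_uid` also spells "regression" as "regresison".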
@@ -68,14 +93,14 @@ static void assert_gid(gid_t rgid, gid_t egid) { if ((egid != (gid_t)-1 && getegid() != egid) || (rgid != (gid_t)-1 && getgid() != rgid)) { -#ifndef SMB_REGRESSION_TEST - DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n", - (int)rgid, (int)egid, - (int)getgid(), (int)getegid(), - (int)getuid(), (int)geteuid())); - smb_panic("failed to set gid\n"); - exit(1); -#endif + if (!non_root_mode()) { + DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n", + (int)rgid, (int)egid, + (int)getgid(), (int)getegid(), + (int)getuid(), (int)geteuid())); + smb_panic("failed to set gid\n"); + exit(1); + } } } -- cgit From 413ad23faff509332985d6972c931900af2fd5f5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 25 Jun 2001 01:20:47 +0000 Subject: make sure we have BOOL in autoconf usage of util_sec.c (This used to be commit 72f63f5144ececdef31c659ab645eb71a88943b5) --- source3/lib/util_sec.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index c62df82396..54b819b1cc 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -42,6 +42,7 @@ extern int DEBUGLEVEL; #define DEBUG(x, y) printf y #define smb_panic(x) exit(1) +#define BOOL int #endif /* are we running as non-root? This is used by the regresison test code, -- cgit From 85a310c7f3607d4ec433b3072ff707a3bc41e2d8 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 6 Jul 2001 02:25:03 +0000 Subject: fixed inetd operation as non-root (This used to be commit 9a9da44455fc35cb9b1625ffefd12a9c5fe48d6b) --- source3/lib/util_sec.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 54b819b1cc..5b8bdb44c1 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c 
@@ -56,10 +56,6 @@ as non-root while catching trapdoor systems void sec_init(void) { initial_uid = geteuid(); - if (initial_uid != (uid_t)0) { - /* the DEBUG() subsystem has not been initialised when this is called */ - fprintf(stderr, "WARNING: running as non-root. Some functionality will be missing\n"); - } } /**************************************************************************** -- cgit From 03efd16d3465473f58dc7b91b7c45396dfa89f5a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 8 Jul 2001 18:22:46 +0000 Subject: added sec_initial_uid() function so we can ask if a file is owned by the initial uid (This used to be commit 9449544428c9c3153f9e757c57bccda382fa2882) --- source3/lib/util_sec.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 5b8bdb44c1..985b07f421 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -58,6 +58,14 @@ void sec_init(void) initial_uid = geteuid(); } +/**************************************************************************** +some code (eg. winbindd) needs to know what uid we started as +****************************************************************************/ +uid_t sec_initial_uid(void) +{ + return initial_uid; +} + /**************************************************************************** are we running in non-root mode? ****************************************************************************/ -- cgit From 9a846daf441c3d82e4fc750382fd12fcb8fb9a6d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 Sep 2001 02:10:22 +0000 Subject: Restore the profiling data shmem parinoia. This whole area needs to be fixed - an mmaped file or the like would be a good idea. (This used to be commit bc1385fc5e55eeed626615fad92877296064a27e) --- source3/lib/util_sec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'source3/lib/util_sec.c') 
diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 985b07f421..231f0b178d 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -48,6 +48,7 @@ extern int DEBUGLEVEL; /* are we running as non-root? This is used by the regresison test code, and potentially also for sites that want non-root smbd */ static uid_t initial_uid; +static gid_t initial_gid; /**************************************************************************** remember what uid we got started as - this allows us to run correctly @@ -56,6 +57,7 @@ as non-root while catching trapdoor systems void sec_init(void) { initial_uid = geteuid(); + initial_gid = getegid(); } /**************************************************************************** @@ -66,6 +68,14 @@ uid_t sec_initial_uid(void) return initial_uid; } +/**************************************************************************** +some code (eg. winbindd, profiling shm) needs to know what gid we started as +****************************************************************************/ +gid_t sec_initial_gid(void) +{ + return initial_gid; +} + /**************************************************************************** are we running in non-root mode? ****************************************************************************/ -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/lib/util_sec.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 231f0b178d..a07e7d0e1a 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c 
@@ -21,7 +21,6 @@ #ifndef AUTOCONF_TEST #include "includes.h" -extern int DEBUGLEVEL; #else /* we are running this code in autoconf test mode to see which type of setuid function works */ -- cgit From 2fc8e32ad342e3285e0d30a3a102e06ec4af5199 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 01:52:34 +0000 Subject: Parionia to ensure people don't install libsmb based programs setuid root. libsmb has not been written to be setuid, with things like LIBSMB_PROG allowing all sort of fun and games. Andrew Bartlett (This used to be commit 0c8e9339d8238de92e9146d04091694b62874c33) --- source3/lib/util_sec.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index a07e7d0e1a..c559647bf4 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -413,3 +413,11 @@ main() exit(0); } #endif + +/**************************************************************************** +Check if we are setuid root. Used in libsmb and smbpasswd parinoia checks. +****************************************************************************/ +BOOL is_setuid_root(void) +{ + return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0); +} -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/lib/util_sec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index c559647bf4..dd9a64d534 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 2.0 + Unix SMB/CIFS implementation. Copyright (C) Jeremy Allison 1998. rewritten for version 2.0.6 by Tridge -- cgit 
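Review bot: is_setuid_root() recognises only the case of effective uid 0 with a non-zero real uid; a binary installed setgid, or setuid to some other account, returns False even though it also runs with ids the invoking user does not have. If the libsmb and smbpasswd callers mean to refuse any privileged installation (they are outside this hunk, so this is a guess), `geteuid() != getuid() || getegid() != getgid()` would be the broader test. Otherwise the comment should say that only setuid-root is detected. The result is also only meaningful when the function is called before gain_root_privilege() or set_effective_uid() have changed the ids.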
From d159876d64ad33eccdc56a6eb1afba96f9863a5d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 17 Feb 2002 18:32:59 +0000 Subject: Do a smb_panic() if sec_initial_[ug]id() or non_root_mode() is called without before sec_init(). This should avoid the formation of another magic function club. (-: (This used to be commit 1b941e2c637e41049932945607149094342359c5) --- source3/lib/util_sec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index dd9a64d534..ac808b7fef 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -48,6 +48,8 @@ static uid_t initial_uid; static gid_t initial_gid; +static BOOL sec_initialised; + /**************************************************************************** remember what uid we got started as - this allows us to run correctly as non-root while catching trapdoor systems @@ -56,6 +58,8 @@ void sec_init(void) { initial_uid = geteuid(); initial_gid = getegid(); + + sec_initialise = True; } /**************************************************************************** @@ -63,6 +67,9 @@ some code (eg. winbindd) needs to know what uid we started as ****************************************************************************/ uid_t sec_initial_uid(void) { + if (!sec_initialise) + smb_panic("sec_initial_uid() called before sec_init()\n"); + return initial_uid; } @@ -71,6 +78,9 @@ some code (eg. winbindd, profiling shm) needs to know what gid we started as ****************************************************************************/ gid_t sec_initial_gid(void) { + if (!sec_initialise) + smb_panic("sec_initial_gid() called before sec_init()\n"); + return initial_gid; } 
@@ -79,6 +89,9 @@ are we running in non-root mode? ****************************************************************************/ BOOL non_root_mode(void) { + if (!sec_initialise) + smb_panic("non_root_mode() called before sec_init()\n"); + return (initial_uid != (uid_t)0); } -- cgit From 606fdc7c5c82ab10349fd2a594c06225932b3966 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 17 Feb 2002 18:56:30 +0000 Subject: Whoops, typo. (This used to be commit e7abb79fb304b34aeb369dc6deafa96dfd1e02f3) --- source3/lib/util_sec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index ac808b7fef..f79da8d2e4 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -59,7 +59,7 @@ void sec_init(void) initial_uid = geteuid(); initial_gid = getegid(); - sec_initialise = True; + sec_initialised = True; } /**************************************************************************** @@ -67,7 +67,7 @@ some code (eg. winbindd) needs to know what uid we started as ****************************************************************************/ uid_t sec_initial_uid(void) { - if (!sec_initialise) + if (!sec_initialised) smb_panic("sec_initial_uid() called before sec_init()\n"); return initial_uid; @@ -78,7 +78,7 @@ some code (eg. winbindd, profiling shm) needs to know what gid we started as ****************************************************************************/ gid_t sec_initial_gid(void) { - if (!sec_initialise) + if (!sec_initialised) smb_panic("sec_initial_gid() called before sec_init()\n"); return initial_gid; @@ -89,7 +89,7 @@ are we running in non-root mode? ****************************************************************************/ BOOL non_root_mode(void) { - if (!sec_initialise) + if (!sec_initialised) smb_panic("non_root_mode() called before sec_init()\n"); return (initial_uid != (uid_t)0); -- cgit 
From 1736b99a50bf3f6a082df94a1f94bc1e9796dea8 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 18 Feb 2002 10:23:02 +0000 Subject: reverted tims patch that broke configure why does anything but smbd care about sec_init() anyway?? (This used to be commit 569505b77140c2688aeab4df058b864464f23c1d) --- source3/lib/util_sec.c | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index f79da8d2e4..dd9a64d534 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -48,8 +48,6 @@ static uid_t initial_uid; static gid_t initial_gid; -static BOOL sec_initialised; - /**************************************************************************** remember what uid we got started as - this allows us to run correctly as non-root while catching trapdoor systems @@ -58,8 +56,6 @@ void sec_init(void) { initial_uid = geteuid(); initial_gid = getegid(); - - sec_initialised = True; } /**************************************************************************** @@ -67,9 +63,6 @@ some code (eg. winbindd) needs to know what uid we started as ****************************************************************************/ uid_t sec_initial_uid(void) { - if (!sec_initialised) - smb_panic("sec_initial_uid() called before sec_init()\n"); - return initial_uid; } @@ -78,9 +71,6 @@ some code (eg. winbindd, profiling shm) needs to know what gid we started as ****************************************************************************/ gid_t sec_initial_gid(void) { - if (!sec_initialised) - smb_panic("sec_initial_gid() called before sec_init()\n"); - return initial_gid; } @@ -89,9 +79,6 @@ are we running in non-root mode? ****************************************************************************/ BOOL non_root_mode(void) { - if (!sec_initialised) - smb_panic("non_root_mode() called before sec_init()\n"); - return (initial_uid != (uid_t)0); } -- cgit 
From 1d582af3c0dcbfad9a158f3ed38219c95424b045 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 24 Mar 2002 23:25:05 +0000 Subject: Spelling fixes. (This used to be commit a5ac2ac4ada48ee3be061a32ba40bd8c4b3b3865) --- source3/lib/util_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index dd9a64d534..d59b1b0471 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -414,7 +414,7 @@ main() #endif /**************************************************************************** -Check if we are setuid root. Used in libsmb and smbpasswd parinoia checks. +Check if we are setuid root. Used in libsmb and smbpasswd paranoia checks. ****************************************************************************/ BOOL is_setuid_root(void) { -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/lib/util_sec.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index d59b1b0471..132748ce13 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -227,6 +227,7 @@ void set_effective_gid(gid_t gid) } static uid_t saved_euid, saved_ruid; +static gid_t saved_egid, saved_rgid; /**************************************************************************** save the real and effective uid for later restoration. Used by the quotas 
@@ -264,6 +265,41 @@ void restore_re_uid(void) assert_uid(saved_ruid, saved_euid); } + +/**************************************************************************** + save the real and effective gid for later restoration. Used by the + getgroups code +****************************************************************************/ +void save_re_gid(void) +{ + saved_rgid = getgid(); + saved_egid = getegid(); +} + +/**************************************************************************** + and restore them! +****************************************************************************/ +void restore_re_gid(void) +{ +#if USE_SETRESUID + setresgid(saved_rgid, saved_egid, -1); +#elif USE_SETREUID + setregid(saved_rgid, -1); + setregid(-1,saved_egid); +#elif USE_SETUIDX + setgidx(ID_REAL, saved_rgid); + setgidx(ID_EFFECTIVE, saved_egid); +#else + set_effective_gid(saved_egid); + if (getgid() != saved_rgid) + setgid(saved_rgid); + set_effective_gid(saved_egid); +#endif + + assert_gid(saved_rgid, saved_egid); +} + + /**************************************************************************** set the real AND effective uid to the current effective uid in a way that allows root to be regained. -- cgit From ee868462a0fadcb7a0b18568069dd9190e246d9a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 23 Sep 2003 14:49:17 +0000 Subject: Add a descriptive comment to our usage of setresuid. lib/afs.c needs to be changed if we decide to set our real uid. Jeremy? Volker (This used to be commit 1fed55aa781bcf9efdd42f361c972b69152137a4) --- source3/lib/util_sec.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 132748ce13..1980b8bfb7 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c 
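Review bot: restore_re_gid() trusts `saved_rgid` and `saved_egid` unconditionally, and both are zero-initialised statics, so a call that was not preceded by save_re_gid() requests gid 0; in a process that still holds root that request succeeds and `assert_gid()` then passes. The single save slot also means a nested save/restore pair overwrites the outer values. A `static int re_gid_saved;` flag set in save_re_gid() and tested at the top of restore_re_gid() with `if (!re_gid_saved) smb_panic("restore_re_gid without save_re_gid\n");` would catch the first case. The same reasoning applies to the existing save_re_uid() and restore_re_uid() pair.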
@@ -183,6 +183,10 @@ void gain_root_group_privilege(void) void set_effective_uid(uid_t uid) { #if USE_SETRESUID + /* On Systems which have this function, would it not be more + * appropriate to also set the real uid by doing + * setresuid(uid,uid,-1)? This would make patching AFS + * unnecessary. See comment in lib/afs.c. */ setresuid(-1,uid,-1); #endif -- cgit From 4f62277d89bacff1f42e73bd86342f25116d8643 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 23 Oct 2003 16:49:46 +0000 Subject: After a phonecall with jra finally commit this. This changes our behaviour when the setresuid call is available. We now not only change the effective uid but also the real uid when becoming unprivileged. This is mainly for improved AFS compatibility, as AFS selects the token to send to the server based on the real uid of the process. I tested this with a W2k server with two non-root 'runas' sessions. They come in via a single smbd as two different users using two session setups. Samba on Linux can still switch between the two uids, proved by two different files created via those sessions. Volker (This used to be commit 556c62f93535c606122b22e7e843d9da9a1cd438) --- source3/lib/util_sec.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 1980b8bfb7..7c2576ed91 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -183,11 +183,8 @@ void gain_root_group_privilege(void) void set_effective_uid(uid_t uid) { #if USE_SETRESUID - /* On Systems which have this function, would it not be more - * appropriate to also set the real uid by doing - * setresuid(uid,uid,-1)? This would make patching AFS - * unnecessary. See comment in lib/afs.c. */ - setresuid(-1,uid,-1); + /* Set the effective as well as the real uid. */ + setresuid(uid,uid,-1); #endif #if USE_SETREUID -- cgit From e2d301accfc0977fa3c647900b5e1e2315c3f639 Mon Sep 17 00:00:00 2001 
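Review bot: The new `setresuid(uid,uid,-1)` call in set_effective_uid() is documented only as `/* Set the effective as well as the real uid. */`, which says what it does but not what the switch depends on or changes. After it, the saved set-uid is the only identity left untouched, so regaining root presumably relies on that staying 0, and kernel checks keyed on the real uid (signal permission, per-user process limits) now apply to the target user. I would write that into the comment, e.g. `/* Set real and effective uid; the saved uid is left alone so root can be regained. Real-uid checks (signals, NPROC) now apply to uid. */`. The function body continues outside the hunk.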
From: Andrew Bartlett Date: Tue, 27 Jan 2004 10:01:30 +0000 Subject: Clarify comment on set_effective_uid() Andrew Bartlett (This used to be commit ca24ae50ea37942dde335e97019880b6ce518a6a) --- source3/lib/util_sec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 7c2576ed91..26be27ea51 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -177,8 +177,16 @@ void gain_root_group_privilege(void) /**************************************************************************** - Set *only* the effective uid. - we want to end up with ruid==0 and euid==uid + Set effective uid, and possibly the real uid too. + We want to end up with either: + + ruid==uid and euid==uid + + or + + ruid==0 and euid==uid + + depending on what the local OS will allow us to regain root from. ****************************************************************************/ void set_effective_uid(uid_t uid) { -- cgit From a093a76dc14303fd1c42fb2c0b87faf3748815e4 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Fri, 28 Jul 2006 22:42:39 +0000 Subject: r17293: After the results from the cluster tests in Germany, fix the messaging code to call the efficient calls : save_re_uid() set_effective_uid(0); messaging_op restore_re_uid(); instead of using heavyweight become_root()/unbecome_root() pairs around all messaging code. Fixup the messaging code to ensure sec_init() is called (only once) so that non-root processes still work when sending messages. This is a lighter weight solution to become_root()/unbecome_root() (which swaps all the supplemental groups) and should be more efficient. I will migrate all server code over to using this (a similar technique should be used in the passdb backend where needed). Jeremy. (This used to be commit 4ace291278d9a44f5c577bdd3b282c1231e543df) --- source3/lib/util_sec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 26be27ea51..c13b20ec92 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -52,10 +52,16 @@ static gid_t initial_gid; remember what uid we got started as - this allows us to run correctly as non-root while catching trapdoor systems ****************************************************************************/ + void sec_init(void) { - initial_uid = geteuid(); - initial_gid = getegid(); + static int initialized; + + if (!initialized) { + initial_uid = geteuid(); + initial_gid = getegid(); + initialized = 1; + } } /**************************************************************************** -- cgit From e4e2be0d8b5778ecc5c521b9e0e0b4c05ac87394 Mon Sep 17 00:00:00 2001 
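Review bot: With the new `initialized` guard, sec_init() keeps whatever geteuid()/getegid() return on its first call, and the commit message says the messaging code will now call it as well. If that first call can happen after the process has already switched identity, initial_uid holds the switched uid, and non_root_mode(), which tests `initial_uid != (uid_t)0`, would answer wrongly for the rest of the process lifetime. I would document the ordering requirement on the function, e.g. `Only the first call has any effect; it must run at startup, before any uid/gid switch.`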
From: Jeremy Allison Date: Fri, 28 Jul 2006 22:56:41 +0000 Subject: r17294: Make the code a little cleaner. Instead of using the two calls make it : become_root_uid_only() operation unbecome_root_uid_only() saving errno across the second call. Most of our internal change calls can be replaced with these simple calls. Jeremy (This used to be commit 4143aa83c029848d8ec741d9218b3fa6e3fd28dd) --- source3/lib/util_sec.c | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index c13b20ec92..3f8cb690cd 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -258,10 +258,9 @@ void save_re_uid(void) /**************************************************************************** and restore them! ****************************************************************************/ -void restore_re_uid(void) -{ - set_effective_uid(0); +static void restore_re_uid_fromroot(void) +{ #if USE_SETRESUID setresuid(saved_ruid, saved_euid, -1); #elif USE_SETREUID 
@@ -280,6 +279,33 @@ void restore_re_uid(void) assert_uid(saved_ruid, saved_euid); } +void restore_re_uid(void) +{ + set_effective_uid(0); + restore_re_uid_fromroot(); +} + +/**************************************************************************** + Lightweight become root - no group change. +****************************************************************************/ + +void become_root_uid_only(void) +{ + save_re_uid(); + set_effective_uid(0); +} + +/**************************************************************************** + Lightweight unbecome root - no group change. Expects we are root already, + saves errno across call boundary. +****************************************************************************/ + +void unbecome_root_uid_only(void) +{ + int saved_errno = errno; + restore_re_uid_fromroot(); + errno = saved_errno; +} /**************************************************************************** save the real and effective gid for later restoration. Used by the -- cgit From a24714b9fd11b6ac166483f0f13deda8d6f7f7cc Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 24 Jan 2007 16:15:29 +0000 Subject: r21005: Add a debug message for EAGAIN error of setresuid. Volker (This used to be commit 70c589a8323637ff8e1f96a56f8acaf550a58dc4) --- source3/lib/util_sec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 3f8cb690cd..3d997ee76a 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -198,7 +198,13 @@ void set_effective_uid(uid_t uid) { #if USE_SETRESUID /* Set the effective as well as the real uid. */ - setresuid(uid,uid,-1); + if (setresuid(uid,uid,-1) == -1) { + if (errno == EAGAIN) { + DEBUG(0, ("setresuid failed with EAGAIN. uid(%d) " + "might be over its NPROC limit\n", + (int)uid)); + } + } #endif #if USE_SETREUID -- cgit From bc45c82904e268327bfbf72cd3f35699ae6e7397 Mon Sep 17 00:00:00 2001 
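Review bot: become_root_uid_only() and unbecome_root_uid_only() reuse the single saved_ruid/saved_euid slot that save_re_uid() fills, so the pair does not nest. A second become_root_uid_only() before the matching unbecome would presumably record root as the identity to restore, and assert_uid() would then accept the process staying root. The comment on unbecome_root_uid_only() says `Expects we are root already` but nothing checks it. I would add `Not re-entrant: do not call again, or call save_re_uid(), until unbecome_root_uid_only() has run.` to the become comment and consider `if (geteuid() != 0) smb_panic("unbecome_root_uid_only: not root\n");` at the top of the unbecome path.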
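Review bot: The branch added around `setresuid(uid,uid,-1)` in set_effective_uid() reports a failure only when errno is EAGAIN and falls through in every case. Any other failure is silent, and execution continues under the previous identity at this point. The function continues past the hunk, so a later check may still catch it, but every failure should at least be logged here, e.g. an `else` with `DEBUG(0, ("setresuid(%d) failed: %s\n", (int)uid, strerror(errno)));`. If nothing outside the hunk verifies the result, this path should end in smb_panic() rather than return with the uid unchanged.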
From: Jeremy Allison Date: Thu, 5 Apr 2007 23:56:10 +0000 Subject: r22096: become_root_uid_only() is unneeded - it's only used in messages.c. Refactor to use become_root() instead and make it local to messages.c Jeremy. (This used to be commit f3ffb3f98472b69b476b702dfe5c0575b32da018) --- source3/lib/util_sec.c | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 3d997ee76a..1899208697 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -265,7 +265,7 @@ void save_re_uid(void) and restore them! ****************************************************************************/ -static void restore_re_uid_fromroot(void) +void restore_re_uid_fromroot(void) { #if USE_SETRESUID setresuid(saved_ruid, saved_euid, -1); @@ -291,28 +291,6 @@ void restore_re_uid(void) restore_re_uid_fromroot(); } -/**************************************************************************** - Lightweight become root - no group change. -****************************************************************************/ - -void become_root_uid_only(void) -{ - save_re_uid(); - set_effective_uid(0); -} - -/**************************************************************************** - Lightweight unbecome root - no group change. Expects we are root already, - saves errno across call boundary. -****************************************************************************/ - -void unbecome_root_uid_only(void) -{ - int saved_errno = errno; - restore_re_uid_fromroot(); - errno = saved_errno; -} - /**************************************************************************** save the real and effective gid for later restoration. Used by the getgroups code -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 
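Review bot: Dropping `static` from restore_re_uid_fromroot() exports a helper whose preconditions are neither checked nor documented; its header comment is still only `and restore them!`. Callers in other files now have to know that it must run with euid 0 and only after save_re_uid() has filled saved_ruid/saved_euid. The removed unbecome_root_uid_only() wrapper also saved and restored errno around the call, which callers now have to do themselves. I would state this in the comment, e.g. `Restore the uids recorded by save_re_uid(). Caller must already be root; errno is not preserved.` The function body continues outside the hunk.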
From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/lib/util_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 1899208697..0d928aad3d 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -5,7 +5,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/lib/util_sec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 0d928aad3d..7723d294fa 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -14,8 +14,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #ifndef AUTOCONF_TEST -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/lib/util_sec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sec.c') diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 7723d294fa..d7984ac999 100644 --- a/source3/lib/util_sec.c +++ b/source3/lib/util_sec.c @@ -39,7 +39,7 @@ #define DEBUG(x, y) printf y #define smb_panic(x) exit(1) -#define BOOL int +#define bool int #endif /* are we running as non-root? This is used by the regresison test code, @@ -82,7 +82,7 @@ gid_t sec_initial_gid(void) /**************************************************************************** are we running in non-root mode? ****************************************************************************/ -BOOL non_root_mode(void) +bool non_root_mode(void) { return (initial_uid != (uid_t)0); } @@ -476,7 +476,7 @@ main() /**************************************************************************** Check if we are setuid root. Used in libsmb and smbpasswd paranoia checks. ****************************************************************************/ -BOOL is_setuid_root(void) +bool is_setuid_root(void) { return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0); } -- cgit