diff options
author | Simo Sorce <simo@redhat.com> | 2013-08-28 21:19:32 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2013-09-09 15:11:45 -0400 |
commit | 0371fbcf60d4dd8e25b9bb0a83029c812b66f3d6 (patch) | |
tree | 86ee3a2f3d7fb734dc434cece43a485297e2a0b4 /src/providers | |
parent | 36ccdecd053a9ad88dce86b8c84770dc2aa11d21 (diff) | |
download | sssd-0371fbcf60d4dd8e25b9bb0a83029c812b66f3d6.tar.gz sssd-0371fbcf60d4dd8e25b9bb0a83029c812b66f3d6.tar.bz2 sssd-0371fbcf60d4dd8e25b9bb0a83029c812b66f3d6.zip |
krb5: Add calls to change and restore credentials
In some cases we want to temporarily assume user credentials but allow the
process to regain back the original credentials (normally regaining uid 0).
Related:
https://fedorahosted.org/sssd/ticket/2061
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_become_user.c | 125 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.h | 6 |
2 files changed, 131 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_become_user.c b/src/providers/krb5/krb5_become_user.c index 70bc5630..567cf237 100644 --- a/src/providers/krb5/krb5_become_user.c +++ b/src/providers/krb5/krb5_become_user.c @@ -70,3 +70,128 @@ errno_t become_user(uid_t uid, gid_t gid) return EOK; } +struct sss_creds { + uid_t uid; + gid_t gid; + int num_gids; + gid_t gids[]; +}; + +errno_t restore_creds(struct sss_creds *saved_creds); + +/* This is a reversible version of become_user, and returns the saved + * credentials so that creds can be switched back calling restore_creds */ +errno_t switch_creds(TALLOC_CTX *mem_ctx, + uid_t uid, gid_t gid, + int num_gids, gid_t *gids, + struct sss_creds **saved_creds) +{ + struct sss_creds *ssc = NULL; + int size; + int ret; + + DEBUG(SSSDBG_FUNC_DATA, ("Switch user to [%d][%d].\n", uid, gid)); + + if (saved_creds) { + /* save current user credentials */ + size = getgroups(0, NULL); + if (size == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, ("Getgroups failed! (%d, %s)\n", + ret, strerror(ret))); + goto done; + } + + ssc = talloc_size(mem_ctx, + (sizeof(struct sss_creds) + size * sizeof(gid_t))); + if (!ssc) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Allocation failed!\n")); + ret = ENOMEM; + goto done; + } + ssc->num_gids = size; + + size = getgroups(ssc->num_gids, ssc->gids); + if (size == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, ("Getgroups failed! (%d, %s)\n", + ret, strerror(ret))); + /* free ssc immediately otherwise the code will try to restore + * wrong creds */ + talloc_zfree(ssc); + goto done; + } + + /* we care only about effective ids */ + ssc->uid = geteuid(); + ssc->gid = getegid(); + } + + /* if we are regaining root set euid first so that we have CAP_SETUID back, + * ane the other calls work too, otherwise call it last so that we can + * change groups before we loose CAP_SETUID */ + if (uid == 0) { + ret = setresuid(0, 0, 0); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + ("setresuid failed [%d][%s].\n", ret, strerror(ret))); + goto done; + } + } + + /* TODO: use prctl to get/set capabilities too ? */ + + /* try to setgroups first should always work if CAP_SETUID is set, + * otherwise it will always fail, failure is not critical though as + * generally we only really care about uid and at mot primary gid */ + ret = setgroups(num_gids, gids); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_TRACE_FUNC, + ("setgroups failed [%d][%s].\n", ret, strerror(ret))); + } + + /* change gid now, (leaves saved gid to current, so we can restore) */ + ret = setresgid(-1, gid, -1); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + ("setresgid failed [%d][%s].\n", ret, strerror(ret))); + goto done; + } + + if (uid != 0) { + /* change uid, (leaves saved uid to current, so we can restore) */ + ret = setresuid(-1, uid, -1); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + ("setresuid failed [%d][%s].\n", ret, strerror(ret))); + goto done; + } + } + + ret = 0; + +done: + if (ret) { + if (ssc) { + /* attempt to restore creds first */ + restore_creds(ssc); + talloc_free(ssc); + } + } else if (saved_creds) { + *saved_creds = ssc; + } + return ret; +} + +errno_t restore_creds(struct sss_creds *saved_creds) +{ + return switch_creds(saved_creds, + saved_creds->uid, + saved_creds->gid, + saved_creds->num_gids, + saved_creds->gids, NULL); +} diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index cdc9f236..aac3ec72 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h @@ -80,6 +80,12 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, bool case_sensitive, bool *private_path); errno_t become_user(uid_t uid, gid_t gid); +struct sss_creds; +errno_t switch_creds(TALLOC_CTX *mem_ctx, + uid_t uid, gid_t gid, + int num_gids, gid_t *gids, + struct sss_creds **saved_creds); +errno_t restore_creds(struct sss_creds *saved_creds); errno_t get_ccache_file_data(const char *ccache_file, const char *client_name, struct tgt_times *tgtt); |