1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
|
/*
Copyright (C) 1993, 1994, 1995 Free Software Foundation
This file is part of the GNU Hurd.
The GNU Hurd is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
The GNU Hurd is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with the GNU Hurd; see the file COPYING. If not, write to
the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. */
/* Written by Michael I. Bushnell. */
#include "priv.h"
#include "fs_S.h"
#include <sys/stat.h>
#include <fcntlbits.h>
#include <hurd/exec.h>
#include <hurd/paths.h>
kern_return_t
diskfs_S_file_exec (struct protid *cred,
task_t task,
int flags,
char *argv,
u_int argvlen,
char *envp,
u_int envplen,
mach_port_t *fds,
u_int fdslen,
mach_port_t *portarray,
u_int portarraylen,
int *intarray,
u_int intarraylen,
mach_port_t *deallocnames,
u_int deallocnameslen,
mach_port_t *destroynames,
u_int destroynameslen)
{
struct node *np;
error_t err;
struct protid *newpi;
if (!cred)
return EOPNOTSUPP;
if (diskfs_exec == MACH_PORT_NULL)
diskfs_exec = file_name_lookup (_SERVERS_EXEC, 0, 0);
if (diskfs_exec == MACH_PORT_NULL)
return EOPNOTSUPP;
np = cred->po->np;
if ((cred->po->openstat & O_EXEC) == 0)
return EBADF;
if (!((np->dn_stat.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH))
|| ((np->dn_stat.st_mode & S_IUSEUNK)
&& (np->dn_stat.st_mode & (S_IEXEC << S_IUNKSHIFT)))))
return EACCES;
/* Handle S_ISUID and S_ISGID uid substitution. */
/* XXX All this complexity should be moved to libfshelp. -mib */
if ((((np->dn_stat.st_mode & S_ISUID)
&& !diskfs_isuid (np->dn_stat.st_uid, cred))
|| ((np->dn_stat.st_mode & S_ISGID)
&& !diskfs_groupmember (np->dn_stat.st_gid, cred)))
&& !diskfs_isuid (0, cred))
{
/* XXX The test above was correct for the code before Roland
changed it; but now it's wrong. This test decides when
permission is increasing, and therefore we need to
protect the exec with NEWTASK and SECURE. If permission
isn't increasing, then we still substitute id's, but we
don't to the SECURE or NEWTASK protection. -mib */
/* XXX Perhaps if there are errors in reauthenticating,
we should just run non-setuid? */
mach_port_t newauth, intermediate;
void reauth (mach_port_t *port, int procp)
{
mach_port_t newport, ref;
if (*port == MACH_PORT_NULL)
return;
ref = mach_reply_port ();
err = (procp ? proc_reauthenticate : io_reauthenticate)
(*port, ref, MACH_MSG_TYPE_MAKE_SEND);
if (! err)
err = auth_user_authenticate (newauth, *port,
ref, MACH_MSG_TYPE_MAKE_SEND,
&newport);
if (err)
{
/* Could not reauthenticate. Do not give away the old port. */
mach_port_deallocate (mach_task_self (), *port);
*port = MACH_PORT_NULL; /* XXX ? */
}
else if (newport != MACH_PORT_NULL)
{
mach_port_deallocate (mach_task_self (), *port);
*port = newport;
}
mach_port_destroy (mach_task_self (), ref);
}
uid_t auxuidbuf[2], genuidbuf[10];
uid_t *old_aux_uids = auxuidbuf, *old_gen_uids = genuidbuf;
int nold_aux_uids = 2, nold_gen_uids = 10;
gid_t auxgidbuf[2], gengidbuf[10];
gid_t *old_aux_gids = auxgidbuf, *old_gen_gids = gengidbuf;
int nold_aux_gids = 2, nold_gen_gids = 10;
int ngen_uids = nold_gen_uids ?: 1;
int naux_uids = nold_aux_uids < 2 ? nold_aux_uids : 2;
uid_t gen_uids[ngen_uids], aux_uids[naux_uids];
int ngen_gids = nold_gen_gids ?: 1;
int naux_gids = nold_aux_gids < 2 ? nold_aux_gids : 2;
gid_t gen_gids[ngen_gids], aux_gids[naux_gids];
unsigned int i;
/* Tell the exec server to use secure ports and a new task. */
flags |= EXEC_SECURE|EXEC_NEWTASK;
/* Find the IDs of the old auth handle. */
err = auth_getids (portarray[INIT_PORT_AUTH],
&old_gen_uids, &nold_aux_uids,
&old_aux_uids, &nold_aux_uids,
&old_gen_gids, &nold_gen_gids,
&old_aux_gids, &nold_aux_gids);
if (err == MACH_SEND_INVALID_DEST)
nold_gen_uids = nold_aux_uids = nold_gen_gids = nold_aux_gids = 0;
else if (err)
return err;
/* XXX This is broken; there is no magical "nonexistent ID"
number. The Posix numbering only matters for the exec of a
Posix process; this case can't be a problem, therefore. Just
stuff the ID in slot 0 and nothing in slot 1. */
/* Set up the UIDs for the new auth handle. */
if (nold_aux_uids == 0)
/* No real UID; we must invent one. */
aux_uids[0] = nold_gen_uids ? old_gen_uids[0] : -2; /* XXX */
else
{
aux_uids[0] = old_aux_uids[0];
if (nold_aux_uids > 2)
memcpy (&aux_uids[2], &old_aux_uids[2],
nold_aux_uids * sizeof (uid_t));
}
aux_uids[1] = old_gen_uids[0]; /* Set saved set-UID to effective UID. */
gen_uids[0] = np->dn_stat.st_uid; /* Change effective to file owner. */
memcpy (&gen_uids[1], &old_gen_uids[1],
((nold_gen_uids ?: 1) - 1) * sizeof (uid_t));
/* Set up the GIDs for the new auth handle. */
if (nold_aux_gids == 0)
/* No real GID; we must invent one. */
old_aux_gids[0] = nold_gen_gids ? old_gen_gids[0] : -2; /* XXX */
else
{
aux_gids[0] = old_aux_gids[0];
if (nold_aux_gids > 2)
memcpy (&aux_gids[2], &old_aux_gids[2],
nold_aux_gids * sizeof (gid_t));
}
aux_gids[1] = old_gen_gids[0]; /* Set saved set-GID to effective GID. */
gen_gids[0] = np->dn_stat.st_gid; /* Change effective to file owner. */
memcpy (&gen_gids[1], &old_gen_gids[1],
((nold_gen_gids ?: 1) - 1) * sizeof (gid_t));
/* XXX This is totally wrong. Just do one call to auth_makeauth
with both handles. INTERMEDIATE here has no id's at all, and
so the second auth_makeauth call is guaranteed to fail.
It should give the user as close to the correct privilege as
possible as well; this requires looking inside the uid sets
and doing the "right thing". If we are entirely unable to
increase the task's privilege, then abandon the setuid part,
but don't return an error.
-mib */
/* Create the new auth handle. First we must make a handle that
combines our IDs with those in the original user handle in
portarray[INIT_PORT_AUTH]. Only using that handle will we be
allowed to create the final handle, which contains secondary IDs
from the original user handle that we don't necessarily have. */
{
mach_port_t handles[2] =
{ diskfs_auth_server_port, portarray[INIT_PORT_AUTH] };
err = auth_makeauth (diskfs_auth_server_port,
handles, MACH_MSG_TYPE_COPY_SEND, 2,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
&intermediate);
}
if (err)
return err;
err = auth_makeauth (intermediate,
NULL, MACH_MSG_TYPE_COPY_SEND, 0,
gen_uids, ngen_uids,
aux_uids, naux_uids,
gen_gids, ngen_gids,
aux_gids, naux_gids,
&newauth);
mach_port_deallocate (mach_task_self (), intermediate);
if (err)
return err;
/* Now we must reauthenticate all the ports to other
servers we pass along to it. */
for (i = 0; i < fdslen; ++i)
reauth (&fds[i], 0);
/* XXX The first two are unimportant; EXEC_SECURE is going to
blow them away anyhow. -mib */
reauth (&portarray[INIT_PORT_PROC], 1);
reauth (&portarray[INIT_PORT_CRDIR], 0);
reauth (&portarray[INIT_PORT_CWDIR], 0);
mach_port_deallocate (mach_task_self (), portarray[INIT_PORT_AUTH]);
portarray[INIT_PORT_AUTH] = newauth;
}
/* If the user can't read the file, then we should use a new task,
which would be inaccessible to the user. Actually, this doesn't
work, because the proc server will still give out the task port
to the user. Too many things depend on that that it can't be
changed. So this vague attempt isn't even worth trying. */
#if 0
if (diskfs_access (np, S_IREAD, cred))
flags |= EXEC_NEWTASK;
#endif
newpi = diskfs_make_protid (diskfs_make_peropen (np, O_READ,
cred->po->dotdotport),
cred->uids, cred->nuids,
cred->gids, cred->ngids);
err = exec_exec (diskfs_exec,
ports_get_right (newpi),
MACH_MSG_TYPE_MAKE_SEND,
task, flags, argv, argvlen, envp, envplen,
fds, MACH_MSG_TYPE_COPY_SEND, fdslen,
portarray, MACH_MSG_TYPE_COPY_SEND, portarraylen,
intarray, intarraylen, deallocnames, deallocnameslen,
destroynames, destroynameslen);
ports_port_deref (newpi);
if (!err)
{
unsigned int i;
mach_port_deallocate (mach_task_self (), task);
for (i = 0; i < fdslen; i++)
mach_port_deallocate (mach_task_self (), fds[i]);
for (i = 0; i < portarraylen; i++)
mach_port_deallocate (mach_task_self (), portarray[i]);
}
return err;
}
|