1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
/* Setuid reauthentication for exec
Copyright (C) 1995,96,97,2002 Free Software Foundation, Inc.
Written by Miles Bader <miles@gnu.org>,
from the original by Michael I. Bushnell p/BSG <mib@gnu.org>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2, or (at
your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
#include <hurd/io.h>
#include <hurd/process.h>
#include <hurd/auth.h>
#include <idvec.h>
#include "fshelp.h"
extern error_t
exec_reauth (auth_t auth, int secure, int must_reauth,
mach_port_t *ports, unsigned num_ports,
mach_port_t *fds, unsigned num_fds);
/* If SUID or SGID is true, adds UID and/or GID respectively to the
authentication in PORTS[INIT_PORT_AUTH], and replaces it with the result.
All the other ports in PORTS and FDS are then reauthenticated, using any
privileges available through AUTH. If GET_FILE_IDS is non-NULL, and the
auth port in PORTS[INIT_PORT_AUTH] is bogus, it is called to get a list of
uids and gids from the file to use as a replacement. If SECURE is
non-NULL, whether not the added ids are new is returned in it. If either
the uid or gid case fails, then the other may still be applied. */
error_t
fshelp_exec_reauth (int suid, uid_t uid, int sgid, gid_t gid,
auth_t auth,
error_t
(*get_file_ids)(struct idvec *uids, struct idvec *gids),
mach_port_t *ports, mach_msg_type_number_t num_ports,
mach_port_t *fds, mach_msg_type_number_t num_fds,
int *secure)
{
error_t err = 0;
int _secure = 0;
if (suid || sgid)
{
int already_root = 0;
auth_t newauth;
/* These variables describe the auth port that the user gave us. */
struct idvec *eff_uids = make_idvec (), *avail_uids = make_idvec ();
struct idvec *eff_gids = make_idvec (), *avail_gids = make_idvec ();
if (!eff_uids || !avail_uids || !eff_gids || !avail_gids)
goto abandon_suid; /* Allocation error; probably toast, but... */
/* STEP 0: Fetch the user's current id's. */
err = idvec_merge_auth (eff_uids, avail_uids, eff_gids, avail_gids,
ports[INIT_PORT_AUTH]);
if (err)
goto abandon_suid;
already_root =
idvec_contains (eff_uids, 0) || idvec_contains (avail_uids, 0);
/* If the user's auth port is fraudulent, then these values will be
wrong. No matter; we will repeat these checks using secure id sets
later if the port turns out to be bogus. */
if (suid)
err = idvec_setid (eff_uids, avail_uids, uid, &_secure);
if (sgid && !err)
err = idvec_setid (eff_gids, avail_gids, gid, &_secure);
if (err)
goto abandon_suid;
/* STEP 3: Attempt to create this new auth handle. */
err = auth_makeauth (auth, &ports[INIT_PORT_AUTH],
MACH_MSG_TYPE_COPY_SEND, 1,
eff_uids->ids, eff_uids->num,
avail_uids->ids, avail_uids->num,
eff_gids->ids, eff_gids->num,
avail_gids->ids, avail_gids->num,
&newauth);
if (err == EINVAL && get_file_ids)
/* The user's auth port was bogus. As we can't trust what the user
has told us about ids, we use the authentication on the file being
execed (which we know is good), as the effective ids, and assume
no aux ids. */
{
/* Get rid of all ids from the bogus auth port. */
idvec_clear (eff_uids);
idvec_clear (avail_uids);
idvec_clear (eff_gids);
idvec_clear (avail_gids);
/* Now add some from a source we trust. */
err = (*get_file_ids)(eff_uids, eff_gids);
already_root = idvec_contains (eff_uids, 0);
if (suid && !err)
err = idvec_setid (eff_uids, avail_uids, uid, &_secure);
if (sgid && !err)
err = idvec_setid (eff_uids, avail_uids, gid, &_secure);
if (err)
goto abandon_suid;
/* Trrrry again... */
err = auth_makeauth (auth, 0, MACH_MSG_TYPE_COPY_SEND, 1,
eff_uids->ids, eff_uids->num,
avail_uids->ids, avail_uids->num,
eff_gids->ids, eff_gids->num,
avail_gids->ids, avail_gids->num,
&newauth);
}
if (err)
goto abandon_suid;
if (already_root)
_secure = 0; /* executive privilege */
/* Re-authenticate the exec parameters. */
exec_reauth (newauth, _secure, 0, ports, num_ports, fds, num_fds);
proc_setowner (ports[INIT_PORT_PROC],
eff_uids->num > 0 ? eff_uids->ids[0] : 0,
!eff_uids->num);
abandon_suid:
if (eff_uids)
idvec_free (eff_uids);
if (avail_uids)
idvec_free (avail_uids);
if (eff_gids)
idvec_free (eff_gids);
if (avail_gids)
idvec_free (avail_gids);
}
if (secure)
*secure = _secure;
return err;
}
|