summaryrefslogtreecommitdiff
path: root/libfshelp/exec-reauth.c
blob: e60098270bd9af93a6b12cc94a215d13952afaf8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
/* Setuid reauthentication for exec

   Copyright (C) 1995, 1996 Free Software Foundation, Inc.

   Written by Miles Bader <miles@gnu.ai.mit.edu>,
     from the original by Michael I. Bushnell p/BSG  <mib@gnu.ai.mit.edu>

   This program is free software; you can redistribute it and/or
   modify it under the terms of the GNU General Public License as
   published by the Free Software Foundation; either version 2, or (at
   your option) any later version.

   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */

#include <hurd/io.h>
#include <hurd/process.h>
#include <hurd/auth.h>
#include <idvec.h>

#include "fshelp.h"

extern error_t
exec_reauth (auth_t auth, int secure, int must_reauth,
	     mach_port_t *ports, unsigned num_ports,
	     mach_port_t *fds, unsigned num_fds);

/* If SUID or SGID is true, adds UID and/or GID respectively to the
   authentication in PORTS[INIT_PORT_AUTH], and replaces it with the result.
   All the other ports in PORTS and FDS are then reauthenticated, using any
   privileges available through AUTH.  If GET_FILE_IDS is non-NULL, and the
   auth port in PORTS[INIT_PORT_AUTH] is bogus, it is called to get a list of
   uids and gids from the file to use as a replacement.  If SECURE is
   non-NULL, whether not the added ids are new is returned in it.  If either
   the uid or gid case fails, then the other may still be applied.  */
error_t
fshelp_exec_reauth (int suid, uid_t uid, int sgid, gid_t gid,
		    auth_t auth,
		    error_t
		      (*get_file_ids)(struct idvec *uids, struct idvec *gids),
		    mach_port_t *ports, mach_msg_type_number_t num_ports,
		    mach_port_t *fds, mach_msg_type_number_t num_fds,
		    int *secure)
{
  error_t err = 0;
  int _secure = 0;

  if (suid || sgid)
    {
      int already_root = 0;
      auth_t newauth;
      /* These variables describe the auth port that the user gave us. */
      struct idvec *eff_uids = make_idvec (), *avail_uids = make_idvec ();
      struct idvec *eff_gids = make_idvec (), *avail_gids = make_idvec ();

      if (!eff_uids || !avail_uids || !eff_gids || !avail_gids)
	goto abandon_suid;	/* Allocation error; probably toast, but... */

      /* STEP 0: Fetch the user's current id's. */
      err = idvec_merge_auth (eff_uids, avail_uids, eff_gids, avail_gids,
			      ports[INIT_PORT_AUTH]);
      if (err)
	goto abandon_suid;

      already_root =
	idvec_contains (eff_uids, 0) || idvec_contains (avail_uids, 0);

      /* If the user's auth port is fraudulent, then these values will be
	 wrong.  No matter; we will repeat these checks using secure id sets
	 later if the port turns out to be bogus.  */
      if (suid)
	err = idvec_setid (eff_uids, avail_uids, uid, &_secure);
      if (sgid && !err)
	err = idvec_setid (eff_gids, avail_gids, gid, &_secure);
      if (err)
	goto abandon_suid;

      /* STEP 3: Attempt to create this new auth handle. */
      err = auth_makeauth (auth, &ports[INIT_PORT_AUTH],
			   MACH_MSG_TYPE_COPY_SEND, 1, 
			   eff_uids->ids, eff_uids->num,
			   avail_uids->ids, avail_uids->num,
			   eff_gids->ids, eff_gids->num,
			   avail_gids->ids, avail_gids->num,
			   &newauth);
      if (err == EINVAL && get_file_ids)
	/* The user's auth port was bogus.  As we can't trust what the user
	   has told us about ids, we use the authentication on the file being
	   execed (which we know is good), as the effective ids, and assume
	   no aux ids.  */
	{
	  /* Get rid of all ids from the bogus auth port.  */
	  idvec_clear (eff_uids);
	  idvec_clear (avail_uids);
	  idvec_clear (eff_gids);
	  idvec_clear (avail_gids);

	  /* Now add some from a source we trust.  */
	  err = (*get_file_ids)(eff_uids, eff_gids);

	  already_root = idvec_contains (eff_uids, 0);
	  if (suid && !err)
	    err = idvec_setid (eff_uids, avail_uids, uid, &_secure);
	  if (sgid && !err)
	    err = idvec_setid (eff_uids, avail_uids, gid, &_secure);
	  if (err)
	    goto abandon_suid;

	  /* Trrrry again...  */
	  err = auth_makeauth (auth, 0, MACH_MSG_TYPE_COPY_SEND, 1, 
			       eff_uids->ids, eff_uids->num,
			       avail_uids->ids, avail_uids->num,
			       eff_gids->ids, eff_gids->num,
			       avail_gids->ids, avail_gids->num,
			       &newauth);
	}

      if (err)
	goto abandon_suid;

      if (already_root)
	_secure = 0;		/* executive privilege */

      /* Re-authenticate the exec parameters.  */
      exec_reauth (newauth, _secure, 0, ports, num_ports, fds, num_fds);

      if (eff_uids->num > 0)
	proc_setowner (ports[INIT_PORT_PROC], eff_uids->ids[0], 0);

    abandon_suid:
      if (eff_uids)
	idvec_free (eff_uids);
      if (avail_uids)
	idvec_free (avail_uids);
      if (eff_gids)
	idvec_free (eff_gids);
      if (avail_gids)
	idvec_free (avail_gids);
    }

  if (_secure && secure)
    *secure = _secure;

  return err;
}