lib/idpriv-drop.c

   1 /* Dropping uid/gid privileges of the current process permanently.
   2    Copyright (C) 2009-2017 Free Software Foundation, Inc.
   3
   4    This program is free software: you can redistribute it and/or modify
   5    it under the terms of the GNU General Public License as published by
   6    the Free Software Foundation; either version 3 of the License, or
   7    (at your option) any later version.
   8
   9    This program is distributed in the hope that it will be useful,
  10    but WITHOUT ANY WARRANTY; without even the implied warranty of
  11    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12    GNU General Public License for more details.
  13
  14    You should have received a copy of the GNU General Public License
  15    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
  16
  17 #include <config.h>
  18
  19 #include "idpriv.h"
  20
  21 #include <stdlib.h>
  22 #include <sys/types.h>
  23 #include <unistd.h>
  24
  25 int
  26 idpriv_drop (void)
  27 {
  28 #if HAVE_GETUID
  29   int uid = getuid ();
  30 #endif
  31 #if HAVE_GETGID
  32   int gid = getgid ();
  33 #endif
  34
  35   /* Drop the gid privilege first, because in some cases the gid privilege
  36      cannot be dropped after the uid privilege has been dropped.  */
  37
  38   /* This is for executables that have the setgid bit set.  */
  39 #if HAVE_SETRESGID /* glibc, FreeBSD, OpenBSD, HP-UX */
  40   /* This code is needed: In particular, on HP-UX 11.11, setregid (gid, gid)
  41      may leave the saved gid as 0.  See also the comment below regarding
  42      setresuid.  */
  43   if (setresgid (gid, gid, gid) < 0)
  44     return -1;
  45 #elif HAVE_SETREGID /* Mac OS X, NetBSD, AIX, IRIX, Solaris, OSF/1, Cygwin */
  46   if (setregid (gid, gid) < 0)
  47     return -1;
  48 #elif HAVE_SETEGID /* Solaris 2.4 */
  49   if (setegid (gid) < 0)
  50     return -1;
  51 #endif
  52
  53   /* This is for executables that have the setuid bit set.  */
  54 #if HAVE_SETRESUID /* glibc, FreeBSD, OpenBSD, HP-UX */
  55   /* On systems which have setresuid(), we use it instead of setreuid(),
  56      because
  57        <http://www.usenix.org/events/sec02/full_papers/chen/chen.pdf>
  58      says about setreuid(): "The rule by which the saved uid id is modified
  59      is complicated." Similarly, <http://unixpapa.com/incnote/setuid.html>
  60      says about setreuid(): "What exactly happens to the saved UID when this
  61      is used seems to vary a lot."  */
  62   if (setresuid (uid, uid, uid) < 0)
  63     return -1;
  64 #elif HAVE_SETREUID /* Mac OS X, NetBSD, AIX, IRIX, Solaris, OSF/1, Cygwin */
  65   if (setreuid (uid, uid) < 0)
  66     return -1;
  67 #elif HAVE_SETEUID /* Solaris 2.4 */
  68   if (seteuid (uid) < 0)
  69     return -1;
  70 #endif
  71
  72   /* Verify that the privileges have really been dropped.
  73      This verification is here for security reasons.  Doesn't matter if it
  74      takes a couple of system calls.
  75      On Solaris (which has saved uids and gids but no getresuid, getresgid
  76      functions), we could read /proc/<pid>/cred and verify the saved uid and
  77      gid found there. But it's not clear to me when to interpret the file as a
  78      'prcred_t' and when as a 'prcred32_t'.
  79      <http://www.usenix.org/events/sec02/full_papers/chen/chen.pdf>
  80      section 8.1.3 also recommends to use a setreuid call as a probe, but
  81      this call would unexpectedly succeed (and the verification thus fail)
  82      on Linux if the process has the CAP_SETUID capability.
  83      When the verification fails, it indicates that we need to use different
  84      API in the code above. Therefore 'abort ()', not 'return -1'.  */
  85 #if HAVE_GETRESUID /* glibc, FreeBSD, OpenBSD, HP-UX */
  86   {
  87     uid_t real;
  88     uid_t effective;
  89     uid_t saved;
  90     if (getresuid (&real, &effective, &saved) < 0
  91         || real != uid
  92         || effective != uid
  93         || saved != uid)
  94       abort ();
  95   }
  96 #else
  97 # if HAVE_GETEUID
  98   if (geteuid () != uid)
  99     abort ();
 100 # endif
 101 # if HAVE_GETUID
 102   if (getuid () != uid)
 103     abort ();
 104 # endif
 105 #endif
 106 #if HAVE_GETRESGID /* glibc, FreeBSD, OpenBSD, HP-UX */
 107   {
 108     gid_t real;
 109     gid_t effective;
 110     gid_t saved;
 111     if (getresgid (&real, &effective, &saved) < 0
 112         || real != gid
 113         || effective != gid
 114         || saved != gid)
 115       abort ();
 116   }
 117 #else
 118 # if HAVE_GETEGID
 119   if (getegid () != gid)
 120     abort ();
 121 # endif
 122 # if HAVE_GETGID
 123   if (getgid () != gid)
 124     abort ();
 125 # endif
 126 #endif
 127
 128   return 0;
 129 }