2 +----------------------------------------------------------------------+
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-present Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
17 #if !defined(SKIP_USER_CHANGE)
19 #include "hphp/util/capability.h"
20 #include "hphp/util/logger.h"
21 #include "hphp/util/user-info.h"
22 #include <folly/String.h>
23 #include <linux/types.h>
24 #include <sys/capability.h>
25 #include <sys/prctl.h>
26 #include <sys/types.h>
31 ///////////////////////////////////////////////////////////////////////////////
33 static bool setInitialCapabilities() {
34 cap_t cap_d
= cap_init();
35 if (cap_d
!= nullptr) {
36 cap_value_t cap_list
[] = {CAP_NET_BIND_SERVICE
, CAP_SYS_RESOURCE
,
37 CAP_SETUID
, CAP_SETGID
, CAP_SYS_NICE
};
38 constexpr unsigned cap_size
= sizeof(cap_list
)/sizeof(*cap_list
);
42 if (cap_set_flag(cap_d
, CAP_PERMITTED
, cap_size
, cap_list
, CAP_SET
) < 0 ||
43 cap_set_flag(cap_d
, CAP_EFFECTIVE
, cap_size
, cap_list
, CAP_SET
) < 0) {
44 Logger::Error("cap_set_flag failed: %s", folly::errnoStr(errno
).c_str());
48 if (cap_set_proc(cap_d
) == -1) {
49 Logger::Error("cap_set_proc failed: %s", folly::errnoStr(errno
).c_str());
53 if (cap_free(cap_d
) == -1) {
54 Logger::Error("cap_free failed: %s", folly::errnoStr(errno
).c_str());
58 if (prctl(PR_SET_KEEPCAPS
, 1, 0, 0, 0) < 0) {
59 Logger::Error("prctl(PR_SET_KEEPCAPS) failed: %s",
60 folly::errnoStr(errno
).c_str());
63 prctl(PR_SET_DUMPABLE
, 1, 0, 0, 0);
69 static bool setMinimalCapabilities() {
70 cap_t cap_d
= cap_init();
72 if (cap_d
!= nullptr) {
73 cap_value_t cap_list
[] = {CAP_NET_BIND_SERVICE
, CAP_SYS_RESOURCE
,
75 constexpr unsigned cap_size
= sizeof(cap_list
)/sizeof(*cap_list
);
79 if (cap_set_flag(cap_d
, CAP_PERMITTED
, cap_size
, cap_list
, CAP_SET
) < 0 ||
80 cap_set_flag(cap_d
, CAP_EFFECTIVE
, cap_size
, cap_list
, CAP_SET
) < 0) {
81 Logger::Error("cap_set_flag failed: %s", folly::errnoStr(errno
).c_str());
85 if (cap_set_proc(cap_d
) == -1) {
86 Logger::Error("cap_set_proc failed: %s", folly::errnoStr(errno
).c_str());
90 if (cap_free(cap_d
) == -1) {
91 Logger::Error("cap_free failed: %s", folly::errnoStr(errno
).c_str());
95 prctl(PR_SET_DUMPABLE
, 1, 0, 0, 0);
101 bool Capability::ChangeUnixUser(uid_t uid
, bool allowRoot
) {
102 if (uid
== 0 && !allowRoot
) {
103 Logger::Error("unable to change user to root");
107 if (uid
== getuid()) {
111 if (setInitialCapabilities()) {
112 auto buf
= PasswdBuffer
{};
115 if (getpwuid_r(uid
, &buf
.ent
, buf
.data
.get(), buf
.size
, &pw
)) {
116 Logger::Error("unable to getpwuid(%d): %s", uid
,
117 folly::errnoStr(errno
).c_str());
121 Logger::Error("user id %d does not exist", uid
);
125 if (initgroups(pw
->pw_name
, pw
->pw_gid
) < 0) {
126 Logger::Error("unable to drop supplementary group privs: %s",
127 folly::errnoStr(errno
).c_str());
131 if (pw
->pw_gid
== 0 || setgid(pw
->pw_gid
) < 0) {
132 Logger::Error("unable to drop gid privs: %s",
133 folly::errnoStr(errno
).c_str());
137 if (uid
== 0 || setuid(uid
) < 0) {
138 Logger::Error("unable to drop uid privs: %s",
139 folly::errnoStr(errno
).c_str());
143 if (!setMinimalCapabilities()) {
144 Logger::Error("unable to set minimal server capabilities");
152 bool Capability::ChangeUnixUser(const std::string
&username
, bool allowRoot
) {
153 if (!username
.empty()) {
154 auto buf
= PasswdBuffer
{};
156 if (getpwnam_r(username
.c_str(), &buf
.ent
, buf
.data
.get(), buf
.size
, &pw
)) {
157 Logger::Error("Call to getpwnam_r failed for %s: %s",
159 folly::errnoStr(errno
).c_str());
163 Logger::Error("unable to find user %s", username
.c_str());
166 return ChangeUnixUser(pw
->pw_uid
, allowRoot
);
171 bool Capability::SetDumpable() {
172 if (prctl(PR_SET_DUMPABLE
, 1, 0, 0, 0)) {
173 Logger::Error("Unable to make process dumpable: %s",
174 folly::errnoStr(errno
).c_str());
180 ///////////////////////////////////////////////////////////////////////////////