2 * Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * Sponsored in part by the Defense Advanced Research Projects
17 * Agency (DARPA) and Air Force Research Laboratory, Air Force
18 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 #include <sys/types.h>
24 #include <sys/param.h>
34 #endif /* STDC_HEADERS */
37 #endif /* HAVE_STRING_H */
40 #endif /* HAVE_STRINGS_H */
43 #endif /* HAVE_UNISTD_H */
53 static void runas_setgroups(void);
56 * We keep track of the current permisstions and use a stack to restore
57 * the old permissions. A depth of 16 is overkill.
74 #define PERM_STACK_MAX 16
75 static struct perm_state perm_stack[PERM_STACK_MAX];
76 static int perm_stack_depth = 0;
78 /* XXX - make a runas_user struct? */
79 int runas_ngroups = -1;
81 GETGROUPS_T *runas_groups;
85 #define ID(x) (state->x == ostate->x ? -1 : state->x)
87 #define OID(x) (ostate->x == state->x ? -1 : ostate->x)
92 while (perm_stack_depth > 1)
99 * Set real and effective and saved uids and gids based on perm.
100 * We always retain a saved uid of 0 unless we are headed for an exec().
101 * We only flip the effective gid since it only changes for PERM_SUDOERS.
102 * This version of set_perms() works fine with the "stay_setuid" option.
107 struct perm_state *state, *ostate = NULL;
111 noexit = ISSET(perm, PERM_NOEXIT);
112 CLR(perm, PERM_MASK);
114 if (perm_stack_depth == PERM_STACK_MAX) {
115 errstr = "perm stack overflow";
120 state = &perm_stack[perm_stack_depth];
121 if (perm_stack_depth)
122 ostate = &perm_stack[perm_stack_depth - 1];
124 if (perm != PERM_INITIAL && memcmp(state, ostate, sizeof(*state)) == 0)
129 /* Stash initial state */
130 #ifdef HAVE_GETRESUID
131 if (getresuid(&state->ruid, &state->euid, &state->suid)) {
132 errstr = "getresuid";
136 if (getresgid(&state->rgid, &state->egid, &state->sgid)) {
137 errstr = "getresgid";
141 state->ruid = getuid();
142 state->euid = geteuid();
143 state->suid = state->euid; /* in case we are setuid */
145 state->rgid = getgid();
146 state->egid = getegid();
147 state->sgid = state->egid; /* in case we are setgid */
149 state->groups = user_groups;
150 state->ngroups = user_ngroups;
154 state->ruid = ROOT_UID;
155 state->euid = ROOT_UID;
156 state->suid = ROOT_UID;
157 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
158 errstr = "setresuid(ROOT_UID, ROOT_UID, ROOT_UID)";
164 state->groups = NULL;
169 state->groups = user_groups;
170 state->ngroups = user_ngroups;
171 if (state->ngroups != -1 && state->groups != ostate->groups) {
172 if (setgroups(state->ngroups, state->groups)) {
173 errstr = "setgroups()";
178 state->egid = user_gid;
180 if (setresgid(-1, ID(egid), -1)) {
181 errstr = "setresgid(-1, user_gid, -1)";
184 state->ruid = user_uid;
185 state->euid = user_uid;
186 state->suid = ROOT_UID;
187 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
188 errstr = "setresuid(user_uid, user_uid, ROOT_UID)";
194 /* headed for exec() */
195 state->groups = user_groups;
196 state->ngroups = user_ngroups;
197 if (state->ngroups != -1 && state->groups != ostate->groups) {
198 if (setgroups(state->ngroups, state->groups)) {
199 errstr = "setgroups()";
203 state->rgid = user_gid;
204 state->egid = user_gid;
205 state->sgid = user_gid;
206 if (setresgid(ID(rgid), ID(egid), ID(sgid))) {
207 errstr = "setresgid(user_gid, user_gid, user_gid)";
210 state->ruid = user_uid;
211 state->euid = user_uid;
212 state->suid = user_uid;
213 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
214 errstr = "setresuid(user_uid, user_uid, user_uid)";
221 state->groups = runas_groups;
222 state->ngroups = runas_ngroups;
225 state->egid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
227 if (setresgid(-1, ID(egid), -1)) {
228 errstr = "unable to change to runas gid";
232 state->euid = runas_pw ? runas_pw->pw_uid : user_uid;
234 if (setresuid(-1, ID(euid), -1)) {
235 errstr = "unable to change to runas uid";
241 state->groups = NULL;
244 /* assumes euid == ROOT_UID, ruid == user */
246 state->egid = sudoers_gid;
248 if (setresgid(-1, ID(egid), -1))
249 error(1, "unable to change to sudoers gid");
251 state->ruid = ROOT_UID;
253 * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
254 * we use a non-zero uid in order to avoid NFS lossage.
255 * Using uid 1 is a bit bogus but should work on all OS's.
257 if (sudoers_uid == ROOT_UID && (sudoers_mode & 040))
260 state->euid = sudoers_uid;
261 state->suid = ROOT_UID;
262 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
263 errstr = "setresuid(ROOT_UID, SUDOERS_UID, ROOT_UID)";
269 state->groups = NULL;
274 state->ruid = ROOT_UID;
275 state->euid = timestamp_uid;
276 state->suid = ROOT_UID;
277 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
278 errstr = "setresuid(ROOT_UID, timestamp_uid, ROOT_UID)";
288 /* XXX - better warnings inline */
289 warningx("%s: %s", errstr,
290 errno == EAGAIN ? "too many processes" : strerror(errno));
299 struct perm_state *state, *ostate;
301 if (perm_stack_depth < 2)
304 state = &perm_stack[perm_stack_depth - 1];
305 ostate = &perm_stack[perm_stack_depth - 2];
308 /* XXX - more cases here where euid != ruid */
309 if (OID(euid) == ROOT_UID && state->euid != ROOT_UID) {
310 if (setresuid(-1, ROOT_UID, -1)) {
311 warning("setresuid() [%d, %d, %d] -> [%d, %d, %d]", state->ruid,
312 state->euid, state->suid, -1, ROOT_UID, -1);
316 if (setresuid(OID(ruid), OID(euid), OID(suid))) {
317 warning("setresuid() [%d, %d, %d] -> [%d, %d, %d]", state->ruid,
318 state->euid, state->suid, OID(ruid), OID(euid), OID(suid));
321 if (setresgid(OID(rgid), OID(egid), OID(sgid))) {
322 warning("setresgid() [%d, %d, %d] -> [%d, %d, %d]", state->rgid,
323 state->egid, state->sgid, OID(rgid), OID(egid), OID(sgid));
326 if (state->ngroups != -1 && state->groups != ostate->groups) {
327 if (setgroups(ostate->ngroups, ostate->groups)) {
328 warning("setgroups()");
339 # ifdef HAVE_SETREUID
342 * Set real and effective uids and gids based on perm.
343 * We always retain a real or effective uid of ROOT_UID unless
344 * we are headed for an exec().
345 * This version of set_perms() works fine with the "stay_setuid" option.
350 struct perm_state *state, *ostate = NULL;
354 noexit = ISSET(perm, PERM_NOEXIT);
355 CLR(perm, PERM_MASK);
357 if (perm_stack_depth == PERM_STACK_MAX) {
358 errstr = "perm stack overflow";
363 state = &perm_stack[perm_stack_depth];
364 if (perm_stack_depth)
365 ostate = &perm_stack[perm_stack_depth - 1];
367 if (perm != PERM_INITIAL && memcmp(state, ostate, sizeof(*state)) == 0)
372 /* Stash initial state */
373 state->ruid = getuid();
374 state->euid = geteuid();
375 state->rgid = getgid();
376 state->egid = getegid();
377 state->groups = user_groups;
378 state->ngroups = user_ngroups;
383 * setreuid(0, 0) may fail on some systems
384 * when the euid is not already 0.
386 if (setreuid(-1, ROOT_UID)) {
387 errstr = "setreuid(-1, ROOT_UID)";
390 if (setuid(ROOT_UID)) {
391 errstr = "setuid(ROOT_UID)";
394 state->ruid = ROOT_UID;
395 state->euid = ROOT_UID;
398 state->groups = NULL;
403 state->groups = user_groups;
404 state->ngroups = user_ngroups;
405 if (state->ngroups != -1 && state->groups != ostate->groups) {
406 if (setgroups(state->ngroups, state->groups)) {
407 errstr = "setgroups()";
412 state->egid = user_gid;
413 if (setregid(-1, ID(egid))) {
414 errstr = "setregid(-1, user_gid)";
417 state->ruid = ROOT_UID;
418 state->euid = user_uid;
419 if (setreuid(ID(ruid), ID(euid))) {
420 errstr = "setreuid(ROOT_UID, user_uid)";
426 /* headed for exec() */
427 state->groups = user_groups;
428 state->ngroups = user_ngroups;
429 if (state->ngroups != -1 && state->groups != ostate->groups) {
430 if (setgroups(state->ngroups, state->groups)) {
431 errstr = "setgroups()";
435 state->rgid = user_gid;
436 state->egid = user_gid;
437 if (setregid(ID(rgid), ID(egid))) {
438 errstr = "setregid(user_gid, user_gid)";
441 state->ruid = user_uid;
442 state->euid = user_uid;
443 if (setreuid(ID(ruid), ID(euid))) {
444 errstr = "setreuid(user_uid, user_uid)";
451 state->groups = runas_groups;
452 state->ngroups = runas_ngroups;
455 state->egid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
456 if (setregid(ID(rgid), ID(egid))) {
457 errstr = "unable to change to runas gid";
460 state->ruid = ROOT_UID;
461 state->euid = runas_pw ? runas_pw->pw_uid : user_uid;
462 if (setreuid(ID(ruid), ID(euid))) {
463 errstr = "unable to change to runas uid";
469 state->groups = NULL;
472 /* assume euid == ROOT_UID, ruid == user */
474 state->egid = sudoers_gid;
475 if (setregid(-1, ID(egid)))
476 error(1, "unable to change to sudoers gid");
478 state->ruid = ROOT_UID;
480 * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
481 * we use a non-zero uid in order to avoid NFS lossage.
482 * Using uid 1 is a bit bogus but should work on all OS's.
484 if (sudoers_uid == ROOT_UID && (sudoers_mode & 040))
487 state->euid = sudoers_uid;
488 if (setreuid(ID(ruid), ID(euid))) {
489 errstr = "setreuid(ROOT_UID, SUDOERS_UID)";
495 state->groups = NULL;
499 state->ruid = ROOT_UID;
500 state->euid = timestamp_uid;
501 if (setreuid(ID(ruid), ID(euid))) {
502 errstr = "setreuid(ROOT_UID, timestamp_uid)";
512 /* XXX - better warnings inline */
513 warningx("%s: %s", errstr,
514 errno == EAGAIN ? "too many processes" : strerror(errno));
523 struct perm_state *state, *ostate;
525 if (perm_stack_depth < 2)
528 state = &perm_stack[perm_stack_depth - 1];
529 ostate = &perm_stack[perm_stack_depth - 2];
533 * When changing euid to ROOT_UID, setreuid() may fail even if
534 * the ruid is ROOT_UID so call setuid() first.
536 if (OID(euid) == ROOT_UID) {
537 /* setuid() may not set the saved ID unless the euid is ROOT_UID */
538 if (ID(euid) != ROOT_UID)
539 (void)setreuid(-1, ROOT_UID);
540 if (setuid(ROOT_UID)) {
541 warning("setuid(%d)", ROOT_UID);
545 if (setreuid(OID(ruid), OID(euid))) {
546 warning("setreuid() [%d, %d] -> [%d, %d]", state->ruid,
547 state->euid, OID(ruid), OID(euid));
550 if (setregid(OID(rgid), OID(egid))) {
551 warning("setregid() [%d, %d] -> [%d, %d]", state->rgid,
552 state->egid, OID(rgid), OID(egid));
555 if (state->ngroups != -1 && state->groups != ostate->groups) {
556 if (setgroups(ostate->ngroups, ostate->groups)) {
557 warning("setgroups()");
567 # else /* !HAVE_SETRESUID && !HAVE_SETREUID */
571 * Set real and effective uids and gids based on perm.
572 * We always retain a real or effective uid of ROOT_UID unless
573 * we are headed for an exec().
574 * This version of set_perms() works fine with the "stay_setuid" option.
579 struct perm_state *state, *ostate = NULL;
583 noexit = ISSET(perm, PERM_NOEXIT);
584 CLR(perm, PERM_MASK);
586 if (perm_stack_depth == PERM_STACK_MAX) {
587 errstr = "perm stack overflow";
592 state = &perm_stack[perm_stack_depth];
593 if (perm_stack_depth)
594 ostate = &perm_stack[perm_stack_depth - 1];
596 if (perm != PERM_INITIAL && memcmp(state, ostate, sizeof(*state)) == 0)
600 * Since we only have setuid() and seteuid() and semantics
601 * for these calls differ on various systems, we set
602 * real and effective uids to ROOT_UID initially to be safe.
604 if (perm != PERM_INITIAL) {
605 if (seteuid(ROOT_UID)) {
606 errstr = "seteuid(ROOT_UID)";
609 if (setuid(ROOT_UID)) {
610 errstr = "setuid(ROOT_UID)";
617 /* Stash initial state */
618 state->ruid = getuid();
619 state->euid = geteuid();
620 state->rgid = getgid();
621 state->egid = getegid();
622 state->groups = user_groups;
623 state->ngroups = user_ngroups;
627 /* We already set ruid/euid above. */
628 state->ruid = ROOT_UID;
629 state->euid = ROOT_UID;
632 state->groups = NULL;
637 state->groups = user_groups;
638 state->ngroups = user_ngroups;
639 if (state->ngroups != -1 && state->groups != ostate->groups) {
640 if (setgroups(state->ngroups, state->groups)) {
641 errstr = "setgroups()";
646 state->egid = user_gid;
647 if (setegid(ID(egid))) {
648 errstr = "setegid(user_gid)";
651 state->ruid = ROOT_UID;
652 state->euid = user_uid;
653 if (seteuid(ID(euid))) {
654 errstr = "seteuid(user_uid)";
660 /* headed for exec() */
661 state->groups = user_groups;
662 state->ngroups = user_ngroups;
663 if (state->ngroups != -1 && state->groups != ostate->groups) {
664 if (setgroups(state->ngroups, state->groups)) {
665 errstr = "setgroups()";
669 state->rgid = user_gid;
670 state->egid = user_gid;
671 if (setgid(user_gid)) {
672 errstr = "setgid(user_gid)";
675 state->ruid = user_uid;
676 state->euid = user_uid;
677 if (setuid(user_uid)) {
678 errstr = "setuid(user_uid)";
685 state->groups = runas_groups;
686 state->ngroups = runas_ngroups;
689 state->egid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
690 if (setegid(ID(egid))) {
691 errstr = "unable to change to runas gid";
695 state->euid = runas_pw ? runas_pw->pw_uid : user_uid;
696 if (seteuid(ID(euid))) {
697 errstr = "unable to change to runas uid";
703 state->groups = NULL;
706 /* assume euid == ROOT_UID, ruid == user */
708 state->egid = sudoers_gid;
709 if (setegid(ID(egid)))
710 error(1, "unable to change to sudoers gid");
712 state->ruid = ROOT_UID;
714 * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
715 * we use a non-zero uid in order to avoid NFS lossage.
716 * Using uid 1 is a bit bogus but should work on all OS's.
718 if (sudoers_uid == ROOT_UID && (sudoers_mode & 040))
721 state->euid = sudoers_uid;
722 if (seteuid(ID(euid))) {
723 errstr = "seteuid(SUDOERS_UID)";
729 state->groups = NULL;
733 state->ruid = ROOT_UID;
734 state->euid = timestamp_uid;
735 if (seteuid(ID(euid))) {
736 errstr = "seteuid(timestamp_uid)";
746 /* XXX - better warnings inline */
747 warningx("%s: %s", errstr,
748 errno == EAGAIN ? "too many processes" : strerror(errno));
757 struct perm_state *state, *ostate;
759 if (perm_stack_depth < 2)
762 state = &perm_stack[perm_stack_depth - 1];
763 ostate = &perm_stack[perm_stack_depth - 2];
767 * Since we only have setuid() and seteuid() and semantics
768 * for these calls differ on various systems, we set
769 * real and effective uids to ROOT_UID initially to be safe.
771 if (seteuid(ROOT_UID)) {
772 errstr = "seteuid(ROOT_UID)";
775 if (setuid(ROOT_UID)) {
776 errstr = "setuid(ROOT_UID)";
780 if (setegid(OID(egid))) {
781 warning("setegid(%d)", OID(egid));
784 if (state->ngroups != -1 && state->groups != ostate->groups) {
785 if (setgroups(ostate->ngroups, ostate->groups)) {
786 warning("setgroups()");
790 if (seteuid(OID(euid))) {
791 warning("seteuid(%d)", OID(euid));
800 # else /* !HAVE_SETRESUID && !HAVE_SETREUID && !HAVE_SETEUID */
803 * Set uids and gids based on perm via setuid() and setgid().
804 * NOTE: does not support the "stay_setuid" or timestampowner options.
805 * Also, sudoers_uid and sudoers_gid are not used.
810 struct perm_state *state, *ostate = NULL;
814 noexit = ISSET(perm, PERM_NOEXIT);
815 CLR(perm, PERM_MASK);
817 if (perm_stack_depth == PERM_STACK_MAX) {
818 errstr = "perm stack overflow";
823 state = &perm_stack[perm_stack_depth];
824 if (perm_stack_depth)
825 ostate = &perm_stack[perm_stack_depth - 1];
827 if (perm != PERM_INITIAL && memcmp(state, ostate, sizeof(*state)) == 0)
832 /* Stash initial state */
833 state->ruid = getuid();
834 state->rgid = getgid();
835 state->groups = user_groups;
836 state->ngroups = user_ngroups;
840 state->ruid = ROOT_UID;
842 state->groups = NULL;
844 if (setuid(ROOT_UID)) {
845 errstr = "setuid(ROOT_UID)";
851 state->groups = user_groups;
852 state->ngroups = user_ngroups;
853 if (state->ngroups != -1 && state->groups != ostate->groups) {
854 if (setgroups(state->ngroups, state->groups)) {
855 errstr = "setgroups()";
859 state->rgid = user_gid;
860 (void) setgid(user_gid);
861 state->ruid = user_uid;
862 if (setuid(user_uid)) {
863 errstr = "setuid(user_uid)";
872 /* Unsupported since we can't set euid. */
880 /* XXX - better warnings inline */
881 warningx("%s: %s", errstr,
882 errno == EAGAIN ? "too many processes" : strerror(errno));
891 struct perm_state *state, *ostate;
893 if (perm_stack_depth < 2)
896 state = &perm_stack[perm_stack_depth - 1];
897 ostate = &perm_stack[perm_stack_depth - 2];
900 if (state->ngroups != -1 && state->groups != ostate->groups) {
901 if (setgroups(ostate->ngroups, ostate->groups)) {
902 warning("setgroups()");
906 if (OID(rgid) != -1 && setgid(ostate->rgid)) {
907 warning("setgid(%d)", ostate->rgid);
910 if (OID(ruid) != -1 && setuid(ostate->ruid)) {
911 warning("setuid(%d)", ostate->ruid);
919 # endif /* HAVE_SETEUID */
920 # endif /* HAVE_SETREUID */
921 #endif /* HAVE_SETRESUID */
923 #ifdef HAVE_INITGROUPS
927 static struct passwd *pw;
928 struct passwd *opw = pw;
930 if (def_preserve_groups)
934 * Use stashed copy of runas groups if available, else initgroups and stash.
936 pw = runas_pw ? runas_pw : sudo_user.pw;
938 pw = runas_pw ? runas_pw : sudo_user.pw;
939 # ifdef HAVE_SETAUTHDB
940 aix_setauthdb(pw->pw_name);
942 if (initgroups(pw->pw_name, pw->pw_gid) < 0)
943 log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
944 # ifdef HAVE_GETGROUPS
949 if ((runas_ngroups = getgroups(0, NULL)) > 0) {
950 runas_groups = emalloc2(runas_ngroups, sizeof(GETGROUPS_T));
951 if (getgroups(runas_ngroups, runas_groups) < 0)
952 log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector");
954 # ifdef HAVE_SETAUTHDB
958 if (setgroups(runas_ngroups, runas_groups) < 0)
959 log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
960 # endif /* HAVE_GETGROUPS */
972 #endif /* HAVE_INITGROUPS */