2 * Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * Sponsored in part by the Defense Advanced Research Projects
17 * Agency (DARPA) and Air Force Research Laboratory, Air Force
18 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 #include <sys/types.h>
24 #include <sys/param.h>
34 #endif /* STDC_HEADERS */
37 #endif /* HAVE_STRING_H */
40 #endif /* HAVE_STRINGS_H */
43 #endif /* HAVE_UNISTD_H */
53 static struct group_list *runas_setgroups(void);
56 * We keep track of the current permisstions and use a stack to restore
57 * the old permissions. A depth of 16 is overkill.
70 struct group_list *grlist;
73 #define PERM_STACK_MAX 16
74 static struct perm_state perm_stack[PERM_STACK_MAX];
75 static int perm_stack_depth = 0;
78 #define ID(x) (state->x == ostate->x ? -1 : state->x)
80 #define OID(x) (ostate->x == state->x ? -1 : ostate->x)
85 debug_decl(rewind_perms, SUDO_DEBUG_PERMS)
87 while (perm_stack_depth > 1)
89 grlist_delref(perm_stack[0].grlist);
97 * Set real and effective and saved uids and gids based on perm.
98 * We always retain a saved uid of 0 unless we are headed for an exec().
99 * We only flip the effective gid since it only changes for PERM_SUDOERS.
100 * This version of set_perms() works fine with the "stay_setuid" option.
105 struct perm_state *state, *ostate = NULL;
108 debug_decl(set_perms, SUDO_DEBUG_PERMS)
110 noexit = ISSET(perm, PERM_NOEXIT);
111 CLR(perm, PERM_MASK);
113 if (perm_stack_depth == PERM_STACK_MAX) {
114 errstr = _("perm stack overflow");
119 state = &perm_stack[perm_stack_depth];
120 if (perm != PERM_INITIAL) {
121 if (perm_stack_depth == 0) {
122 errstr = _("perm stack underflow");
126 ostate = &perm_stack[perm_stack_depth - 1];
127 if (memcmp(state, ostate, sizeof(*state)) == 0)
133 /* Stash initial state */
134 #ifdef HAVE_GETRESUID
135 if (getresuid(&state->ruid, &state->euid, &state->suid)) {
136 errstr = "getresuid";
140 if (getresgid(&state->rgid, &state->egid, &state->sgid)) {
141 errstr = "getresgid";
145 state->ruid = getuid();
146 state->euid = geteuid();
147 state->suid = state->euid; /* in case we are setuid */
149 state->rgid = getgid();
150 state->egid = getegid();
151 state->sgid = state->egid; /* in case we are setgid */
153 state->grlist = user_group_list;
154 grlist_addref(state->grlist);
158 state->ruid = ROOT_UID;
159 state->euid = ROOT_UID;
160 state->suid = ROOT_UID;
161 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
162 errstr = "setresuid(ROOT_UID, ROOT_UID, ROOT_UID)";
168 state->grlist = ostate->grlist;
169 grlist_addref(state->grlist);
174 state->egid = user_gid;
176 if (setresgid(-1, ID(egid), -1)) {
177 errstr = "setresgid(-1, user_gid, -1)";
180 state->grlist = user_group_list;
181 grlist_addref(state->grlist);
182 if (state->grlist != ostate->grlist) {
183 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
184 errstr = "setgroups()";
188 state->ruid = user_uid;
189 state->euid = user_uid;
190 state->suid = ROOT_UID;
191 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
192 errstr = "setresuid(user_uid, user_uid, ROOT_UID)";
198 /* headed for exec() */
199 state->rgid = user_gid;
200 state->egid = user_gid;
201 state->sgid = user_gid;
202 if (setresgid(ID(rgid), ID(egid), ID(sgid))) {
203 errstr = "setresgid(user_gid, user_gid, user_gid)";
206 state->grlist = user_group_list;
207 grlist_addref(state->grlist);
208 if (state->grlist != ostate->grlist) {
209 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
210 errstr = "setgroups()";
214 state->ruid = user_uid;
215 state->euid = user_uid;
216 state->suid = user_uid;
217 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
218 errstr = "setresuid(user_uid, user_uid, user_uid)";
225 state->egid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
227 if (setresgid(-1, ID(egid), -1)) {
228 errstr = _("unable to change to runas gid");
231 state->grlist = runas_setgroups();
233 state->euid = runas_pw ? runas_pw->pw_uid : user_uid;
235 if (setresuid(-1, ID(euid), -1)) {
236 errstr = _("unable to change to runas uid");
242 state->grlist = ostate->grlist;
243 grlist_addref(state->grlist);
245 /* assumes euid == ROOT_UID, ruid == user */
247 state->egid = sudoers_gid;
249 if (setresgid(-1, ID(egid), -1))
250 error(1, _("unable to change to sudoers gid"));
252 state->ruid = ROOT_UID;
254 * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
255 * we use a non-zero uid in order to avoid NFS lossage.
256 * Using uid 1 is a bit bogus but should work on all OS's.
258 if (sudoers_uid == ROOT_UID && (sudoers_mode & 040))
261 state->euid = sudoers_uid;
262 state->suid = ROOT_UID;
263 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
264 errstr = "setresuid(ROOT_UID, SUDOERS_UID, ROOT_UID)";
270 state->grlist = ostate->grlist;
271 grlist_addref(state->grlist);
275 state->ruid = ROOT_UID;
276 state->euid = timestamp_uid;
277 state->suid = ROOT_UID;
278 if (setresuid(ID(ruid), ID(euid), ID(suid))) {
279 errstr = "setresuid(ROOT_UID, timestamp_uid, ROOT_UID)";
287 debug_return_bool(1);
289 /* XXX - better warnings inline */
290 warningx("%s: %s", errstr,
291 errno == EAGAIN ? _("too many processes") : strerror(errno));
293 debug_return_bool(0);
300 struct perm_state *state, *ostate;
301 debug_decl(restore_perms, SUDO_DEBUG_PERMS)
303 if (perm_stack_depth < 2)
306 state = &perm_stack[perm_stack_depth - 1];
307 ostate = &perm_stack[perm_stack_depth - 2];
310 /* XXX - more cases here where euid != ruid */
311 if (OID(euid) == ROOT_UID && state->euid != ROOT_UID) {
312 if (setresuid(-1, ROOT_UID, -1)) {
313 warning("setresuid() [%d, %d, %d] -> [%d, %d, %d]",
314 (int)state->ruid, (int)state->euid, (int)state->suid,
319 if (setresuid(OID(ruid), OID(euid), OID(suid))) {
320 warning("setresuid() [%d, %d, %d] -> [%d, %d, %d]",
321 (int)state->ruid, (int)state->euid, (int)state->suid,
322 (int)OID(ruid), (int)OID(euid), (int)OID(suid));
325 if (setresgid(OID(rgid), OID(egid), OID(sgid))) {
326 warning("setresgid() [%d, %d, %d] -> [%d, %d, %d]",
327 (int)state->rgid, (int)state->egid, (int)state->sgid,
328 (int)OID(rgid), (int)OID(egid), (int)OID(sgid));
331 if (state->grlist != ostate->grlist) {
332 if (sudo_setgroups(ostate->grlist->ngids, ostate->grlist->gids)) {
333 warning("setgroups()");
337 grlist_delref(state->grlist);
345 # ifdef HAVE_SETREUID
348 * Set real and effective uids and gids based on perm.
349 * We always retain a real or effective uid of ROOT_UID unless
350 * we are headed for an exec().
351 * This version of set_perms() works fine with the "stay_setuid" option.
356 struct perm_state *state, *ostate = NULL;
359 debug_decl(set_perms, SUDO_DEBUG_PERMS)
361 noexit = ISSET(perm, PERM_NOEXIT);
362 CLR(perm, PERM_MASK);
364 if (perm_stack_depth == PERM_STACK_MAX) {
365 errstr = _("perm stack overflow");
370 state = &perm_stack[perm_stack_depth];
371 if (perm != PERM_INITIAL) {
372 if (perm_stack_depth == 0) {
373 errstr = _("perm stack underflow");
377 ostate = &perm_stack[perm_stack_depth - 1];
378 if (memcmp(state, ostate, sizeof(*state)) == 0)
384 /* Stash initial state */
385 state->ruid = getuid();
386 state->euid = geteuid();
387 state->rgid = getgid();
388 state->egid = getegid();
389 state->grlist = user_group_list;
390 grlist_addref(state->grlist);
395 * setreuid(0, 0) may fail on some systems if euid is not already 0.
397 if (ostate->euid != ROOT_UID) {
398 if (setreuid(-1, ROOT_UID)) {
399 errstr = "setreuid(-1, ROOT_UID)";
403 state->euid = ROOT_UID;
404 if (setreuid(ID(ruid), -1)) {
405 errstr = "setreuid(ROOT_UID, -1)";
408 state->ruid = ROOT_UID;
411 state->grlist = ostate->grlist;
412 grlist_addref(state->grlist);
417 state->egid = user_gid;
418 if (setregid(-1, ID(egid))) {
419 errstr = "setregid(-1, user_gid)";
422 state->grlist = user_group_list;
423 grlist_addref(state->grlist);
424 if (state->grlist != ostate->grlist) {
425 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
426 errstr = "setgroups()";
430 state->ruid = ROOT_UID;
431 state->euid = user_uid;
432 if (setreuid(ID(ruid), ID(euid))) {
433 errstr = "setreuid(ROOT_UID, user_uid)";
439 /* headed for exec() */
440 state->rgid = user_gid;
441 state->egid = user_gid;
442 if (setregid(ID(rgid), ID(egid))) {
443 errstr = "setregid(user_gid, user_gid)";
446 state->grlist = user_group_list;
447 grlist_addref(state->grlist);
448 if (state->grlist != ostate->grlist) {
449 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
450 errstr = "setgroups()";
454 state->ruid = user_uid;
455 state->euid = user_uid;
456 if (setreuid(ID(ruid), ID(euid))) {
457 errstr = "setreuid(user_uid, user_uid)";
464 state->egid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
465 if (setregid(ID(rgid), ID(egid))) {
466 errstr = _("unable to change to runas gid");
469 state->grlist = runas_setgroups();
470 state->ruid = ROOT_UID;
471 state->euid = runas_pw ? runas_pw->pw_uid : user_uid;
472 if (setreuid(ID(ruid), ID(euid))) {
473 errstr = _("unable to change to runas uid");
479 state->grlist = ostate->grlist;
480 grlist_addref(state->grlist);
482 /* assume euid == ROOT_UID, ruid == user */
484 state->egid = sudoers_gid;
485 if (setregid(-1, ID(egid)))
486 error(1, _("unable to change to sudoers gid"));
488 state->ruid = ROOT_UID;
490 * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
491 * we use a non-zero uid in order to avoid NFS lossage.
492 * Using uid 1 is a bit bogus but should work on all OS's.
494 if (sudoers_uid == ROOT_UID && (sudoers_mode & 040))
497 state->euid = sudoers_uid;
498 if (setreuid(ID(ruid), ID(euid))) {
499 errstr = "setreuid(ROOT_UID, SUDOERS_UID)";
505 state->grlist = ostate->grlist;
506 grlist_addref(state->grlist);
509 state->ruid = ROOT_UID;
510 state->euid = timestamp_uid;
511 if (setreuid(ID(ruid), ID(euid))) {
512 errstr = "setreuid(ROOT_UID, timestamp_uid)";
520 debug_return_bool(1);
522 /* XXX - better warnings inline */
523 warningx("%s: %s", errstr,
524 errno == EAGAIN ? _("too many processes") : strerror(errno));
526 debug_return_bool(0);
533 struct perm_state *state, *ostate;
534 debug_decl(restore_perms, SUDO_DEBUG_PERMS)
536 if (perm_stack_depth < 2)
539 state = &perm_stack[perm_stack_depth - 1];
540 ostate = &perm_stack[perm_stack_depth - 2];
544 * When changing euid to ROOT_UID, setreuid() may fail even if
545 * the ruid is ROOT_UID so call setuid() first.
547 if (OID(euid) == ROOT_UID) {
548 /* setuid() may not set the saved ID unless the euid is ROOT_UID */
549 if (ID(euid) != ROOT_UID)
550 (void)setreuid(-1, ROOT_UID);
551 if (setuid(ROOT_UID)) {
552 warning("setuid() [%d, %d] -> %d)", (int)state->ruid,
553 (int)state->euid, ROOT_UID);
557 if (setreuid(OID(ruid), OID(euid))) {
558 warning("setreuid() [%d, %d] -> [%d, %d]", (int)state->ruid,
559 (int)state->euid, (int)OID(ruid), (int)OID(euid));
562 if (setregid(OID(rgid), OID(egid))) {
563 warning("setregid() [%d, %d] -> [%d, %d]", (int)state->rgid,
564 (int)state->egid, (int)OID(rgid), (int)OID(egid));
567 if (state->grlist != ostate->grlist) {
568 if (sudo_setgroups(ostate->grlist->ngids, ostate->grlist->gids)) {
569 warning("setgroups()");
573 grlist_delref(state->grlist);
580 # else /* !HAVE_SETRESUID && !HAVE_SETREUID */
584 * Set real and effective uids and gids based on perm.
585 * We always retain a real or effective uid of ROOT_UID unless
586 * we are headed for an exec().
587 * This version of set_perms() works fine with the "stay_setuid" option.
592 struct perm_state *state, *ostate = NULL;
595 debug_decl(set_perms, SUDO_DEBUG_PERMS)
597 noexit = ISSET(perm, PERM_NOEXIT);
598 CLR(perm, PERM_MASK);
600 if (perm_stack_depth == PERM_STACK_MAX) {
601 errstr = _("perm stack overflow");
606 state = &perm_stack[perm_stack_depth];
607 if (perm != PERM_INITIAL) {
608 if (perm_stack_depth == 0) {
609 errstr = _("perm stack underflow");
613 ostate = &perm_stack[perm_stack_depth - 1];
614 if (memcmp(state, ostate, sizeof(*state)) == 0)
619 * Since we only have setuid() and seteuid() and semantics
620 * for these calls differ on various systems, we set
621 * real and effective uids to ROOT_UID initially to be safe.
623 if (perm != PERM_INITIAL) {
624 if (seteuid(ROOT_UID)) {
625 errstr = "seteuid(ROOT_UID)";
628 if (setuid(ROOT_UID)) {
629 errstr = "setuid(ROOT_UID)";
636 /* Stash initial state */
637 state->ruid = getuid();
638 state->euid = geteuid();
639 state->rgid = getgid();
640 state->egid = getegid();
641 state->grlist = user_group_list;
642 grlist_addref(state->grlist);
646 /* We already set ruid/euid above. */
647 state->ruid = ROOT_UID;
648 state->euid = ROOT_UID;
651 state->grlist = ostate->grlist;
652 grlist_addref(state->grlist);
656 state->egid = user_gid;
657 if (setegid(ID(egid))) {
658 errstr = "setegid(user_gid)";
661 state->grlist = user_group_list;
662 grlist_addref(state->grlist);
663 if (state->grlist != ostate->grlist) {
664 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
665 errstr = "setgroups()";
670 state->ruid = ROOT_UID;
671 state->euid = user_uid;
672 if (seteuid(ID(euid))) {
673 errstr = "seteuid(user_uid)";
679 /* headed for exec() */
680 state->rgid = user_gid;
681 state->egid = user_gid;
682 if (setgid(user_gid)) {
683 errstr = "setgid(user_gid)";
686 state->grlist = user_group_list;
687 grlist_addref(state->grlist);
688 if (state->grlist != ostate->grlist) {
689 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
690 errstr = "setgroups()";
694 state->ruid = user_uid;
695 state->euid = user_uid;
696 if (setuid(user_uid)) {
697 errstr = "setuid(user_uid)";
704 state->egid = runas_gr ? runas_gr->gr_gid : runas_pw->pw_gid;
705 if (setegid(ID(egid))) {
706 errstr = _("unable to change to runas gid");
709 state->grlist = runas_setgroups();
711 state->euid = runas_pw ? runas_pw->pw_uid : user_uid;
712 if (seteuid(ID(euid))) {
713 errstr = _("unable to change to runas uid");
719 state->grlist = ostate->grlist;
720 grlist_addref(state->grlist);
722 /* assume euid == ROOT_UID, ruid == user */
724 state->egid = sudoers_gid;
725 if (setegid(ID(egid)))
726 error(1, _("unable to change to sudoers gid"));
728 state->ruid = ROOT_UID;
730 * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
731 * we use a non-zero uid in order to avoid NFS lossage.
732 * Using uid 1 is a bit bogus but should work on all OS's.
734 if (sudoers_uid == ROOT_UID && (sudoers_mode & 040))
737 state->euid = sudoers_uid;
738 if (seteuid(ID(euid))) {
739 errstr = "seteuid(SUDOERS_UID)";
745 state->grlist = ostate->grlist;
746 grlist_addref(state->grlist);
749 state->ruid = ROOT_UID;
750 state->euid = timestamp_uid;
751 if (seteuid(ID(euid))) {
752 errstr = "seteuid(timestamp_uid)";
760 debug_return_bool(1);
762 /* XXX - better warnings inline */
763 warningx("%s: %s", errstr,
764 errno == EAGAIN ? _("too many processes") : strerror(errno));
766 debug_return_bool(0);
773 struct perm_state *state, *ostate;
774 debug_decl(restore_perms, SUDO_DEBUG_PERMS)
776 if (perm_stack_depth < 2)
779 state = &perm_stack[perm_stack_depth - 1];
780 ostate = &perm_stack[perm_stack_depth - 2];
784 * Since we only have setuid() and seteuid() and semantics
785 * for these calls differ on various systems, we set
786 * real and effective uids to ROOT_UID initially to be safe.
788 if (seteuid(ROOT_UID)) {
789 errstr = "seteuid(ROOT_UID)";
792 if (setuid(ROOT_UID)) {
793 errstr = "setuid(ROOT_UID)";
797 if (setegid(OID(egid))) {
798 warning("setegid(%d)", (int)OID(egid));
801 if (state->grlist != ostate->grlist) {
802 if (sudo_setgroups(ostate->grlist->ngids, ostate->grlist->gids)) {
803 warning("setgroups()");
807 if (seteuid(OID(euid))) {
808 warning("seteuid(%d)", (int)OID(euid));
811 grlist_delref(state->grlist);
818 # else /* !HAVE_SETRESUID && !HAVE_SETREUID && !HAVE_SETEUID */
821 * Set uids and gids based on perm via setuid() and setgid().
822 * NOTE: does not support the "stay_setuid" or timestampowner options.
823 * Also, sudoers_uid and sudoers_gid are not used.
828 struct perm_state *state, *ostate = NULL;
831 debug_decl(set_perms, SUDO_DEBUG_PERMS)
833 noexit = ISSET(perm, PERM_NOEXIT);
834 CLR(perm, PERM_MASK);
836 if (perm_stack_depth == PERM_STACK_MAX) {
837 errstr = _("perm stack overflow");
842 state = &perm_stack[perm_stack_depth];
843 if (perm != PERM_INITIAL) {
844 if (perm_stack_depth == 0) {
845 errstr = _("perm stack underflow");
849 ostate = &perm_stack[perm_stack_depth - 1];
850 if (memcmp(state, ostate, sizeof(*state)) == 0)
856 /* Stash initial state */
857 state->ruid = getuid();
858 state->rgid = getgid();
859 state->grlist = user_group_list;
860 grlist_addref(state->grlist);
864 state->ruid = ROOT_UID;
866 state->grlist = ostate->grlist;
867 grlist_addref(state->grlist);
868 if (setuid(ROOT_UID)) {
869 errstr = "setuid(ROOT_UID)";
875 state->rgid = user_gid;
876 (void) setgid(user_gid);
877 state->grlist = user_group_list;
878 grlist_addref(state->grlist);
879 if (state->grlist != ostate->grlist) {
880 if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
881 errstr = "setgroups()";
885 state->ruid = user_uid;
886 if (setuid(user_uid)) {
887 errstr = "setuid(user_uid)";
896 /* Unsupported since we can't set euid. */
902 debug_return_bool(1);
904 /* XXX - better warnings inline */
905 warningx("%s: %s", errstr,
906 errno == EAGAIN ? _("too many processes") : strerror(errno));
908 debug_return_bool(0);
915 struct perm_state *state, *ostate;
916 debug_decl(restore_perms, SUDO_DEBUG_PERMS)
918 if (perm_stack_depth < 2)
921 state = &perm_stack[perm_stack_depth - 1];
922 ostate = &perm_stack[perm_stack_depth - 2];
925 if (OID(rgid) != -1 && setgid(ostate->rgid)) {
926 warning("setgid(%d)", (int)ostate->rgid);
929 if (state->grlist != ostate->grlist) {
930 if (sudo_setgroups(ostate->grlist->ngids, ostate->grlist->gids)) {
931 warning("setgroups()");
935 grlist_delref(state->grlist);
936 if (OID(ruid) != -1 && setuid(ostate->ruid)) {
937 warning("setuid(%d)", (int)ostate->ruid);
945 # endif /* HAVE_SETEUID */
946 # endif /* HAVE_SETREUID */
947 #endif /* HAVE_SETRESUID */
949 static struct group_list *
950 runas_setgroups(void)
953 struct group_list *grlist;
954 debug_decl(runas_setgroups, SUDO_DEBUG_PERMS)
956 if (def_preserve_groups) {
957 grlist_addref(user_group_list);
958 debug_return_ptr(user_group_list);
961 pw = runas_pw ? runas_pw : sudo_user.pw;
962 #ifdef HAVE_SETAUTHDB
963 aix_setauthdb(pw->pw_name);
965 grlist = get_group_list(pw);
966 #ifdef HAVE_SETAUTHDB
969 if (sudo_setgroups(grlist->ngids, grlist->gids) < 0)
970 log_error(USE_ERRNO|MSG_ONLY, _("unable to set runas group vector"));
971 debug_return_ptr(grlist);