2 * Copyright (c) 1994-1996,1998-2001 Todd C. Miller <Todd.Miller@courtesan.com>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * 4. Products derived from this software may not be called "Sudo" nor
20 * may "Sudo" appear in their names without specific prior written
21 * permission from the author.
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
24 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
25 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
26 * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
29 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
30 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
31 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
32 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include <sys/types.h>
38 #include <sys/param.h>
48 #endif /* STDC_HEADERS */
52 # ifdef HAVE_STRINGS_H
55 #endif /* HAVE_STRING_H */
58 #endif /* HAVE_UNISTD_H */
62 #ifdef HAVE_LOGIN_CAP_H
63 # include <login_cap.h>
69 static const char rcsid[] = "$Sudo: set_perms.c,v 1.12 2002/01/22 02:00:25 millert Exp $";
75 static void runas_setup __P((void));
76 static void fatal __P((char *, int));
78 #if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
80 * Set real and effective uids and gids based on perm.
81 * Since we have POSIX saved IDs we can get away with just
82 * toggling the effective uid/gid unless we are headed for an exec().
85 set_perms_posix(perm, sudo_mode)
94 fatal("seteuid(0) failed, your operating system may have broken POSIX saved ID support\nTry running configure with --disable-saved-ids", 0);
98 /* headed for exec() */
101 fatal("setuid(0)", 1);
105 (void) setegid(user_gid);
106 if (seteuid(user_uid))
107 fatal("seteuid(user_uid)", 1);
111 /* headed for exec() */
112 (void) setgid(user_gid);
113 if (setuid(user_uid))
114 fatal("setuid(user_uid)", 1);
118 /* headed for exec(), assume euid == 0 */
120 if (def_flag(I_STAY_SETUID))
121 error = seteuid(runas_pw->pw_uid);
123 error = setuid(runas_pw->pw_uid);
125 fatal("unable to change to runas uid", 1);
129 /* assume euid == 0, ruid == user */
130 if (setegid(SUDOERS_GID))
131 fatal("unable to change to sudoers gid", 1);
134 * If SUDOERS_UID == 0 and SUDOERS_MODE
135 * is group readable we use a non-zero
136 * uid in order to avoid NFS lossage.
137 * Using uid 1 is a bit bogus but should
140 if (SUDOERS_UID == 0) {
141 if ((SUDOERS_MODE & 040) && seteuid(1))
142 fatal("seteuid(1)", 1);
144 if (seteuid(SUDOERS_UID))
145 fatal("seteuid(SUDOERS_UID)", 1);
150 #endif /* !NO_SAVED_IDS && _SC_SAVED_IDS && _SC_VERSION */
154 * Set real and effective uids and gids based on perm.
155 * We always retain a real or effective uid of 0 unless
156 * we are headed for an exec().
159 set_perms_fallback(perm, sudo_mode)
169 fatal("setuid(0) failed, your operating system may have broken POSIX saved ID support\nTry running configure with --disable-setreuid", 0);
173 (void) setegid(user_gid);
174 if (setreuid(0, user_uid))
175 fatal("setreuid(0, user_uid)", 1);
179 /* headed for exec() */
180 (void) setgid(user_gid);
181 if (setuid(user_uid))
182 fatal("setuid(user_uid)", 1);
186 /* headed for exec(), assume euid == 0 */
188 if (def_flag(I_STAY_SETUID))
189 error = setreuid(user_uid, runas_pw->pw_uid);
191 error = setuid(runas_pw->pw_uid);
193 fatal("unable to change to runas uid", 1);
197 /* assume euid == 0, ruid == user */
198 if (setegid(SUDOERS_GID))
199 fatal("unable to change to sudoers gid", 1);
202 * If SUDOERS_UID == 0 and SUDOERS_MODE
203 * is group readable we use a non-zero
204 * uid in order to avoid NFS lossage.
205 * Using uid 1 is a bit bogus but should
208 if (SUDOERS_UID == 0) {
209 if ((SUDOERS_MODE & 040) && setreuid(0, 1))
210 fatal("setreuid(0, 1)", 1);
212 if (setreuid(0, SUDOERS_UID))
213 fatal("setreuid(0, SUDOERS_UID)", 1);
222 * Set real and effective uids and gids based on perm.
223 * NOTE: does not support the "stay_setuid" option.
226 set_perms_fallback(perm, sudo_mode)
232 * Since we only have setuid() and seteuid() we have to set
233 * real and effective uidss to 0 initially.
236 fatal("setuid(0)", 1);
240 (void) setegid(user_gid);
241 if (seteuid(user_uid))
242 fatal("seteuid(user_uid)", 1);
246 /* headed for exec() */
247 (void) setgid(user_gid);
248 if (setuid(user_uid))
249 fatal("setuid(user_uid)", 1);
253 /* headed for exec(), assume euid == 0 */
255 if (setuid(runas_pw->pw_uid))
256 fatal("unable to change to runas uid", 1);
260 /* assume euid == 0, ruid == user */
261 if (setegid(SUDOERS_GID))
262 fatal("unable to change to sudoers gid", 1);
265 * If SUDOERS_UID == 0 and SUDOERS_MODE
266 * is group readable we use a non-zero
267 * uid in order to avoid NFS lossage.
268 * Using uid 1 is a bit bogus but should
271 if (SUDOERS_UID == 0) {
272 if ((SUDOERS_MODE & 040) && seteuid(1))
273 fatal("seteuid(1)", 1);
275 if (seteuid(SUDOERS_UID))
276 fatal("seteuid(SUDOERS_UID)", 1);
281 #endif /* HAVE_SETREUID */
286 #ifdef HAVE_LOGIN_CAP_H
288 extern login_cap_t *lc;
291 if (runas_pw->pw_name != NULL) {
293 pam_prep_user(runas_pw);
294 #endif /* HAVE_PAM */
296 #ifdef HAVE_LOGIN_CAP_H
297 if (def_flag(I_USE_LOGINCLASS)) {
299 * We don't have setusercontext() set the user since we
300 * may only want to set the effective uid. Depending on
301 * sudoers and/or command line arguments we may not want
302 * setusercontext() to call initgroups().
304 flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
305 if (!def_flag(I_PRESERVE_GROUPS))
306 flags |= LOGIN_SETGROUP;
307 else if (setgid(runas_pw->pw_gid))
308 perror("cannot set gid to runas gid");
309 error = setusercontext(lc, runas_pw,
310 runas_pw->pw_uid, flags);
312 perror("unable to set user context");
314 #endif /* HAVE_LOGIN_CAP_H */
316 if (setgid(runas_pw->pw_gid))
317 perror("cannot set gid to runas gid");
318 #ifdef HAVE_INITGROUPS
320 * Initialize group vector unless asked not to.
322 if (!def_flag(I_PRESERVE_GROUPS) &&
323 initgroups(*user_runas, runas_pw->pw_gid) < 0)
324 perror("cannot set group vector");
325 #endif /* HAVE_INITGROUPS */