2 * Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * Sponsored in part by the Defense Advanced Research Projects
17 * Agency (DARPA) and Air Force Research Laboratory, Air Force
18 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 #include <sys/types.h>
24 #include <sys/param.h>
34 #endif /* STDC_HEADERS */
38 # ifdef HAVE_STRINGS_H
41 #endif /* HAVE_STRING_H */
44 #endif /* HAVE_UNISTD_H */
48 #ifdef HAVE_LOGIN_CAP_H
49 # include <login_cap.h>
55 static const char rcsid[] = "$Sudo: set_perms.c,v 1.30 2004/05/27 23:12:02 millert Exp $";
59 # define ROOT_UID 65535
67 static void runas_setup __P((void));
68 static void fatal __P((char *, int));
70 #if !defined(HAVE_SETRESUID) && !defined(HAVE_SETREUID) && \
71 !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
73 * Set real and effective uids and gids based on perm.
74 * Since we have POSIX saved IDs we can get away with just
75 * toggling the effective uid/gid unless we are headed for an exec().
85 if (seteuid(ROOT_UID))
86 fatal("seteuid(ROOT_UID) failed, your operating system may have broken POSIX saved ID support\nTry running configure with --disable-saved-ids", 0);
90 /* headed for exec() */
91 (void) seteuid(ROOT_UID);
93 fatal("setuid(ROOT_UID)", 1);
97 (void) setegid(user_gid);
98 if (seteuid(user_uid))
99 fatal("seteuid(user_uid)", 1);
103 /* headed for exec() */
104 (void) setgid(user_gid);
105 if (setuid(user_uid))
106 fatal("setuid(user_uid)", 1);
110 if (seteuid(runas_pw->pw_uid))
111 fatal("unable to change to runas uid", 1);
114 case PERM_FULL_RUNAS:
115 /* headed for exec(), assume euid == ROOT_UID */
118 error = seteuid(runas_pw->pw_uid);
120 error = setuid(runas_pw->pw_uid);
122 fatal("unable to change to runas uid", 1);
126 /* assume euid == ROOT_UID, ruid == user */
127 if (setegid(SUDOERS_GID))
128 fatal("unable to change to sudoers gid", 1);
131 * If SUDOERS_UID == ROOT_UID and SUDOERS_MODE
132 * is group readable we use a non-zero
133 * uid in order to avoid NFS lossage.
134 * Using uid 1 is a bit bogus but should
137 if (SUDOERS_UID == ROOT_UID) {
138 if ((SUDOERS_MODE & 040) && seteuid(1))
139 fatal("seteuid(1)", 1);
141 if (seteuid(SUDOERS_UID))
142 fatal("seteuid(SUDOERS_UID)", 1);
146 if (seteuid(timestamp_uid))
147 fatal("seteuid(timestamp_uid)", 1);
152 #endif /* !NO_SAVED_IDS && _SC_SAVED_IDS && _SC_VERSION */
154 #ifdef HAVE_SETRESUID
156 * Set real and effective and saved uids and gids based on perm.
157 * We always retain a saved uid of 0 unless we are headed for an exec().
158 * We only flip the effective gid since it only changes for PERM_SUDOERS.
159 * This version of set_perms() works fine with the "stay_setuid" option.
170 if (setresuid(ROOT_UID, ROOT_UID, ROOT_UID))
171 fatal("setresuid(ROOT_UID, ROOT_UID, ROOT_UID) failed, your operating system may have a broken setresuid() function\nTry running configure with --disable-setresuid", 0);
175 (void) setresgid(-1, user_gid, -1);
176 if (setresuid(user_uid, user_uid, ROOT_UID))
177 fatal("setresuid(user_uid, user_uid, ROOT_UID)", 1);
181 /* headed for exec() */
182 (void) setgid(user_gid);
183 if (setresuid(user_uid, user_uid, user_uid))
184 fatal("setresuid(user_uid, user_uid, user_uid)", 1);
188 if (setresuid(-1, runas_pw->pw_uid, -1))
189 fatal("unable to change to runas uid", 1);
192 case PERM_FULL_RUNAS:
193 /* headed for exec(), assume euid == ROOT_UID */
195 error = setresuid(def_stay_setuid ?
196 user_uid : runas_pw->pw_uid,
197 runas_pw->pw_uid, runas_pw->pw_uid);
199 fatal("unable to change to runas uid", 1);
203 /* assume euid == ROOT_UID, ruid == user */
204 if (setresgid(-1, SUDOERS_GID, -1))
205 fatal("unable to change to sudoers gid", 1);
208 * If SUDOERS_UID == ROOT_UID and SUDOERS_MODE
209 * is group readable we use a non-zero
210 * uid in order to avoid NFS lossage.
211 * Using uid 1 is a bit bogus but should
214 if (SUDOERS_UID == ROOT_UID) {
215 if ((SUDOERS_MODE & 040) && setresuid(ROOT_UID, 1, ROOT_UID))
216 fatal("setresuid(ROOT_UID, 1, ROOT_UID)", 1);
218 if (setresuid(ROOT_UID, SUDOERS_UID, ROOT_UID))
219 fatal("setresuid(ROOT_UID, SUDOERS_UID, ROOT_UID)", 1);
223 if (setresuid(ROOT_UID, timestamp_uid, ROOT_UID))
224 fatal("setresuid(ROOT_UID, timestamp_uid, ROOT_UID)", 1);
230 # ifdef HAVE_SETREUID
233 * Set real and effective uids and gids based on perm.
234 * We always retain a real or effective uid of ROOT_UID unless
235 * we are headed for an exec().
236 * This version of set_perms() works fine with the "stay_setuid" option.
247 if (setreuid(-1, ROOT_UID))
248 fatal("setreuid(-1, ROOT_UID) failed, your operating system may have a broken setreuid() function\nTry running configure with --disable-setreuid", 0);
249 if (setuid(ROOT_UID))
250 fatal("setuid(ROOT_UID)", 1);
254 (void) setregid(-1, user_gid);
255 if (setreuid(ROOT_UID, user_uid))
256 fatal("setreuid(ROOT_UID, user_uid)", 1);
260 /* headed for exec() */
261 (void) setgid(user_gid);
262 if (setreuid(user_uid, user_uid))
263 fatal("setreuid(user_uid, user_uid)", 1);
267 if (setreuid(-1, runas_pw->pw_uid))
268 fatal("unable to change to runas uid", 1);
271 case PERM_FULL_RUNAS:
272 /* headed for exec(), assume euid == ROOT_UID */
274 error = setreuid(def_stay_setuid ?
275 user_uid : runas_pw->pw_uid,
278 fatal("unable to change to runas uid", 1);
282 /* assume euid == ROOT_UID, ruid == user */
283 if (setregid(-1, SUDOERS_GID))
284 fatal("unable to change to sudoers gid", 1);
287 * If SUDOERS_UID == ROOT_UID and SUDOERS_MODE
288 * is group readable we use a non-zero
289 * uid in order to avoid NFS lossage.
290 * Using uid 1 is a bit bogus but should
293 if (SUDOERS_UID == ROOT_UID) {
294 if ((SUDOERS_MODE & 040) && setreuid(ROOT_UID, 1))
295 fatal("setreuid(ROOT_UID, 1)", 1);
297 if (setreuid(ROOT_UID, SUDOERS_UID))
298 fatal("setreuid(ROOT_UID, SUDOERS_UID)", 1);
302 if (setreuid(ROOT_UID, timestamp_uid))
303 fatal("setreuid(ROOT_UID, timestamp_uid)", 1);
309 # ifdef HAVE_SETREUID
312 * Set real and effective uids and gids based on perm.
313 * NOTE: does not support the "stay_setuid" option.
316 set_perms_nosuid(perm)
321 * Since we only have setuid() and seteuid() we have to set
322 * real and effective uids to ROOT_UID initially.
324 if (setuid(ROOT_UID))
325 fatal("setuid(ROOT_UID)", 1);
329 (void) setegid(user_gid);
330 if (seteuid(user_uid))
331 fatal("seteuid(user_uid)", 1);
335 /* headed for exec() */
336 (void) setgid(user_gid);
337 if (setuid(user_uid))
338 fatal("setuid(user_uid)", 1);
342 if (seteuid(runas_pw->pw_uid))
343 fatal("unable to change to runas uid", 1);
346 case PERM_FULL_RUNAS:
347 /* headed for exec(), assume euid == ROOT_UID */
349 if (setuid(runas_pw->pw_uid))
350 fatal("unable to change to runas uid", 1);
354 /* assume euid == ROOT_UID, ruid == user */
355 if (setegid(SUDOERS_GID))
356 fatal("unable to change to sudoers gid", 1);
359 * If SUDOERS_UID == ROOT_UID and SUDOERS_MODE
360 * is group readable we use a non-zero
361 * uid in order to avoid NFS lossage.
362 * Using uid 1 is a bit bogus but should
365 if (SUDOERS_UID == ROOT_UID) {
366 if ((SUDOERS_MODE & 040) && seteuid(1))
367 fatal("seteuid(1)", 1);
369 if (seteuid(SUDOERS_UID))
370 fatal("seteuid(SUDOERS_UID)", 1);
374 if (seteuid(timestamp_uid))
375 fatal("seteuid(timestamp_uid)", 1);
383 * Set uids and gids based on perm via setuid() and setgid().
384 * NOTE: does not support the "stay_setuid" or timestampowner options.
385 * Also, SUDOERS_UID and SUDOERS_GID are not used.
388 set_perms_nosuid(perm)
395 if (setuid(ROOT_UID))
396 fatal("setuid(ROOT_UID)", 1);
400 (void) setgid(user_gid);
401 if (setuid(user_uid))
402 fatal("setuid(user_uid)", 1);
405 case PERM_FULL_RUNAS:
407 if (setuid(runas_pw->pw_uid))
408 fatal("unable to change to runas uid", 1);
415 /* Unsupported since we can't set euid. */
419 # endif /* HAVE_SETEUID */
420 # endif /* HAVE_SETREUID */
421 #endif /* HAVE_SETRESUID */
426 #ifdef HAVE_LOGIN_CAP_H
428 extern login_cap_t *lc;
431 if (runas_pw->pw_name != NULL) {
433 pam_prep_user(runas_pw);
434 #endif /* HAVE_PAM */
436 #ifdef HAVE_LOGIN_CAP_H
437 if (def_use_loginclass) {
439 * We don't have setusercontext() set the user since we
440 * may only want to set the effective uid. Depending on
441 * sudoers and/or command line arguments we may not want
442 * setusercontext() to call initgroups().
444 flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
445 if (!def_preserve_groups)
446 SET(flags, LOGIN_SETGROUP);
447 else if (setgid(runas_pw->pw_gid))
448 perror("cannot set gid to runas gid");
449 error = setusercontext(lc, runas_pw,
450 runas_pw->pw_uid, flags);
452 if (runas_pw->pw_uid != ROOT_UID)
453 fatal("unable to set user context", 1);
455 perror("unable to set user context");
458 #endif /* HAVE_LOGIN_CAP_H */
460 if (setgid(runas_pw->pw_gid))
461 perror("cannot set gid to runas gid");
462 #ifdef HAVE_INITGROUPS
464 * Initialize group vector unless asked not to.
466 if (!def_preserve_groups &&
467 initgroups(*user_runas, runas_pw->pw_gid) < 0)
468 perror("cannot set group vector");
469 #endif /* HAVE_INITGROUPS */