/*
- * Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1994-1996,1998-2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
#include <config.h>
#include <sys/types.h>
-#include <sys/param.h>
#include <sys/stat.h>
#include <stdio.h>
#ifdef STDC_HEADERS
{
struct perm_state *state, *ostate = NULL;
char errbuf[1024];
+ const char *errstr = errbuf;
int noexit;
debug_decl(set_perms, SUDO_DEBUG_PERMS)
CLR(perm, PERM_MASK);
if (perm_stack_depth == PERM_STACK_MAX) {
- strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf));
+ errstr = N_("perm stack overflow");
errno = EINVAL;
goto bad;
}
state = &perm_stack[perm_stack_depth];
if (perm != PERM_INITIAL) {
if (perm_stack_depth == 0) {
- strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf));
+ errstr = N_("perm stack underflow");
errno = EINVAL;
goto bad;
}
/* Stash initial state */
#ifdef HAVE_GETRESUID
if (getresuid(&state->ruid, &state->euid, &state->suid)) {
- strlcpy(errbuf, "PERM_INITIAL: getresuid", sizeof(errbuf));
+ errstr = "PERM_INITIAL: getresuid";
goto bad;
}
if (getresgid(&state->rgid, &state->egid, &state->sgid)) {
- strlcpy(errbuf, "PERM_INITIAL: getresgid", sizeof(errbuf));
+ errstr = "PERM_INITIAL: getresgid";
goto bad;
}
#else
goto bad;
}
state->rgid = ostate->rgid;
- state->egid = ostate->egid;
+ state->egid = ROOT_GID;
state->sgid = ostate->sgid;
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+ "[%d, %d, %d] -> [%d, %d, %d]", __func__,
+ (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
+ (int)state->rgid, (int)state->egid, (int)state->sgid);
+ if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) {
+ errstr = N_("unable to change to root gid");
+ goto bad;
+ }
state->grlist = ostate->grlist;
sudo_grlist_addref(state->grlist);
break;
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_USER: setgroups";
goto bad;
}
}
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_FULL_USER: setgroups";
goto bad;
}
}
(int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
(int)state->rgid, (int)state->egid, (int)state->sgid);
if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) {
- strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas gid");
goto bad;
}
state->grlist = runas_setgroups();
(int)ostate->ruid, (int)ostate->euid, (int)ostate->suid,
(int)state->ruid, (int)state->euid, (int)state->suid);
if (UID_CHANGED && setresuid(ID(ruid), ID(euid), ID(suid))) {
- strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas uid");
goto bad;
}
break;
(int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
(int)state->rgid, (int)state->egid, (int)state->sgid);
if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) {
- strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf));
+ errstr = N_("unable to change to sudoers gid");
goto bad;
}
perm_stack_depth++;
debug_return_bool(1);
bad:
- warningx("%s: %s", errbuf,
+ warningx("%s: %s", _(errstr),
errno == EAGAIN ? _("too many processes") : strerror(errno));
if (noexit)
debug_return_bool(0);
{
struct perm_state *state, *ostate = NULL;
char errbuf[1024];
+ const char *errstr = errbuf;
int noexit;
debug_decl(set_perms, SUDO_DEBUG_PERMS)
CLR(perm, PERM_MASK);
if (perm_stack_depth == PERM_STACK_MAX) {
- strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf));
+ errstr = N_("perm stack overflow");
errno = EINVAL;
goto bad;
}
state = &perm_stack[perm_stack_depth];
if (perm != PERM_INITIAL) {
if (perm_stack_depth == 0) {
- strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf));
+ errstr = N_("perm stack underflow");
errno = EINVAL;
goto bad;
}
goto bad;
}
state->rgid = ostate->rgid;
- state->egid = ostate->egid;
+ state->egid = ROOT_GID;
state->sgid = ostate->sgid;
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+ "[%d, %d, %d] -> [%d, %d, %d]", __func__,
+ (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
+ (int)state->rgid, (int)state->egid, (int)state->sgid);
+ if (GID_CHANGED && setgidx(ID_EFFECTIVE, ROOT_GID)) {
+ errstr = N_("unable to change to root gid");
+ goto bad;
+ }
state->grlist = ostate->grlist;
sudo_grlist_addref(state->grlist);
break;
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_USER: setgroups";
goto bad;
}
}
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_FULL_USER: setgroups";
goto bad;
}
}
(int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
(int)state->rgid, (int)state->egid, (int)state->sgid);
if (GID_CHANGED && setgidx(ID_EFFECTIVE, state->egid)) {
- strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas gid");
goto bad;
}
state->grlist = runas_setgroups();
(int)ostate->ruid, (int)ostate->euid, (int)ostate->suid,
(int)state->ruid, (int)state->euid, (int)state->suid);
if (UID_CHANGED && setuidx(ID_EFFECTIVE, state->euid)) {
- strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas uid");
goto bad;
}
break;
(int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
(int)state->rgid, (int)state->egid, (int)state->sgid);
if (GID_CHANGED && setgidx(ID_EFFECTIVE, sudoers_gid)) {
- strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf));
+ errstr = N_("unable to change to sudoers gid");
goto bad;
}
perm_stack_depth++;
debug_return_bool(1);
bad:
- warningx("%s: %s", errbuf,
+ warningx("%s: %s", _(errstr),
errno == EAGAIN ? _("too many processes") : strerror(errno));
if (noexit)
debug_return_bool(0);
{
struct perm_state *state, *ostate = NULL;
char errbuf[1024];
+ const char *errstr = errbuf;
int noexit;
debug_decl(set_perms, SUDO_DEBUG_PERMS)
CLR(perm, PERM_MASK);
if (perm_stack_depth == PERM_STACK_MAX) {
- strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf));
+ errstr = N_("perm stack overflow");
errno = EINVAL;
goto bad;
}
state = &perm_stack[perm_stack_depth];
if (perm != PERM_INITIAL) {
if (perm_stack_depth == 0) {
- strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf));
+ errstr = N_("perm stack underflow");
errno = EINVAL;
goto bad;
}
}
}
state->rgid = ostate->rgid;
- state->egid = ostate->rgid;
+ state->egid = ROOT_GID;
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+ "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
+ (int)ostate->egid, (int)state->rgid, (int)state->egid);
+ if (GID_CHANGED && setregid(ID(rgid), ID(egid))) {
+ snprintf(errbuf, sizeof(errbuf),
+ "PERM_ROOT: setregid(%d, %d)", ID(rgid), ID(egid));
+ goto bad;
+ }
state->grlist = ostate->grlist;
sudo_grlist_addref(state->grlist);
break;
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_USER: setgroups";
goto bad;
}
}
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_FULL_USER: setgroups";
goto bad;
}
}
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
(int)ostate->egid, (int)state->rgid, (int)state->egid);
if (GID_CHANGED && setregid(ID(rgid), ID(egid))) {
- strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas gid");
goto bad;
}
state->grlist = runas_setgroups();
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->ruid,
(int)ostate->euid, (int)state->ruid, (int)state->euid);
if (UID_CHANGED && setreuid(ID(ruid), ID(euid))) {
- strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas uid");
goto bad;
}
break;
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
(int)ostate->egid, (int)state->rgid, (int)state->egid);
if (GID_CHANGED && setregid(ID(rgid), ID(egid))) {
- strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf));
+ errstr = N_("unable to change to sudoers gid");
goto bad;
}
perm_stack_depth++;
debug_return_bool(1);
bad:
- warningx("%s: %s", errbuf,
+ warningx("%s: %s", _(errstr),
errno == EAGAIN ? _("too many processes") : strerror(errno));
if (noexit)
debug_return_bool(0);
if (OID(euid) == ROOT_UID) {
/* setuid() may not set the saved ID unless the euid is ROOT_UID */
if (ID(euid) != ROOT_UID)
- (void)setreuid(-1, ROOT_UID);
+ ignore_result(setreuid(-1, ROOT_UID));
if (setuid(ROOT_UID)) {
warning("setuid() [%d, %d] -> %d)", (int)state->ruid,
(int)state->euid, ROOT_UID);
{
struct perm_state *state, *ostate = NULL;
char errbuf[1024];
+ const char *errstr = errbuf;
int noexit;
debug_decl(set_perms, SUDO_DEBUG_PERMS)
CLR(perm, PERM_MASK);
if (perm_stack_depth == PERM_STACK_MAX) {
- strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf));
+ errstr = N_("perm stack overflow");
errno = EINVAL;
goto bad;
}
state = &perm_stack[perm_stack_depth];
if (perm != PERM_INITIAL) {
if (perm_stack_depth == 0) {
- strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf));
+ errstr = N_("perm stack underflow");
errno = EINVAL;
goto bad;
}
state->ruid = ROOT_UID;
state->euid = ROOT_UID;
state->rgid = ostate->rgid;
- state->egid = ostate->egid;
+ state->egid = ROOT_GID;
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+ "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
+ (int)ostate->egid, ROOT_GID, ROOT_GID);
+ if (GID_CHANGED && setegid(ROOT_GID)) {
+ errstr = N_("unable to change to root gid");
+ goto bad;
+ }
state->grlist = ostate->grlist;
sudo_grlist_addref(state->grlist);
break;
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_USER: setgroups";
goto bad;
}
}
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_FULL_USER: setgroups";
goto bad;
}
}
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
(int)ostate->egid, (int)state->rgid, (int)state->egid);
if (GID_CHANGED && setegid(state->egid)) {
- strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas gid");
goto bad;
}
state->grlist = runas_setgroups();
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->ruid,
(int)ostate->euid, (int)state->ruid, (int)state->euid);
if (seteuid(state->euid)) {
- strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf));
+ errstr = N_("unable to change to runas uid");
goto bad;
}
break;
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
(int)ostate->egid, (int)state->rgid, (int)state->egid);
if (GID_CHANGED && setegid(sudoers_gid)) {
- strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf));
+ errstr = N_("unable to change to sudoers gid");
goto bad;
}
perm_stack_depth++;
debug_return_bool(1);
bad:
- warningx("%s: %s", errbuf,
+ warningx("%s: %s", _(errstr),
errno == EAGAIN ? _("too many processes") : strerror(errno));
if (noexit)
debug_return_bool(0);
{
struct perm_state *state, *ostate = NULL;
char errbuf[1024];
+ const char *errstr = errbuf;
int noexit;
debug_decl(set_perms, SUDO_DEBUG_PERMS)
CLR(perm, PERM_MASK);
if (perm_stack_depth == PERM_STACK_MAX) {
- strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf));
+ errstr = N_("perm stack overflow");
errno = EINVAL;
goto bad;
}
state = &perm_stack[perm_stack_depth];
if (perm != PERM_INITIAL) {
if (perm_stack_depth == 0) {
- strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf));
+ errstr = N_("perm stack underflow");
errno = EINVAL;
goto bad;
}
case PERM_ROOT:
state->ruid = ROOT_UID;
- state->rgid = ostate->rgid;
+ state->rgid = ROOT_GID;
state->grlist = ostate->grlist;
sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
snprintf(errbuf, sizeof(errbuf), "PERM_ROOT: setuid(%d)", ROOT_UID);
goto bad;
}
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+ "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
+ if (setgid(ROOT_GID)) {
+ errstr = N_("unable to change to root gid");
+ goto bad;
+ }
break;
case PERM_FULL_USER:
state->rgid = user_gid;
- sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: gid: "
"[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
(void) setgid(user_gid);
state->grlist = user_group_list;
sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
- strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
+ errstr = "PERM_FULL_USER: setgroups";
goto bad;
}
}
state->ruid = user_uid;
- sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: uid: "
"[%d] -> [%d]", __func__, (int)ostate->ruid, (int)state->ruid);
if (setuid(user_uid)) {
snprintf(errbuf, sizeof(errbuf),
perm_stack_depth++;
debug_return_bool(1);
bad:
- warningx("%s: %s", errbuf,
+ warningx("%s: %s", _(errstr),
errno == EAGAIN ? _("too many processes") : strerror(errno));
if (noexit)
debug_return_bool(0);
aix_restoreauthdb();
#endif
if (sudo_setgroups(grlist->ngids, grlist->gids) < 0)
- log_fatal(USE_ERRNO|MSG_ONLY, _("unable to set runas group vector"));
+ log_fatal(USE_ERRNO|MSG_ONLY, N_("unable to set runas group vector"));
debug_return_ptr(grlist);
}
#endif /* HAVE_SETRESUID || HAVE_SETREUID || HAVE_SETEUID */