author | raf |
Fri, 06 Jun 2008 14:02:15 -0700 | |
changeset 6812 | febeba71273d |
parent 5331 | 3047ad28a67b |
child 11537 | 8eca52188202 |
permissions | -rw-r--r-- |
0 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
5 |
* Common Development and Distribution License (the "License"). |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
6 |
* You may not use this file except in compliance with the License. |
0 | 7 |
* |
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
3864 | 21 |
|
0 | 22 |
/* |
6812 | 23 |
* Copyright 2008 Sun Microsystems, Inc. All rights reserved. |
0 | 24 |
* Use is subject to license terms. |
25 |
*/ |
|
26 |
||
6812 | 27 |
#pragma ident "%Z%%M% %I% %E% SMI" |
0 | 28 |
|
6812 | 29 |
#pragma weak _getprivimplinfo = getprivimplinfo |
30 |
#pragma weak _priv_addset = priv_addset |
|
31 |
#pragma weak _priv_allocset = priv_allocset |
|
32 |
#pragma weak _priv_copyset = priv_copyset |
|
33 |
#pragma weak _priv_delset = priv_delset |
|
34 |
#pragma weak _priv_emptyset = priv_emptyset |
|
35 |
#pragma weak _priv_fillset = priv_fillset |
|
36 |
#pragma weak _priv_freeset = priv_freeset |
|
37 |
#pragma weak _priv_getbyname = priv_getbyname |
|
38 |
#pragma weak _priv_getbynum = priv_getbynum |
|
39 |
#pragma weak _priv_getsetbyname = priv_getsetbyname |
|
40 |
#pragma weak _priv_getsetbynum = priv_getsetbynum |
|
41 |
#pragma weak _priv_ineffect = priv_ineffect |
|
42 |
#pragma weak _priv_intersect = priv_intersect |
|
43 |
#pragma weak _priv_inverse = priv_inverse |
|
44 |
#pragma weak _priv_isemptyset = priv_isemptyset |
|
45 |
#pragma weak _priv_isequalset = priv_isequalset |
|
46 |
#pragma weak _priv_isfullset = priv_isfullset |
|
47 |
#pragma weak _priv_ismember = priv_ismember |
|
48 |
#pragma weak _priv_issubset = priv_issubset |
|
49 |
#pragma weak _priv_set = priv_set |
|
50 |
#pragma weak _priv_union = priv_union |
|
0 | 51 |
|
6812 | 52 |
#include "lint.h" |
0 | 53 |
|
54 |
#define _STRUCTURED_PROC 1 |
|
55 |
||
56 |
#include "priv_private.h" |
|
57 |
#include "mtlib.h" |
|
58 |
#include "libc.h" |
|
59 |
#include <errno.h> |
|
60 |
#include <stdarg.h> |
|
61 |
#include <stdlib.h> |
|
62 |
#include <unistd.h> |
|
63 |
#include <strings.h> |
|
64 |
#include <synch.h> |
|
65 |
#include <alloca.h> |
|
3864 | 66 |
#include <atomic.h> |
0 | 67 |
#include <sys/ucred.h> |
68 |
#include <sys/procfs.h> |
|
69 |
#include <sys/param.h> |
|
70 |
#include <sys/corectl.h> |
|
71 |
#include <priv_utils.h> |
|
72 |
#include <zone.h> |
|
73 |
||
74 |
/* Include each string only once - until the compiler/linker are fixed */ |
|
75 |
static const char *permitted = PRIV_PERMITTED; |
|
76 |
static const char *effective = PRIV_EFFECTIVE; |
|
77 |
static const char *limit = PRIV_LIMIT; |
|
78 |
static const char *inheritable = PRIV_INHERITABLE; |
|
79 |
/* |
|
80 |
* Data independent privilege set operations. |
|
81 |
* |
|
82 |
* Only a few functions are provided that do not default to |
|
83 |
* the system implementation of privileges. A limited set of |
|
84 |
* interfaces is provided that accepts a priv_data_t * |
|
85 |
* argument; this set of interfaces is a private interface between libc |
|
86 |
* and libproc. It is delivered in order to interpret privilege sets |
|
87 |
* in debuggers in a implementation independent way. As such, we |
|
88 |
* don't need to provide the bulk of the interfaces, only a few |
|
89 |
* boolean tests (isfull, isempty) the name<->num mappings and |
|
90 |
* set pretty print functions. The boolean tests are only needed for |
|
91 |
* the latter, so those aren't provided externally. |
|
92 |
* |
|
93 |
* Additionally, we provide the function that maps the kernel implementation |
|
94 |
* structure into a libc private data structure. |
|
95 |
*/ |
|
96 |
||
97 |
priv_data_t *privdata; |
|
98 |
||
99 |
static mutex_t pd_lock = DEFAULTMUTEX; |
|
100 |
||
101 |
static int |
|
102 |
parseninfo(priv_info_names_t *na, char ***buf, int *cp) |
|
103 |
{ |
|
104 |
char *q; |
|
105 |
int i; |
|
106 |
||
107 |
*buf = libc_malloc(sizeof (char *) * na->cnt); |
|
108 |
||
109 |
if (*buf == NULL) |
|
110 |
return (-1); |
|
111 |
||
112 |
q = na->names; |
|
113 |
||
114 |
for (i = 0; i < na->cnt; i++) { |
|
115 |
int l = strlen(q); |
|
116 |
||
117 |
(*buf)[i] = q; |
|
118 |
q += l + 1; |
|
119 |
} |
|
120 |
*cp = na->cnt; |
|
121 |
return (0); |
|
122 |
} |
|
123 |
||
124 |
struct strint { |
|
125 |
char *name; |
|
126 |
int rank; |
|
127 |
}; |
|
128 |
||
129 |
static int |
|
130 |
strintcmp(const void *a, const void *b) |
|
131 |
{ |
|
132 |
const struct strint *ap = a; |
|
133 |
const struct strint *bp = b; |
|
134 |
||
135 |
return (strcasecmp(ap->name, bp->name)); |
|
136 |
} |
|
137 |
||
138 |
priv_data_t * |
|
139 |
__priv_parse_info(priv_impl_info_t *ip) |
|
140 |
{ |
|
141 |
priv_data_t *tmp; |
|
142 |
char *x; |
|
143 |
size_t size = PRIV_IMPL_INFO_SIZE(ip); |
|
144 |
int i; |
|
145 |
||
146 |
tmp = libc_malloc(sizeof (*tmp)); |
|
147 |
||
148 |
if (tmp == NULL) |
|
149 |
return (NULL); |
|
150 |
||
151 |
(void) memset(tmp, 0, sizeof (*tmp)); |
|
152 |
||
153 |
tmp->pd_pinfo = ip; |
|
154 |
tmp->pd_setsize = sizeof (priv_chunk_t) * ip->priv_setsize; |
|
155 |
tmp->pd_ucredsize = UCRED_SIZE(ip); |
|
156 |
||
157 |
x = (char *)ip; |
|
158 |
x += ip->priv_headersize; |
|
159 |
||
160 |
while (x < ((char *)ip) + size) { |
|
161 |
/* LINTED: alignment */ |
|
162 |
priv_info_names_t *na = (priv_info_names_t *)x; |
|
163 |
/* LINTED: alignment */ |
|
164 |
priv_info_set_t *st = (priv_info_set_t *)x; |
|
165 |
struct strint *tmparr; |
|
166 |
||
167 |
switch (na->info.priv_info_type) { |
|
168 |
case PRIV_INFO_SETNAMES: |
|
169 |
if (parseninfo(na, &tmp->pd_setnames, &tmp->pd_nsets)) |
|
170 |
goto out; |
|
171 |
break; |
|
172 |
case PRIV_INFO_PRIVNAMES: |
|
173 |
if (parseninfo(na, &tmp->pd_privnames, &tmp->pd_nprivs)) |
|
174 |
goto out; |
|
175 |
/* |
|
176 |
* We compute a sorted index which allows us |
|
177 |
* to present a sorted list of privileges |
|
178 |
* without actually having to sort it each time. |
|
179 |
*/ |
|
180 |
tmp->pd_setsort = libc_malloc(tmp->pd_nprivs * |
|
181 |
sizeof (int)); |
|
182 |
if (tmp->pd_setsort == NULL) |
|
183 |
goto out; |
|
184 |
||
185 |
tmparr = libc_malloc(tmp->pd_nprivs * |
|
186 |
sizeof (struct strint)); |
|
187 |
||
188 |
if (tmparr == NULL) |
|
189 |
goto out; |
|
190 |
||
191 |
for (i = 0; i < tmp->pd_nprivs; i++) { |
|
192 |
tmparr[i].rank = i; |
|
193 |
tmparr[i].name = tmp->pd_privnames[i]; |
|
194 |
} |
|
195 |
qsort(tmparr, tmp->pd_nprivs, sizeof (struct strint), |
|
6812 | 196 |
strintcmp); |
0 | 197 |
for (i = 0; i < tmp->pd_nprivs; i++) |
198 |
tmp->pd_setsort[i] = tmparr[i].rank; |
|
199 |
libc_free(tmparr); |
|
200 |
break; |
|
201 |
case PRIV_INFO_BASICPRIVS: |
|
202 |
tmp->pd_basicset = (priv_set_t *)&st->set[0]; |
|
203 |
break; |
|
204 |
default: |
|
205 |
/* unknown, ignore */ |
|
206 |
break; |
|
207 |
} |
|
208 |
x += na->info.priv_info_size; |
|
209 |
} |
|
210 |
return (tmp); |
|
211 |
out: |
|
212 |
libc_free(tmp->pd_setnames); |
|
213 |
libc_free(tmp->pd_privnames); |
|
214 |
libc_free(tmp->pd_setsort); |
|
215 |
libc_free(tmp); |
|
216 |
return (NULL); |
|
217 |
} |
|
218 |
||
219 |
/* |
|
220 |
* Caller must have allocated d->pd_pinfo and should free it, |
|
221 |
* if necessary. |
|
222 |
*/ |
|
223 |
void |
|
224 |
__priv_free_info(priv_data_t *d) |
|
225 |
{ |
|
226 |
libc_free(d->pd_setnames); |
|
227 |
libc_free(d->pd_privnames); |
|
228 |
libc_free(d->pd_setsort); |
|
229 |
libc_free(d); |
|
230 |
} |
|
231 |
||
232 |
/* |
|
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
233 |
* Return with the pd_lock held and data loaded or indicate failure. |
0 | 234 |
*/ |
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
235 |
int |
0 | 236 |
lock_data(void) |
237 |
{ |
|
3864 | 238 |
if (__priv_getdata() == NULL) |
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
239 |
return (-1); |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
240 |
|
0 | 241 |
lmutex_lock(&pd_lock); |
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
242 |
return (0); |
0 | 243 |
} |
244 |
||
245 |
boolean_t |
|
246 |
refresh_data(void) |
|
247 |
{ |
|
248 |
priv_impl_info_t *ip, ii; |
|
249 |
priv_data_t *tmp; |
|
250 |
char *p0, *q0; |
|
251 |
int oldn, newn; |
|
252 |
int i; |
|
253 |
||
254 |
if (getprivinfo(&ii, sizeof (ii)) != 0 || |
|
255 |
ii.priv_max == privdata->pd_nprivs) |
|
256 |
return (B_FALSE); |
|
257 |
||
258 |
ip = alloca(PRIV_IMPL_INFO_SIZE(&ii)); |
|
259 |
||
260 |
(void) getprivinfo(ip, PRIV_IMPL_INFO_SIZE(&ii)); |
|
261 |
||
262 |
/* Parse the info; then copy the additional bits */ |
|
263 |
tmp = __priv_parse_info(ip); |
|
264 |
if (tmp == NULL) |
|
265 |
return (B_FALSE); |
|
266 |
||
267 |
oldn = privdata->pd_nprivs; |
|
268 |
p0 = privdata->pd_privnames[0]; |
|
269 |
||
270 |
newn = tmp->pd_nprivs; |
|
271 |
q0 = tmp->pd_privnames[0]; |
|
272 |
||
273 |
/* copy the extra information to the old datastructure */ |
|
274 |
(void) memcpy((char *)privdata->pd_pinfo + sizeof (priv_impl_info_t), |
|
6812 | 275 |
(char *)ip + sizeof (priv_impl_info_t), |
276 |
PRIV_IMPL_INFO_SIZE(ip) - sizeof (priv_impl_info_t)); |
|
0 | 277 |
|
278 |
/* Copy the first oldn pointers */ |
|
279 |
(void) memcpy(tmp->pd_privnames, privdata->pd_privnames, |
|
280 |
oldn * sizeof (char *)); |
|
281 |
||
282 |
/* Adjust the rest */ |
|
283 |
for (i = oldn; i < newn; i++) |
|
284 |
tmp->pd_privnames[i] += p0 - q0; |
|
285 |
||
286 |
/* Install the larger arrays */ |
|
287 |
libc_free(privdata->pd_privnames); |
|
288 |
privdata->pd_privnames = tmp->pd_privnames; |
|
289 |
tmp->pd_privnames = NULL; |
|
290 |
||
291 |
libc_free(privdata->pd_setsort); |
|
292 |
privdata->pd_setsort = tmp->pd_setsort; |
|
293 |
tmp->pd_setsort = NULL; |
|
294 |
||
295 |
/* Copy the rest of the data */ |
|
296 |
*privdata->pd_pinfo = *ip; |
|
297 |
||
298 |
privdata->pd_nprivs = newn; |
|
299 |
||
300 |
__priv_free_info(tmp); |
|
301 |
return (B_TRUE); |
|
302 |
} |
|
303 |
||
304 |
void |
|
305 |
unlock_data(void) |
|
306 |
{ |
|
307 |
lmutex_unlock(&pd_lock); |
|
308 |
} |
|
309 |
||
310 |
static priv_set_t *__priv_allocset(priv_data_t *); |
|
311 |
||
312 |
priv_data_t * |
|
313 |
__priv_getdata(void) |
|
314 |
{ |
|
315 |
if (privdata == NULL) { |
|
3864 | 316 |
lmutex_lock(&pd_lock); |
317 |
if (privdata == NULL) { |
|
318 |
priv_data_t *tmp; |
|
319 |
priv_impl_info_t *ip; |
|
320 |
size_t size = sizeof (priv_impl_info_t) + 2048; |
|
321 |
size_t realsize; |
|
322 |
priv_impl_info_t *aip = alloca(size); |
|
0 | 323 |
|
3864 | 324 |
if (getprivinfo(aip, size) != 0) |
325 |
goto out; |
|
326 |
||
327 |
realsize = PRIV_IMPL_INFO_SIZE(aip); |
|
328 |
||
329 |
ip = libc_malloc(realsize); |
|
330 |
||
331 |
if (ip == NULL) |
|
332 |
goto out; |
|
0 | 333 |
|
3864 | 334 |
if (realsize <= size) { |
335 |
(void) memcpy(ip, aip, realsize); |
|
336 |
} else if (getprivinfo(ip, realsize) != 0) { |
|
337 |
libc_free(ip); |
|
338 |
goto out; |
|
339 |
} |
|
0 | 340 |
|
3864 | 341 |
if ((tmp = __priv_parse_info(ip)) == NULL) { |
342 |
libc_free(ip); |
|
343 |
goto out; |
|
344 |
} |
|
0 | 345 |
|
3864 | 346 |
/* Allocate the zoneset just once, here */ |
347 |
tmp->pd_zoneset = __priv_allocset(tmp); |
|
348 |
if (tmp->pd_zoneset == NULL) |
|
349 |
goto clean; |
|
0 | 350 |
|
3864 | 351 |
if (zone_getattr(getzoneid(), ZONE_ATTR_PRIVSET, |
352 |
tmp->pd_zoneset, tmp->pd_setsize) |
|
353 |
== tmp->pd_setsize) { |
|
354 |
membar_producer(); |
|
355 |
privdata = tmp; |
|
356 |
goto out; |
|
357 |
} |
|
358 |
||
359 |
priv_freeset(tmp->pd_zoneset); |
|
360 |
clean: |
|
361 |
__priv_free_info(tmp); |
|
0 | 362 |
libc_free(ip); |
363 |
} |
|
3864 | 364 |
out: |
365 |
lmutex_unlock(&pd_lock); |
|
0 | 366 |
} |
3864 | 367 |
membar_consumer(); |
0 | 368 |
return (privdata); |
369 |
} |
|
370 |
||
371 |
const priv_impl_info_t * |
|
6812 | 372 |
getprivimplinfo(void) |
0 | 373 |
{ |
374 |
priv_data_t *d; |
|
375 |
||
376 |
LOADPRIVDATA(d); |
|
377 |
||
378 |
return (d->pd_pinfo); |
|
379 |
} |
|
380 |
||
381 |
static priv_set_t * |
|
382 |
priv_vlist(va_list ap) |
|
383 |
{ |
|
384 |
priv_set_t *pset = priv_allocset(); |
|
385 |
const char *priv; |
|
386 |
||
387 |
if (pset == NULL) |
|
388 |
return (NULL); |
|
389 |
||
390 |
priv_emptyset(pset); |
|
391 |
||
392 |
while ((priv = va_arg(ap, const char *)) != NULL) { |
|
393 |
if (priv_addset(pset, priv) < 0) { |
|
394 |
priv_freeset(pset); |
|
395 |
return (NULL); |
|
396 |
} |
|
397 |
} |
|
398 |
return (pset); |
|
399 |
} |
|
400 |
||
401 |
/* |
|
402 |
* priv_set(op, set, priv_id1, priv_id2, ..., NULL) |
|
403 |
* |
|
404 |
* Library routine to enable a user process to set a specific |
|
405 |
* privilege set appropriately using a single call. User is |
|
406 |
* required to terminate the list of privileges with NULL. |
|
407 |
*/ |
|
408 |
int |
|
409 |
priv_set(priv_op_t op, priv_ptype_t setname, ...) |
|
410 |
{ |
|
411 |
va_list ap; |
|
412 |
priv_set_t *pset; |
|
413 |
int ret; |
|
414 |
||
415 |
va_start(ap, setname); |
|
416 |
||
417 |
pset = priv_vlist(ap); |
|
418 |
||
419 |
va_end(ap); |
|
420 |
||
421 |
if (pset == NULL) |
|
422 |
return (-1); |
|
423 |
||
424 |
/* All sets */ |
|
425 |
if (setname == NULL) { |
|
426 |
priv_data_t *d; |
|
427 |
int set; |
|
428 |
||
429 |
LOADPRIVDATA(d); |
|
430 |
||
431 |
for (set = 0; set < d->pd_nsets; set++) |
|
432 |
if ((ret = syscall(SYS_privsys, PRIVSYS_SETPPRIV, op, |
|
6812 | 433 |
set, (void *)pset, d->pd_setsize)) != 0) |
0 | 434 |
break; |
435 |
} else { |
|
436 |
ret = setppriv(op, setname, pset); |
|
437 |
} |
|
438 |
||
439 |
priv_freeset(pset); |
|
440 |
return (ret); |
|
441 |
} |
|
442 |
||
443 |
/* |
|
444 |
* priv_ineffect(privilege). |
|
5331 | 445 |
* tests the existence of a privilege against the effective set. |
0 | 446 |
*/ |
447 |
boolean_t |
|
448 |
priv_ineffect(const char *priv) |
|
449 |
{ |
|
450 |
priv_set_t *curset; |
|
451 |
boolean_t res; |
|
452 |
||
453 |
curset = priv_allocset(); |
|
454 |
||
455 |
if (curset == NULL) |
|
456 |
return (B_FALSE); |
|
457 |
||
458 |
if (getppriv(effective, curset) != 0 || |
|
459 |
!priv_ismember(curset, priv)) |
|
460 |
res = B_FALSE; |
|
461 |
else |
|
462 |
res = B_TRUE; |
|
463 |
||
464 |
priv_freeset(curset); |
|
465 |
||
466 |
return (res); |
|
467 |
} |
|
468 |
||
469 |
/* |
|
470 |
* The routine __init_daemon_priv() is private to Solaris and is |
|
471 |
* used by daemons to limit the privileges they can use and |
|
472 |
* to set the uid they run under. |
|
473 |
*/ |
|
474 |
||
475 |
static const char root_cp[] = "/core.%f.%t"; |
|
476 |
static const char daemon_cp[] = "/var/tmp/core.%f.%t"; |
|
477 |
||
478 |
int |
|
479 |
__init_daemon_priv(int flags, uid_t uid, gid_t gid, ...) |
|
480 |
{ |
|
481 |
priv_set_t *nset; |
|
482 |
priv_set_t *perm = NULL; |
|
483 |
va_list pa; |
|
484 |
priv_data_t *d; |
|
485 |
int ret = -1; |
|
486 |
char buf[1024]; |
|
487 |
||
488 |
LOADPRIVDATA(d); |
|
489 |
||
490 |
va_start(pa, gid); |
|
491 |
||
492 |
nset = priv_vlist(pa); |
|
493 |
||
494 |
va_end(pa); |
|
495 |
||
496 |
if (nset == NULL) |
|
497 |
return (-1); |
|
498 |
||
499 |
/* Always add the basic set */ |
|
500 |
if (d->pd_basicset != NULL) |
|
501 |
priv_union(d->pd_basicset, nset); |
|
502 |
||
503 |
/* |
|
504 |
* This is not a significant failure: it allows us to start programs |
|
505 |
* with sufficient privileges and with the proper uid. We don't |
|
506 |
* care enough about the extra groups in that case. |
|
507 |
*/ |
|
508 |
if (flags & PU_RESETGROUPS) |
|
509 |
(void) setgroups(0, NULL); |
|
510 |
||
4321
a8930ec16e52
PSARC 2007/064 Unified POSIX and Windows Credentials for Solaris
casper
parents:
3864
diff
changeset
|
511 |
if (gid != (gid_t)-1 && setgid(gid) != 0) |
0 | 512 |
goto end; |
513 |
||
514 |
perm = priv_allocset(); |
|
515 |
if (perm == NULL) |
|
516 |
goto end; |
|
517 |
||
518 |
/* E = P */ |
|
519 |
(void) getppriv(permitted, perm); |
|
520 |
(void) setppriv(PRIV_SET, effective, perm); |
|
521 |
||
522 |
/* Now reset suid and euid */ |
|
4321
a8930ec16e52
PSARC 2007/064 Unified POSIX and Windows Credentials for Solaris
casper
parents:
3864
diff
changeset
|
523 |
if (uid != (uid_t)-1 && setreuid(uid, uid) != 0) |
0 | 524 |
goto end; |
525 |
||
526 |
/* Check for the limit privs */ |
|
527 |
if ((flags & PU_LIMITPRIVS) && |
|
528 |
setppriv(PRIV_SET, limit, nset) != 0) |
|
529 |
goto end; |
|
530 |
||
531 |
if (flags & PU_CLEARLIMITSET) { |
|
532 |
priv_emptyset(perm); |
|
533 |
if (setppriv(PRIV_SET, limit, perm) != 0) |
|
534 |
goto end; |
|
535 |
} |
|
536 |
||
537 |
/* Remove the privileges from all the other sets */ |
|
538 |
if (setppriv(PRIV_SET, permitted, nset) != 0) |
|
539 |
goto end; |
|
540 |
||
541 |
if (!(flags & PU_INHERITPRIVS)) |
|
542 |
priv_emptyset(nset); |
|
543 |
||
544 |
ret = setppriv(PRIV_SET, inheritable, nset); |
|
545 |
end: |
|
546 |
priv_freeset(nset); |
|
547 |
priv_freeset(perm); |
|
548 |
||
549 |
if (core_get_process_path(buf, sizeof (buf), getpid()) == 0 && |
|
550 |
strcmp(buf, "core") == 0) { |
|
551 |
||
4321
a8930ec16e52
PSARC 2007/064 Unified POSIX and Windows Credentials for Solaris
casper
parents:
3864
diff
changeset
|
552 |
if ((uid == (uid_t)-1 ? geteuid() : uid) == 0) { |
0 | 553 |
(void) core_set_process_path(root_cp, sizeof (root_cp), |
554 |
getpid()); |
|
555 |
} else { |
|
556 |
(void) core_set_process_path(daemon_cp, |
|
557 |
sizeof (daemon_cp), getpid()); |
|
558 |
} |
|
559 |
} |
|
560 |
(void) setpflags(__PROC_PROTECT, 0); |
|
561 |
||
562 |
return (ret); |
|
563 |
} |
|
564 |
||
565 |
/* |
|
566 |
* The routine __fini_daemon_priv() is private to Solaris and is |
|
567 |
* used by daemons to clear remaining unwanted privileges and |
|
568 |
* reenable core dumps. |
|
569 |
*/ |
|
570 |
void |
|
571 |
__fini_daemon_priv(const char *priv, ...) |
|
572 |
{ |
|
573 |
priv_set_t *nset; |
|
574 |
va_list pa; |
|
575 |
||
576 |
va_start(pa, priv); |
|
577 |
||
578 |
if (priv != NULL) { |
|
579 |
nset = priv_vlist(pa); |
|
580 |
if (nset == NULL) |
|
581 |
return; |
|
582 |
||
583 |
(void) priv_addset(nset, priv); |
|
584 |
(void) setppriv(PRIV_OFF, permitted, nset); |
|
585 |
priv_freeset(nset); |
|
586 |
} |
|
587 |
||
588 |
va_end(pa); |
|
589 |
||
590 |
(void) setpflags(__PROC_PROTECT, 0); |
|
591 |
} |
|
592 |
||
593 |
/* |
|
594 |
* The routine __init_suid_priv() is private to Solaris and is |
|
595 |
* used by set-uid root programs to limit the privileges acquired |
|
596 |
* to those actually needed. |
|
597 |
*/ |
|
598 |
||
599 |
static priv_set_t *bracketpriv; |
|
600 |
||
601 |
int |
|
602 |
__init_suid_priv(int flags, ...) |
|
603 |
{ |
|
604 |
priv_set_t *nset = NULL; |
|
605 |
priv_set_t *tmpset = NULL; |
|
606 |
va_list pa; |
|
607 |
int r = -1; |
|
608 |
uid_t ruid, euid; |
|
609 |
||
610 |
euid = geteuid(); |
|
611 |
||
612 |
/* If we're not set-uid root, don't reset the uid */ |
|
613 |
if (euid == 0) { |
|
614 |
ruid = getuid(); |
|
615 |
/* If we're running as root, keep everything */ |
|
616 |
if (ruid == 0) |
|
617 |
return (0); |
|
618 |
} |
|
619 |
||
620 |
/* Can call this only once */ |
|
621 |
if (bracketpriv != NULL) |
|
622 |
return (-1); |
|
623 |
||
624 |
va_start(pa, flags); |
|
625 |
||
626 |
nset = priv_vlist(pa); |
|
627 |
||
628 |
va_end(pa); |
|
629 |
||
630 |
if (nset == NULL) |
|
631 |
goto end; |
|
632 |
||
633 |
tmpset = priv_allocset(); |
|
634 |
||
635 |
if (tmpset == NULL) |
|
636 |
goto end; |
|
637 |
||
638 |
/* We cannot grow our privileges beyond P, so start there */ |
|
639 |
(void) getppriv(permitted, tmpset); |
|
640 |
||
641 |
/* Is the privilege we need even in P? */ |
|
642 |
if (!priv_issubset(nset, tmpset)) |
|
643 |
goto end; |
|
644 |
||
645 |
bracketpriv = priv_allocset(); |
|
646 |
if (bracketpriv == NULL) |
|
647 |
goto end; |
|
648 |
||
649 |
priv_copyset(nset, bracketpriv); |
|
650 |
||
651 |
/* Always add the basic set */ |
|
652 |
priv_union(priv_basic(), nset); |
|
653 |
||
654 |
/* But don't add what we don't have */ |
|
655 |
priv_intersect(tmpset, nset); |
|
656 |
||
657 |
(void) getppriv(inheritable, tmpset); |
|
658 |
||
659 |
/* And stir in the inheritable privileges */ |
|
660 |
priv_union(tmpset, nset); |
|
661 |
||
662 |
if ((r = setppriv(PRIV_SET, effective, tmpset)) != 0) |
|
663 |
goto end; |
|
664 |
||
665 |
if ((r = setppriv(PRIV_SET, permitted, nset)) != 0) |
|
666 |
goto end; |
|
667 |
||
668 |
if (flags & PU_CLEARLIMITSET) |
|
669 |
priv_emptyset(nset); |
|
670 |
||
671 |
if ((flags & (PU_LIMITPRIVS|PU_CLEARLIMITSET)) != 0 && |
|
672 |
(r = setppriv(PRIV_SET, limit, nset)) != 0) |
|
673 |
goto end; |
|
674 |
||
675 |
if (euid == 0) |
|
676 |
r = setreuid(ruid, ruid); |
|
677 |
||
678 |
end: |
|
679 |
priv_freeset(tmpset); |
|
680 |
priv_freeset(nset); |
|
681 |
if (r != 0) { |
|
682 |
/* Fail without leaving uid 0 around */ |
|
683 |
if (euid == 0) |
|
684 |
(void) setreuid(ruid, ruid); |
|
685 |
priv_freeset(bracketpriv); |
|
686 |
bracketpriv = NULL; |
|
687 |
} |
|
688 |
||
689 |
return (r); |
|
690 |
} |
|
691 |
||
692 |
/* |
|
693 |
* Toggle privileges on/off in the effective set. |
|
694 |
*/ |
|
695 |
int |
|
696 |
__priv_bracket(priv_op_t op) |
|
697 |
{ |
|
698 |
/* We're running fully privileged or didn't check errors first time */ |
|
699 |
if (bracketpriv == NULL) |
|
700 |
return (0); |
|
701 |
||
702 |
/* Only PRIV_ON and PRIV_OFF are valid */ |
|
703 |
if (op == PRIV_SET) |
|
704 |
return (-1); |
|
705 |
||
706 |
return (setppriv(op, effective, bracketpriv)); |
|
707 |
} |
|
708 |
||
709 |
/* |
|
710 |
* Remove privileges from E & P. |
|
711 |
*/ |
|
712 |
void |
|
713 |
__priv_relinquish(void) |
|
714 |
{ |
|
715 |
if (bracketpriv != NULL) { |
|
716 |
(void) setppriv(PRIV_OFF, permitted, bracketpriv); |
|
717 |
priv_freeset(bracketpriv); |
|
718 |
bracketpriv = NULL; |
|
719 |
} |
|
720 |
} |
|
721 |
||
722 |
/* |
|
723 |
* Use binary search on the ordered list. |
|
724 |
*/ |
|
725 |
int |
|
726 |
__priv_getbyname(const priv_data_t *d, const char *name) |
|
727 |
{ |
|
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
728 |
char *const *list; |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
729 |
const int *order; |
0 | 730 |
int lo = 0; |
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
731 |
int hi; |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
732 |
|
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
733 |
if (d == NULL) |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
734 |
return (-1); |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
735 |
|
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
736 |
list = d->pd_privnames; |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
737 |
order = d->pd_setsort; |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
738 |
hi = d->pd_nprivs - 1; |
0 | 739 |
|
740 |
if (strncasecmp(name, "priv_", 5) == 0) |
|
741 |
name += 5; |
|
742 |
||
743 |
do { |
|
744 |
int mid = (lo + hi) / 2; |
|
745 |
int res = strcasecmp(name, list[order[mid]]); |
|
746 |
||
747 |
if (res == 0) |
|
748 |
return (order[mid]); |
|
749 |
else if (res < 0) |
|
750 |
hi = mid - 1; |
|
751 |
else |
|
752 |
lo = mid + 1; |
|
753 |
} while (lo <= hi); |
|
754 |
||
755 |
errno = EINVAL; |
|
756 |
return (-1); |
|
757 |
} |
|
758 |
||
759 |
int |
|
760 |
priv_getbyname(const char *name) |
|
761 |
{ |
|
762 |
WITHPRIVLOCKED(int, -1, __priv_getbyname(GETPRIVDATA(), name)); |
|
763 |
} |
|
764 |
||
765 |
int |
|
766 |
__priv_getsetbyname(const priv_data_t *d, const char *name) |
|
767 |
{ |
|
768 |
int i; |
|
769 |
int n = d->pd_nsets; |
|
770 |
char *const *list = d->pd_setnames; |
|
771 |
||
772 |
if (strncasecmp(name, "priv_", 5) == 0) |
|
773 |
name += 5; |
|
774 |
||
775 |
for (i = 0; i < n; i++) { |
|
776 |
if (strcasecmp(list[i], name) == 0) |
|
777 |
return (i); |
|
778 |
} |
|
779 |
||
780 |
errno = EINVAL; |
|
781 |
return (-1); |
|
782 |
} |
|
783 |
||
784 |
int |
|
785 |
priv_getsetbyname(const char *name) |
|
786 |
{ |
|
787 |
/* Not locked: sets don't change */ |
|
788 |
return (__priv_getsetbyname(GETPRIVDATA(), name)); |
|
789 |
} |
|
790 |
||
791 |
static const char * |
|
792 |
priv_bynum(int i, int n, char **list) |
|
793 |
{ |
|
794 |
if (i < 0 || i >= n) |
|
795 |
return (NULL); |
|
796 |
||
797 |
return (list[i]); |
|
798 |
} |
|
799 |
||
800 |
const char * |
|
801 |
__priv_getbynum(const priv_data_t *d, int num) |
|
802 |
{ |
|
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
803 |
if (d == NULL) |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
804 |
return (NULL); |
0 | 805 |
return (priv_bynum(num, d->pd_nprivs, d->pd_privnames)); |
806 |
} |
|
807 |
||
808 |
const char * |
|
809 |
priv_getbynum(int num) |
|
810 |
{ |
|
811 |
WITHPRIVLOCKED(const char *, NULL, __priv_getbynum(GETPRIVDATA(), num)); |
|
812 |
} |
|
813 |
||
814 |
const char * |
|
815 |
__priv_getsetbynum(const priv_data_t *d, int num) |
|
816 |
{ |
|
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
817 |
if (d == NULL) |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
818 |
return (NULL); |
0 | 819 |
return (priv_bynum(num, d->pd_nsets, d->pd_setnames)); |
820 |
} |
|
821 |
||
822 |
const char * |
|
823 |
priv_getsetbynum(int num) |
|
824 |
{ |
|
825 |
return (__priv_getsetbynum(GETPRIVDATA(), num)); |
|
826 |
} |
|
827 |
||
828 |
||
829 |
/* |
|
830 |
* Privilege manipulation functions |
|
831 |
* |
|
832 |
* Without knowing the details of the privilege set implementation, |
|
833 |
* opaque pointers can be used to manipulate sets at will. |
|
834 |
*/ |
|
835 |
||
836 |
static priv_set_t * |
|
837 |
__priv_allocset(priv_data_t *d) |
|
838 |
{ |
|
1059
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
839 |
if (d == NULL) |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
840 |
return (NULL); |
11ef9d4a0acc
6255958 priv_* functions don't deal with resource problems, can deadlock
casper
parents:
0
diff
changeset
|
841 |
|
0 | 842 |
return (libc_malloc(d->pd_setsize)); |
843 |
} |
|
844 |
||
845 |
priv_set_t * |
|
846 |
priv_allocset(void) |
|
847 |
{ |
|
848 |
return (__priv_allocset(GETPRIVDATA())); |
|
849 |
} |
|
850 |
||
851 |
void |
|
852 |
priv_freeset(priv_set_t *p) |
|
853 |
{ |
|
854 |
int er = errno; |
|
855 |
||
856 |
libc_free(p); |
|
857 |
errno = er; |
|
858 |
} |
|
859 |
||
860 |
void |
|
861 |
__priv_emptyset(priv_data_t *d, priv_set_t *set) |
|
862 |
{ |
|
863 |
(void) memset(set, 0, d->pd_setsize); |
|
864 |
} |
|
865 |
||
866 |
void |
|
867 |
priv_emptyset(priv_set_t *set) |
|
868 |
{ |
|
869 |
__priv_emptyset(GETPRIVDATA(), set); |
|
870 |
} |
|
871 |
||
872 |
void |
|
873 |
__priv_fillset(priv_data_t *d, priv_set_t *set) |
|
874 |
{ |
|
875 |
(void) memset(set, ~0, d->pd_setsize); |
|
876 |
} |
|
877 |
||
878 |
void |
|
879 |
priv_fillset(priv_set_t *set) |
|
880 |
{ |
|
881 |
__priv_fillset(GETPRIVDATA(), set); |
|
882 |
} |
|
883 |
||
884 |
||
885 |
#define PRIV_TEST_BODY_D(d, test) \ |
|
886 |
int i; \ |
|
887 |
\ |
|
888 |
for (i = d->pd_pinfo->priv_setsize; i-- > 0; ) \ |
|
889 |
if (!(test)) \ |
|
890 |
return (B_FALSE); \ |
|
891 |
\ |
|
892 |
return (B_TRUE) |
|
893 |
||
894 |
boolean_t |
|
895 |
priv_isequalset(const priv_set_t *a, const priv_set_t *b) |
|
896 |
{ |
|
897 |
priv_data_t *d; |
|
898 |
||
899 |
LOADPRIVDATA(d); |
|
900 |
||
901 |
return ((boolean_t)(memcmp(a, b, d->pd_setsize) == 0)); |
|
902 |
} |
|
903 |
||
904 |
boolean_t |
|
905 |
__priv_isemptyset(priv_data_t *d, const priv_set_t *set) |
|
906 |
{ |
|
907 |
PRIV_TEST_BODY_D(d, ((priv_chunk_t *)set)[i] == 0); |
|
908 |
} |
|
909 |
||
910 |
boolean_t |
|
911 |
priv_isemptyset(const priv_set_t *set) |
|
912 |
{ |
|
913 |
return (__priv_isemptyset(GETPRIVDATA(), set)); |
|
914 |
} |
|
915 |
||
916 |
boolean_t |
|
917 |
__priv_isfullset(priv_data_t *d, const priv_set_t *set) |
|
918 |
{ |
|
919 |
PRIV_TEST_BODY_D(d, ((priv_chunk_t *)set)[i] == ~(priv_chunk_t)0); |
|
920 |
} |
|
921 |
||
922 |
boolean_t |
|
923 |
priv_isfullset(const priv_set_t *set) |
|
924 |
{ |
|
925 |
return (__priv_isfullset(GETPRIVDATA(), set)); |
|
926 |
} |
|
927 |
||
928 |
/* |
|
929 |
* Return true if a is a subset of b |
|
930 |
*/ |
|
931 |
boolean_t |
|
932 |
__priv_issubset(priv_data_t *d, const priv_set_t *a, const priv_set_t *b) |
|
933 |
{ |
|
934 |
PRIV_TEST_BODY_D(d, (((priv_chunk_t *)a)[i] | ((priv_chunk_t *)b)[i]) == |
|
6812 | 935 |
((priv_chunk_t *)b)[i]); |
0 | 936 |
} |
937 |
||
938 |
boolean_t |
|
939 |
priv_issubset(const priv_set_t *a, const priv_set_t *b) |
|
940 |
{ |
|
941 |
return (__priv_issubset(GETPRIVDATA(), a, b)); |
|
942 |
} |
|
943 |
||
944 |
#define PRIV_CHANGE_BODY(a, op, b) \ |
|
945 |
int i; \ |
|
946 |
priv_data_t *d; \ |
|
947 |
\ |
|
948 |
LOADPRIVDATA(d); \ |
|
949 |
\ |
|
950 |
for (i = 0; i < d->pd_pinfo->priv_setsize; i++) \ |
|
951 |
((priv_chunk_t *)a)[i] op \ |
|
952 |
((priv_chunk_t *)b)[i] |
|
953 |
||
954 |
/* B = A ^ B */ |
|
955 |
void |
|
956 |
priv_intersect(const priv_set_t *a, priv_set_t *b) |
|
957 |
{ |
|
958 |
/* CSTYLED */ |
|
959 |
PRIV_CHANGE_BODY(b, &=, a); |
|
960 |
} |
|
961 |
||
962 |
/* B = A */ |
|
963 |
void |
|
964 |
priv_copyset(const priv_set_t *a, priv_set_t *b) |
|
965 |
{ |
|
966 |
/* CSTYLED */ |
|
967 |
PRIV_CHANGE_BODY(b, =, a); |
|
968 |
} |
|
969 |
||
970 |
/* B = A v B */ |
|
971 |
void |
|
972 |
priv_union(const priv_set_t *a, priv_set_t *b) |
|
973 |
{ |
|
974 |
/* CSTYLED */ |
|
975 |
PRIV_CHANGE_BODY(b, |=, a); |
|
976 |
} |
|
977 |
||
978 |
/* A = ! A */ |
|
979 |
void |
|
980 |
priv_inverse(priv_set_t *a) |
|
981 |
{ |
|
982 |
PRIV_CHANGE_BODY(a, = ~, a); |
|
983 |
} |
|
984 |
||
985 |
/* |
|
986 |
* Manipulating single privileges. |
|
987 |
*/ |
|
988 |
||
989 |
int |
|
990 |
priv_addset(priv_set_t *a, const char *p) |
|
991 |
{ |
|
992 |
int priv = priv_getbyname(p); |
|
993 |
||
994 |
if (priv < 0) |
|
995 |
return (-1); |
|
996 |
||
997 |
PRIV_ADDSET(a, priv); |
|
998 |
||
999 |
return (0); |
|
1000 |
} |
|
1001 |
||
1002 |
int |
|
1003 |
priv_delset(priv_set_t *a, const char *p) |
|
1004 |
{ |
|
1005 |
int priv = priv_getbyname(p); |
|
1006 |
||
1007 |
if (priv < 0) |
|
1008 |
return (-1); |
|
1009 |
||
1010 |
PRIV_DELSET(a, priv); |
|
1011 |
return (0); |
|
1012 |
} |
|
1013 |
||
1014 |
boolean_t |
|
1015 |
priv_ismember(const priv_set_t *a, const char *p) |
|
1016 |
{ |
|
1017 |
int priv = priv_getbyname(p); |
|
1018 |
||
1019 |
if (priv < 0) |
|
1020 |
return (B_FALSE); |
|
1021 |
||
1022 |
return ((boolean_t)PRIV_ISMEMBER(a, priv)); |
|
1023 |
} |