Gitiles
Code Review Sign In
gerrit.opencord.org / quagga / 566941f953b025598134109c5f9547dc4fea287e / . / lib / privs.c
blob: 69606f57c11d8ae8b40b531e1ffa49f2ee10dce3 [file] [log] [blame]
paul01245822003-05-20 01:22:17 +0000[diff] [blame]1/*
2 * Zebra privileges.
3 *
4 * Copyright (C) 2003 Paul Jakma.
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]5 * Copyright (C) 2005 Sun Microsystems, Inc.
paul01245822003-05-20 01:22:17 +0000[diff] [blame]6 *
7 * This file is part of GNU Zebra.
8 *
9 * GNU Zebra is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2, or (at your option) any
12 * later version.
13 *
14 * GNU Zebra is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with GNU Zebra; see the file COPYING. If not, write to the Free
21 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
22 * 02111-1307, USA.
23 */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]24#include <zebra.h>
25#include "log.h"
26#include "privs.h"
27#include "memory.h"
paul01245822003-05-20 01:22:17 +0000[diff] [blame]28
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]29#ifdef HAVE_CAPABILITIES
30/* sort out some generic internal types for:
31 *
32 * privilege values (cap_value_t, priv_t) -> pvalue_t
33 * privilege set (..., priv_set_t) -> pset_t
34 * privilege working storage (cap_t, ...) -> pstorage_t
35 *
36 * values we think of as numeric (they're ints really, but we dont know)
37 * sets are mostly opaque, to hold a set of privileges, related in some way.
38 * storage binds together a set of sets we're interested in.
39 * (in reality: cap_value_t and priv_t are ints)
40 */
41#ifdef HAVE_LCAPS
42/* Linux doesn't have a 'set' type: a set of related privileges */
43struct _pset {
44 int num;
45 cap_value_t *caps;
46};
47typedef cap_value_t pvalue_t;
48typedef struct _pset pset_t;
49typedef cap_t pstorage_t;
50
51#elif defined (HAVE_SOLARIS_CAPABILITIES)
52typedef priv_t pvalue_t;
53typedef priv_set_t pset_t;
54typedef priv_set_t *pstorage_t;
55#else /* neither LCAPS nor SOLARIS_CAPABILITIES */
56#error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!"
57#endif /* HAVE_LCAPS */
58#endif /* HAVE_CAPABILITIES */
59
60/* the default NULL state we report is RAISED, but could be LOWERED if
61 * zprivs_terminate is called and the NULL handler is installed.
62 */
63static zebra_privs_current_t zprivs_null_state = ZPRIVS_RAISED;
64
paul01245822003-05-20 01:22:17 +0000[diff] [blame]65/* internal privileges state */
66static struct _zprivs_t
67{
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]68#ifdef HAVE_CAPABILITIES
69 pstorage_t caps; /* working storage */
70 pset_t *syscaps_p; /* system-type requested permitted caps */
71 pset_t *syscaps_i; /* system-type requested inheritable caps */
72#endif /* HAVE_CAPABILITIES */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]73 uid_t zuid, /* uid to run as */
74 zsuid; /* saved uid */
75 gid_t zgid; /* gid to run as */
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]76 gid_t vtygrp; /* gid for vty sockets */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]77} zprivs_state;
78
79/* externally exported but not directly accessed functions */
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]80#ifdef HAVE_CAPABILITIES
paul01245822003-05-20 01:22:17 +0000[diff] [blame]81int zprivs_change_caps (zebra_privs_ops_t);
82zebra_privs_current_t zprivs_state_caps (void);
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]83#endif /* HAVE_CAPABILITIES */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]84int zprivs_change_uid (zebra_privs_ops_t);
85zebra_privs_current_t zprivs_state_uid (void);
86int zprivs_change_null (zebra_privs_ops_t);
87zebra_privs_current_t zprivs_state_null (void);
paul01245822003-05-20 01:22:17 +0000[diff] [blame]88
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]89#ifdef HAVE_CAPABILITIES
90/* internal capability API */
91static pset_t *zcaps2sys (zebra_capabilities_t *, int);
92static void zprivs_caps_init (struct zebra_privs_t *);
93static void zprivs_caps_terminate (void);
94
95/* Map of Quagga abstract capabilities to system capabilities */
96static struct
paul01245822003-05-20 01:22:17 +0000[diff] [blame]97{
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]98 int num;
99 pvalue_t *system_caps;
100} cap_map [ZCAP_MAX] =
101{
102#ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
103 [ZCAP_SETID] = { 2, (pvalue_t []) { CAP_SETGID,
104 CAP_SETUID }, },
105 [ZCAP_BIND] = { 2, (pvalue_t []) { CAP_NET_BIND_SERVICE,
106 CAP_NET_BROADCAST }, },
107 [ZCAP_NET_ADMIN] = { 1, (pvalue_t []) { CAP_NET_ADMIN }, },
108 [ZCAP_NET_RAW] = { 1, (pvalue_t []) { CAP_NET_RAW }, },
109 [ZCAP_CHROOT] = { 1, (pvalue_t []) { CAP_SYS_CHROOT, }, },
110 [ZCAP_NICE] = { 1, (pvalue_t []) { CAP_SYS_NICE }, },
111 [ZCAP_PTRACE] = { 1, (pvalue_t []) { CAP_SYS_PTRACE }, },
112 [ZCAP_DAC_OVERRIDE] = { 1, (pvalue_t []) { CAP_DAC_OVERRIDE }, },
113 [ZCAP_READ_SEARCH] = { 1, (pvalue_t []) { CAP_DAC_READ_SEARCH }, },
114 [ZCAP_SYS_ADMIN] = { 1, (pvalue_t []) { CAP_SYS_ADMIN }, },
115 [ZCAP_FOWNER] = { 1, (pvalue_t []) { CAP_FOWNER }, },
116#elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */
117 /* Quagga -> Solaris privilege mappings */
118 [ZCAP_SETID] = { 1, (pvalue_t []) { PRIV_PROC_SETID }, },
119 [ZCAP_BIND] = { 1, (pvalue_t []) { PRIV_NET_PRIVADDR }, },
Paul Jakma6b148fa2007-09-18 18:07:18 +0000[diff] [blame]120 /* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */
121#ifdef PRIV_SYS_IP_CONFIG
122 [ZCAP_NET_ADMIN] = { 1, (pvalue_t []) { PRIV_SYS_IP_CONFIG }, },
123#else
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]124 [ZCAP_NET_ADMIN] = { 1, (pvalue_t []) { PRIV_SYS_NET_CONFIG }, },
Paul Jakma6b148fa2007-09-18 18:07:18 +0000[diff] [blame]125#endif
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]126 [ZCAP_NET_RAW] = { 2, (pvalue_t []) { PRIV_NET_RAWACCESS,
127 PRIV_NET_ICMPACCESS }, },
128 [ZCAP_CHROOT] = { 1, (pvalue_t []) { PRIV_PROC_CHROOT }, },
129 [ZCAP_NICE] = { 1, (pvalue_t []) { PRIV_PROC_PRIOCNTL }, },
130 [ZCAP_PTRACE] = { 1, (pvalue_t []) { PRIV_PROC_SESSION }, },
131 [ZCAP_DAC_OVERRIDE] = { 2, (pvalue_t []) { PRIV_FILE_DAC_EXECUTE,
132 PRIV_FILE_DAC_READ,
133 PRIV_FILE_DAC_SEARCH,
134 PRIV_FILE_DAC_WRITE,
135 PRIV_FILE_DAC_SEARCH }, },
136 [ZCAP_READ_SEARCH] = { 2, (pvalue_t []) { PRIV_FILE_DAC_SEARCH,
137 PRIV_FILE_DAC_READ }, },
138 [ZCAP_SYS_ADMIN] = { 1, (pvalue_t []) { PRIV_SYS_ADMIN }, },
139 [ZCAP_FOWNER] = { 1, (pvalue_t []) { PRIV_FILE_OWNER }, },
140#endif /* HAVE_SOLARIS_CAPABILITIES */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]141};
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]142
143#ifdef HAVE_LCAPS
144/* Linux forms of capabilities methods */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]145/* convert zebras privileges to system capabilities */
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]146static pset_t *
paul01245822003-05-20 01:22:17 +0000[diff] [blame]147zcaps2sys (zebra_capabilities_t *zcaps, int num)
148{
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]149 pset_t *syscaps;
150 int i, j = 0, count = 0;
paul01245822003-05-20 01:22:17 +0000[diff] [blame]151
152 if (!num)
153 return NULL;
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]154
155 /* first count up how many system caps we have */
156 for (i= 0; i < num; i++)
157 count += cap_map[zcaps[i]].num;
158
159 if ( (syscaps = XCALLOC (MTYPE_PRIVS, (sizeof(pset_t) * num))) == NULL)
paul01245822003-05-20 01:22:17 +0000[diff] [blame]160 {
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]161 fprintf (stderr, "%s: could not allocate syscaps!", __func__);
paul01245822003-05-20 01:22:17 +0000[diff] [blame]162 return NULL;
163 }
164
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]165 syscaps->caps = XCALLOC (MTYPE_PRIVS, (sizeof (pvalue_t) * count));
166
167 if (!syscaps->caps)
paul01245822003-05-20 01:22:17 +0000[diff] [blame]168 {
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]169 fprintf (stderr, "%s: could not XCALLOC caps!", __func__);
170 return NULL;
paul01245822003-05-20 01:22:17 +0000[diff] [blame]171 }
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]172
173 /* copy the capabilities over */
174 count = 0;
175 for (i=0; i < num; i++)
176 for (j = 0; j < cap_map[zcaps[i]].num; j++)
177 syscaps->caps[count++] = cap_map[zcaps[i]].system_caps[j];
178
179 /* iterations above should be exact same as previous count, obviously.. */
180 syscaps->num = count;
181
paul01245822003-05-20 01:22:17 +0000[diff] [blame]182 return syscaps;
183}
184
185/* set or clear the effective capabilities to/from permitted */
186int
187zprivs_change_caps (zebra_privs_ops_t op)
188{
189 cap_flag_value_t cflag;
190
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]191 /* should be no possibility of being called without valid caps */
192 assert (zprivs_state.syscaps_p && zprivs_state.caps);
193 if (! (zprivs_state.syscaps_p && zprivs_state.caps))
194 exit (1);
195
paul01245822003-05-20 01:22:17 +0000[diff] [blame]196 if (op == ZPRIVS_RAISE)
197 cflag = CAP_SET;
198 else if (op == ZPRIVS_LOWER)
199 cflag = CAP_CLEAR;
200 else
201 return -1;
202
203 if ( !cap_set_flag (zprivs_state.caps, CAP_EFFECTIVE,
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]204 zprivs_state.syscaps_p->num,
205 zprivs_state.syscaps_p->caps,
206 cflag))
paul01245822003-05-20 01:22:17 +0000[diff] [blame]207 return cap_set_proc (zprivs_state.caps);
208 return -1;
209}
210
211zebra_privs_current_t
212zprivs_state_caps (void)
213{
214 int i;
paul01245822003-05-20 01:22:17 +0000[diff] [blame]215 cap_flag_value_t val;
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]216
217 /* should be no possibility of being called without valid caps */
218 assert (zprivs_state.syscaps_p && zprivs_state.caps);
219 if (! (zprivs_state.syscaps_p && zprivs_state.caps))
220 exit (1);
paul01245822003-05-20 01:22:17 +0000[diff] [blame]221
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]222 for (i=0; i < zprivs_state.syscaps_p->num; i++)
paul01245822003-05-20 01:22:17 +0000[diff] [blame]223 {
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]224 if ( cap_get_flag (zprivs_state.caps, zprivs_state.syscaps_p->caps[i],
paul01245822003-05-20 01:22:17 +0000[diff] [blame]225 CAP_EFFECTIVE, &val) )
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]226 {
227 zlog_warn ("zprivs_state_caps: could not cap_get_flag, %s",
228 safe_strerror (errno) );
229 return ZPRIVS_UNKNOWN;
230 }
paul01245822003-05-20 01:22:17 +0000[diff] [blame]231 if (val == CAP_SET)
paul33b72942003-05-20 02:22:42 +0000[diff] [blame]232 return ZPRIVS_RAISED;
paul01245822003-05-20 01:22:17 +0000[diff] [blame]233 }
234 return ZPRIVS_LOWERED;
235}
236
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]237static void
238zprivs_caps_init (struct zebra_privs_t *zprivs)
239{
240 zprivs_state.syscaps_p = zcaps2sys (zprivs->caps_p, zprivs->cap_num_p);
241 zprivs_state.syscaps_i = zcaps2sys (zprivs->caps_i, zprivs->cap_num_i);
paul01245822003-05-20 01:22:17 +0000[diff] [blame]242
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]243 /* Tell kernel we want caps maintained across uid changes */
244 if ( prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1 )
245 {
246 fprintf (stderr, "privs_init: could not set PR_SET_KEEPCAPS, %s\n",
247 safe_strerror (errno) );
248 exit(1);
249 }
250
251 if ( !zprivs_state.syscaps_p )
252 {
253 fprintf (stderr, "privs_init: capabilities enabled, "
254 "but no capabilities supplied\n");
255 }
256
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]257 /* we have caps, we have no need to ever change back the original user */
258 if (zprivs_state.zuid)
259 {
260 if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
261 {
262 fprintf (stderr, "zprivs_init (cap): could not setreuid, %s\n",
263 safe_strerror (errno));
264 exit (1);
265 }
266 }
267
Paul Jakma924f9d32006-03-30 13:25:52 +0000[diff] [blame]268 if ( !(zprivs_state.caps = cap_init()) )
269 {
270 fprintf (stderr, "privs_init: failed to cap_init, %s\n",
271 safe_strerror (errno));
272 exit (1);
273 }
274
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]275 if ( cap_clear (zprivs_state.caps) )
276 {
277 fprintf (stderr, "privs_init: failed to cap_clear, %s\n",
278 safe_strerror (errno));
279 exit (1);
280 }
281
282 /* set permitted caps */
283 cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
284 zprivs_state.syscaps_p->num,
285 zprivs_state.syscaps_p->caps,
286 CAP_SET);
287
288 /* set inheritable caps, if any */
289 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num)
290 {
291 cap_set_flag(zprivs_state.caps, CAP_INHERITABLE,
292 zprivs_state.syscaps_i->num,
293 zprivs_state.syscaps_i->caps,
294 CAP_SET);
295 }
296
297 /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as
298 * and when, and only when, they are needed.
299 */
300 if ( cap_set_proc (zprivs_state.caps) )
301 {
302 fprintf (stderr, "privs_init: initial cap_set_proc failed\n");
303 exit (1);
304 }
305
306 /* set methods for the caller to use */
307 zprivs->change = zprivs_change_caps;
308 zprivs->current_state = zprivs_state_caps;
309}
310
311static void
312zprivs_caps_terminate (void)
313{
314 /* clear all capabilities */
315 if (zprivs_state.caps)
316 cap_clear (zprivs_state.caps);
317
318 /* and boom, capabilities are gone forever */
319 if ( cap_set_proc (zprivs_state.caps) )
320 {
321 fprintf (stderr, "privs_terminate: cap_set_proc failed, %s",
322 safe_strerror (errno) );
323 exit (1);
324 }
325
326 /* free up private state */
327 if (zprivs_state.syscaps_p->num)
328 {
329 XFREE (MTYPE_PRIVS, zprivs_state.syscaps_p->caps);
330 XFREE (MTYPE_PRIVS, zprivs_state.syscaps_p);
331 }
332
333 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num)
334 {
335 XFREE (MTYPE_PRIVS, zprivs_state.syscaps_i->caps);
336 XFREE (MTYPE_PRIVS, zprivs_state.syscaps_i);
337 }
338
339 cap_free (zprivs_state.caps);
340}
341#elif defined (HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */
342
343/* Solaris specific capability/privilege methods
344 *
345 * Resources:
346 * - the 'privileges' man page
347 * - http://cvs.opensolaris.org
348 * - http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
349 */
350
351/* convert zebras privileges to system capabilities */
352static pset_t *
353zcaps2sys (zebra_capabilities_t *zcaps, int num)
354{
355 pset_t *syscaps;
paul6e0f1b92005-11-24 12:47:17 +0000[diff] [blame]356 int i, j = 0;
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]357
358 if ((syscaps = priv_allocset()) == NULL)
359 {
360 fprintf (stderr, "%s: could not allocate syscaps!\n", __func__);
361 exit (1);
362 }
363
364 priv_emptyset (syscaps);
365
366 for (i=0; i < num; i++)
367 for (j = 0; j < cap_map[zcaps[i]].num; j++)
368 priv_addset (syscaps, cap_map[zcaps[i]].system_caps[j]);
369
370 return syscaps;
371}
372
373/* callback exported to users to RAISE and LOWER effective privileges
374 * from nothing to the given permitted set and back down
375 */
376int
377zprivs_change_caps (zebra_privs_ops_t op)
378{
379
380 /* should be no possibility of being called without valid caps */
381 assert (zprivs_state.syscaps_p);
382 if (!zprivs_state.syscaps_p)
383 {
384 fprintf (stderr, "%s: Eek, missing caps!", __func__);
385 exit (1);
386 }
387
388 /* to raise: copy original permitted into our working effective set
389 * to lower: just clear the working effective set
390 */
391 if (op == ZPRIVS_RAISE)
392 priv_copyset (zprivs_state.syscaps_p, zprivs_state.caps);
393 else if (op == ZPRIVS_LOWER)
394 priv_emptyset (zprivs_state.caps);
395 else
396 return -1;
397
398 if (setppriv (PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps) != 0)
399 return -1;
400
401 return 0;
402}
403
404/* Retrieve current privilege state, is it RAISED or LOWERED? */
405zebra_privs_current_t
406zprivs_state_caps (void)
407{
408 zebra_privs_current_t result;
409 pset_t *effective;
410
411 if ( (effective = priv_allocset()) == NULL)
412 {
paul6e0f1b92005-11-24 12:47:17 +0000[diff] [blame]413 fprintf (stderr, "%s: failed to get priv_allocset! %s\n", __func__,
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]414 safe_strerror (errno));
415 return ZPRIVS_UNKNOWN;
416 }
417
418 if (getppriv (PRIV_EFFECTIVE, effective))
419 {
paul6e0f1b92005-11-24 12:47:17 +0000[diff] [blame]420 fprintf (stderr, "%s: failed to get state! %s\n", __func__,
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]421 safe_strerror (errno));
422 result = ZPRIVS_UNKNOWN;
423 }
424 else
425 {
426 if (priv_isemptyset (effective) == B_TRUE)
427 result = ZPRIVS_LOWERED;
428 else
429 result = ZPRIVS_RAISED;
430 }
431
432 if (effective)
433 priv_freeset (effective);
434
435 return result;
436}
437
438static void
439zprivs_caps_init (struct zebra_privs_t *zprivs)
440{
441 pset_t *basic;
442 pset_t *empty;
443
444 /* the specified sets */
445 zprivs_state.syscaps_p = zcaps2sys (zprivs->caps_p, zprivs->cap_num_p);
446 zprivs_state.syscaps_i = zcaps2sys (zprivs->caps_i, zprivs->cap_num_i);
447
448 /* nonsensical to have gotten here but not have capabilities */
449 if (!zprivs_state.syscaps_p)
450 {
451 fprintf (stderr, "%s: capabilities enabled, "
452 "but no valid capabilities supplied\n",
453 __func__);
454 }
455
456 /* We retain the basic set in our permitted set, as Linux has no
457 * equivalent. The basic set on Linux hence is implicit, always
458 * there.
459 */
460 if ((basic = priv_str_to_set("basic", ",", NULL)) == NULL)
461 {
462 fprintf (stderr, "%s: couldn't get basic set!\n", __func__);
463 exit (1);
464 }
465
466 /* Add the basic set to the permitted set */
467 priv_union (basic, zprivs_state.syscaps_p);
468 priv_freeset (basic);
469
470 /* we need an empty set for 'effective', potentially for inheritable too */
471 if ( (empty = priv_allocset()) == NULL)
472 {
473 fprintf (stderr, "%s: couldn't get empty set!\n", __func__);
474 exit (1);
475 }
476 priv_emptyset (empty);
477
478 /* Hey kernel, we know about privileges!
479 * this isn't strictly required, use of setppriv should have same effect
480 */
481 if (setpflags (PRIV_AWARE, 1))
482 {
483 fprintf (stderr, "%s: error setting PRIV_AWARE!, %s\n", __func__,
484 safe_strerror (errno) );
485 exit (1);
486 }
487
488 /* need either valid or empty sets for both p and i.. */
489 assert (zprivs_state.syscaps_i && zprivs_state.syscaps_p);
490
Paul Jakma924f9d32006-03-30 13:25:52 +0000[diff] [blame]491 /* we have caps, we have no need to ever change back the original user
492 * change real, effective and saved to the specified user.
493 */
494 if (zprivs_state.zuid)
495 {
496 if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
497 {
498 fprintf (stderr, "%s: could not setreuid, %s\n",
499 __func__, safe_strerror (errno));
500 exit (1);
501 }
502 }
503
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]504 /* set the permitted set */
505 if (setppriv (PRIV_SET, PRIV_PERMITTED, zprivs_state.syscaps_p))
506 {
507 fprintf (stderr, "%s: error setting permitted set!, %s\n", __func__,
508 safe_strerror (errno) );
509 exit (1);
510 }
511
512 /* set the inheritable set */
513 if (setppriv (PRIV_SET, PRIV_INHERITABLE, zprivs_state.syscaps_i))
514 {
515 fprintf (stderr, "%s: error setting inheritable set!, %s\n", __func__,
516 safe_strerror (errno) );
517 exit (1);
518 }
519
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]520 /* now clear the effective set and we're ready to go */
521 if (setppriv (PRIV_SET, PRIV_EFFECTIVE, empty))
522 {
523 fprintf (stderr, "%s: error setting effective set!, %s\n", __func__,
524 safe_strerror (errno) );
525 exit (1);
526 }
527
528 /* we'll use this as our working-storage privset */
529 zprivs_state.caps = empty;
530
531 /* set methods for the caller to use */
532 zprivs->change = zprivs_change_caps;
533 zprivs->current_state = zprivs_state_caps;
534}
535
536static void
537zprivs_caps_terminate (void)
538{
539 assert (zprivs_state.caps);
540
541 /* clear all capabilities */
542 priv_emptyset (zprivs_state.caps);
543 setppriv (PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps);
544 setppriv (PRIV_SET, PRIV_PERMITTED, zprivs_state.caps);
545 setppriv (PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps);
546
547 /* free up private state */
548 if (zprivs_state.syscaps_p)
549 priv_freeset (zprivs_state.syscaps_p);
550 if (zprivs_state.syscaps_i)
551 priv_freeset (zprivs_state.syscaps_i);
552
553 priv_freeset (zprivs_state.caps);
554}
555#else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */
556#error "Neither Solaris nor Linux capabilities, dazed and confused..."
557#endif /* HAVE_LCAPS */
558#endif /* HAVE_CAPABILITIES */
559
paul01245822003-05-20 01:22:17 +0000[diff] [blame]560int
561zprivs_change_uid (zebra_privs_ops_t op)
562{
paul28efaa32003-05-20 03:49:43 +0000[diff] [blame]563
paul01245822003-05-20 01:22:17 +0000[diff] [blame]564 if (op == ZPRIVS_RAISE)
565 return seteuid (zprivs_state.zsuid);
566 else if (op == ZPRIVS_LOWER)
567 return seteuid (zprivs_state.zuid);
568 else
569 return -1;
570}
571
572zebra_privs_current_t
573zprivs_state_uid (void)
574{
575 return ( (zprivs_state.zuid == geteuid()) ? ZPRIVS_LOWERED : ZPRIVS_RAISED);
576}
577
578int
579zprivs_change_null (zebra_privs_ops_t op)
580{
581 return 0;
582}
583
584zebra_privs_current_t
585zprivs_state_null (void)
586{
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]587 return zprivs_null_state;
paul01245822003-05-20 01:22:17 +0000[diff] [blame]588}
589
paul01245822003-05-20 01:22:17 +0000[diff] [blame]590void
591zprivs_init(struct zebra_privs_t *zprivs)
592{
593 struct passwd *pwentry = NULL;
594 struct group *grentry = NULL;
595
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]596 if (!zprivs)
597 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]598 fprintf (stderr, "zprivs_init: called with NULL arg!\n");
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]599 exit (1);
600 }
601
paul01245822003-05-20 01:22:17 +0000[diff] [blame]602 /* NULL privs */
603 if (! (zprivs->user || zprivs->group
604 || zprivs->cap_num_p || zprivs->cap_num_i) )
605 {
606 zprivs->change = zprivs_change_null;
607 zprivs->current_state = zprivs_state_null;
608 return;
609 }
610
611 if (zprivs->user)
612 {
613 if ( (pwentry = getpwnam (zprivs->user)) )
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]614 {
615 zprivs_state.zuid = pwentry->pw_uid;
616 }
617 else
618 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]619 /* cant use log.h here as it depends on vty */
620 fprintf (stderr, "privs_init: could not lookup user %s\n",
621 zprivs->user);
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]622 exit (1);
623 }
624 }
625
626 grentry = NULL;
627
628 if (zprivs->vty_group)
629 /* Add the vty_group to the supplementary groups so it can be chowned to */
630 {
631 if ( (grentry = getgrnam (zprivs->vty_group)) )
632 {
633 zprivs_state.vtygrp = grentry->gr_gid;
634 if ( setgroups (1, &zprivs_state.vtygrp) )
635 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]636 fprintf (stderr, "privs_init: could not setgroups, %s\n",
ajs6099b3b2004-11-20 02:06:59 +0000[diff] [blame]637 safe_strerror (errno) );
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]638 exit (1);
639 }
640 }
paul01245822003-05-20 01:22:17 +0000[diff] [blame]641 else
642 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]643 fprintf (stderr, "privs_init: could not lookup vty group %s\n",
644 zprivs->vty_group);
paul01245822003-05-20 01:22:17 +0000[diff] [blame]645 exit (1);
646 }
647 }
648
649 if (zprivs->group)
650 {
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]651 if ( (grentry = getgrnam (zprivs->group)) )
652 {
653 zprivs_state.zgid = grentry->gr_gid;
654 }
paul01245822003-05-20 01:22:17 +0000[diff] [blame]655 else
656 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]657 fprintf (stderr, "privs_init: could not lookup group %s\n",
658 zprivs->group);
paul01245822003-05-20 01:22:17 +0000[diff] [blame]659 exit (1);
660 }
paul01245822003-05-20 01:22:17 +0000[diff] [blame]661 /* change group now, forever. uid we do later */
662 if ( setregid (zprivs_state.zgid, zprivs_state.zgid) )
663 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]664 fprintf (stderr, "zprivs_init: could not setregid, %s\n",
ajs6099b3b2004-11-20 02:06:59 +0000[diff] [blame]665 safe_strerror (errno) );
paul01245822003-05-20 01:22:17 +0000[diff] [blame]666 exit (1);
667 }
668 }
669
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]670#ifdef HAVE_CAPABILITIES
671 zprivs_caps_init (zprivs);
672#else /* !HAVE_CAPABILITIES */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]673 /* we dont have caps. we'll need to maintain rid and saved uid
674 * and change euid back to saved uid (who we presume has all neccessary
675 * privileges) whenever we are asked to raise our privileges.
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]676 *
677 * This is not worth that much security wise, but all we can do.
paul01245822003-05-20 01:22:17 +0000[diff] [blame]678 */
679 zprivs_state.zsuid = geteuid();
680 if ( zprivs_state.zuid )
681 {
682 if ( setreuid (-1, zprivs_state.zuid) )
683 {
paul58a9d812003-06-11 05:12:40 +0000[diff] [blame]684 fprintf (stderr, "privs_init (uid): could not setreuid, %s\n",
ajs6099b3b2004-11-20 02:06:59 +0000[diff] [blame]685 safe_strerror (errno));
paul01245822003-05-20 01:22:17 +0000[diff] [blame]686 exit (1);
687 }
688 }
689
690 zprivs->change = zprivs_change_uid;
691 zprivs->current_state = zprivs_state_uid;
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]692#endif /* HAVE_CAPABILITIES */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]693}
694
695void
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]696zprivs_terminate (struct zebra_privs_t *zprivs)
paul01245822003-05-20 01:22:17 +0000[diff] [blame]697{
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]698 if (!zprivs)
paul01245822003-05-20 01:22:17 +0000[diff] [blame]699 {
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]700 fprintf (stderr, "%s: no privs struct given, terminating", __func__);
701 exit (0);
702 }
paul01245822003-05-20 01:22:17 +0000[diff] [blame]703
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]704#ifdef HAVE_CAPABILITIES
705 zprivs_caps_terminate();
706#else /* !HAVE_CAPABILITIES */
paul01245822003-05-20 01:22:17 +0000[diff] [blame]707 if (zprivs_state.zuid)
708 {
709 if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
710 {
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]711 fprintf (stderr, "privs_terminate: could not setreuid, %s",
ajs6099b3b2004-11-20 02:06:59 +0000[diff] [blame]712 safe_strerror (errno) );
paul01245822003-05-20 01:22:17 +0000[diff] [blame]713 exit (1);
714 }
715 }
716#endif /* HAVE_LCAPS */
paulceacedb2005-09-29 14:39:32 +0000[diff] [blame]717
718 zprivs->change = zprivs_change_null;
719 zprivs->current_state = zprivs_state_null;
720 zprivs_null_state = ZPRIVS_LOWERED;
paul01245822003-05-20 01:22:17 +0000[diff] [blame]721 return;
722}
hassoba3a0bc2003-06-04 17:41:54 +0000[diff] [blame]723
724void
725zprivs_get_ids(struct zprivs_ids_t *ids)
726{
727
728 ids->uid_priv = getuid();
729 (zprivs_state.zuid) ? (ids->uid_normal = zprivs_state.zuid)
730 : (ids->uid_normal = -1);
731 (zprivs_state.zgid) ? (ids->gid_normal = zprivs_state.zgid)
732 : (ids->gid_normal = -1);
733 (zprivs_state.vtygrp) ? (ids->gid_vty = zprivs_state.vtygrp)
734 : (ids->gid_vty = -1);
735
736 return;
737}