X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/12408a1b16c3ce5b7e203bec879ceb3d67ae09a8..HEAD:/openssh/uidswap.c
diff --git a/openssh/uidswap.c b/openssh/uidswap.c
index 4cabaa4..cc91fcf 100644
--- a/openssh/uidswap.c
+++ b/openssh/uidswap.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");
+RCSID("$OpenBSD: uidswap.c,v 1.18 2001/08/08 21:34:19 markus Exp $");
 #include "log.h"
 #include "uidswap.h"
@@ -52,9 +52,8 @@ temporarily_use_uid(struct passwd *pw)
 #ifdef SAVED_IDS_WORK_WITH_SETEUID
 saved_euid = geteuid();
 saved_egid = getegid();
- debug("temporarily_use_uid: %u/%u (e=%u/%u)",
- (u_int)pw->pw_uid, (u_int)pw->pw_gid,
- (u_int)saved_euid, (u_int)saved_egid);
+ debug("temporarily_use_uid: %d/%d (e=%d)",
+ pw->pw_uid, pw->pw_gid, saved_euid);
 if (saved_euid != 0) {
 privileged = 0;
 return;
@@ -68,7 +67,7 @@ temporarily_use_uid(struct passwd *pw)
 privileged = 1;
 temporarily_use_uid_effective = 1;
- saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
+ saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
 if (saved_egroupslen < 0)
 fatal("getgroups: %.100s", strerror(errno));
@@ -77,13 +76,15 @@ temporarily_use_uid(struct passwd *pw)
 if (initgroups(pw->pw_name, pw->pw_gid) < 0)
 fatal("initgroups: %s: %.100s", pw->pw_name, strerror(errno));
- user_groupslen = getgroups(NGROUPS_MAX, user_groups);
+ user_groupslen = getgroups(NGROUPS_MAX, user_groups);
 if (user_groupslen < 0)
 fatal("getgroups: %.100s", strerror(errno));
 }
+#ifndef HAVE_CYGWIN
 /* Set the effective uid to the given (unprivileged) uid. */
 if (setgroups(user_groupslen, user_groups) < 0)
 fatal("setgroups: %.100s", strerror(errno));
+#endif /* !HAVE_CYWIN */
 #ifndef SAVED_IDS_WORK_WITH_SETEUID
 /* Propagate the privileged gid to all of our gids. */
 if (setgid(getegid()) < 0)
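Review bot: In the `@@ -52,9 +52,8 @@` hunk the new debug() call passes `pw->pw_uid`, `pw->pw_gid` and `saved_euid` straight to `%d`, so the format no longer matches the argument types wherever uid_t/gid_t is unsigned or not int-sized, and large ids would show up as negative numbers in the log. The fatal() calls elsewhere in this file cast to `u_int` and print with `%u`; the same here would be `debug("temporarily_use_uid: %u/%u (e=%u)", (u_int) pw->pw_uid, (u_int) pw->pw_gid, (u_int) saved_euid);`. temporarily_use_uid starts and ends outside this hunk.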
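Review bot: In the `@@ -77,13 +76,15 @@` hunk the closing comment of the new guard misspells the macro: `#endif /* !HAVE_CYWIN */` should be `#endif /* !HAVE_CYGWIN */`, as the matching guard added in restore_uid spells it. With setgroups() compiled out both here and in restore_uid, a HAVE_CYGWIN build appears to depend on the initgroups() call above for its supplementary groups and never puts the saved list back; the hunk gives no reason, so a one-line comment above the `#ifndef` stating why the call is skipped on that platform would help. The existing `/* Set the effective uid to the given (unprivileged) uid. */` comment also ends up inside the guard, directly above setgroups(), and would read better below the `#endif` next to the setegid()/seteuid() calls. temporarily_use_uid starts and ends outside this hunk.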
@@ -93,10 +94,10 @@ temporarily_use_uid(struct passwd *pw)
 debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
 if (setegid(pw->pw_gid) < 0)
- fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
+ fatal("setegid %u: %.100s", (u_int) pw->pw_gid,
 strerror(errno));
 if (seteuid(pw->pw_uid) == -1)
- fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
+ fatal("seteuid %u: %.100s", (u_int) pw->pw_uid,
 strerror(errno));
 }
@@ -106,21 +107,20 @@ temporarily_use_uid(struct passwd *pw)
 void
 restore_uid(void)
 {
+ debug("restore_uid");
 /* it's a no-op unless privileged */
- if (!privileged) {
- debug("restore_uid: (unprivileged)");
+ if (!privileged)
 return;
- }
 if (!temporarily_use_uid_effective)
 fatal("restore_uid: temporarily_use_uid not effective");
 #ifdef SAVED_IDS_WORK_WITH_SETEUID
- debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
 /* Set the effective uid back to the saved privileged uid. */
 if (seteuid(saved_euid) < 0)
- fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
+ fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno));
 if (setegid(saved_egid) < 0)
- fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
+ fatal("setegid %u: %.100s", (u_int) saved_egid,
+ strerror(errno));
 #else /* SAVED_IDS_WORK_WITH_SETEUID */
 /*
 * We are unable to restore the real uid to its unprivileged value.
@@ -131,8 +131,10 @@ restore_uid(void)
 setgid(getgid());
 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+#ifndef HAVE_CYGWIN
 if (setgroups(saved_egroupslen, saved_egroups) < 0)
 fatal("setgroups: %.100s", strerror(errno));
+#endif /* !HAVE_CYGWIN */
 temporarily_use_uid_effective = 0;
 }
@@ -143,65 +145,10 @@ restore_uid(void)
 void
 permanently_set_uid(struct passwd *pw)
 {
- uid_t old_uid = getuid();
- gid_t old_gid = getgid();
-
 if (temporarily_use_uid_effective)
- fatal("permanently_set_uid: temporarily_use_uid effective");
- debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
- (u_int)pw->pw_gid);
-
-#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
- if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
- fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
- if (setregid(pw->pw_gid, pw->pw_gid) < 0)
- fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#else
- if (setegid(pw->pw_gid) < 0)
- fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+ fatal("restore_uid: temporarily_use_uid effective");
 if (setgid(pw->pw_gid) < 0)
- fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#endif
-
-#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
- fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
- if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
- fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#else
-# ifndef SETEUID_BREAKS_SETUID
- if (seteuid(pw->pw_uid) < 0)
- fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-# endif
+ fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno));
 if (setuid(pw->pw_uid) < 0)
- fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#endif
-
- /* Try restoration of GID if changed (test clearing of saved gid) */
- if (old_gid != pw->pw_gid &&
- (setgid(old_gid) != -1 || setegid(old_gid) != -1))
- fatal("%s: was able to restore old [e]gid", __func__);
-
- /* Verify GID drop was successful */
- if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
- fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
- __func__, (u_int)getgid(), (u_int)getegid(),
- (u_int)pw->pw_gid);
- }
-
-#ifndef HAVE_CYGWIN
- /* Try restoration of UID if changed (test clearing of saved uid) */
- if (old_uid != pw->pw_uid &&
- (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
- fatal("%s: was able to restore old [e]uid", __func__);
-#endif
-
- /* Verify UID drop was successful */
- if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
- fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
- __func__, (u_int)getuid(), (u_int)geteuid(),
- (u_int)pw->pw_uid);
- }
+ fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno));
 }
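Review bot: permanently_set_uid on the new side trusts the return values of `setgid()` and `setuid()` alone and never confirms that the privilege drop took effect; whether plain setuid() also clears the saved ids depends on the platform, which this page does not show. A post-condition check that compares getgid()/getegid() and getuid()/geteuid() with `pw->pw_gid` and `pw->pw_uid` and calls fatal() on a mismatch makes the function fail closed, as sketched below. The first fatal() is also labelled with the wrong function, `"restore_uid: temporarily_use_uid effective"`, which will mislead anyone reading the log; `"permanently_set_uid: temporarily_use_uid effective"` names the function that actually failed. The new body has no debug() line recording the target uid/gid either, so the drop leaves no trace at debug level.

```c
	/* … unchanged: temporarily_use_uid_effective check, setgid() call … */
	if (setuid(pw->pw_uid) < 0)
		fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno));

	/* Fail closed unless real and effective ids both match the target. */
	if (getgid() != pw->pw_gid || getegid() != pw->pw_gid)
		fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
		    __func__, (u_int) getgid(), (u_int) getegid(),
		    (u_int) pw->pw_gid);
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
		fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
		    __func__, (u_int) getuid(), (u_int) geteuid(),
		    (u_int) pw->pw_uid);
```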