- (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from

[openssh.git] / uidswap.c

diff --git a/uidswap.c b/uidswap.c
index 04c269b0a1769a39629c672f793061e9b383bb18..44c4cb626c8a7d10cee86d0da45cb013316f8878 100644 (file)
--- a/uidswap.c
+++ b/uidswap.c
@@ -16,6 +16,7 @@ RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");
 
 #include "log.h"
 #include "uidswap.h"
+#include "xmalloc.h"
 
 /*
  * Note: all these functions must work in all of the following cases:
@@ -38,7 +39,7 @@ static gid_t  saved_egid = 0;
 /* Saved effective uid. */
 static int     privileged = 0;
 static int     temporarily_use_uid_effective = 0;
-static gid_t   saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
+static gid_t   *saved_egroups = NULL, *user_groups = NULL;
 static int     saved_egroupslen = -1, user_groupslen = -1;
 
 /*
@@ -68,18 +69,38 @@ temporarily_use_uid(struct passwd *pw)
 
        privileged = 1;
        temporarily_use_uid_effective = 1;
-       saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
+
+       saved_egroupslen = getgroups(0, NULL);
        if (saved_egroupslen < 0)
                fatal("getgroups: %.100s", strerror(errno));
+       if (saved_egroupslen > 0) {
+               saved_egroups = xrealloc(saved_egroups,
+                   saved_egroupslen * sizeof(gid_t));
+               if (getgroups(saved_egroupslen, saved_egroups) < 0)
+                       fatal("getgroups: %.100s", strerror(errno));
+       } else { /* saved_egroupslen == 0 */
+               if (saved_egroups != NULL)
+                       xfree(saved_egroups);
+       }
 
        /* set and save the user's groups */
        if (user_groupslen == -1) {
                if (initgroups(pw->pw_name, pw->pw_gid) < 0)
                        fatal("initgroups: %s: %.100s", pw->pw_name,
                            strerror(errno));
-               user_groupslen = getgroups(NGROUPS_MAX, user_groups);
+
+               user_groupslen = getgroups(0, NULL);
                if (user_groupslen < 0)
                        fatal("getgroups: %.100s", strerror(errno));
+               if (user_groupslen > 0) {
+                       user_groups = xrealloc(user_groups,
+                           user_groupslen * sizeof(gid_t));
+                       if (getgroups(user_groupslen, user_groups) < 0)
+                               fatal("getgroups: %.100s", strerror(errno));
+               } else { /* user_groupslen == 0 */
+                       if (user_groups)
+                               xfree(user_groups);
+               }
        }
        /* Set the effective uid to the given (unprivileged) uid. */
        if (setgroups(user_groupslen, user_groups) < 0)
@@ -151,10 +172,10 @@ permanently_set_uid(struct passwd *pw)
        debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
            (u_int)pw->pw_gid);
 
-#if defined(HAVE_SETRESGID)
+#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
        if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
                fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#elif defined(HAVE_SETREGID)
+#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
        if (setregid(pw->pw_gid, pw->pw_gid) < 0)
                fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
 #else
@@ -164,12 +185,12 @@ permanently_set_uid(struct passwd *pw)
                fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
 #endif
 
-#if defined(HAVE_SETRESUID)
-       if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
-               fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#elif defined(HAVE_SETRESUID)
+#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
        if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
                fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
+       if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
+               fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
 #else
 # ifndef SETEUID_BREAKS_SETUID
        if (seteuid(pw->pw_uid) < 0)
@@ -180,26 +201,28 @@ permanently_set_uid(struct passwd *pw)
 #endif
 
        /* Try restoration of GID if changed (test clearing of saved gid) */
-       if (old_gid != pw->pw_gid && 
+       if (old_gid != pw->pw_gid &&
            (setgid(old_gid) != -1 || setegid(old_gid) != -1))
-               fatal("%s: was able to restore old [e]gid");
+               fatal("%s: was able to restore old [e]gid", __func__);
 
        /* Verify GID drop was successful */
        if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
-               fatal("%s: egid incorrect gid:%u egid:%u (should be %u)", 
-                   __func__, (u_int)getgid(), (u_int)getegid(), 
+               fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
+                   __func__, (u_int)getgid(), (u_int)getegid(),
                    (u_int)pw->pw_gid);
        }
 
+#ifndef HAVE_CYGWIN
        /* Try restoration of UID if changed (test clearing of saved uid) */
-       if (old_uid != pw->pw_uid && 
+       if (old_uid != pw->pw_uid &&
            (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
-               fatal("%s: was able to restore old [e]uid");
+               fatal("%s: was able to restore old [e]uid", __func__);
+#endif
 
        /* Verify UID drop was successful */
        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
-               fatal("%s: euid incorrect uid:%u euid:%u (should be %u)", 
-                   __func__, (u_int)getuid(), (u_int)geteuid(), 
+               fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
+                   __func__, (u_int)getuid(), (u_int)geteuid(),
                    (u_int)pw->pw_uid);
        }
 }