)
# Checks for header files.
-AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
+AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \
login_cap.h maillock.h netdb.h netgroup.h \
netinet/in_systm.h paths.h pty.h readpassphrase.h \
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS(\
- arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \
- bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
+ arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename \
+ bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \
getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \
inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
- setproctitle setresgid setreuid setrlimit setsid setvbuf sigaction \
- sigvec snprintf socketpair strerror strlcat strlcpy strmode strnvis \
- sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \
+ setproctitle setregid setresgid setresuid setreuid setrlimit \
+ setsid setvbuf sigaction sigvec snprintf socketpair strerror \
+ strlcat strlcpy strmode strnvis sysconf tcgetpgrp truncate utimes \
+ vhangup vsnprintf waitpid \
)
AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
void
permanently_set_uid(struct passwd *pw)
{
+ uid_t old_uid = getuid();
+ gid_t old_gid = getgid();
+
if (temporarily_use_uid_effective)
fatal("permanently_set_uid: temporarily_use_uid effective");
debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
+
+#if defined(HAVE_SETRESGID)
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#elif defined(HAVE_SETREGID)
+ if (setregid(pw->pw_gid, pw->pw_gid) < 0)
+ fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#else
if (setegid(pw->pw_gid) < 0)
fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
if (setgid(pw->pw_gid) < 0)
fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#endif
+
+#if defined(HAVE_SETRESUID)
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
+ fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#elif defined(HAVE_SETRESUID)
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
+ fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#else
+# ifndef SETEUID_BREAKS_SETUID
if (seteuid(pw->pw_uid) < 0)
fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+# endif
if (setuid(pw->pw_uid) < 0)
fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#endif
+
+ /* Try restoration of GID if changed (test clearing of saved gid) */
+ if (old_gid != pw->pw_gid &&
+ (setgid(old_gid) != -1 || setegid(old_gid) != -1))
+ fatal("%s: was able to restore old [e]gid");
+
+ /* Verify GID drop was successful */
+ if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
+ fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
+ __func__, (u_int)getgid(), (u_int)getegid(),
+ (u_int)pw->pw_gid);
+ }
+
+ /* Try restoration of UID if changed (test clearing of saved uid) */
+ if (old_uid != pw->pw_uid &&
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ fatal("%s: was able to restore old [e]uid");
+
+ /* Verify UID drop was successful */
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
+ fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
+ __func__, (u_int)getuid(), (u_int)geteuid(),
+ (u_int)pw->pw_uid);
+ }
}
andersk / openssh.git / commitdiff
