Home | History | Annotate | Download | only in openssh
      1 /* $OpenBSD: uidswap.c,v 1.39 2015/06/24 01:49:19 dtucker Exp $ */
      2 /*
      3  * Author: Tatu Ylonen <ylo (at) cs.hut.fi>
      4  * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland
      5  *                    All rights reserved
      6  * Code for uid-swapping.
      7  *
      8  * As far as I am concerned, the code I have written for this software
      9  * can be used freely for any purpose.  Any derived versions of this
     10  * software must be clearly marked as such, and if the derived work is
     11  * incompatible with the protocol description in the RFC file, it must be
     12  * called by a name other than "ssh" or "Secure Shell".
     13  */
     14 
     15 #include "includes.h"
     16 
     17 #include <errno.h>
     18 #include <pwd.h>
     19 #include <string.h>
     20 #include <unistd.h>
     21 #include <limits.h>
     22 #include <stdarg.h>
     23 #include <stdlib.h>
     24 
     25 #include <grp.h>
     26 
     27 #include "log.h"
     28 #include "uidswap.h"
     29 #include "xmalloc.h"
     30 
     31 #ifdef ANDROID
     32 #include <private/android_filesystem_config.h>
     33 #if !defined(GCE_PLATFORM_SDK_VERSION) || (GCE_PLATFORM_SDK_VERSION > 17)
     34 #include <sys/capability.h>
     35 #else
     36 #include <linux/capability.h>
     37 #endif
     38 #include <sys/prctl.h>
     39 #endif
     40 
     41 /*
     42  * Note: all these functions must work in all of the following cases:
     43  *    1. euid=0, ruid=0
     44  *    2. euid=0, ruid!=0
     45  *    3. euid!=0, ruid!=0
     46  * Additionally, they must work regardless of whether the system has
     47  * POSIX saved uids or not.
     48  */
     49 
     50 #if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)
     51 /* Lets assume that posix saved ids also work with seteuid, even though that
     52    is not part of the posix specification. */
     53 #define SAVED_IDS_WORK_WITH_SETEUID
     54 /* Saved effective uid. */
     55 static uid_t 	saved_euid = 0;
     56 static gid_t	saved_egid = 0;
     57 #endif
     58 
     59 /* Saved effective uid. */
     60 static int	privileged = 0;
     61 static int	temporarily_use_uid_effective = 0;
     62 static gid_t	*saved_egroups = NULL, *user_groups = NULL;
     63 static int	saved_egroupslen = -1, user_groupslen = -1;
     64 
     65 /*
     66  * Temporarily changes to the given uid.  If the effective user
     67  * id is not root, this does nothing.  This call cannot be nested.
     68  */
     69 void
     70 temporarily_use_uid(struct passwd *pw)
     71 {
     72 	/* Save the current euid, and egroups. */
     73 #ifdef SAVED_IDS_WORK_WITH_SETEUID
     74 	saved_euid = geteuid();
     75 	saved_egid = getegid();
     76 	debug("temporarily_use_uid: %u/%u (e=%u/%u)",
     77 	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
     78 	    (u_int)saved_euid, (u_int)saved_egid);
     79 #ifndef HAVE_CYGWIN
     80 	if (saved_euid != 0) {
     81 		privileged = 0;
     82 		return;
     83 	}
     84 #endif
     85 #else
     86 	if (geteuid() != 0) {
     87 		privileged = 0;
     88 		return;
     89 	}
     90 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
     91 
     92 	privileged = 1;
     93 	temporarily_use_uid_effective = 1;
     94 
     95 	saved_egroupslen = getgroups(0, NULL);
     96 	if (saved_egroupslen < 0)
     97 		fatal("getgroups: %.100s", strerror(errno));
     98 	if (saved_egroupslen > 0) {
     99 		saved_egroups = xreallocarray(saved_egroups,
    100 		    saved_egroupslen, sizeof(gid_t));
    101 		if (getgroups(saved_egroupslen, saved_egroups) < 0)
    102 			fatal("getgroups: %.100s", strerror(errno));
    103 	} else { /* saved_egroupslen == 0 */
    104 		free(saved_egroups);
    105 	}
    106 
    107 	/* set and save the user's groups */
    108 	if (user_groupslen == -1) {
    109 		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
    110 			fatal("initgroups: %s: %.100s", pw->pw_name,
    111 			    strerror(errno));
    112 
    113 		user_groupslen = getgroups(0, NULL);
    114 		if (user_groupslen < 0)
    115 			fatal("getgroups: %.100s", strerror(errno));
    116 		if (user_groupslen > 0) {
    117 			user_groups = xreallocarray(user_groups,
    118 			    user_groupslen, sizeof(gid_t));
    119 			if (getgroups(user_groupslen, user_groups) < 0)
    120 				fatal("getgroups: %.100s", strerror(errno));
    121 		} else { /* user_groupslen == 0 */
    122 			free(user_groups);
    123 		}
    124 	}
    125 	/* Set the effective uid to the given (unprivileged) uid. */
    126 	if (setgroups(user_groupslen, user_groups) < 0)
    127 		fatal("setgroups: %.100s", strerror(errno));
    128 #ifndef SAVED_IDS_WORK_WITH_SETEUID
    129 	/* Propagate the privileged gid to all of our gids. */
    130 	if (setgid(getegid()) < 0)
    131 		debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
    132 	/* Propagate the privileged uid to all of our uids. */
    133 	if (setuid(geteuid()) < 0)
    134 		debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
    135 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
    136 	if (setegid(pw->pw_gid) < 0)
    137 		fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
    138 		    strerror(errno));
    139 	if (seteuid(pw->pw_uid) == -1)
    140 		fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
    141 		    strerror(errno));
    142 }
    143 
    144 void
    145 permanently_drop_suid(uid_t uid)
    146 {
    147 #ifndef NO_UID_RESTORATION_TEST
    148 	uid_t old_uid = getuid();
    149 #endif
    150 
    151 	debug("permanently_drop_suid: %u", (u_int)uid);
    152 	if (setresuid(uid, uid, uid) < 0)
    153 		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
    154 
    155 #ifndef NO_UID_RESTORATION_TEST
    156 	/*
    157 	 * Try restoration of UID if changed (test clearing of saved uid).
    158 	 *
    159 	 * Note that we don't do this on Cygwin, or on Solaris-based platforms
    160 	 * where fine-grained privileges are available (the user might be
    161 	 * deliberately allowed the right to setuid back to root).
    162 	 */
    163 	if (old_uid != uid &&
    164 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
    165 		fatal("%s: was able to restore old [e]uid", __func__);
    166 #endif
    167 
    168 	/* Verify UID drop was successful */
    169 	if (getuid() != uid || geteuid() != uid) {
    170 		fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
    171 		    __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid);
    172 	}
    173 }
    174 
    175 /*
    176  * Restores to the original (privileged) uid.
    177  */
    178 void
    179 restore_uid(void)
    180 {
    181 	/* it's a no-op unless privileged */
    182 	if (!privileged) {
    183 		debug("restore_uid: (unprivileged)");
    184 		return;
    185 	}
    186 	if (!temporarily_use_uid_effective)
    187 		fatal("restore_uid: temporarily_use_uid not effective");
    188 
    189 #ifdef SAVED_IDS_WORK_WITH_SETEUID
    190 	debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
    191 	/* Set the effective uid back to the saved privileged uid. */
    192 	if (seteuid(saved_euid) < 0)
    193 		fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
    194 	if (setegid(saved_egid) < 0)
    195 		fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
    196 #else /* SAVED_IDS_WORK_WITH_SETEUID */
    197 	/*
    198 	 * We are unable to restore the real uid to its unprivileged value.
    199 	 * Propagate the real uid (usually more privileged) to effective uid
    200 	 * as well.
    201 	 */
    202 	setuid(getuid());
    203 	setgid(getgid());
    204 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
    205 
    206 	if (setgroups(saved_egroupslen, saved_egroups) < 0)
    207 		fatal("setgroups: %.100s", strerror(errno));
    208 	temporarily_use_uid_effective = 0;
    209 }
    210 
    211 /*
    212  * Permanently sets all uids to the given uid.  This cannot be
    213  * called while temporarily_use_uid is effective.
    214  */
    215 void
    216 permanently_set_uid(struct passwd *pw)
    217 {
    218 #ifndef NO_UID_RESTORATION_TEST
    219 	uid_t old_uid = getuid();
    220 	gid_t old_gid = getgid();
    221 #endif
    222 #if defined(ANDROID)
    223 	struct __user_cap_header_struct header;
    224 	struct __user_cap_data_struct cap;
    225 #endif
    226 
    227 	if (pw == NULL)
    228 		fatal("permanently_set_uid: no user given");
    229 	if (temporarily_use_uid_effective)
    230 		fatal("permanently_set_uid: temporarily_use_uid effective");
    231 	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
    232 	    (u_int)pw->pw_gid);
    233 
    234 #if defined(ANDROID)
    235 	if (pw->pw_uid == AID_SHELL) {
    236 		prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
    237 
    238 		/* add extra groups needed for shell user:
    239 		 * - AID_LOG to read system logs (adb logcat)
    240 		 * - AID_INPUT to diagnose input issues (getevent)
    241 		 * - AID_INET to diagnose network issues (netcfg, ping)
    242 		 * - AID_GRAPHICS to access the frame buffer
    243 		 * - AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)
    244 		 * - AID_SDCARD_RW to allow writing to the SD card
    245 		 * - AID_MOUNT to allow unmounting the SD card before rebooting
    246 		 * - AID_NET_BW_STATS to read out qtaguid statistics. */
    247 		gid_t groups[] = {AID_LOG,       AID_INPUT,  AID_INET,
    248 				  AID_GRAPHICS,  AID_NET_BT, AID_NET_BT_ADMIN,
    249 				  AID_SDCARD_RW, AID_MOUNT,  AID_NET_BW_STATS};
    250 		setgroups(sizeof(groups)/sizeof(groups[0]), groups);
    251 	}
    252 #endif
    253 
    254 	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
    255 		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
    256 
    257 #ifdef __APPLE__
    258 	/*
    259 	 * OS X requires initgroups after setgid to opt back into
    260 	 * memberd support for >16 supplemental groups.
    261 	 */
    262 	if (initgroups(pw->pw_name, pw->pw_gid) < 0)
    263 		fatal("initgroups %.100s %u: %.100s",
    264 		    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
    265 #endif
    266 
    267 	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
    268 		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
    269 
    270 #ifndef NO_UID_RESTORATION_TEST
    271 	/* Try restoration of GID if changed (test clearing of saved gid) */
    272 	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
    273 	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
    274 		fatal("%s: was able to restore old [e]gid", __func__);
    275 #endif
    276 
    277 	/* Verify GID drop was successful */
    278 	if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
    279 		fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
    280 		    __func__, (u_int)getgid(), (u_int)getegid(),
    281 		    (u_int)pw->pw_gid);
    282 	}
    283 
    284 #ifndef NO_UID_RESTORATION_TEST
    285 	/* Try restoration of UID if changed (test clearing of saved uid) */
    286 	if (old_uid != pw->pw_uid &&
    287 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
    288 		fatal("%s: was able to restore old [e]uid", __func__);
    289 #endif
    290 
    291 	/* Verify UID drop was successful */
    292 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
    293 		fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
    294 		    __func__, (u_int)getuid(), (u_int)geteuid(),
    295 		    (u_int)pw->pw_uid);
    296 	}
    297 
    298 #ifdef ANDROID
    299 	if (pw->pw_uid == AID_SHELL) {
    300 		/* set CAP_SYS_BOOT capability, so "adb reboot" will succeed */
    301 		header.version = _LINUX_CAPABILITY_VERSION;
    302 		header.pid = 0;
    303 		cap.effective = cap.permitted = (1 << CAP_SYS_BOOT);
    304 		cap.inheritable = 0;
    305 		capset(&header, &cap);
    306 	}
    307 #endif
    308 
    309 }
    310