1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 35 * $FreeBSD: src/sys/kern/kern_prot.c,v 1.53.2.9 2002/03/09 05:20:26 dd Exp $ 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/param.h> 43 #include <sys/acct.h> 44 #include <sys/systm.h> 45 #include <sys/sysproto.h> 46 #include <sys/kernel.h> 47 #include <sys/lock.h> 48 #include <sys/proc.h> 49 #include <sys/priv.h> 50 #include <sys/malloc.h> 51 #include <sys/pioctl.h> 52 #include <sys/resourcevar.h> 53 #include <sys/jail.h> 54 #include <sys/lockf.h> 55 #include <sys/spinlock.h> 56 57 #include <sys/thread2.h> 58 #include <sys/spinlock2.h> 59 60 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 61 62 int 63 sys_getpid(struct getpid_args *uap) 64 { 65 struct proc *p = curproc; 66 67 uap->sysmsg_fds[0] = p->p_pid; 68 return (0); 69 } 70 71 int 72 sys_getppid(struct getppid_args *uap) 73 { 74 struct proc *p = curproc; 75 76 lwkt_gettoken_shared(&p->p_token); 77 uap->sysmsg_result = p->p_pptr->p_pid; 78 lwkt_reltoken(&p->p_token); 79 80 return (0); 81 } 82 83 int 84 sys_lwp_gettid(struct lwp_gettid_args *uap) 85 { 86 struct lwp *lp = curthread->td_lwp; 87 uap->sysmsg_result = lp->lwp_tid; 88 return (0); 89 } 90 91 /* 92 * Get process group ID; note that POSIX getpgrp takes no parameter 93 */ 94 int 95 sys_getpgrp(struct getpgrp_args *uap) 96 { 97 struct proc *p = curproc; 98 99 lwkt_gettoken_shared(&p->p_token); 100 uap->sysmsg_result = p->p_pgrp->pg_id; 101 lwkt_reltoken(&p->p_token); 102 103 return (0); 104 } 105 106 /* 107 * Get an arbitrary pid's process group id 108 */ 109 int 110 sys_getpgid(struct getpgid_args *uap) 111 { 112 struct proc *p = curproc; 113 struct proc *pt; 114 int error; 115 116 error = 0; 117 118 if (uap->pid == 0) { 119 pt = p; 120 PHOLD(pt); 121 } else { 122 pt = pfind(uap->pid); 123 if (pt == NULL) 124 error = ESRCH; 125 } 126 if (error == 0) { 127 lwkt_gettoken_shared(&pt->p_token); 128 uap->sysmsg_result = pt->p_pgrp->pg_id; 129 lwkt_reltoken(&pt->p_token); 130 } 131 if (pt) 132 PRELE(pt); 133 return (error); 134 } 135 136 /* 137 * Get an arbitrary pid's session id. 138 */ 139 int 140 sys_getsid(struct getsid_args *uap) 141 { 142 struct proc *p = curproc; 143 struct proc *pt; 144 int error; 145 146 error = 0; 147 148 if (uap->pid == 0) { 149 pt = p; 150 PHOLD(pt); 151 } else { 152 pt = pfind(uap->pid); 153 if (pt == NULL) 154 error = ESRCH; 155 } 156 if (error == 0) 157 uap->sysmsg_result = pt->p_session->s_sid; 158 if (pt) 159 PRELE(pt); 160 return (error); 161 } 162 163 164 /* 165 * getuid() 166 */ 167 int 168 sys_getuid(struct getuid_args *uap) 169 { 170 struct ucred *cred = curthread->td_ucred; 171 172 uap->sysmsg_fds[0] = cred->cr_ruid; 173 return (0); 174 } 175 176 /* 177 * geteuid() 178 */ 179 int 180 sys_geteuid(struct geteuid_args *uap) 181 { 182 struct ucred *cred = curthread->td_ucred; 183 184 uap->sysmsg_result = cred->cr_uid; 185 return (0); 186 } 187 188 /* 189 * getgid() 190 */ 191 int 192 sys_getgid(struct getgid_args *uap) 193 { 194 struct ucred *cred = curthread->td_ucred; 195 196 uap->sysmsg_fds[0] = cred->cr_rgid; 197 return (0); 198 } 199 200 /* 201 * Get effective group ID. The "egid" is groups[0], and could be obtained 202 * via getgroups. This syscall exists because it is somewhat painful to do 203 * correctly in a library function. 204 */ 205 int 206 sys_getegid(struct getegid_args *uap) 207 { 208 struct ucred *cred = curthread->td_ucred; 209 210 uap->sysmsg_result = cred->cr_groups[0]; 211 return (0); 212 } 213 214 int 215 sys_getgroups(struct getgroups_args *uap) 216 { 217 struct ucred *cr; 218 u_int ngrp; 219 int error; 220 221 cr = curthread->td_ucred; 222 if ((ngrp = uap->gidsetsize) == 0) { 223 uap->sysmsg_result = cr->cr_ngroups; 224 return (0); 225 } 226 if (ngrp < cr->cr_ngroups) 227 return (EINVAL); 228 ngrp = cr->cr_ngroups; 229 error = copyout((caddr_t)cr->cr_groups, 230 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)); 231 if (error == 0) 232 uap->sysmsg_result = ngrp; 233 return (error); 234 } 235 236 int 237 sys_lwp_setname(struct lwp_setname_args *uap) 238 { 239 struct proc *p = curproc; 240 char comm0[MAXCOMLEN + 1]; 241 const char *comm = NULL; 242 struct lwp *lp; 243 int error; 244 245 if (uap->name != NULL) { 246 error = copyinstr(uap->name, comm0, sizeof(comm0), NULL); 247 if (error) { 248 if (error != ENAMETOOLONG) 249 return error; 250 /* Truncate */ 251 comm0[MAXCOMLEN] = '\0'; 252 } 253 comm = comm0; 254 } else { 255 /* Restore to the default name, i.e. process name. */ 256 comm = p->p_comm; 257 } 258 259 lwkt_gettoken(&p->p_token); 260 261 lp = lwp_rb_tree_RB_LOOKUP(&p->p_lwp_tree, uap->tid); 262 if (lp != NULL) { 263 strlcpy(lp->lwp_thread->td_comm, comm, 264 sizeof(lp->lwp_thread->td_comm)); 265 error = 0; 266 } else { 267 error = ESRCH; 268 } 269 270 lwkt_reltoken(&p->p_token); 271 return error; 272 } 273 274 int 275 sys_setsid(struct setsid_args *uap) 276 { 277 struct proc *p = curproc; 278 struct pgrp *pg = NULL; 279 int error; 280 281 lwkt_gettoken(&p->p_token); 282 if (p->p_pgid == p->p_pid || (pg = pgfind(p->p_pid)) != NULL) { 283 error = EPERM; 284 if (pg) 285 pgrel(pg); 286 } else { 287 enterpgrp(p, p->p_pid, 1); 288 uap->sysmsg_result = p->p_pid; 289 error = 0; 290 } 291 lwkt_reltoken(&p->p_token); 292 return (error); 293 } 294 295 /* 296 * set process group (setpgid/old setpgrp) 297 * 298 * caller does setpgid(targpid, targpgid) 299 * 300 * pid must be caller or child of caller (ESRCH) 301 * if a child 302 * pid must be in same session (EPERM) 303 * pid can't have done an exec (EACCES) 304 * if pgid != pid 305 * there must exist some pid in same session having pgid (EPERM) 306 * pid must not be session leader (EPERM) 307 */ 308 int 309 sys_setpgid(struct setpgid_args *uap) 310 { 311 struct proc *curp = curproc; 312 struct proc *targp; /* target process */ 313 struct pgrp *pgrp = NULL; /* target pgrp */ 314 int error; 315 316 if (uap->pgid < 0) 317 return (EINVAL); 318 319 if (uap->pid != 0 && uap->pid != curp->p_pid) { 320 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 321 if (targp) 322 PRELE(targp); 323 error = ESRCH; 324 targp = NULL; 325 goto done; 326 } 327 lwkt_gettoken(&targp->p_token); 328 /* targp now referenced and its token is held */ 329 330 if (targp->p_pgrp == NULL || 331 targp->p_session != curp->p_session) { 332 error = EPERM; 333 goto done; 334 } 335 if (targp->p_flags & P_EXEC) { 336 error = EACCES; 337 goto done; 338 } 339 } else { 340 targp = curp; 341 PHOLD(targp); 342 lwkt_gettoken(&targp->p_token); 343 } 344 if (SESS_LEADER(targp)) { 345 error = EPERM; 346 goto done; 347 } 348 if (uap->pgid == 0) { 349 uap->pgid = targp->p_pid; 350 } else if (uap->pgid != targp->p_pid) { 351 if ((pgrp = pgfind(uap->pgid)) == NULL || 352 pgrp->pg_session != curp->p_session) { 353 error = EPERM; 354 goto done; 355 } 356 } 357 error = enterpgrp(targp, uap->pgid, 0); 358 done: 359 if (pgrp) 360 pgrel(pgrp); 361 if (targp) { 362 lwkt_reltoken(&targp->p_token); 363 PRELE(targp); 364 } 365 return (error); 366 } 367 368 /* 369 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 370 * compatible. It says that setting the uid/gid to euid/egid is a special 371 * case of "appropriate privilege". Once the rules are expanded out, this 372 * basically means that setuid(nnn) sets all three id's, in all permitted 373 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 374 * does not set the saved id - this is dangerous for traditional BSD 375 * programs. For this reason, we *really* do not want to set 376 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 377 */ 378 #define POSIX_APPENDIX_B_4_2_2 379 380 int 381 sys_setuid(struct setuid_args *uap) 382 { 383 struct proc *p = curproc; 384 struct ucred *cr; 385 uid_t uid; 386 int error; 387 388 lwkt_gettoken(&p->p_token); 389 cr = p->p_ucred; 390 391 /* 392 * See if we have "permission" by POSIX 1003.1 rules. 393 * 394 * Note that setuid(geteuid()) is a special case of 395 * "appropriate privileges" in appendix B.4.2.2. We need 396 * to use this clause to be compatible with traditional BSD 397 * semantics. Basically, it means that "setuid(xx)" sets all 398 * three id's (assuming you have privs). 399 * 400 * Notes on the logic. We do things in three steps. 401 * 1: We determine if the euid is going to change, and do EPERM 402 * right away. We unconditionally change the euid later if this 403 * test is satisfied, simplifying that part of the logic. 404 * 2: We determine if the real and/or saved uid's are going to 405 * change. Determined by compile options. 406 * 3: Change euid last. (after tests in #2 for "appropriate privs") 407 */ 408 uid = uap->uid; 409 if (uid != cr->cr_ruid && /* allow setuid(getuid()) */ 410 #ifdef _POSIX_SAVED_IDS 411 uid != crc->cr_svuid && /* allow setuid(saved gid) */ 412 #endif 413 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 414 uid != cr->cr_uid && /* allow setuid(geteuid()) */ 415 #endif 416 (error = priv_check_cred(cr, PRIV_CRED_SETUID, 0))) 417 goto done; 418 419 #ifdef _POSIX_SAVED_IDS 420 /* 421 * Do we have "appropriate privileges" (are we root or uid == euid) 422 * If so, we are changing the real uid and/or saved uid. 423 */ 424 if ( 425 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 426 uid == cr->cr_uid || 427 #endif 428 priv_check_cred(cr, PRIV_CRED_SETUID, 0) == 0) /* we are using privs */ 429 #endif 430 { 431 /* 432 * Set the real uid and transfer proc count to new user. 433 */ 434 if (uid != cr->cr_ruid) { 435 cr = change_ruid(uid); 436 setsugid(); 437 } 438 /* 439 * Set saved uid 440 * 441 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 442 * the security of seteuid() depends on it. B.4.2.2 says it 443 * is important that we should do this. 444 */ 445 if (cr->cr_svuid != uid) { 446 cr = cratom_proc(p); 447 cr->cr_svuid = uid; 448 setsugid(); 449 } 450 } 451 452 /* 453 * In all permitted cases, we are changing the euid. 454 * Copy credentials so other references do not see our changes. 455 */ 456 if (cr->cr_uid != uid) { 457 change_euid(uid); 458 setsugid(); 459 } 460 error = 0; 461 done: 462 lwkt_reltoken(&p->p_token); 463 return (error); 464 } 465 466 int 467 sys_seteuid(struct seteuid_args *uap) 468 { 469 struct proc *p = curproc; 470 struct ucred *cr; 471 uid_t euid; 472 int error; 473 474 lwkt_gettoken(&p->p_token); 475 cr = p->p_ucred; 476 euid = uap->euid; 477 if (euid != cr->cr_ruid && /* allow seteuid(getuid()) */ 478 euid != cr->cr_svuid && /* allow seteuid(saved uid) */ 479 (error = priv_check_cred(cr, PRIV_CRED_SETEUID, 0))) { 480 lwkt_reltoken(&p->p_token); 481 return (error); 482 } 483 484 /* 485 * Everything's okay, do it. Copy credentials so other references do 486 * not see our changes. 487 */ 488 if (cr->cr_uid != euid) { 489 change_euid(euid); 490 setsugid(); 491 } 492 lwkt_reltoken(&p->p_token); 493 return (0); 494 } 495 496 int 497 sys_setgid(struct setgid_args *uap) 498 { 499 struct proc *p = curproc; 500 struct ucred *cr; 501 gid_t gid; 502 int error; 503 504 lwkt_gettoken(&p->p_token); 505 cr = p->p_ucred; 506 507 /* 508 * See if we have "permission" by POSIX 1003.1 rules. 509 * 510 * Note that setgid(getegid()) is a special case of 511 * "appropriate privileges" in appendix B.4.2.2. We need 512 * to use this clause to be compatible with traditional BSD 513 * semantics. Basically, it means that "setgid(xx)" sets all 514 * three id's (assuming you have privs). 515 * 516 * For notes on the logic here, see setuid() above. 517 */ 518 gid = uap->gid; 519 if (gid != cr->cr_rgid && /* allow setgid(getgid()) */ 520 #ifdef _POSIX_SAVED_IDS 521 gid != cr->cr_svgid && /* allow setgid(saved gid) */ 522 #endif 523 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 524 gid != cr->cr_groups[0] && /* allow setgid(getegid()) */ 525 #endif 526 (error = priv_check_cred(cr, PRIV_CRED_SETGID, 0))) { 527 goto done; 528 } 529 530 #ifdef _POSIX_SAVED_IDS 531 /* 532 * Do we have "appropriate privileges" (are we root or gid == egid) 533 * If so, we are changing the real uid and saved gid. 534 */ 535 if ( 536 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 537 gid == cr->cr_groups[0] || 538 #endif 539 priv_check_cred(cr, PRIV_CRED_SETGID, 0) == 0) /* we are using privs */ 540 #endif 541 { 542 /* 543 * Set real gid 544 */ 545 if (cr->cr_rgid != gid) { 546 cr = cratom_proc(p); 547 cr->cr_rgid = gid; 548 setsugid(); 549 } 550 /* 551 * Set saved gid 552 * 553 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 554 * the security of setegid() depends on it. B.4.2.2 says it 555 * is important that we should do this. 556 */ 557 if (cr->cr_svgid != gid) { 558 cr = cratom_proc(p); 559 cr->cr_svgid = gid; 560 setsugid(); 561 } 562 } 563 /* 564 * In all cases permitted cases, we are changing the egid. 565 * Copy credentials so other references do not see our changes. 566 */ 567 if (cr->cr_groups[0] != gid) { 568 cr = cratom_proc(p); 569 cr->cr_groups[0] = gid; 570 setsugid(); 571 } 572 error = 0; 573 done: 574 lwkt_reltoken(&p->p_token); 575 return (error); 576 } 577 578 int 579 sys_setegid(struct setegid_args *uap) 580 { 581 struct proc *p = curproc; 582 struct ucred *cr; 583 gid_t egid; 584 int error; 585 586 lwkt_gettoken(&p->p_token); 587 cr = p->p_ucred; 588 egid = uap->egid; 589 if (egid != cr->cr_rgid && /* allow setegid(getgid()) */ 590 egid != cr->cr_svgid && /* allow setegid(saved gid) */ 591 (error = priv_check_cred(cr, PRIV_CRED_SETEGID, 0))) { 592 goto done; 593 } 594 if (cr->cr_groups[0] != egid) { 595 cr = cratom_proc(p); 596 cr->cr_groups[0] = egid; 597 setsugid(); 598 } 599 error = 0; 600 done: 601 lwkt_reltoken(&p->p_token); 602 return (error); 603 } 604 605 int 606 sys_setgroups(struct setgroups_args *uap) 607 { 608 struct proc *p = curproc; 609 struct ucred *cr; 610 u_int ngrp; 611 int error; 612 613 lwkt_gettoken(&p->p_token); 614 cr = p->p_ucred; 615 616 if ((error = priv_check_cred(cr, PRIV_CRED_SETGROUPS, 0))) 617 goto done; 618 ngrp = uap->gidsetsize; 619 if (ngrp > NGROUPS) { 620 error = EINVAL; 621 goto done; 622 } 623 /* 624 * XXX A little bit lazy here. We could test if anything has 625 * changed before cratom() and setting P_SUGID. 626 */ 627 cr = cratom_proc(p); 628 if (ngrp < 1) { 629 /* 630 * setgroups(0, NULL) is a legitimate way of clearing the 631 * groups vector on non-BSD systems (which generally do not 632 * have the egid in the groups[0]). We risk security holes 633 * when running non-BSD software if we do not do the same. 634 */ 635 cr->cr_ngroups = 1; 636 } else { 637 error = copyin(uap->gidset, cr->cr_groups, 638 ngrp * sizeof(gid_t)); 639 if (error) 640 goto done; 641 cr->cr_ngroups = ngrp; 642 } 643 setsugid(); 644 error = 0; 645 done: 646 lwkt_reltoken(&p->p_token); 647 return (error); 648 } 649 650 int 651 sys_setreuid(struct setreuid_args *uap) 652 { 653 struct proc *p = curproc; 654 struct ucred *cr; 655 uid_t ruid, euid; 656 int error; 657 658 lwkt_gettoken(&p->p_token); 659 cr = p->p_ucred; 660 661 ruid = uap->ruid; 662 euid = uap->euid; 663 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && 664 ruid != cr->cr_svuid) || 665 (euid != (uid_t)-1 && euid != cr->cr_uid && 666 euid != cr->cr_ruid && euid != cr->cr_svuid)) && 667 (error = priv_check_cred(cr, PRIV_CRED_SETREUID, 0)) != 0) { 668 goto done; 669 } 670 671 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 672 cr = change_euid(euid); 673 setsugid(); 674 } 675 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 676 cr = change_ruid(ruid); 677 setsugid(); 678 } 679 if ((ruid != (uid_t)-1 || cr->cr_uid != cr->cr_ruid) && 680 cr->cr_svuid != cr->cr_uid) { 681 cr = cratom_proc(p); 682 cr->cr_svuid = cr->cr_uid; 683 setsugid(); 684 } 685 error = 0; 686 done: 687 lwkt_reltoken(&p->p_token); 688 return (error); 689 } 690 691 int 692 sys_setregid(struct setregid_args *uap) 693 { 694 struct proc *p = curproc; 695 struct ucred *cr; 696 gid_t rgid, egid; 697 int error; 698 699 lwkt_gettoken(&p->p_token); 700 cr = p->p_ucred; 701 702 rgid = uap->rgid; 703 egid = uap->egid; 704 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && 705 rgid != cr->cr_svgid) || 706 (egid != (gid_t)-1 && egid != cr->cr_groups[0] && 707 egid != cr->cr_rgid && egid != cr->cr_svgid)) && 708 (error = priv_check_cred(cr, PRIV_CRED_SETREGID, 0)) != 0) { 709 goto done; 710 } 711 712 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 713 cr = cratom_proc(p); 714 cr->cr_groups[0] = egid; 715 setsugid(); 716 } 717 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 718 cr = cratom_proc(p); 719 cr->cr_rgid = rgid; 720 setsugid(); 721 } 722 if ((rgid != (gid_t)-1 || cr->cr_groups[0] != cr->cr_rgid) && 723 cr->cr_svgid != cr->cr_groups[0]) { 724 cr = cratom_proc(p); 725 cr->cr_svgid = cr->cr_groups[0]; 726 setsugid(); 727 } 728 error = 0; 729 done: 730 lwkt_reltoken(&p->p_token); 731 return (error); 732 } 733 734 /* 735 * setresuid(ruid, euid, suid) is like setreuid except control over the 736 * saved uid is explicit. 737 */ 738 int 739 sys_setresuid(struct setresuid_args *uap) 740 { 741 struct proc *p = curproc; 742 struct ucred *cr; 743 uid_t ruid, euid, suid; 744 int error; 745 746 lwkt_gettoken(&p->p_token); 747 cr = p->p_ucred; 748 749 ruid = uap->ruid; 750 euid = uap->euid; 751 suid = uap->suid; 752 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && 753 ruid != cr->cr_svuid && ruid != cr->cr_uid) || 754 (euid != (uid_t)-1 && euid != cr->cr_ruid && 755 euid != cr->cr_svuid && euid != cr->cr_uid) || 756 (suid != (uid_t)-1 && suid != cr->cr_ruid && 757 suid != cr->cr_svuid && suid != cr->cr_uid)) && 758 (error = priv_check_cred(cr, PRIV_CRED_SETRESUID, 0)) != 0) { 759 goto done; 760 } 761 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 762 cr = change_euid(euid); 763 setsugid(); 764 } 765 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 766 cr = change_ruid(ruid); 767 setsugid(); 768 } 769 if (suid != (uid_t)-1 && cr->cr_svuid != suid) { 770 cr = cratom_proc(p); 771 cr->cr_svuid = suid; 772 setsugid(); 773 } 774 error = 0; 775 done: 776 lwkt_reltoken(&p->p_token); 777 return (error); 778 } 779 780 /* 781 * setresgid(rgid, egid, sgid) is like setregid except control over the 782 * saved gid is explicit. 783 */ 784 int 785 sys_setresgid(struct setresgid_args *uap) 786 { 787 struct proc *p = curproc; 788 struct ucred *cr; 789 gid_t rgid, egid, sgid; 790 int error; 791 792 lwkt_gettoken(&p->p_token); 793 cr = p->p_ucred; 794 rgid = uap->rgid; 795 egid = uap->egid; 796 sgid = uap->sgid; 797 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && 798 rgid != cr->cr_svgid && rgid != cr->cr_groups[0]) || 799 (egid != (gid_t)-1 && egid != cr->cr_rgid && 800 egid != cr->cr_svgid && egid != cr->cr_groups[0]) || 801 (sgid != (gid_t)-1 && sgid != cr->cr_rgid && 802 sgid != cr->cr_svgid && sgid != cr->cr_groups[0])) && 803 (error = priv_check_cred(cr, PRIV_CRED_SETRESGID, 0)) != 0) { 804 goto done; 805 } 806 807 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 808 cr = cratom_proc(p); 809 cr->cr_groups[0] = egid; 810 setsugid(); 811 } 812 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 813 cr = cratom_proc(p); 814 cr->cr_rgid = rgid; 815 setsugid(); 816 } 817 if (sgid != (gid_t)-1 && cr->cr_svgid != sgid) { 818 cr = cratom_proc(p); 819 cr->cr_svgid = sgid; 820 setsugid(); 821 } 822 error = 0; 823 done: 824 lwkt_reltoken(&p->p_token); 825 return (error); 826 } 827 828 int 829 sys_getresuid(struct getresuid_args *uap) 830 { 831 struct ucred *cr; 832 int error1 = 0, error2 = 0, error3 = 0; 833 834 /* 835 * copyout's can fault synchronously so we cannot use a shared 836 * token here. 837 */ 838 cr = curthread->td_ucred; 839 if (uap->ruid) 840 error1 = copyout((caddr_t)&cr->cr_ruid, 841 (caddr_t)uap->ruid, sizeof(cr->cr_ruid)); 842 if (uap->euid) 843 error2 = copyout((caddr_t)&cr->cr_uid, 844 (caddr_t)uap->euid, sizeof(cr->cr_uid)); 845 if (uap->suid) 846 error3 = copyout((caddr_t)&cr->cr_svuid, 847 (caddr_t)uap->suid, sizeof(cr->cr_svuid)); 848 return error1 ? error1 : (error2 ? error2 : error3); 849 } 850 851 int 852 sys_getresgid(struct getresgid_args *uap) 853 { 854 struct ucred *cr; 855 int error1 = 0, error2 = 0, error3 = 0; 856 857 cr = curthread->td_ucred; 858 if (uap->rgid) 859 error1 = copyout(&cr->cr_rgid, uap->rgid, 860 sizeof(cr->cr_rgid)); 861 if (uap->egid) 862 error2 = copyout(&cr->cr_groups[0], uap->egid, 863 sizeof(cr->cr_groups[0])); 864 if (uap->sgid) 865 error3 = copyout(&cr->cr_svgid, uap->sgid, 866 sizeof(cr->cr_svgid)); 867 return error1 ? error1 : (error2 ? error2 : error3); 868 } 869 870 871 /* 872 * NOTE: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 873 * we use P_SUGID because we consider changing the owners as 874 * "tainting" as well. 875 * This is significant for procs that start as root and "become" 876 * a user without an exec - programs cannot know *everything* 877 * that libc *might* have put in their data segment. 878 */ 879 int 880 sys_issetugid(struct issetugid_args *uap) 881 { 882 uap->sysmsg_result = (curproc->p_flags & P_SUGID) ? 1 : 0; 883 return (0); 884 } 885 886 /* 887 * Check if gid is a member of the group set. 888 */ 889 int 890 groupmember(gid_t gid, struct ucred *cred) 891 { 892 gid_t *gp; 893 gid_t *egp; 894 895 egp = &(cred->cr_groups[cred->cr_ngroups]); 896 for (gp = cred->cr_groups; gp < egp; gp++) { 897 if (*gp == gid) 898 return (1); 899 } 900 return (0); 901 } 902 903 /* 904 * Test whether the specified credentials have the privilege 905 * in question. 906 * 907 * A kernel thread without a process context is assumed to have 908 * the privilege in question. In situations where the caller always 909 * expect a cred to exist, the cred should be passed separately and 910 * priv_check_cred() should be used instead of priv_check(). 911 * 912 * Returns 0 or error. 913 */ 914 int 915 priv_check(struct thread *td, int priv) 916 { 917 if (td->td_lwp != NULL) 918 return priv_check_cred(td->td_ucred, priv, 0); 919 return (0); 920 } 921 922 /* 923 * Check a credential for privilege. 924 * 925 * A non-null credential is expected unless NULL_CRED_OKAY is set. 926 */ 927 int 928 priv_check_cred(struct ucred *cred, int priv, int flags) 929 { 930 int error; 931 932 KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege")); 933 934 KASSERT(cred != NULL || (flags & NULL_CRED_OKAY), 935 ("priv_check_cred: NULL cred!")); 936 937 if (cred == NULL) { 938 if (flags & NULL_CRED_OKAY) 939 return (0); 940 else 941 return (EPERM); 942 } 943 if (cred->cr_uid != 0) 944 return (EPERM); 945 946 error = prison_priv_check(cred, priv); 947 if (error) 948 return (error); 949 950 /* NOTE: accounting for suser access (p_acflag/ASU) removed */ 951 return (0); 952 } 953 954 /* 955 * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise. 956 */ 957 int 958 p_trespass(struct ucred *cr1, struct ucred *cr2) 959 { 960 if (cr1 == cr2) 961 return (0); 962 if (!PRISON_CHECK(cr1, cr2)) 963 return (ESRCH); 964 if (cr1->cr_ruid == cr2->cr_ruid) 965 return (0); 966 if (cr1->cr_uid == cr2->cr_ruid) 967 return (0); 968 if (cr1->cr_ruid == cr2->cr_uid) 969 return (0); 970 if (cr1->cr_uid == cr2->cr_uid) 971 return (0); 972 if (priv_check_cred(cr1, PRIV_PROC_TRESPASS, 0) == 0) 973 return (0); 974 return (EPERM); 975 } 976 977 static __inline void 978 _crinit(struct ucred *cr) 979 { 980 cr->cr_ref = 1; 981 } 982 983 void 984 crinit(struct ucred *cr) 985 { 986 bzero(cr, sizeof(*cr)); 987 _crinit(cr); 988 } 989 990 /* 991 * Allocate a zeroed cred structure. 992 */ 993 struct ucred * 994 crget(void) 995 { 996 struct ucred *cr; 997 998 cr = kmalloc(sizeof(*cr), M_CRED, M_WAITOK|M_ZERO); 999 _crinit(cr); 1000 return (cr); 1001 } 1002 1003 /* 1004 * Claim another reference to a ucred structure. Can be used with special 1005 * creds. 1006 * 1007 * It must be possible to call this routine with spinlocks held, meaning 1008 * that this routine itself cannot obtain a spinlock. 1009 */ 1010 struct ucred * 1011 crhold(struct ucred *cr) 1012 { 1013 if (cr != NOCRED && cr != FSCRED) 1014 atomic_add_int(&cr->cr_ref, 1); 1015 return(cr); 1016 } 1017 1018 /* 1019 * Drop a reference from the cred structure, free it if the reference count 1020 * reaches 0. 1021 * 1022 * NOTE: because we used atomic_add_int() above, without a spinlock, we 1023 * must also use atomic_subtract_int() below. A spinlock is required 1024 * in crfree() to handle multiple callers racing the refcount to 0. 1025 */ 1026 void 1027 crfree(struct ucred *cr) 1028 { 1029 if (cr->cr_ref <= 0) 1030 panic("Freeing already free credential! %p", cr); 1031 if (atomic_fetchadd_int(&cr->cr_ref, -1) == 1) { 1032 /* 1033 * Some callers of crget(), such as nfs_statfs(), 1034 * allocate a temporary credential, but don't 1035 * allocate a uidinfo structure. 1036 */ 1037 if (cr->cr_uidinfo != NULL) { 1038 uidrop(cr->cr_uidinfo); 1039 cr->cr_uidinfo = NULL; 1040 } 1041 if (cr->cr_ruidinfo != NULL) { 1042 uidrop(cr->cr_ruidinfo); 1043 cr->cr_ruidinfo = NULL; 1044 } 1045 1046 /* 1047 * Destroy empty prisons 1048 */ 1049 if (jailed(cr)) 1050 prison_free(cr->cr_prison); 1051 cr->cr_prison = NULL; /* safety */ 1052 1053 kfree((caddr_t)cr, M_CRED); 1054 } 1055 } 1056 1057 /* 1058 * Atomize a cred structure so it can be modified without polluting 1059 * other references to it. 1060 * 1061 * MPSAFE (however, *pcr must be stable) 1062 */ 1063 struct ucred * 1064 cratom(struct ucred **pcr) 1065 { 1066 struct ucred *oldcr; 1067 struct ucred *newcr; 1068 1069 oldcr = *pcr; 1070 if (oldcr->cr_ref == 1) 1071 return (oldcr); 1072 newcr = crget(); /* this might block */ 1073 oldcr = *pcr; /* re-cache after potentially blocking */ 1074 *newcr = *oldcr; 1075 if (newcr->cr_uidinfo) 1076 uihold(newcr->cr_uidinfo); 1077 if (newcr->cr_ruidinfo) 1078 uihold(newcr->cr_ruidinfo); 1079 if (jailed(newcr)) 1080 prison_hold(newcr->cr_prison); 1081 newcr->cr_ref = 1; 1082 crfree(oldcr); 1083 *pcr = newcr; 1084 1085 return (newcr); 1086 } 1087 1088 /* 1089 * Called with a modifying token held, but must still obtain p_spin to 1090 * actually replace p_ucred to handle races against syscall entry from 1091 * other threads which cache p_ucred->td_ucred. 1092 * 1093 * (the threads will only get the spin-lock, and they only need to in 1094 * the case where td_ucred != p_ucred so this is optimal). 1095 */ 1096 struct ucred * 1097 cratom_proc(struct proc *p) 1098 { 1099 struct ucred *oldcr; 1100 struct ucred *newcr; 1101 1102 oldcr = p->p_ucred; 1103 if (oldcr->cr_ref == 1) 1104 return(oldcr); 1105 1106 newcr = crget(); /* this might block */ 1107 oldcr = p->p_ucred; /* so re-cache oldcr (do not re-test) */ 1108 *newcr = *oldcr; 1109 if (newcr->cr_uidinfo) 1110 uihold(newcr->cr_uidinfo); 1111 if (newcr->cr_ruidinfo) 1112 uihold(newcr->cr_ruidinfo); 1113 if (jailed(newcr)) 1114 prison_hold(newcr->cr_prison); 1115 newcr->cr_ref = 1; 1116 1117 spin_lock(&p->p_spin); 1118 p->p_ucred = newcr; 1119 spin_unlock(&p->p_spin); 1120 crfree(oldcr); 1121 1122 return newcr; 1123 } 1124 1125 /* 1126 * Dup cred struct to a new held one. 1127 */ 1128 struct ucred * 1129 crdup(struct ucred *cr) 1130 { 1131 struct ucred *newcr; 1132 1133 newcr = crget(); 1134 *newcr = *cr; 1135 if (newcr->cr_uidinfo) 1136 uihold(newcr->cr_uidinfo); 1137 if (newcr->cr_ruidinfo) 1138 uihold(newcr->cr_ruidinfo); 1139 if (jailed(newcr)) 1140 prison_hold(newcr->cr_prison); 1141 newcr->cr_ref = 1; 1142 return (newcr); 1143 } 1144 1145 /* 1146 * Fill in a struct xucred based on a struct ucred. 1147 */ 1148 void 1149 cru2x(struct ucred *cr, struct xucred *xcr) 1150 { 1151 1152 bzero(xcr, sizeof(*xcr)); 1153 xcr->cr_version = XUCRED_VERSION; 1154 xcr->cr_uid = cr->cr_uid; 1155 xcr->cr_ngroups = cr->cr_ngroups; 1156 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1157 } 1158 1159 /* 1160 * Get login name, if available. 1161 */ 1162 int 1163 sys_getlogin(struct getlogin_args *uap) 1164 { 1165 struct proc *p = curproc; 1166 char buf[MAXLOGNAME]; 1167 int error; 1168 1169 if (uap->namelen > MAXLOGNAME) /* namelen is unsigned */ 1170 uap->namelen = MAXLOGNAME; 1171 bzero(buf, sizeof(buf)); 1172 lwkt_gettoken_shared(&p->p_token); 1173 bcopy(p->p_pgrp->pg_session->s_login, buf, uap->namelen); 1174 lwkt_reltoken(&p->p_token); 1175 1176 error = copyout(buf, uap->namebuf, uap->namelen); 1177 return (error); 1178 } 1179 1180 /* 1181 * Set login name. 1182 */ 1183 int 1184 sys_setlogin(struct setlogin_args *uap) 1185 { 1186 struct thread *td = curthread; 1187 struct proc *p; 1188 struct ucred *cred; 1189 char buf[MAXLOGNAME]; 1190 int error; 1191 1192 cred = td->td_ucred; 1193 p = td->td_proc; 1194 1195 if ((error = priv_check_cred(cred, PRIV_PROC_SETLOGIN, 0))) 1196 return (error); 1197 bzero(buf, sizeof(buf)); 1198 error = copyinstr(uap->namebuf, buf, sizeof(buf), NULL); 1199 if (error == ENAMETOOLONG) 1200 error = EINVAL; 1201 if (error == 0) { 1202 lwkt_gettoken_shared(&p->p_token); 1203 memcpy(p->p_pgrp->pg_session->s_login, buf, sizeof(buf)); 1204 lwkt_reltoken(&p->p_token); 1205 } 1206 return (error); 1207 } 1208 1209 void 1210 setsugid(void) 1211 { 1212 struct proc *p = curproc; 1213 1214 KKASSERT(p != NULL); 1215 lwkt_gettoken(&p->p_token); 1216 p->p_flags |= P_SUGID; 1217 if (!(p->p_pfsflags & PF_ISUGID)) 1218 p->p_stops = 0; 1219 lwkt_reltoken(&p->p_token); 1220 } 1221 1222 /* 1223 * Helper function to change the effective uid of a process 1224 */ 1225 struct ucred * 1226 change_euid(uid_t euid) 1227 { 1228 struct proc *p = curproc; 1229 struct ucred *cr; 1230 1231 KKASSERT(p != NULL); 1232 lf_count_adjust(p, 0); 1233 cr = cratom_proc(p); 1234 cr->cr_uid = euid; 1235 uireplace(&cr->cr_uidinfo, uifind(euid)); 1236 lf_count_adjust(p, 1); 1237 return (cr); 1238 } 1239 1240 /* 1241 * Helper function to change the real uid of a process 1242 * 1243 * The per-uid process count for this process is transfered from 1244 * the old uid to the new uid. 1245 */ 1246 struct ucred * 1247 change_ruid(uid_t ruid) 1248 { 1249 struct proc *p = curproc; 1250 struct ucred *cr; 1251 1252 KKASSERT(p != NULL); 1253 1254 cr = cratom_proc(p); 1255 chgproccnt(cr->cr_ruidinfo, -1, 0); 1256 cr->cr_ruid = ruid; 1257 uireplace(&cr->cr_ruidinfo, uifind(ruid)); 1258 chgproccnt(cr->cr_ruidinfo, 1, 0); 1259 return (cr); 1260 } 1261