1 #include "exim.h"
2 #include <sys/types.h>
3 #include <unistd.h>
4 #include <string.h>
5
6 static enum {
7 PRIV_DROPPING, PRIV_DROPPED,
8 PRIV_RESTORING, PRIV_RESTORED
9 } priv_state = PRIV_RESTORED;
10
11
12 static uid_t priv_euid;
13 static gid_t priv_egid;
14 static gid_t priv_groups[EXIM_GROUPLIST_SIZE + 1];
15 static int priv_ngroups;
16
17 /* Inspired by OpenSSH's temporarily_use_uid(). Thanks! */
18
19 void
priv_drop_temp(const uid_t temp_uid,const gid_t temp_gid)20 priv_drop_temp(const uid_t temp_uid, const gid_t temp_gid)
21 {
22 if (priv_state != PRIV_RESTORED)
23 log_write(0, LOG_PANIC_DIE, "priv_drop_temp: unexpected priv_state %d != %d", priv_state, PRIV_RESTORED);
24
25 priv_state = PRIV_DROPPING;
26
27 priv_euid = geteuid();
28 if (priv_euid == root_uid)
29 {
30 priv_egid = getegid();
31 priv_ngroups = getgroups(nelem(priv_groups), priv_groups);
32 if (priv_ngroups < 0)
33 log_write(0, LOG_PANIC_DIE, "getgroups: %s", strerror(errno));
34
35 if (priv_ngroups > 0 && setgroups(1, &temp_gid) != 0)
36 log_write(0, LOG_PANIC_DIE, "setgroups: %s", strerror(errno));
37 if (setegid(temp_gid) != 0)
38 log_write(0, LOG_PANIC_DIE, "setegid(%d): %s", temp_gid, strerror(errno));
39 if (seteuid(temp_uid) != 0)
40 log_write(0, LOG_PANIC_DIE, "seteuid(%d): %s", temp_uid, strerror(errno));
41
42 if (geteuid() != temp_uid)
43 log_write(0, LOG_PANIC_DIE, "getdeuid() != %d", temp_uid);
44 if (getegid() != temp_gid)
45 log_write(0, LOG_PANIC_DIE, "getegid() != %d", temp_gid);
46 }
47
48 priv_state = PRIV_DROPPED;
49 }
50
51 /* Inspired by OpenSSH's restore_uid(). Thanks! */
52
53 void
priv_restore(void)54 priv_restore(void)
55 {
56 if (priv_state != PRIV_DROPPED)
57 log_write(0, LOG_PANIC_DIE, "priv_restore: unexpected priv_state %d != %d", priv_state, PRIV_DROPPED);
58 priv_state = PRIV_RESTORING;
59
60 if (priv_euid == root_uid)
61 {
62 if (seteuid(priv_euid) != 0)
63 log_write(0, LOG_PANIC_DIE, "seteuid(%d): %s", priv_euid, strerror(errno));
64 if (setegid(priv_egid) != 0)
65 log_write(0, LOG_PANIC_DIE, "setegid(%d): %s", priv_egid, strerror(errno));
66 if (priv_ngroups > 0 && setgroups(priv_ngroups, priv_groups) != 0)
67 log_write(0, LOG_PANIC_DIE, "setgroups: %s", strerror(errno));
68
69 if (geteuid() != priv_euid)
70 log_write(0, LOG_PANIC_DIE, "getdeuid() != %d", priv_euid);
71 if (getegid() != priv_egid)
72 log_write(0, LOG_PANIC_DIE, "getdegid() != %d", priv_egid);
73 }
74
75 priv_state = PRIV_RESTORED;
76 }
77