1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 39 * $FreeBSD: src/sys/kern/kern_prot.c,v 1.53.2.9 2002/03/09 05:20:26 dd Exp $ 40 */ 41 42 /* 43 * System calls related to processes and protection 44 */ 45 46 #include "opt_compat.h" 47 48 #include <sys/param.h> 49 #include <sys/acct.h> 50 #include <sys/systm.h> 51 #include <sys/sysproto.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/proc.h> 55 #include <sys/priv.h> 56 #include <sys/malloc.h> 57 #include <sys/pioctl.h> 58 #include <sys/resourcevar.h> 59 #include <sys/jail.h> 60 #include <sys/lockf.h> 61 #include <sys/spinlock.h> 62 63 #include <sys/thread2.h> 64 #include <sys/spinlock2.h> 65 66 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68 int 69 sys_getpid(struct getpid_args *uap) 70 { 71 struct proc *p = curproc; 72 73 uap->sysmsg_fds[0] = p->p_pid; 74 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 75 lwkt_gettoken(&proc_token); 76 uap->sysmsg_fds[1] = p->p_pptr->p_pid; 77 lwkt_reltoken(&proc_token); 78 #endif 79 return (0); 80 } 81 82 int 83 sys_getppid(struct getppid_args *uap) 84 { 85 struct proc *p = curproc; 86 87 lwkt_gettoken(&proc_token); 88 uap->sysmsg_result = p->p_pptr->p_pid; 89 lwkt_reltoken(&proc_token); 90 91 return (0); 92 } 93 94 /* 95 * MPSAFE 96 */ 97 int 98 sys_lwp_gettid(struct lwp_gettid_args *uap) 99 { 100 struct lwp *lp = curthread->td_lwp; 101 102 uap->sysmsg_result = lp->lwp_tid; 103 return (0); 104 } 105 106 /* 107 * Get process group ID; note that POSIX getpgrp takes no parameter 108 * 109 * MPSAFE XXX pgrp 110 */ 111 int 112 sys_getpgrp(struct getpgrp_args *uap) 113 { 114 struct proc *p = curproc; 115 116 uap->sysmsg_result = p->p_pgrp->pg_id; 117 return (0); 118 } 119 120 /* 121 * Get an arbitrary pid's process group id 122 */ 123 int 124 sys_getpgid(struct getpgid_args *uap) 125 { 126 struct proc *p = curproc; 127 struct proc *pt; 128 int error; 129 130 error = 0; 131 132 if (uap->pid == 0) { 133 pt = p; 134 PHOLD(pt); 135 } else { 136 pt = pfind(uap->pid); 137 if (pt == NULL) 138 error = ESRCH; 139 } 140 /* XXX MPSAFE on pgrp? */ 141 if (error == 0) 142 uap->sysmsg_result = pt->p_pgrp->pg_id; 143 if (pt) 144 PRELE(pt); 145 return (error); 146 } 147 148 /* 149 * Get an arbitrary pid's session id. 150 */ 151 int 152 sys_getsid(struct getsid_args *uap) 153 { 154 struct proc *p = curproc; 155 struct proc *pt; 156 int error; 157 158 error = 0; 159 160 if (uap->pid == 0) { 161 pt = p; 162 PHOLD(pt); 163 } else { 164 pt = pfind(uap->pid); 165 if (pt == NULL) 166 error = ESRCH; 167 } 168 if (error == 0) 169 uap->sysmsg_result = pt->p_session->s_sid; 170 if (pt) 171 PRELE(pt); 172 return (error); 173 } 174 175 176 /* 177 * getuid() 178 * 179 * MPSAFE 180 */ 181 int 182 sys_getuid(struct getuid_args *uap) 183 { 184 struct ucred *cred = curthread->td_ucred; 185 186 uap->sysmsg_fds[0] = cred->cr_ruid; 187 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 188 uap->sysmsg_fds[1] = cred->cr_uid; 189 #endif 190 return (0); 191 } 192 193 /* 194 * geteuid() 195 * 196 * MPSAFE 197 */ 198 int 199 sys_geteuid(struct geteuid_args *uap) 200 { 201 struct ucred *cred = curthread->td_ucred; 202 203 uap->sysmsg_result = cred->cr_uid; 204 return (0); 205 } 206 207 /* 208 * getgid() 209 * 210 * MPSAFE 211 */ 212 int 213 sys_getgid(struct getgid_args *uap) 214 { 215 struct ucred *cred = curthread->td_ucred; 216 217 uap->sysmsg_fds[0] = cred->cr_rgid; 218 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 219 uap->sysmsg_fds[1] = cred->cr_groups[0]; 220 #endif 221 return (0); 222 } 223 224 /* 225 * Get effective group ID. The "egid" is groups[0], and could be obtained 226 * via getgroups. This syscall exists because it is somewhat painful to do 227 * correctly in a library function. 228 * 229 * MPSAFE 230 */ 231 int 232 sys_getegid(struct getegid_args *uap) 233 { 234 struct ucred *cred = curthread->td_ucred; 235 236 uap->sysmsg_result = cred->cr_groups[0]; 237 return (0); 238 } 239 240 /* 241 * MPSAFE 242 */ 243 int 244 sys_getgroups(struct getgroups_args *uap) 245 { 246 struct ucred *cr; 247 u_int ngrp; 248 int error; 249 250 cr = curthread->td_ucred; 251 if ((ngrp = uap->gidsetsize) == 0) { 252 uap->sysmsg_result = cr->cr_ngroups; 253 return (0); 254 } 255 if (ngrp < cr->cr_ngroups) 256 return (EINVAL); 257 ngrp = cr->cr_ngroups; 258 error = copyout((caddr_t)cr->cr_groups, 259 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)); 260 if (error == 0) 261 uap->sysmsg_result = ngrp; 262 return (error); 263 } 264 265 int 266 sys_setsid(struct setsid_args *uap) 267 { 268 struct proc *p = curproc; 269 struct pgrp *pg = NULL; 270 int error; 271 272 lwkt_gettoken(&p->p_token); 273 if (p->p_pgid == p->p_pid || (pg = pgfind(p->p_pid)) != NULL) { 274 error = EPERM; 275 if (pg) 276 pgrel(pg); 277 } else { 278 enterpgrp(p, p->p_pid, 1); 279 uap->sysmsg_result = p->p_pid; 280 error = 0; 281 } 282 lwkt_reltoken(&p->p_token); 283 return (error); 284 } 285 286 /* 287 * set process group (setpgid/old setpgrp) 288 * 289 * caller does setpgid(targpid, targpgid) 290 * 291 * pid must be caller or child of caller (ESRCH) 292 * if a child 293 * pid must be in same session (EPERM) 294 * pid can't have done an exec (EACCES) 295 * if pgid != pid 296 * there must exist some pid in same session having pgid (EPERM) 297 * pid must not be session leader (EPERM) 298 */ 299 int 300 sys_setpgid(struct setpgid_args *uap) 301 { 302 struct proc *curp = curproc; 303 struct proc *targp; /* target process */ 304 struct pgrp *pgrp = NULL; /* target pgrp */ 305 int error; 306 307 if (uap->pgid < 0) 308 return (EINVAL); 309 310 if (uap->pid != 0 && uap->pid != curp->p_pid) { 311 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 312 if (targp) 313 PRELE(targp); 314 error = ESRCH; 315 targp = NULL; 316 goto done; 317 } 318 lwkt_gettoken(&targp->p_token); 319 /* targp now referenced and its token is held */ 320 321 if (targp->p_pgrp == NULL || 322 targp->p_session != curp->p_session) { 323 error = EPERM; 324 goto done; 325 } 326 if (targp->p_flags & P_EXEC) { 327 error = EACCES; 328 goto done; 329 } 330 } else { 331 targp = curp; 332 PHOLD(targp); 333 lwkt_gettoken(&targp->p_token); 334 } 335 if (SESS_LEADER(targp)) { 336 error = EPERM; 337 goto done; 338 } 339 if (uap->pgid == 0) { 340 uap->pgid = targp->p_pid; 341 } else if (uap->pgid != targp->p_pid) { 342 if ((pgrp = pgfind(uap->pgid)) == NULL || 343 pgrp->pg_session != curp->p_session) { 344 error = EPERM; 345 goto done; 346 } 347 } 348 error = enterpgrp(targp, uap->pgid, 0); 349 done: 350 if (pgrp) 351 pgrel(pgrp); 352 if (targp) { 353 lwkt_reltoken(&targp->p_token); 354 PRELE(targp); 355 } 356 return (error); 357 } 358 359 /* 360 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 361 * compatible. It says that setting the uid/gid to euid/egid is a special 362 * case of "appropriate privilege". Once the rules are expanded out, this 363 * basically means that setuid(nnn) sets all three id's, in all permitted 364 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 365 * does not set the saved id - this is dangerous for traditional BSD 366 * programs. For this reason, we *really* do not want to set 367 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 368 */ 369 #define POSIX_APPENDIX_B_4_2_2 370 371 int 372 sys_setuid(struct setuid_args *uap) 373 { 374 struct proc *p = curproc; 375 struct ucred *cr; 376 uid_t uid; 377 int error; 378 379 lwkt_gettoken(&proc_token); 380 cr = p->p_ucred; 381 382 /* 383 * See if we have "permission" by POSIX 1003.1 rules. 384 * 385 * Note that setuid(geteuid()) is a special case of 386 * "appropriate privileges" in appendix B.4.2.2. We need 387 * to use this clause to be compatible with traditional BSD 388 * semantics. Basically, it means that "setuid(xx)" sets all 389 * three id's (assuming you have privs). 390 * 391 * Notes on the logic. We do things in three steps. 392 * 1: We determine if the euid is going to change, and do EPERM 393 * right away. We unconditionally change the euid later if this 394 * test is satisfied, simplifying that part of the logic. 395 * 2: We determine if the real and/or saved uid's are going to 396 * change. Determined by compile options. 397 * 3: Change euid last. (after tests in #2 for "appropriate privs") 398 */ 399 uid = uap->uid; 400 if (uid != cr->cr_ruid && /* allow setuid(getuid()) */ 401 #ifdef _POSIX_SAVED_IDS 402 uid != crc->cr_svuid && /* allow setuid(saved gid) */ 403 #endif 404 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 405 uid != cr->cr_uid && /* allow setuid(geteuid()) */ 406 #endif 407 (error = priv_check_cred(cr, PRIV_CRED_SETUID, 0))) 408 goto done; 409 410 #ifdef _POSIX_SAVED_IDS 411 /* 412 * Do we have "appropriate privileges" (are we root or uid == euid) 413 * If so, we are changing the real uid and/or saved uid. 414 */ 415 if ( 416 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 417 uid == cr->cr_uid || 418 #endif 419 priv_check_cred(cr, PRIV_CRED_SETUID, 0) == 0) /* we are using privs */ 420 #endif 421 { 422 /* 423 * Set the real uid and transfer proc count to new user. 424 */ 425 if (uid != cr->cr_ruid) { 426 cr = change_ruid(uid); 427 setsugid(); 428 } 429 /* 430 * Set saved uid 431 * 432 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 433 * the security of seteuid() depends on it. B.4.2.2 says it 434 * is important that we should do this. 435 */ 436 if (cr->cr_svuid != uid) { 437 cr = cratom(&p->p_ucred); 438 cr->cr_svuid = uid; 439 setsugid(); 440 } 441 } 442 443 /* 444 * In all permitted cases, we are changing the euid. 445 * Copy credentials so other references do not see our changes. 446 */ 447 if (cr->cr_uid != uid) { 448 change_euid(uid); 449 setsugid(); 450 } 451 error = 0; 452 done: 453 lwkt_reltoken(&proc_token); 454 return (error); 455 } 456 457 int 458 sys_seteuid(struct seteuid_args *uap) 459 { 460 struct proc *p = curproc; 461 struct ucred *cr; 462 uid_t euid; 463 int error; 464 465 lwkt_gettoken(&proc_token); 466 cr = p->p_ucred; 467 euid = uap->euid; 468 if (euid != cr->cr_ruid && /* allow seteuid(getuid()) */ 469 euid != cr->cr_svuid && /* allow seteuid(saved uid) */ 470 (error = priv_check_cred(cr, PRIV_CRED_SETEUID, 0))) { 471 lwkt_reltoken(&proc_token); 472 return (error); 473 } 474 475 /* 476 * Everything's okay, do it. Copy credentials so other references do 477 * not see our changes. 478 */ 479 if (cr->cr_uid != euid) { 480 change_euid(euid); 481 setsugid(); 482 } 483 lwkt_reltoken(&proc_token); 484 return (0); 485 } 486 487 int 488 sys_setgid(struct setgid_args *uap) 489 { 490 struct proc *p = curproc; 491 struct ucred *cr; 492 gid_t gid; 493 int error; 494 495 lwkt_gettoken(&proc_token); 496 cr = p->p_ucred; 497 498 /* 499 * See if we have "permission" by POSIX 1003.1 rules. 500 * 501 * Note that setgid(getegid()) is a special case of 502 * "appropriate privileges" in appendix B.4.2.2. We need 503 * to use this clause to be compatible with traditional BSD 504 * semantics. Basically, it means that "setgid(xx)" sets all 505 * three id's (assuming you have privs). 506 * 507 * For notes on the logic here, see setuid() above. 508 */ 509 gid = uap->gid; 510 if (gid != cr->cr_rgid && /* allow setgid(getgid()) */ 511 #ifdef _POSIX_SAVED_IDS 512 gid != cr->cr_svgid && /* allow setgid(saved gid) */ 513 #endif 514 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 515 gid != cr->cr_groups[0] && /* allow setgid(getegid()) */ 516 #endif 517 (error = priv_check_cred(cr, PRIV_CRED_SETGID, 0))) { 518 goto done; 519 } 520 521 #ifdef _POSIX_SAVED_IDS 522 /* 523 * Do we have "appropriate privileges" (are we root or gid == egid) 524 * If so, we are changing the real uid and saved gid. 525 */ 526 if ( 527 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 528 gid == cr->cr_groups[0] || 529 #endif 530 priv_check_cred(cr, PRIV_CRED_SETGID, 0) == 0) /* we are using privs */ 531 #endif 532 { 533 /* 534 * Set real gid 535 */ 536 if (cr->cr_rgid != gid) { 537 cr = cratom(&p->p_ucred); 538 cr->cr_rgid = gid; 539 setsugid(); 540 } 541 /* 542 * Set saved gid 543 * 544 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 545 * the security of setegid() depends on it. B.4.2.2 says it 546 * is important that we should do this. 547 */ 548 if (cr->cr_svgid != gid) { 549 cr = cratom(&p->p_ucred); 550 cr->cr_svgid = gid; 551 setsugid(); 552 } 553 } 554 /* 555 * In all cases permitted cases, we are changing the egid. 556 * Copy credentials so other references do not see our changes. 557 */ 558 if (cr->cr_groups[0] != gid) { 559 cr = cratom(&p->p_ucred); 560 cr->cr_groups[0] = gid; 561 setsugid(); 562 } 563 error = 0; 564 done: 565 lwkt_reltoken(&proc_token); 566 return (error); 567 } 568 569 int 570 sys_setegid(struct setegid_args *uap) 571 { 572 struct proc *p = curproc; 573 struct ucred *cr; 574 gid_t egid; 575 int error; 576 577 lwkt_gettoken(&proc_token); 578 cr = p->p_ucred; 579 egid = uap->egid; 580 if (egid != cr->cr_rgid && /* allow setegid(getgid()) */ 581 egid != cr->cr_svgid && /* allow setegid(saved gid) */ 582 (error = priv_check_cred(cr, PRIV_CRED_SETEGID, 0))) { 583 goto done; 584 } 585 if (cr->cr_groups[0] != egid) { 586 cr = cratom(&p->p_ucred); 587 cr->cr_groups[0] = egid; 588 setsugid(); 589 } 590 error = 0; 591 done: 592 lwkt_reltoken(&proc_token); 593 return (error); 594 } 595 596 int 597 sys_setgroups(struct setgroups_args *uap) 598 { 599 struct proc *p = curproc; 600 struct ucred *cr; 601 u_int ngrp; 602 int error; 603 604 lwkt_gettoken(&proc_token); 605 cr = p->p_ucred; 606 607 if ((error = priv_check_cred(cr, PRIV_CRED_SETGROUPS, 0))) 608 goto done; 609 ngrp = uap->gidsetsize; 610 if (ngrp > NGROUPS) { 611 error = EINVAL; 612 goto done; 613 } 614 /* 615 * XXX A little bit lazy here. We could test if anything has 616 * changed before cratom() and setting P_SUGID. 617 */ 618 cr = cratom(&p->p_ucred); 619 if (ngrp < 1) { 620 /* 621 * setgroups(0, NULL) is a legitimate way of clearing the 622 * groups vector on non-BSD systems (which generally do not 623 * have the egid in the groups[0]). We risk security holes 624 * when running non-BSD software if we do not do the same. 625 */ 626 cr->cr_ngroups = 1; 627 } else { 628 error = copyin(uap->gidset, cr->cr_groups, 629 ngrp * sizeof(gid_t)); 630 if (error) 631 goto done; 632 cr->cr_ngroups = ngrp; 633 } 634 setsugid(); 635 error = 0; 636 done: 637 lwkt_reltoken(&proc_token); 638 return (error); 639 } 640 641 int 642 sys_setreuid(struct setreuid_args *uap) 643 { 644 struct proc *p = curproc; 645 struct ucred *cr; 646 uid_t ruid, euid; 647 int error; 648 649 lwkt_gettoken(&proc_token); 650 cr = p->p_ucred; 651 652 ruid = uap->ruid; 653 euid = uap->euid; 654 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid) || 655 (euid != (uid_t)-1 && euid != cr->cr_uid && 656 euid != cr->cr_ruid && euid != cr->cr_svuid)) && 657 (error = priv_check_cred(cr, PRIV_CRED_SETREUID, 0)) != 0) { 658 goto done; 659 } 660 661 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 662 cr = change_euid(euid); 663 setsugid(); 664 } 665 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 666 cr = change_ruid(ruid); 667 setsugid(); 668 } 669 if ((ruid != (uid_t)-1 || cr->cr_uid != cr->cr_ruid) && 670 cr->cr_svuid != cr->cr_uid) { 671 cr = cratom(&p->p_ucred); 672 cr->cr_svuid = cr->cr_uid; 673 setsugid(); 674 } 675 error = 0; 676 done: 677 lwkt_reltoken(&proc_token); 678 return (error); 679 } 680 681 int 682 sys_setregid(struct setregid_args *uap) 683 { 684 struct proc *p = curproc; 685 struct ucred *cr; 686 gid_t rgid, egid; 687 int error; 688 689 lwkt_gettoken(&proc_token); 690 cr = p->p_ucred; 691 692 rgid = uap->rgid; 693 egid = uap->egid; 694 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid) || 695 (egid != (gid_t)-1 && egid != cr->cr_groups[0] && 696 egid != cr->cr_rgid && egid != cr->cr_svgid)) && 697 (error = priv_check_cred(cr, PRIV_CRED_SETREGID, 0)) != 0) { 698 goto done; 699 } 700 701 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 702 cr = cratom(&p->p_ucred); 703 cr->cr_groups[0] = egid; 704 setsugid(); 705 } 706 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 707 cr = cratom(&p->p_ucred); 708 cr->cr_rgid = rgid; 709 setsugid(); 710 } 711 if ((rgid != (gid_t)-1 || cr->cr_groups[0] != cr->cr_rgid) && 712 cr->cr_svgid != cr->cr_groups[0]) { 713 cr = cratom(&p->p_ucred); 714 cr->cr_svgid = cr->cr_groups[0]; 715 setsugid(); 716 } 717 error = 0; 718 done: 719 lwkt_reltoken(&proc_token); 720 return (error); 721 } 722 723 /* 724 * setresuid(ruid, euid, suid) is like setreuid except control over the 725 * saved uid is explicit. 726 */ 727 int 728 sys_setresuid(struct setresuid_args *uap) 729 { 730 struct proc *p = curproc; 731 struct ucred *cr; 732 uid_t ruid, euid, suid; 733 int error; 734 735 lwkt_gettoken(&proc_token); 736 cr = p->p_ucred; 737 738 ruid = uap->ruid; 739 euid = uap->euid; 740 suid = uap->suid; 741 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid && 742 ruid != cr->cr_uid) || 743 (euid != (uid_t)-1 && euid != cr->cr_ruid && euid != cr->cr_svuid && 744 euid != cr->cr_uid) || 745 (suid != (uid_t)-1 && suid != cr->cr_ruid && suid != cr->cr_svuid && 746 suid != cr->cr_uid)) && 747 (error = priv_check_cred(cr, PRIV_CRED_SETRESUID, 0)) != 0) { 748 goto done; 749 } 750 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 751 cr = change_euid(euid); 752 setsugid(); 753 } 754 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 755 cr = change_ruid(ruid); 756 setsugid(); 757 } 758 if (suid != (uid_t)-1 && cr->cr_svuid != suid) { 759 cr = cratom(&p->p_ucred); 760 cr->cr_svuid = suid; 761 setsugid(); 762 } 763 error = 0; 764 done: 765 lwkt_reltoken(&proc_token); 766 return (error); 767 } 768 769 /* 770 * setresgid(rgid, egid, sgid) is like setregid except control over the 771 * saved gid is explicit. 772 */ 773 int 774 sys_setresgid(struct setresgid_args *uap) 775 { 776 struct proc *p = curproc; 777 struct ucred *cr; 778 gid_t rgid, egid, sgid; 779 int error; 780 781 lwkt_gettoken(&proc_token); 782 cr = p->p_ucred; 783 rgid = uap->rgid; 784 egid = uap->egid; 785 sgid = uap->sgid; 786 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid && 787 rgid != cr->cr_groups[0]) || 788 (egid != (gid_t)-1 && egid != cr->cr_rgid && egid != cr->cr_svgid && 789 egid != cr->cr_groups[0]) || 790 (sgid != (gid_t)-1 && sgid != cr->cr_rgid && sgid != cr->cr_svgid && 791 sgid != cr->cr_groups[0])) && 792 (error = priv_check_cred(cr, PRIV_CRED_SETRESGID, 0)) != 0) { 793 goto done; 794 } 795 796 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 797 cr = cratom(&p->p_ucred); 798 cr->cr_groups[0] = egid; 799 setsugid(); 800 } 801 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 802 cr = cratom(&p->p_ucred); 803 cr->cr_rgid = rgid; 804 setsugid(); 805 } 806 if (sgid != (gid_t)-1 && cr->cr_svgid != sgid) { 807 cr = cratom(&p->p_ucred); 808 cr->cr_svgid = sgid; 809 setsugid(); 810 } 811 error = 0; 812 done: 813 lwkt_reltoken(&proc_token); 814 return (error); 815 } 816 817 int 818 sys_getresuid(struct getresuid_args *uap) 819 { 820 struct proc *p = curproc; 821 struct ucred *cr; 822 int error1 = 0, error2 = 0, error3 = 0; 823 824 lwkt_gettoken(&proc_token); 825 cr = p->p_ucred; 826 if (uap->ruid) 827 error1 = copyout((caddr_t)&cr->cr_ruid, 828 (caddr_t)uap->ruid, sizeof(cr->cr_ruid)); 829 if (uap->euid) 830 error2 = copyout((caddr_t)&cr->cr_uid, 831 (caddr_t)uap->euid, sizeof(cr->cr_uid)); 832 if (uap->suid) 833 error3 = copyout((caddr_t)&cr->cr_svuid, 834 (caddr_t)uap->suid, sizeof(cr->cr_svuid)); 835 lwkt_reltoken(&proc_token); 836 return error1 ? error1 : (error2 ? error2 : error3); 837 } 838 839 /* 840 * MPSAFE 841 */ 842 int 843 sys_getresgid(struct getresgid_args *uap) 844 { 845 struct ucred *cr; 846 int error1 = 0, error2 = 0, error3 = 0; 847 848 cr = curthread->td_ucred; 849 if (uap->rgid) 850 error1 = copyout(&cr->cr_rgid, uap->rgid, 851 sizeof(cr->cr_rgid)); 852 if (uap->egid) 853 error2 = copyout(&cr->cr_groups[0], uap->egid, 854 sizeof(cr->cr_groups[0])); 855 if (uap->sgid) 856 error3 = copyout(&cr->cr_svgid, uap->sgid, 857 sizeof(cr->cr_svgid)); 858 return error1 ? error1 : (error2 ? error2 : error3); 859 } 860 861 862 /* 863 * NOTE: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 864 * we use P_SUGID because we consider changing the owners as 865 * "tainting" as well. 866 * This is significant for procs that start as root and "become" 867 * a user without an exec - programs cannot know *everything* 868 * that libc *might* have put in their data segment. 869 * 870 * MPSAFE 871 */ 872 int 873 sys_issetugid(struct issetugid_args *uap) 874 { 875 uap->sysmsg_result = (curproc->p_flags & P_SUGID) ? 1 : 0; 876 return (0); 877 } 878 879 /* 880 * Check if gid is a member of the group set. 881 */ 882 int 883 groupmember(gid_t gid, struct ucred *cred) 884 { 885 gid_t *gp; 886 gid_t *egp; 887 888 egp = &(cred->cr_groups[cred->cr_ngroups]); 889 for (gp = cred->cr_groups; gp < egp; gp++) { 890 if (*gp == gid) 891 return (1); 892 } 893 return (0); 894 } 895 896 /* 897 * Test whether the specified credentials have the privilege 898 * in question. 899 * 900 * A kernel thread without a process context is assumed to have 901 * the privilege in question. In situations where the caller always 902 * expect a cred to exist, the cred should be passed separately and 903 * priv_check_cred() should be used instead of priv_check(). 904 * 905 * Returns 0 or error. 906 * 907 * MPSAFE 908 */ 909 int 910 priv_check(struct thread *td, int priv) 911 { 912 if (td->td_lwp != NULL) 913 return priv_check_cred(td->td_ucred, priv, 0); 914 return (0); 915 } 916 917 /* 918 * Check a credential for privilege. 919 * 920 * A non-null credential is expected unless NULL_CRED_OKAY is set. 921 * 922 * MPSAFE 923 */ 924 int 925 priv_check_cred(struct ucred *cred, int priv, int flags) 926 { 927 int error; 928 929 KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege")); 930 931 KASSERT(cred != NULL || flags & NULL_CRED_OKAY, 932 ("priv_check_cred: NULL cred!")); 933 934 if (cred == NULL) { 935 if (flags & NULL_CRED_OKAY) 936 return (0); 937 else 938 return (EPERM); 939 } 940 if (cred->cr_uid != 0) 941 return (EPERM); 942 943 error = prison_priv_check(cred, priv); 944 if (error) 945 return (error); 946 947 /* NOTE: accounting for suser access (p_acflag/ASU) removed */ 948 return (0); 949 } 950 951 /* 952 * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise. 953 */ 954 int 955 p_trespass(struct ucred *cr1, struct ucred *cr2) 956 { 957 if (cr1 == cr2) 958 return (0); 959 if (!PRISON_CHECK(cr1, cr2)) 960 return (ESRCH); 961 if (cr1->cr_ruid == cr2->cr_ruid) 962 return (0); 963 if (cr1->cr_uid == cr2->cr_ruid) 964 return (0); 965 if (cr1->cr_ruid == cr2->cr_uid) 966 return (0); 967 if (cr1->cr_uid == cr2->cr_uid) 968 return (0); 969 if (priv_check_cred(cr1, PRIV_PROC_TRESPASS, 0) == 0) 970 return (0); 971 return (EPERM); 972 } 973 974 /* 975 * MPSAFE 976 */ 977 static __inline void 978 _crinit(struct ucred *cr) 979 { 980 cr->cr_ref = 1; 981 } 982 983 /* 984 * MPSAFE 985 */ 986 void 987 crinit(struct ucred *cr) 988 { 989 bzero(cr, sizeof(*cr)); 990 _crinit(cr); 991 } 992 993 /* 994 * Allocate a zeroed cred structure. 995 * 996 * MPSAFE 997 */ 998 struct ucred * 999 crget(void) 1000 { 1001 struct ucred *cr; 1002 1003 cr = kmalloc(sizeof(*cr), M_CRED, M_WAITOK|M_ZERO); 1004 _crinit(cr); 1005 return (cr); 1006 } 1007 1008 /* 1009 * Claim another reference to a ucred structure. Can be used with special 1010 * creds. 1011 * 1012 * It must be possible to call this routine with spinlocks held, meaning 1013 * that this routine itself cannot obtain a spinlock. 1014 * 1015 * MPSAFE 1016 */ 1017 struct ucred * 1018 crhold(struct ucred *cr) 1019 { 1020 if (cr != NOCRED && cr != FSCRED) 1021 atomic_add_int(&cr->cr_ref, 1); 1022 return(cr); 1023 } 1024 1025 /* 1026 * Drop a reference from the cred structure, free it if the reference count 1027 * reaches 0. 1028 * 1029 * NOTE: because we used atomic_add_int() above, without a spinlock, we 1030 * must also use atomic_subtract_int() below. A spinlock is required 1031 * in crfree() to handle multiple callers racing the refcount to 0. 1032 * 1033 * MPSAFE 1034 */ 1035 void 1036 crfree(struct ucred *cr) 1037 { 1038 if (cr->cr_ref <= 0) 1039 panic("Freeing already free credential! %p", cr); 1040 if (atomic_fetchadd_int(&cr->cr_ref, -1) == 1) { 1041 /* 1042 * Some callers of crget(), such as nfs_statfs(), 1043 * allocate a temporary credential, but don't 1044 * allocate a uidinfo structure. 1045 */ 1046 if (cr->cr_uidinfo != NULL) { 1047 uidrop(cr->cr_uidinfo); 1048 cr->cr_uidinfo = NULL; 1049 } 1050 if (cr->cr_ruidinfo != NULL) { 1051 uidrop(cr->cr_ruidinfo); 1052 cr->cr_ruidinfo = NULL; 1053 } 1054 1055 /* 1056 * Destroy empty prisons 1057 */ 1058 if (jailed(cr)) 1059 prison_free(cr->cr_prison); 1060 cr->cr_prison = NULL; /* safety */ 1061 1062 kfree((caddr_t)cr, M_CRED); 1063 } 1064 } 1065 1066 /* 1067 * Atomize a cred structure so it can be modified without polluting 1068 * other references to it. 1069 * 1070 * MPSAFE (however, *pcr must be stable) 1071 */ 1072 struct ucred * 1073 cratom(struct ucred **pcr) 1074 { 1075 struct ucred *oldcr; 1076 struct ucred *newcr; 1077 1078 oldcr = *pcr; 1079 if (oldcr->cr_ref == 1) 1080 return (oldcr); 1081 newcr = crget(); 1082 *newcr = *oldcr; 1083 if (newcr->cr_uidinfo) 1084 uihold(newcr->cr_uidinfo); 1085 if (newcr->cr_ruidinfo) 1086 uihold(newcr->cr_ruidinfo); 1087 if (jailed(newcr)) 1088 prison_hold(newcr->cr_prison); 1089 newcr->cr_ref = 1; 1090 crfree(oldcr); 1091 *pcr = newcr; 1092 return (newcr); 1093 } 1094 1095 #if 0 /* no longer used but keep around for a little while */ 1096 /* 1097 * Copy cred structure to a new one and free the old one. 1098 * 1099 * MPSAFE (*cr must be stable) 1100 */ 1101 struct ucred * 1102 crcopy(struct ucred *cr) 1103 { 1104 struct ucred *newcr; 1105 1106 if (cr->cr_ref == 1) 1107 return (cr); 1108 newcr = crget(); 1109 *newcr = *cr; 1110 if (newcr->cr_uidinfo) 1111 uihold(newcr->cr_uidinfo); 1112 if (newcr->cr_ruidinfo) 1113 uihold(newcr->cr_ruidinfo); 1114 if (jailed(newcr)) 1115 prison_hold(newcr->cr_prison); 1116 newcr->cr_ref = 1; 1117 crfree(cr); 1118 return (newcr); 1119 } 1120 #endif 1121 1122 /* 1123 * Dup cred struct to a new held one. 1124 */ 1125 struct ucred * 1126 crdup(struct ucred *cr) 1127 { 1128 struct ucred *newcr; 1129 1130 newcr = crget(); 1131 *newcr = *cr; 1132 if (newcr->cr_uidinfo) 1133 uihold(newcr->cr_uidinfo); 1134 if (newcr->cr_ruidinfo) 1135 uihold(newcr->cr_ruidinfo); 1136 if (jailed(newcr)) 1137 prison_hold(newcr->cr_prison); 1138 newcr->cr_ref = 1; 1139 return (newcr); 1140 } 1141 1142 /* 1143 * Fill in a struct xucred based on a struct ucred. 1144 */ 1145 void 1146 cru2x(struct ucred *cr, struct xucred *xcr) 1147 { 1148 1149 bzero(xcr, sizeof(*xcr)); 1150 xcr->cr_version = XUCRED_VERSION; 1151 xcr->cr_uid = cr->cr_uid; 1152 xcr->cr_ngroups = cr->cr_ngroups; 1153 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1154 } 1155 1156 /* 1157 * Get login name, if available. 1158 */ 1159 int 1160 sys_getlogin(struct getlogin_args *uap) 1161 { 1162 struct proc *p = curproc; 1163 char buf[MAXLOGNAME]; 1164 int error; 1165 1166 if (uap->namelen > MAXLOGNAME) /* namelen is unsigned */ 1167 uap->namelen = MAXLOGNAME; 1168 bzero(buf, sizeof(buf)); 1169 lwkt_gettoken(&proc_token); 1170 bcopy(p->p_pgrp->pg_session->s_login, buf, uap->namelen); 1171 lwkt_reltoken(&proc_token); 1172 1173 error = copyout(buf, uap->namebuf, uap->namelen); 1174 return (error); 1175 } 1176 1177 /* 1178 * Set login name. 1179 */ 1180 int 1181 sys_setlogin(struct setlogin_args *uap) 1182 { 1183 struct thread *td = curthread; 1184 struct proc *p; 1185 struct ucred *cred; 1186 char buf[MAXLOGNAME]; 1187 int error; 1188 1189 cred = td->td_ucred; 1190 p = td->td_proc; 1191 1192 if ((error = priv_check_cred(cred, PRIV_PROC_SETLOGIN, 0))) 1193 return (error); 1194 bzero(buf, sizeof(buf)); 1195 error = copyinstr(uap->namebuf, buf, sizeof(buf), NULL); 1196 if (error == ENAMETOOLONG) 1197 error = EINVAL; 1198 if (error == 0) { 1199 lwkt_gettoken(&proc_token); 1200 memcpy(p->p_pgrp->pg_session->s_login, buf, sizeof(buf)); 1201 lwkt_reltoken(&proc_token); 1202 } 1203 return (error); 1204 } 1205 1206 void 1207 setsugid(void) 1208 { 1209 struct proc *p = curproc; 1210 1211 KKASSERT(p != NULL); 1212 lwkt_gettoken(&p->p_token); 1213 p->p_flags |= P_SUGID; 1214 if (!(p->p_pfsflags & PF_ISUGID)) 1215 p->p_stops = 0; 1216 lwkt_reltoken(&p->p_token); 1217 } 1218 1219 /* 1220 * Helper function to change the effective uid of a process 1221 */ 1222 struct ucred * 1223 change_euid(uid_t euid) 1224 { 1225 struct proc *p = curproc; 1226 struct ucred *cr; 1227 1228 KKASSERT(p != NULL); 1229 lf_count_adjust(p, 0); 1230 cr = cratom(&p->p_ucred); 1231 cr->cr_uid = euid; 1232 uireplace(&cr->cr_uidinfo, uifind(euid)); 1233 lf_count_adjust(p, 1); 1234 return (cr); 1235 } 1236 1237 /* 1238 * Helper function to change the real uid of a process 1239 * 1240 * The per-uid process count for this process is transfered from 1241 * the old uid to the new uid. 1242 */ 1243 struct ucred * 1244 change_ruid(uid_t ruid) 1245 { 1246 struct proc *p = curproc; 1247 struct ucred *cr; 1248 1249 KKASSERT(p != NULL); 1250 1251 cr = cratom(&p->p_ucred); 1252 chgproccnt(cr->cr_ruidinfo, -1, 0); 1253 cr->cr_ruid = ruid; 1254 uireplace(&cr->cr_ruidinfo, uifind(ruid)); 1255 chgproccnt(cr->cr_ruidinfo, 1, 0); 1256 return (cr); 1257 } 1258