1 /* $NetBSD: pt_file.c,v 1.17 2007/07/02 18:07:45 pooka Exp $ */ 2 3 /* 4 * Copyright (c) 1992, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software donated to Berkeley by 8 * Jan-Simon Pendry. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * from: Id: pt_file.c,v 1.1 1992/05/25 21:43:09 jsp Exp 35 * @(#)pt_file.c 8.3 (Berkeley) 7/3/94 36 */ 37 38 #include <sys/cdefs.h> 39 #ifndef lint 40 __RCSID("$NetBSD: pt_file.c,v 1.17 2007/07/02 18:07:45 pooka Exp $"); 41 #endif /* not lint */ 42 43 #include <stdio.h> 44 #include <unistd.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <errno.h> 48 #include <fcntl.h> 49 #include <sys/types.h> 50 #include <sys/param.h> 51 #include <sys/syslog.h> 52 53 #include "portald.h" 54 55 #ifdef DEBUG 56 #define DEBUG_SYSLOG syslog 57 #else 58 /* 59 * The "if (0) ..." will be optimized away by the compiler if 60 * DEBUG is not defined. 61 */ 62 #define DEBUG_SYSLOG if (0) syslog 63 #endif 64 65 int 66 lose_credentials(struct portal_cred *pcr) 67 { 68 /* 69 * If we are root, then switch into the caller's credentials. 70 * By the way, we _always_ log failures, to make 71 * sure questionable activity is noticed. 72 */ 73 if (getuid() == 0) { 74 /* Set groups first ... */ 75 if (setgroups(pcr->pcr_ngroups, pcr->pcr_groups) < 0) { 76 syslog(LOG_WARNING, 77 "lose_credentials: setgroups() failed (%m)"); 78 return (errno); 79 } 80 /* ... then gid ... */ 81 if (setgid(pcr->pcr_gid) < 0) { 82 syslog(LOG_WARNING, 83 "lose_credentials: setgid(%d) failed (%m)", 84 pcr->pcr_gid); 85 } 86 /* 87 * ... and now do the setuid() where we lose all special 88 * powers (both real and effective userid). 89 */ 90 if (setuid(pcr->pcr_uid) < 0) { 91 syslog(LOG_WARNING, 92 "lose_credentials: setuid(%d) failed (%m)", 93 pcr->pcr_uid); 94 } 95 /* The credential change was successful! */ 96 DEBUG_SYSLOG(LOG_DEBUG, "Root-owned mount process lowered credentials -- returning successfully!\n"); 97 return 0; 98 } 99 DEBUG_SYSLOG(LOG_DEBUG, "Actual/effective/caller's creds are:"); 100 DEBUG_SYSLOG(LOG_DEBUG, "%d/%d %d/%d %d/%d", getuid(), 101 getgid(), geteuid(), getegid(), pcr->pcr_uid, pcr->pcr_gid); 102 /* 103 * Else, fail if the uid is neither actual or effective 104 * uid of mount process... 105 */ 106 if ((getuid() != pcr->pcr_uid) && (geteuid() != pcr->pcr_uid)) { 107 syslog(LOG_WARNING, 108 "lose_credentials: uid %d != uid %d, or euid %d != uid %d", 109 getuid(), pcr->pcr_uid, geteuid(), pcr->pcr_uid); 110 return EPERM; 111 } 112 /* 113 * ... or the gid is neither the actual or effective 114 * gid of the mount process. 115 */ 116 if ((getgid() != pcr->pcr_gid) && (getegid() != pcr->pcr_gid)) { 117 syslog(LOG_WARNING, 118 "lose_credentials: gid %d != gid %d, or egid %d != gid %d", 119 getgid(), pcr->pcr_gid, getegid(), pcr->pcr_gid); 120 return EPERM; 121 } 122 /* 123 * If we make it here, we have a uid _and_ gid match! Allow the 124 * access. 125 */ 126 DEBUG_SYSLOG(LOG_DEBUG, "Returning successfully!\n"); 127 return 0; 128 } 129 130 int 131 portal_file(struct portal_cred *pcr, char *key, char **v, int *fdp) 132 { 133 int fd; 134 char pbuf[MAXPATHLEN]; 135 int error; 136 int origuid, origgid; 137 138 origuid = getuid(); 139 origgid = getgid(); 140 pbuf[0] = '/'; 141 strlcpy(pbuf + 1, key + (v[1] ? strlen(v[1]) : 0), sizeof(pbuf) - 1); 142 DEBUG_SYSLOG(LOG_DEBUG, "path = %s, uid = %d, gid = %d", 143 pbuf, pcr->pcr_uid, pcr->pcr_gid); 144 145 if ((error = lose_credentials(pcr)) != 0) { 146 DEBUG_SYSLOG(LOG_DEBUG, "portal_file: Credential err %d", error); 147 return error; 148 } 149 error = 0; 150 /* 151 * Be careful -- only set error to errno if there is an error. 152 * errno could hold an old, uncaught value, from a routine 153 * called long before now. 154 */ 155 fd = open(pbuf, O_RDWR | O_CREAT, 0666); 156 if (fd < 0) { 157 error = errno; 158 if (error == EACCES) { 159 DEBUG_SYSLOG(LOG_DEBUG, "Error: could not open '%s' " 160 "read/write with create flag. " 161 "Trying read-only open...", pbuf); 162 /* Try opening read-only. */ 163 fd = open(pbuf, O_RDONLY, 0); 164 if (fd < 0) { 165 error = errno; 166 DEBUG_SYSLOG(LOG_DEBUG, "That failed too! %m"); 167 } else { 168 /* Clear the error indicator. */ 169 error = 0; 170 } 171 } else { 172 DEBUG_SYSLOG(LOG_DEBUG, "Error: could not open '%s': %m", pbuf); 173 } 174 175 } 176 if (seteuid((uid_t) origuid) < 0) { /* XXX - should reset gidset 177 * too */ 178 error = errno; 179 syslog(LOG_WARNING, "setcred: %m"); 180 if (fd >= 0) { 181 (void) close(fd); 182 fd = -1; 183 } 184 } 185 if (error == 0) 186 *fdp = fd; 187 188 DEBUG_SYSLOG(LOG_DEBUG, "pt_file returns *fdp = %d, error = %d", *fdp, 189 error); 190 return (error); 191 } 192