]> git.proxmox.com Git - mirror_frr.git/blame - lib/privs.c
projects / mirror_frr.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #5104 from opensourcerouting/route-map-nbv2
[mirror_frr.git] / lib / privs.c
CommitLineData
d62a17ae 1/*
01245821 2 * Zebra privileges.
3 *
4 * Copyright (C) 2003 Paul Jakma.
01070b9e 5 * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
01245821 6 *
7 * This file is part of GNU Zebra.
8 *
9 * GNU Zebra is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2, or (at your option) any
12 * later version.
13 *
14 * GNU Zebra is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
18 *
896014f4
DL		 19 * You should have received a copy of the GNU General Public License along
20 * with this program; see the file COPYING; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
01245821 22 */
01245821 23#include <zebra.h>
24#include "log.h"
25#include "privs.h"
26#include "memory.h"
00dffa8c 27#include "frr_pthread.h"
ff245f0e 28#include "lib_errors.h"
8875d051 29#include "lib/queue.h"
01245821 30
8875d051
MS		 31DEFINE_MTYPE_STATIC(LIB, PRIVS, "Privilege information")
32
33/*
34 * Different capabilities/privileges apis have different characteristics: some
35 * are process-wide, and some are per-thread.
36 */
ceacedba 37#ifdef HAVE_CAPABILITIES
8875d051
MS		 38#ifdef HAVE_LCAPS
39static const bool privs_per_process; /* = false */
40#elif defined(HAVE_SOLARIS_CAPABILITIES)
41static const bool privs_per_process = true;
42#endif
43#else
44static const bool privs_per_process = true;
45#endif /* HAVE_CAPABILITIES */
4a1ab8e4 46
8875d051 47#ifdef HAVE_CAPABILITIES
4a1ab8e4 48
ceacedba 49/* sort out some generic internal types for:
50 *
51 * privilege values (cap_value_t, priv_t) -> pvalue_t
52 * privilege set (..., priv_set_t) -> pset_t
53 * privilege working storage (cap_t, ...) -> pstorage_t
54 *
55 * values we think of as numeric (they're ints really, but we dont know)
56 * sets are mostly opaque, to hold a set of privileges, related in some way.
57 * storage binds together a set of sets we're interested in.
58 * (in reality: cap_value_t and priv_t are ints)
d62a17ae 59 */
ceacedba 60#ifdef HAVE_LCAPS
61/* Linux doesn't have a 'set' type: a set of related privileges */
62struct _pset {
d62a17ae 63 int num;
64 cap_value_t *caps;
ceacedba 65};
66typedef cap_value_t pvalue_t;
67typedef struct _pset pset_t;
68typedef cap_t pstorage_t;
6b0655a2 69
d62a17ae 70#elif defined(HAVE_SOLARIS_CAPABILITIES)
ceacedba 71typedef priv_t pvalue_t;
72typedef priv_set_t pset_t;
73typedef priv_set_t *pstorage_t;
74#else /* neither LCAPS nor SOLARIS_CAPABILITIES */
75#error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!"
76#endif /* HAVE_LCAPS */
77#endif /* HAVE_CAPABILITIES */
6b0655a2 78
ceacedba 79/* the default NULL state we report is RAISED, but could be LOWERED if
80 * zprivs_terminate is called and the NULL handler is installed.
81 */
82static zebra_privs_current_t zprivs_null_state = ZPRIVS_RAISED;
83
01245821 84/* internal privileges state */
d62a17ae 85static struct _zprivs_t {
ceacedba 86#ifdef HAVE_CAPABILITIES
d62a17ae 87 pstorage_t caps; /* working storage */
88 pset_t *syscaps_p; /* system-type requested permitted caps */
89 pset_t *syscaps_i; /* system-type requested inheritable caps */
90#endif /* HAVE_CAPABILITIES */
91 uid_t zuid, /* uid to run as */
92 zsuid; /* saved uid */
93 gid_t zgid; /* gid to run as */
94 gid_t vtygrp; /* gid for vty sockets */
01245821 95} zprivs_state;
96
97/* externally exported but not directly accessed functions */
ceacedba 98#ifdef HAVE_CAPABILITIES
d62a17ae 99int zprivs_change_caps(zebra_privs_ops_t);
100zebra_privs_current_t zprivs_state_caps(void);
ceacedba 101#endif /* HAVE_CAPABILITIES */
d62a17ae 102int zprivs_change_uid(zebra_privs_ops_t);
103zebra_privs_current_t zprivs_state_uid(void);
104int zprivs_change_null(zebra_privs_ops_t);
105zebra_privs_current_t zprivs_state_null(void);
01245821 106
ceacedba 107#ifdef HAVE_CAPABILITIES
108/* internal capability API */
d62a17ae 109static pset_t *zcaps2sys(zebra_capabilities_t *, int);
110static void zprivs_caps_init(struct zebra_privs_t *);
111static void zprivs_caps_terminate(void);
ceacedba 112
113/* Map of Quagga abstract capabilities to system capabilities */
d62a17ae 114static struct {
115 int num;
116 pvalue_t *system_caps;
117} cap_map[ZCAP_MAX] = {
ceacedba 118#ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
9d303b37
DL		 119 [ZCAP_SETID] =
120 {
121 2, (pvalue_t[]){CAP_SETGID, CAP_SETUID},
122 },
123 [ZCAP_BIND] =
124 {
125 1, (pvalue_t[]){CAP_NET_BIND_SERVICE},
126 },
127 [ZCAP_NET_ADMIN] =
128 {
129 1, (pvalue_t[]){CAP_NET_ADMIN},
130 },
131 [ZCAP_NET_RAW] =
132 {
133 1, (pvalue_t[]){CAP_NET_RAW},
134 },
135 [ZCAP_CHROOT] =
136 {
137 1,
138 (pvalue_t[]){
139 CAP_SYS_CHROOT,
140 },
141 },
142 [ZCAP_NICE] =
143 {
144 1, (pvalue_t[]){CAP_SYS_NICE},
145 },
146 [ZCAP_PTRACE] =
147 {
148 1, (pvalue_t[]){CAP_SYS_PTRACE},
149 },
150 [ZCAP_DAC_OVERRIDE] =
151 {
152 1, (pvalue_t[]){CAP_DAC_OVERRIDE},
153 },
154 [ZCAP_READ_SEARCH] =
155 {
156 1, (pvalue_t[]){CAP_DAC_READ_SEARCH},
157 },
158 [ZCAP_SYS_ADMIN] =
159 {
160 1, (pvalue_t[]){CAP_SYS_ADMIN},
161 },
162 [ZCAP_FOWNER] =
163 {
164 1, (pvalue_t[]){CAP_FOWNER},
d62a17ae 165 },
ceacedba 166#elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */
9d303b37
DL		 167 /* Quagga -> Solaris privilege mappings */
168 [ZCAP_SETID] =
169 {
170 1, (pvalue_t[]){PRIV_PROC_SETID},
171 },
172 [ZCAP_BIND] =
173 {
174 1, (pvalue_t[]){PRIV_NET_PRIVADDR},
175 },
d62a17ae 176/* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */
6b148faa 177#ifdef PRIV_SYS_IP_CONFIG
9d303b37
DL		 178 [ZCAP_NET_ADMIN] =
179 {
180 1, (pvalue_t[]){PRIV_SYS_IP_CONFIG},
181 },
6b148faa 182#else
9d303b37
DL		 183 [ZCAP_NET_ADMIN] =
184 {
185 1, (pvalue_t[]){PRIV_SYS_NET_CONFIG},
186 },
6b148faa 187#endif
9d303b37
DL		 188 [ZCAP_NET_RAW] =
189 {
190 2, (pvalue_t[]){PRIV_NET_RAWACCESS,
191 PRIV_NET_ICMPACCESS},
192 },
193 [ZCAP_CHROOT] =
194 {
195 1, (pvalue_t[]){PRIV_PROC_CHROOT},
196 },
197 [ZCAP_NICE] =
198 {
199 1, (pvalue_t[]){PRIV_PROC_PRIOCNTL},
200 },
201 [ZCAP_PTRACE] =
202 {
203 1, (pvalue_t[]){PRIV_PROC_SESSION},
204 },
205 [ZCAP_DAC_OVERRIDE] =
206 {
207 5, (pvalue_t[]){PRIV_FILE_DAC_EXECUTE,
208 PRIV_FILE_DAC_READ,
209 PRIV_FILE_DAC_SEARCH,
210 PRIV_FILE_DAC_WRITE,
211 PRIV_FILE_DAC_SEARCH},
212 },
213 [ZCAP_READ_SEARCH] =
214 {
215 2, (pvalue_t[]){PRIV_FILE_DAC_SEARCH,
216 PRIV_FILE_DAC_READ},
217 },
218 [ZCAP_SYS_ADMIN] =
219 {
220 1, (pvalue_t[]){PRIV_SYS_ADMIN},
221 },
222 [ZCAP_FOWNER] =
223 {
224 1, (pvalue_t[]){PRIV_FILE_OWNER},
225 },
ceacedba 226#endif /* HAVE_SOLARIS_CAPABILITIES */
01245821 227};
6b0655a2 228
ceacedba 229#ifdef HAVE_LCAPS
230/* Linux forms of capabilities methods */
01245821 231/* convert zebras privileges to system capabilities */
d62a17ae 232static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num)
01245821 233{
d62a17ae 234 pset_t *syscaps;
235 int i, j = 0, count = 0;
236
237 if (!num)
238 return NULL;
239
240 /* first count up how many system caps we have */
241 for (i = 0; i < num; i++)
242 count += cap_map[zcaps[i]].num;
243
244 if ((syscaps = XCALLOC(MTYPE_PRIVS, (sizeof(pset_t) * num))) == NULL) {
245 fprintf(stderr, "%s: could not allocate syscaps!", __func__);
246 return NULL;
247 }
248
249 syscaps->caps = XCALLOC(MTYPE_PRIVS, (sizeof(pvalue_t) * count));
250
251 if (!syscaps->caps) {
252 fprintf(stderr, "%s: could not XCALLOC caps!", __func__);
253 return NULL;
254 }
255
256 /* copy the capabilities over */
257 count = 0;
258 for (i = 0; i < num; i++)
259 for (j = 0; j < cap_map[zcaps[i]].num; j++)
260 syscaps->caps[count++] =
261 cap_map[zcaps[i]].system_caps[j];
262
263 /* iterations above should be exact same as previous count, obviously..
264 */
265 syscaps->num = count;
266
267 return syscaps;
01245821 268}
269
270/* set or clear the effective capabilities to/from permitted */
d62a17ae 271int zprivs_change_caps(zebra_privs_ops_t op)
01245821 272{
d62a17ae 273 cap_flag_value_t cflag;
274
275 /* should be no possibility of being called without valid caps */
276 assert(zprivs_state.syscaps_p && zprivs_state.caps);
277 if (!(zprivs_state.syscaps_p && zprivs_state.caps))
278 exit(1);
279
280 if (op == ZPRIVS_RAISE)
281 cflag = CAP_SET;
282 else if (op == ZPRIVS_LOWER)
283 cflag = CAP_CLEAR;
284 else
285 return -1;
286
287 if (!cap_set_flag(zprivs_state.caps, CAP_EFFECTIVE,
288 zprivs_state.syscaps_p->num,
289 zprivs_state.syscaps_p->caps, cflag))
290 return cap_set_proc(zprivs_state.caps);
291 return -1;
01245821 292}
293
d62a17ae 294zebra_privs_current_t zprivs_state_caps(void)
01245821 295{
d62a17ae 296 int i;
297 cap_flag_value_t val;
298
299 /* should be no possibility of being called without valid caps */
300 assert(zprivs_state.syscaps_p && zprivs_state.caps);
301 if (!(zprivs_state.syscaps_p && zprivs_state.caps))
302 exit(1);
303
304 for (i = 0; i < zprivs_state.syscaps_p->num; i++) {
305 if (cap_get_flag(zprivs_state.caps,
306 zprivs_state.syscaps_p->caps[i], CAP_EFFECTIVE,
307 &val)) {
ff245f0e 308 flog_err(
450971aa 309 EC_LIB_SYSTEM_CALL,
d62a17ae 310 "zprivs_state_caps: could not cap_get_flag, %s",
311 safe_strerror(errno));
312 return ZPRIVS_UNKNOWN;
313 }
314 if (val == CAP_SET)
315 return ZPRIVS_RAISED;
316 }
317 return ZPRIVS_LOWERED;
01245821 318}
319
d62a17ae 320static void zprivs_caps_init(struct zebra_privs_t *zprivs)
ceacedba 321{
d62a17ae 322 zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p);
323 zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i);
324
325 /* Tell kernel we want caps maintained across uid changes */
326 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
327 fprintf(stderr,
328 "privs_init: could not set PR_SET_KEEPCAPS, %s\n",
329 safe_strerror(errno));
330 exit(1);
331 }
332
333 /* we have caps, we have no need to ever change back the original user
334 */
335 /* only change uid if we don't have the correct one */
336 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
337 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
338 fprintf(stderr,
339 "zprivs_init (cap): could not setreuid, %s\n",
340 safe_strerror(errno));
341 exit(1);
342 }
343 }
344
345 if (!zprivs_state.syscaps_p)
346 return;
347
348 if (!(zprivs_state.caps = cap_init())) {
349 fprintf(stderr, "privs_init: failed to cap_init, %s\n",
350 safe_strerror(errno));
351 exit(1);
352 }
353
354 if (cap_clear(zprivs_state.caps)) {
355 fprintf(stderr, "privs_init: failed to cap_clear, %s\n",
356 safe_strerror(errno));
357 exit(1);
358 }
359
360 /* set permitted caps */
361 cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
362 zprivs_state.syscaps_p->num, zprivs_state.syscaps_p->caps,
363 CAP_SET);
364
365 /* set inheritable caps, if any */
366 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
367 cap_set_flag(zprivs_state.caps, CAP_INHERITABLE,
368 zprivs_state.syscaps_i->num,
369 zprivs_state.syscaps_i->caps, CAP_SET);
370 }
371
372 /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as
373 * and when, and only when, they are needed.
374 */
375 if (cap_set_proc(zprivs_state.caps)) {
376 cap_t current_caps;
377 char *current_caps_text = NULL;
378 char *wanted_caps_text = NULL;
379
380 fprintf(stderr, "privs_init: initial cap_set_proc failed: %s\n",
381 safe_strerror(errno));
382
383 current_caps = cap_get_proc();
384 if (current_caps) {
385 current_caps_text = cap_to_text(current_caps, NULL);
386 cap_free(current_caps);
387 }
388
389 wanted_caps_text = cap_to_text(zprivs_state.caps, NULL);
390 fprintf(stderr, "Wanted caps: %s\n",
391 wanted_caps_text ? wanted_caps_text : "???");
392 fprintf(stderr, "Have caps: %s\n",
393 current_caps_text ? current_caps_text : "???");
394 if (current_caps_text)
395 cap_free(current_caps_text);
396 if (wanted_caps_text)
397 cap_free(wanted_caps_text);
398
399 exit(1);
400 }
401
402 /* set methods for the caller to use */
403 zprivs->change = zprivs_change_caps;
404 zprivs->current_state = zprivs_state_caps;
ceacedba 405}
406
d62a17ae 407static void zprivs_caps_terminate(void)
ceacedba 408{
d62a17ae 409 /* clear all capabilities */
410 if (zprivs_state.caps)
411 cap_clear(zprivs_state.caps);
412
413 /* and boom, capabilities are gone forever */
414 if (cap_set_proc(zprivs_state.caps)) {
415 fprintf(stderr, "privs_terminate: cap_set_proc failed, %s",
416 safe_strerror(errno));
417 exit(1);
418 }
419
420 /* free up private state */
421 if (zprivs_state.syscaps_p->num) {
422 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p->caps);
423 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p);
424 }
425
426 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
427 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i->caps);
428 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i);
429 }
430
431 cap_free(zprivs_state.caps);
ceacedba 432}
d62a17ae 433#elif defined(HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */
6b0655a2 434
d62a17ae 435/* Solaris specific capability/privilege methods
ceacedba 436 *
437 * Resources:
438 * - the 'privileges' man page
439 * - http://cvs.opensolaris.org
d62a17ae 440 * -
441 * http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
ceacedba 442 */
443
d62a17ae 444static pset_t *zprivs_caps_minimal()
01070b9e 445{
d62a17ae 446 pset_t *minimal;
01070b9e 447
d62a17ae 448 if ((minimal = priv_str_to_set("basic", ",", NULL)) == NULL) {
449 fprintf(stderr, "%s: couldn't get basic set!\n", __func__);
450 exit(1);
451 }
01070b9e 452
d62a17ae 453 /* create a minimal privilege set from the basic set */
454 (void)priv_delset(minimal, PRIV_PROC_EXEC);
455 (void)priv_delset(minimal, PRIV_PROC_INFO);
456 (void)priv_delset(minimal, PRIV_PROC_SESSION);
457 (void)priv_delset(minimal, PRIV_FILE_LINK_ANY);
01070b9e 458
d62a17ae 459 return minimal;
01070b9e
BB		 460}
461
ceacedba 462/* convert zebras privileges to system capabilities */
d62a17ae 463static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num)
ceacedba 464{
d62a17ae 465 pset_t *syscaps;
466 int i, j = 0;
467
468 if ((syscaps = priv_allocset()) == NULL) {
469 fprintf(stderr, "%s: could not allocate syscaps!\n", __func__);
470 exit(1);
471 }
472
473 priv_emptyset(syscaps);
474
475 for (i = 0; i < num; i++)
476 for (j = 0; j < cap_map[zcaps[i]].num; j++)
477 priv_addset(syscaps, cap_map[zcaps[i]].system_caps[j]);
478
479 return syscaps;
ceacedba 480}
481
482/* callback exported to users to RAISE and LOWER effective privileges
483 * from nothing to the given permitted set and back down
484 */
d62a17ae 485int zprivs_change_caps(zebra_privs_ops_t op)
ceacedba 486{
d62a17ae 487 pset_t *privset;
488
489 /* should be no possibility of being called without valid caps */
490 assert(zprivs_state.syscaps_p);
491 if (!zprivs_state.syscaps_p) {
492 fprintf(stderr, "%s: Eek, missing privileged caps!", __func__);
493 exit(1);
494 }
495
496 assert(zprivs_state.caps);
497 if (!zprivs_state.caps) {
498 fprintf(stderr, "%s: Eek, missing caps!", __func__);
499 exit(1);
500 }
501
502 /* to raise: copy original permitted as our working effective set
503 * to lower: copy regular effective set stored in zprivs_state.caps
504 */
505 if (op == ZPRIVS_RAISE)
506 privset = zprivs_state.syscaps_p;
507 else if (op == ZPRIVS_LOWER)
508 privset = zprivs_state.caps;
509 else
510 return -1;
511
512 if (setppriv(PRIV_SET, PRIV_EFFECTIVE, privset) != 0)
513 return -1;
514
515 return 0;
ceacedba 516}
517
518/* Retrieve current privilege state, is it RAISED or LOWERED? */
d62a17ae 519zebra_privs_current_t zprivs_state_caps(void)
ceacedba 520{
d62a17ae 521 zebra_privs_current_t result;
522 pset_t *effective;
523
524 if ((effective = priv_allocset()) == NULL) {
525 fprintf(stderr, "%s: failed to get priv_allocset! %s\n",
526 __func__, safe_strerror(errno));
527 return ZPRIVS_UNKNOWN;
528 }
529
530 if (getppriv(PRIV_EFFECTIVE, effective)) {
531 fprintf(stderr, "%s: failed to get state! %s\n", __func__,
532 safe_strerror(errno));
533 result = ZPRIVS_UNKNOWN;
534 } else {
535 if (priv_isequalset(effective, zprivs_state.syscaps_p))
536 result = ZPRIVS_RAISED;
537 else if (priv_isequalset(effective, zprivs_state.caps))
538 result = ZPRIVS_LOWERED;
539 else
540 result = ZPRIVS_UNKNOWN;
541 }
542
543 priv_freeset(effective);
544 return result;
ceacedba 545}
546
d62a17ae 547static void zprivs_caps_init(struct zebra_privs_t *zprivs)
ceacedba 548{
d62a17ae 549 pset_t *basic;
550 pset_t *minimal;
551
552 /* the specified sets */
553 zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p);
554 zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i);
555
556 /* nonsensical to have gotten here but not have capabilities */
557 if (!zprivs_state.syscaps_p) {
558 fprintf(stderr,
559 "%s: capabilities enabled, "
560 "but no valid capabilities supplied\n",
561 __func__);
562 }
563
564 /* We retain the basic set in our permitted set, as Linux has no
565 * equivalent. The basic set on Linux hence is implicit, always
566 * there.
567 */
568 if ((basic = priv_str_to_set("basic", ",", NULL)) == NULL) {
569 fprintf(stderr, "%s: couldn't get basic set!\n", __func__);
570 exit(1);
571 }
572
573 /* Add the basic set to the permitted set */
574 priv_union(basic, zprivs_state.syscaps_p);
575 priv_freeset(basic);
576
577 /* Hey kernel, we know about privileges!
578 * this isn't strictly required, use of setppriv should have same effect
579 */
580 if (setpflags(PRIV_AWARE, 1)) {
581 fprintf(stderr, "%s: error setting PRIV_AWARE!, %s\n", __func__,
582 safe_strerror(errno));
583 exit(1);
584 }
585
586 /* need either valid or empty sets for both p and i.. */
587 assert(zprivs_state.syscaps_i && zprivs_state.syscaps_p);
588
589 /* we have caps, we have no need to ever change back the original user
590 * change real, effective and saved to the specified user.
591 */
592 /* only change uid if we don't have the correct one */
593 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
594 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
595 fprintf(stderr, "%s: could not setreuid, %s\n",
596 __func__, safe_strerror(errno));
597 exit(1);
598 }
599 }
600
601 /* set the permitted set */
602 if (setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.syscaps_p)) {
603 fprintf(stderr, "%s: error setting permitted set!, %s\n",
604 __func__, safe_strerror(errno));
605 exit(1);
606 }
607
608 /* set the inheritable set */
609 if (setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.syscaps_i)) {
610 fprintf(stderr, "%s: error setting inheritable set!, %s\n",
611 __func__, safe_strerror(errno));
612 exit(1);
613 }
614
615 /* we need a minimal basic set for 'effective', potentially for
616 * inheritable too */
617 minimal = zprivs_caps_minimal();
618
619 /* now set the effective set with a subset of basic privileges */
620 if (setppriv(PRIV_SET, PRIV_EFFECTIVE, minimal)) {
621 fprintf(stderr, "%s: error setting effective set!, %s\n",
622 __func__, safe_strerror(errno));
623 exit(1);
624 }
625
626 /* we'll use the minimal set as our working-storage privset */
627 zprivs_state.caps = minimal;
628
629 /* set methods for the caller to use */
630 zprivs->change = zprivs_change_caps;
631 zprivs->current_state = zprivs_state_caps;
ceacedba 632}
633
d62a17ae 634static void zprivs_caps_terminate(void)
ceacedba 635{
d62a17ae 636 assert(zprivs_state.caps);
637
638 /* clear all capabilities by using working-storage privset */
639 setppriv(PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps);
640 setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.caps);
641 setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps);
642
643 /* free up private state */
644 if (zprivs_state.syscaps_p)
645 priv_freeset(zprivs_state.syscaps_p);
646 if (zprivs_state.syscaps_i)
647 priv_freeset(zprivs_state.syscaps_i);
648
649 priv_freeset(zprivs_state.caps);
ceacedba 650}
651#else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */
652#error "Neither Solaris nor Linux capabilities, dazed and confused..."
653#endif /* HAVE_LCAPS */
654#endif /* HAVE_CAPABILITIES */
6b0655a2 655
d62a17ae 656int zprivs_change_uid(zebra_privs_ops_t op)
01245821 657{
d62a17ae 658 if (zprivs_state.zsuid == zprivs_state.zuid)
659 return 0;
660 if (op == ZPRIVS_RAISE)
661 return seteuid(zprivs_state.zsuid);
662 else if (op == ZPRIVS_LOWER)
663 return seteuid(zprivs_state.zuid);
664 else
665 return -1;
01245821 666}
667
d62a17ae 668zebra_privs_current_t zprivs_state_uid(void)
01245821 669{
d62a17ae 670 return ((zprivs_state.zuid == geteuid()) ? ZPRIVS_LOWERED
671 : ZPRIVS_RAISED);
01245821 672}
673
d62a17ae 674int zprivs_change_null(zebra_privs_ops_t op)
01245821 675{
d62a17ae 676 return 0;
01245821 677}
678
d62a17ae 679zebra_privs_current_t zprivs_state_null(void)
01245821 680{
d62a17ae 681 return zprivs_null_state;
01245821 682}
683
4a9ea50e
DL		 684#ifndef HAVE_GETGROUPLIST
685/* Solaris 11 has no getgrouplist() */
d62a17ae 686static int getgrouplist(const char *user, gid_t group, gid_t *groups,
687 int *ngroups)
4a9ea50e 688{
d62a17ae 689 struct group *grp;
690 size_t usridx;
691 int pos = 0, ret;
692
693 if (pos < *ngroups)
694 groups[pos] = group;
695 pos++;
696
697 setgrent();
698 while ((grp = getgrent())) {
699 if (grp->gr_gid == group)
700 continue;
701 for (usridx = 0; grp->gr_mem[usridx] != NULL; usridx++)
702 if (!strcmp(grp->gr_mem[usridx], user)) {
703 if (pos < *ngroups)
704 groups[pos] = grp->gr_gid;
705 pos++;
706 break;
707 }
708 }
709 endgrent();
710
711 ret = (pos <= *ngroups) ? pos : -1;
712 *ngroups = pos;
713 return ret;
4a9ea50e
DL		 714}
715#endif /* HAVE_GETGROUPLIST */
716
8875d051
MS		 717/*
718 * Helper function that locates a refcounting object to use: a process-wide
719 * object or a per-pthread object.
720 */
721static struct zebra_privs_refs_t *get_privs_refs(struct zebra_privs_t *privs)
722{
723 struct zebra_privs_refs_t *temp, *refs = NULL;
724 pthread_t tid;
725
726 if (privs_per_process)
727 refs = &(privs->process_refs);
728 else {
729 /* Locate - or create - the object for the current pthread. */
730 tid = pthread_self();
731
732 STAILQ_FOREACH(temp, &(privs->thread_refs), entry) {
733 if (pthread_equal(temp->tid, tid)) {
734 refs = temp;
735 break;
736 }
737 }
738
739 /* Need to create a new refcounting object. */
740 if (refs == NULL) {
741 refs = XCALLOC(MTYPE_PRIVS,
742 sizeof(struct zebra_privs_refs_t));
743 refs->tid = tid;
744 STAILQ_INSERT_TAIL(&(privs->thread_refs), refs, entry);
745 }
746 }
747
748 return refs;
749}
750
6017c3a2
DL		 751struct zebra_privs_t *_zprivs_raise(struct zebra_privs_t *privs,
752 const char *funcname)
753{
754 int save_errno = errno;
8875d051 755 struct zebra_privs_refs_t *refs;
6017c3a2
DL		 756
757 if (!privs)
758 return NULL;
759
8875d051
MS		 760 /*
761 * Serialize 'raise' operations; particularly important for
762 * OSes where privs are process-wide.
763 */
00dffa8c 764 frr_with_mutex(&(privs->mutex)) {
8875d051
MS		 765 /* Locate ref-counting object to use */
766 refs = get_privs_refs(privs);
767
768 if (++(refs->refcount) == 1) {
064e2f32
MS		 769 errno = 0;
770 if (privs->change(ZPRIVS_RAISE)) {
771 zlog_err("%s: Failed to raise privileges (%s)",
772 funcname, safe_strerror(errno));
773 }
774 errno = save_errno;
8875d051 775 refs->raised_in_funcname = funcname;
064e2f32 776 }
c5c44d4b 777 }
c5c44d4b 778
6017c3a2
DL		 779 return privs;
780}
781
782void _zprivs_lower(struct zebra_privs_t **privs)
783{
784 int save_errno = errno;
8875d051 785 struct zebra_privs_refs_t *refs;
6017c3a2
DL		 786
787 if (!*privs)
788 return;
789
8875d051
MS		 790 /* Serialize 'lower privs' operation - particularly important
791 * when OS privs are process-wide.
792 */
00dffa8c 793 frr_with_mutex(&(*privs)->mutex) {
8875d051
MS		 794 refs = get_privs_refs(*privs);
795
796 if (--(refs->refcount) == 0) {
064e2f32
MS		 797 errno = 0;
798 if ((*privs)->change(ZPRIVS_LOWER)) {
799 zlog_err("%s: Failed to lower privileges (%s)",
8875d051 800 refs->raised_in_funcname,
064e2f32
MS		 801 safe_strerror(errno));
802 }
803 errno = save_errno;
8875d051 804 refs->raised_in_funcname = NULL;
064e2f32 805 }
c5c44d4b 806 }
c5c44d4b 807
6017c3a2
DL		 808 *privs = NULL;
809}
810
37a1f2fb 811void zprivs_preinit(struct zebra_privs_t *zprivs)
01245821 812{
d62a17ae 813 struct passwd *pwentry = NULL;
814 struct group *grentry = NULL;
d62a17ae 815
816 if (!zprivs) {
817 fprintf(stderr, "zprivs_init: called with NULL arg!\n");
818 exit(1);
819 }
820
c5c44d4b 821 pthread_mutex_init(&(zprivs->mutex), NULL);
8875d051
MS		 822 zprivs->process_refs.refcount = 0;
823 zprivs->process_refs.raised_in_funcname = NULL;
824 STAILQ_INIT(&zprivs->thread_refs);
c5c44d4b 825
d62a17ae 826 if (zprivs->vty_group) {
827 /* in a "NULL" setup, this is allowed to fail too, but still
828 * try. */
829 if ((grentry = getgrnam(zprivs->vty_group)))
830 zprivs_state.vtygrp = grentry->gr_gid;
831 else
832 zprivs_state.vtygrp = (gid_t)-1;
833 }
834
835 /* NULL privs */
836 if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
837 || zprivs->cap_num_i)) {
838 zprivs->change = zprivs_change_null;
839 zprivs->current_state = zprivs_state_null;
840 return;
841 }
842
843 if (zprivs->user) {
844 if ((pwentry = getpwnam(zprivs->user)) == NULL) {
845 /* cant use log.h here as it depends on vty */
846 fprintf(stderr,
847 "privs_init: could not lookup user %s\n",
848 zprivs->user);
849 exit(1);
850 }
851
852 zprivs_state.zuid = pwentry->pw_uid;
853 zprivs_state.zgid = pwentry->pw_gid;
854 }
855
856 grentry = NULL;
857
858 if (zprivs->group) {
859 if ((grentry = getgrnam(zprivs->group)) == NULL) {
860 fprintf(stderr,
861 "privs_init: could not lookup group %s\n",
862 zprivs->group);
863 exit(1);
864 }
865
866 zprivs_state.zgid = grentry->gr_gid;
867 }
37a1f2fb
DL		 868}
869
870void zprivs_init(struct zebra_privs_t *zprivs)
871{
1c77d034 872 gid_t groups[NGROUPS_MAX] = {};
37a1f2fb
DL		 873 int i, ngroups = 0;
874 int found = 0;
875
876 /* NULL privs */
877 if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
878 || zprivs->cap_num_i))
879 return;
d62a17ae 880
881 if (zprivs->user) {
72de5f4b 882 ngroups = array_size(groups);
d62a17ae 883 if (getgrouplist(zprivs->user, zprivs_state.zgid, groups,
884 &ngroups)
885 < 0) {
886 /* cant use log.h here as it depends on vty */
887 fprintf(stderr,
888 "privs_init: could not getgrouplist for user %s\n",
889 zprivs->user);
890 exit(1);
891 }
892 }
893
894 if (zprivs->vty_group)
895 /* Add the vty_group to the supplementary groups so it can be chowned to
9d303b37 896 */
d62a17ae 897 {
898 if (zprivs_state.vtygrp == (gid_t)-1) {
899 fprintf(stderr,
900 "privs_init: could not lookup vty group %s\n",
901 zprivs->vty_group);
902 exit(1);
903 }
904
905 for (i = 0; i < ngroups; i++)
906 if (groups[i] == zprivs_state.vtygrp) {
907 found++;
908 break;
909 }
910
911 if (!found) {
912 fprintf(stderr,
913 "privs_init: user(%s) is not part of vty group specified(%s)\n",
914 zprivs->user, zprivs->vty_group);
915 exit(1);
916 }
7e3a1ec7 917 if (i >= ngroups && ngroups < (int)array_size(groups)) {
d62a17ae 918 groups[i] = zprivs_state.vtygrp;
919 }
920 }
921
922 zprivs_state.zsuid = geteuid(); /* initial uid */
923 /* add groups only if we changed uid - otherwise skip */
924 if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid)) {
925 if (setgroups(ngroups, groups)) {
926 fprintf(stderr, "privs_init: could not setgroups, %s\n",
927 safe_strerror(errno));
928 exit(1);
929 }
930 }
931
932 /* change gid only if we changed uid - otherwise skip */
933 if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
934 /* change group now, forever. uid we do later */
935 if (setregid(zprivs_state.zgid, zprivs_state.zgid)) {
936 fprintf(stderr, "zprivs_init: could not setregid, %s\n",
937 safe_strerror(errno));
938 exit(1);
939 }
940 }
941
ceacedba 942#ifdef HAVE_CAPABILITIES
d62a17ae 943 zprivs_caps_init(zprivs);
8e04538c
DS		 944
945 /*
946 * If we have initialized the system with no requested
947 * capabilities, change will not have been set
948 * to anything by zprivs_caps_init, As such
949 * we should make sure that when we attempt
950 * to raize privileges that we actually have
951 * a do nothing function to call instead of a
952 * crash :).
953 */
954 if (!zprivs->change)
955 zprivs->change = zprivs_change_null;
956
d62a17ae 957#else /* !HAVE_CAPABILITIES */
958 /* we dont have caps. we'll need to maintain rid and saved uid
959 * and change euid back to saved uid (who we presume has all neccessary
960 * privileges) whenever we are asked to raise our privileges.
961 *
962 * This is not worth that much security wise, but all we can do.
963 */
964 zprivs_state.zsuid = geteuid();
965 /* only change uid if we don't have the correct one */
966 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
967 if (setreuid(-1, zprivs_state.zuid)) {
968 fprintf(stderr,
969 "privs_init (uid): could not setreuid, %s\n",
970 safe_strerror(errno));
971 exit(1);
972 }
973 }
974
975 zprivs->change = zprivs_change_uid;
976 zprivs->current_state = zprivs_state_uid;
ceacedba 977#endif /* HAVE_CAPABILITIES */
01245821 978}
979
d62a17ae 980void zprivs_terminate(struct zebra_privs_t *zprivs)
01245821 981{
8875d051
MS		 982 struct zebra_privs_refs_t *refs;
983
d62a17ae 984 if (!zprivs) {
985 fprintf(stderr, "%s: no privs struct given, terminating",
986 __func__);
987 exit(0);
988 }
989
ceacedba 990#ifdef HAVE_CAPABILITIES
4093d47b
DL		 991 if (zprivs->user || zprivs->group || zprivs->cap_num_p
992 || zprivs->cap_num_i)
993 zprivs_caps_terminate();
d62a17ae 994#else /* !HAVE_CAPABILITIES */
995 /* only change uid if we don't have the correct one */
996 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
997 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
998 fprintf(stderr,
999 "privs_terminate: could not setreuid, %s",
1000 safe_strerror(errno));
1001 exit(1);
1002 }
1003 }
01245821 1004#endif /* HAVE_LCAPS */
ceacedba 1005
8875d051
MS		 1006 while ((refs = STAILQ_FIRST(&(zprivs->thread_refs))) != NULL) {
1007 STAILQ_REMOVE_HEAD(&(zprivs->thread_refs), entry);
1008 XFREE(MTYPE_PRIVS, refs);
1009 }
1010
d62a17ae 1011 zprivs->change = zprivs_change_null;
1012 zprivs->current_state = zprivs_state_null;
1013 zprivs_null_state = ZPRIVS_LOWERED;
1014 return;
01245821 1015}
ba3a0bc5 1016
d62a17ae 1017void zprivs_get_ids(struct zprivs_ids_t *ids)
ba3a0bc5 1018{
1019
d62a17ae 1020 ids->uid_priv = getuid();
1021 (zprivs_state.zuid) ? (ids->uid_normal = zprivs_state.zuid)
1022 : (ids->uid_normal = -1);
1023 (zprivs_state.zgid) ? (ids->gid_normal = zprivs_state.zgid)
1024 : (ids->gid_normal = -1);
1025 (zprivs_state.vtygrp) ? (ids->gid_vty = zprivs_state.vtygrp)
1026 : (ids->gid_vty = -1);
1027
1028 return;
ba3a0bc5 1029}
FRRouting mirror