]>
Commit | Line | Data |
---|---|---|
d62a17ae | 1 | /* |
01245821 | 2 | * Zebra privileges. |
3 | * | |
4 | * Copyright (C) 2003 Paul Jakma. | |
01070b9e | 5 | * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. |
01245821 | 6 | * |
7 | * This file is part of GNU Zebra. | |
8 | * | |
9 | * GNU Zebra is free software; you can redistribute it and/or modify it | |
10 | * under the terms of the GNU General Public License as published by the | |
11 | * Free Software Foundation; either version 2, or (at your option) any | |
12 | * later version. | |
13 | * | |
14 | * GNU Zebra is distributed in the hope that it will be useful, but | |
15 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | * General Public License for more details. | |
18 | * | |
896014f4 DL |
19 | * You should have received a copy of the GNU General Public License along |
20 | * with this program; see the file COPYING; if not, write to the Free Software | |
21 | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | |
01245821 | 22 | */ |
01245821 | 23 | #include <zebra.h> |
24 | #include "log.h" | |
25 | #include "privs.h" | |
26 | #include "memory.h" | |
01245821 | 27 | |
ceacedba | 28 | #ifdef HAVE_CAPABILITIES |
4a1ab8e4 DL |
29 | |
30 | DEFINE_MTYPE_STATIC(LIB, PRIVS, "Privilege information") | |
31 | ||
ceacedba | 32 | /* sort out some generic internal types for: |
33 | * | |
34 | * privilege values (cap_value_t, priv_t) -> pvalue_t | |
35 | * privilege set (..., priv_set_t) -> pset_t | |
36 | * privilege working storage (cap_t, ...) -> pstorage_t | |
37 | * | |
38 | * values we think of as numeric (they're ints really, but we dont know) | |
39 | * sets are mostly opaque, to hold a set of privileges, related in some way. | |
40 | * storage binds together a set of sets we're interested in. | |
41 | * (in reality: cap_value_t and priv_t are ints) | |
d62a17ae | 42 | */ |
ceacedba | 43 | #ifdef HAVE_LCAPS |
44 | /* Linux doesn't have a 'set' type: a set of related privileges */ | |
45 | struct _pset { | |
d62a17ae | 46 | int num; |
47 | cap_value_t *caps; | |
ceacedba | 48 | }; |
49 | typedef cap_value_t pvalue_t; | |
50 | typedef struct _pset pset_t; | |
51 | typedef cap_t pstorage_t; | |
6b0655a2 | 52 | |
d62a17ae | 53 | #elif defined(HAVE_SOLARIS_CAPABILITIES) |
ceacedba | 54 | typedef priv_t pvalue_t; |
55 | typedef priv_set_t pset_t; | |
56 | typedef priv_set_t *pstorage_t; | |
57 | #else /* neither LCAPS nor SOLARIS_CAPABILITIES */ | |
58 | #error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!" | |
59 | #endif /* HAVE_LCAPS */ | |
60 | #endif /* HAVE_CAPABILITIES */ | |
6b0655a2 | 61 | |
ceacedba | 62 | /* the default NULL state we report is RAISED, but could be LOWERED if |
63 | * zprivs_terminate is called and the NULL handler is installed. | |
64 | */ | |
65 | static zebra_privs_current_t zprivs_null_state = ZPRIVS_RAISED; | |
66 | ||
01245821 | 67 | /* internal privileges state */ |
d62a17ae | 68 | static struct _zprivs_t { |
ceacedba | 69 | #ifdef HAVE_CAPABILITIES |
d62a17ae | 70 | pstorage_t caps; /* working storage */ |
71 | pset_t *syscaps_p; /* system-type requested permitted caps */ | |
72 | pset_t *syscaps_i; /* system-type requested inheritable caps */ | |
73 | #endif /* HAVE_CAPABILITIES */ | |
74 | uid_t zuid, /* uid to run as */ | |
75 | zsuid; /* saved uid */ | |
76 | gid_t zgid; /* gid to run as */ | |
77 | gid_t vtygrp; /* gid for vty sockets */ | |
01245821 | 78 | } zprivs_state; |
79 | ||
80 | /* externally exported but not directly accessed functions */ | |
ceacedba | 81 | #ifdef HAVE_CAPABILITIES |
d62a17ae | 82 | int zprivs_change_caps(zebra_privs_ops_t); |
83 | zebra_privs_current_t zprivs_state_caps(void); | |
ceacedba | 84 | #endif /* HAVE_CAPABILITIES */ |
d62a17ae | 85 | int zprivs_change_uid(zebra_privs_ops_t); |
86 | zebra_privs_current_t zprivs_state_uid(void); | |
87 | int zprivs_change_null(zebra_privs_ops_t); | |
88 | zebra_privs_current_t zprivs_state_null(void); | |
01245821 | 89 | |
ceacedba | 90 | #ifdef HAVE_CAPABILITIES |
91 | /* internal capability API */ | |
d62a17ae | 92 | static pset_t *zcaps2sys(zebra_capabilities_t *, int); |
93 | static void zprivs_caps_init(struct zebra_privs_t *); | |
94 | static void zprivs_caps_terminate(void); | |
ceacedba | 95 | |
96 | /* Map of Quagga abstract capabilities to system capabilities */ | |
d62a17ae | 97 | static struct { |
98 | int num; | |
99 | pvalue_t *system_caps; | |
100 | } cap_map[ZCAP_MAX] = { | |
ceacedba | 101 | #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */ |
c14777c6 | 102 | [ZCAP_SETID] = |
103 | { | |
104 | 2, | |
105 | (pvalue_t[]){CAP_SETGID, CAP_SETUID}, | |
106 | }, | |
107 | [ZCAP_BIND] = | |
108 | { | |
109 | 1, | |
110 | (pvalue_t[]){CAP_NET_BIND_SERVICE}, | |
111 | }, | |
112 | [ZCAP_NET_ADMIN] = | |
113 | { | |
114 | 1, | |
115 | (pvalue_t[]){CAP_NET_ADMIN}, | |
116 | }, | |
117 | [ZCAP_NET_RAW] = | |
118 | { | |
119 | 1, | |
120 | (pvalue_t[]){CAP_NET_RAW}, | |
121 | }, | |
122 | [ZCAP_CHROOT] = | |
123 | { | |
124 | 1, | |
125 | (pvalue_t[]){ | |
126 | CAP_SYS_CHROOT, | |
d62a17ae | 127 | }, |
c14777c6 | 128 | }, |
129 | [ZCAP_NICE] = | |
130 | { | |
131 | 1, | |
132 | (pvalue_t[]){CAP_SYS_NICE}, | |
133 | }, | |
134 | [ZCAP_PTRACE] = | |
135 | { | |
136 | 1, | |
137 | (pvalue_t[]){CAP_SYS_PTRACE}, | |
138 | }, | |
139 | [ZCAP_DAC_OVERRIDE] = | |
140 | { | |
141 | 1, | |
142 | (pvalue_t[]){CAP_DAC_OVERRIDE}, | |
143 | }, | |
144 | [ZCAP_READ_SEARCH] = | |
145 | { | |
146 | 1, | |
147 | (pvalue_t[]){CAP_DAC_READ_SEARCH}, | |
148 | }, | |
149 | [ZCAP_SYS_ADMIN] = | |
150 | { | |
151 | 1, | |
152 | (pvalue_t[]){CAP_SYS_ADMIN}, | |
153 | }, | |
154 | [ZCAP_FOWNER] = | |
155 | { | |
156 | 1, | |
157 | (pvalue_t[]){CAP_FOWNER}, | |
158 | }, | |
ceacedba | 159 | #elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */ |
c14777c6 | 160 | /* Quagga -> Solaris privilege mappings */ |
161 | [ZCAP_SETID] = | |
162 | { | |
163 | 1, | |
164 | (pvalue_t[]){PRIV_PROC_SETID}, | |
165 | }, | |
166 | [ZCAP_BIND] = | |
167 | { | |
168 | 1, | |
169 | (pvalue_t[]){PRIV_NET_PRIVADDR}, | |
170 | }, | |
d62a17ae | 171 | /* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */ |
6b148faa | 172 | #ifdef PRIV_SYS_IP_CONFIG |
c14777c6 | 173 | [ZCAP_NET_ADMIN] = |
174 | { | |
175 | 1, | |
176 | (pvalue_t[]){PRIV_SYS_IP_CONFIG}, | |
177 | }, | |
6b148faa | 178 | #else |
c14777c6 | 179 | [ZCAP_NET_ADMIN] = |
180 | { | |
181 | 1, | |
182 | (pvalue_t[]){PRIV_SYS_NET_CONFIG}, | |
183 | }, | |
6b148faa | 184 | #endif |
c14777c6 | 185 | [ZCAP_NET_RAW] = |
186 | { | |
187 | 2, | |
188 | (pvalue_t[]){PRIV_NET_RAWACCESS, PRIV_NET_ICMPACCESS}, | |
189 | }, | |
190 | [ZCAP_CHROOT] = | |
191 | { | |
192 | 1, | |
193 | (pvalue_t[]){PRIV_PROC_CHROOT}, | |
194 | }, | |
195 | [ZCAP_NICE] = | |
196 | { | |
197 | 1, | |
198 | (pvalue_t[]){PRIV_PROC_PRIOCNTL}, | |
199 | }, | |
200 | [ZCAP_PTRACE] = | |
201 | { | |
202 | 1, | |
203 | (pvalue_t[]){PRIV_PROC_SESSION}, | |
204 | }, | |
205 | [ZCAP_DAC_OVERRIDE] = | |
206 | { | |
207 | 5, | |
208 | (pvalue_t[]){PRIV_FILE_DAC_EXECUTE, PRIV_FILE_DAC_READ, | |
209 | PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_WRITE, | |
210 | PRIV_FILE_DAC_SEARCH}, | |
211 | }, | |
212 | [ZCAP_READ_SEARCH] = | |
213 | { | |
214 | 2, | |
215 | (pvalue_t[]){PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_READ}, | |
216 | }, | |
217 | [ZCAP_SYS_ADMIN] = | |
218 | { | |
219 | 1, | |
220 | (pvalue_t[]){PRIV_SYS_ADMIN}, | |
221 | }, | |
222 | [ZCAP_FOWNER] = | |
223 | { | |
224 | 1, | |
225 | (pvalue_t[]){PRIV_FILE_OWNER}, | |
226 | }, | |
ceacedba | 227 | #endif /* HAVE_SOLARIS_CAPABILITIES */ |
01245821 | 228 | }; |
6b0655a2 | 229 | |
ceacedba | 230 | #ifdef HAVE_LCAPS |
231 | /* Linux forms of capabilities methods */ | |
01245821 | 232 | /* convert zebras privileges to system capabilities */ |
d62a17ae | 233 | static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num) |
01245821 | 234 | { |
d62a17ae | 235 | pset_t *syscaps; |
236 | int i, j = 0, count = 0; | |
237 | ||
238 | if (!num) | |
239 | return NULL; | |
240 | ||
241 | /* first count up how many system caps we have */ | |
242 | for (i = 0; i < num; i++) | |
243 | count += cap_map[zcaps[i]].num; | |
244 | ||
245 | if ((syscaps = XCALLOC(MTYPE_PRIVS, (sizeof(pset_t) * num))) == NULL) { | |
246 | fprintf(stderr, "%s: could not allocate syscaps!", __func__); | |
247 | return NULL; | |
248 | } | |
249 | ||
250 | syscaps->caps = XCALLOC(MTYPE_PRIVS, (sizeof(pvalue_t) * count)); | |
251 | ||
252 | if (!syscaps->caps) { | |
253 | fprintf(stderr, "%s: could not XCALLOC caps!", __func__); | |
254 | return NULL; | |
255 | } | |
256 | ||
257 | /* copy the capabilities over */ | |
258 | count = 0; | |
259 | for (i = 0; i < num; i++) | |
260 | for (j = 0; j < cap_map[zcaps[i]].num; j++) | |
261 | syscaps->caps[count++] = | |
262 | cap_map[zcaps[i]].system_caps[j]; | |
263 | ||
264 | /* iterations above should be exact same as previous count, obviously.. | |
265 | */ | |
266 | syscaps->num = count; | |
267 | ||
268 | return syscaps; | |
01245821 | 269 | } |
270 | ||
271 | /* set or clear the effective capabilities to/from permitted */ | |
d62a17ae | 272 | int zprivs_change_caps(zebra_privs_ops_t op) |
01245821 | 273 | { |
d62a17ae | 274 | cap_flag_value_t cflag; |
275 | ||
276 | /* should be no possibility of being called without valid caps */ | |
277 | assert(zprivs_state.syscaps_p && zprivs_state.caps); | |
278 | if (!(zprivs_state.syscaps_p && zprivs_state.caps)) | |
279 | exit(1); | |
280 | ||
281 | if (op == ZPRIVS_RAISE) | |
282 | cflag = CAP_SET; | |
283 | else if (op == ZPRIVS_LOWER) | |
284 | cflag = CAP_CLEAR; | |
285 | else | |
286 | return -1; | |
287 | ||
288 | if (!cap_set_flag(zprivs_state.caps, CAP_EFFECTIVE, | |
289 | zprivs_state.syscaps_p->num, | |
290 | zprivs_state.syscaps_p->caps, cflag)) | |
291 | return cap_set_proc(zprivs_state.caps); | |
292 | return -1; | |
01245821 | 293 | } |
294 | ||
d62a17ae | 295 | zebra_privs_current_t zprivs_state_caps(void) |
01245821 | 296 | { |
d62a17ae | 297 | int i; |
298 | cap_flag_value_t val; | |
299 | ||
300 | /* should be no possibility of being called without valid caps */ | |
301 | assert(zprivs_state.syscaps_p && zprivs_state.caps); | |
302 | if (!(zprivs_state.syscaps_p && zprivs_state.caps)) | |
303 | exit(1); | |
304 | ||
305 | for (i = 0; i < zprivs_state.syscaps_p->num; i++) { | |
306 | if (cap_get_flag(zprivs_state.caps, | |
307 | zprivs_state.syscaps_p->caps[i], CAP_EFFECTIVE, | |
308 | &val)) { | |
309 | zlog_warn( | |
310 | "zprivs_state_caps: could not cap_get_flag, %s", | |
311 | safe_strerror(errno)); | |
312 | return ZPRIVS_UNKNOWN; | |
313 | } | |
314 | if (val == CAP_SET) | |
315 | return ZPRIVS_RAISED; | |
316 | } | |
317 | return ZPRIVS_LOWERED; | |
01245821 | 318 | } |
319 | ||
d62a17ae | 320 | static void zprivs_caps_init(struct zebra_privs_t *zprivs) |
ceacedba | 321 | { |
d62a17ae | 322 | zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p); |
323 | zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i); | |
324 | ||
325 | /* Tell kernel we want caps maintained across uid changes */ | |
326 | if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) { | |
327 | fprintf(stderr, | |
328 | "privs_init: could not set PR_SET_KEEPCAPS, %s\n", | |
329 | safe_strerror(errno)); | |
330 | exit(1); | |
331 | } | |
332 | ||
333 | /* we have caps, we have no need to ever change back the original user | |
334 | */ | |
335 | /* only change uid if we don't have the correct one */ | |
336 | if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { | |
337 | if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) { | |
338 | fprintf(stderr, | |
339 | "zprivs_init (cap): could not setreuid, %s\n", | |
340 | safe_strerror(errno)); | |
341 | exit(1); | |
342 | } | |
343 | } | |
344 | ||
345 | if (!zprivs_state.syscaps_p) | |
346 | return; | |
347 | ||
348 | if (!(zprivs_state.caps = cap_init())) { | |
349 | fprintf(stderr, "privs_init: failed to cap_init, %s\n", | |
350 | safe_strerror(errno)); | |
351 | exit(1); | |
352 | } | |
353 | ||
354 | if (cap_clear(zprivs_state.caps)) { | |
355 | fprintf(stderr, "privs_init: failed to cap_clear, %s\n", | |
356 | safe_strerror(errno)); | |
357 | exit(1); | |
358 | } | |
359 | ||
360 | /* set permitted caps */ | |
361 | cap_set_flag(zprivs_state.caps, CAP_PERMITTED, | |
362 | zprivs_state.syscaps_p->num, zprivs_state.syscaps_p->caps, | |
363 | CAP_SET); | |
364 | ||
365 | /* set inheritable caps, if any */ | |
366 | if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) { | |
367 | cap_set_flag(zprivs_state.caps, CAP_INHERITABLE, | |
368 | zprivs_state.syscaps_i->num, | |
369 | zprivs_state.syscaps_i->caps, CAP_SET); | |
370 | } | |
371 | ||
372 | /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as | |
373 | * and when, and only when, they are needed. | |
374 | */ | |
375 | if (cap_set_proc(zprivs_state.caps)) { | |
376 | cap_t current_caps; | |
377 | char *current_caps_text = NULL; | |
378 | char *wanted_caps_text = NULL; | |
379 | ||
380 | fprintf(stderr, "privs_init: initial cap_set_proc failed: %s\n", | |
381 | safe_strerror(errno)); | |
382 | ||
383 | current_caps = cap_get_proc(); | |
384 | if (current_caps) { | |
385 | current_caps_text = cap_to_text(current_caps, NULL); | |
386 | cap_free(current_caps); | |
387 | } | |
388 | ||
389 | wanted_caps_text = cap_to_text(zprivs_state.caps, NULL); | |
390 | fprintf(stderr, "Wanted caps: %s\n", | |
391 | wanted_caps_text ? wanted_caps_text : "???"); | |
392 | fprintf(stderr, "Have caps: %s\n", | |
393 | current_caps_text ? current_caps_text : "???"); | |
394 | if (current_caps_text) | |
395 | cap_free(current_caps_text); | |
396 | if (wanted_caps_text) | |
397 | cap_free(wanted_caps_text); | |
398 | ||
399 | exit(1); | |
400 | } | |
401 | ||
402 | /* set methods for the caller to use */ | |
403 | zprivs->change = zprivs_change_caps; | |
404 | zprivs->current_state = zprivs_state_caps; | |
ceacedba | 405 | } |
406 | ||
d62a17ae | 407 | static void zprivs_caps_terminate(void) |
ceacedba | 408 | { |
d62a17ae | 409 | /* clear all capabilities */ |
410 | if (zprivs_state.caps) | |
411 | cap_clear(zprivs_state.caps); | |
412 | ||
413 | /* and boom, capabilities are gone forever */ | |
414 | if (cap_set_proc(zprivs_state.caps)) { | |
415 | fprintf(stderr, "privs_terminate: cap_set_proc failed, %s", | |
416 | safe_strerror(errno)); | |
417 | exit(1); | |
418 | } | |
419 | ||
420 | /* free up private state */ | |
421 | if (zprivs_state.syscaps_p->num) { | |
422 | XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p->caps); | |
423 | XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p); | |
424 | } | |
425 | ||
426 | if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) { | |
427 | XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i->caps); | |
428 | XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i); | |
429 | } | |
430 | ||
431 | cap_free(zprivs_state.caps); | |
ceacedba | 432 | } |
d62a17ae | 433 | #elif defined(HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */ |
6b0655a2 | 434 | |
d62a17ae | 435 | /* Solaris specific capability/privilege methods |
ceacedba | 436 | * |
437 | * Resources: | |
438 | * - the 'privileges' man page | |
439 | * - http://cvs.opensolaris.org | |
d62a17ae | 440 | * - |
441 | * http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1 | |
ceacedba | 442 | */ |
443 | ||
d62a17ae | 444 | static pset_t *zprivs_caps_minimal() |
01070b9e | 445 | { |
d62a17ae | 446 | pset_t *minimal; |
01070b9e | 447 | |
d62a17ae | 448 | if ((minimal = priv_str_to_set("basic", ",", NULL)) == NULL) { |
449 | fprintf(stderr, "%s: couldn't get basic set!\n", __func__); | |
450 | exit(1); | |
451 | } | |
01070b9e | 452 | |
d62a17ae | 453 | /* create a minimal privilege set from the basic set */ |
454 | (void)priv_delset(minimal, PRIV_PROC_EXEC); | |
455 | (void)priv_delset(minimal, PRIV_PROC_INFO); | |
456 | (void)priv_delset(minimal, PRIV_PROC_SESSION); | |
457 | (void)priv_delset(minimal, PRIV_FILE_LINK_ANY); | |
01070b9e | 458 | |
d62a17ae | 459 | return minimal; |
01070b9e BB |
460 | } |
461 | ||
ceacedba | 462 | /* convert zebras privileges to system capabilities */ |
d62a17ae | 463 | static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num) |
ceacedba | 464 | { |
d62a17ae | 465 | pset_t *syscaps; |
466 | int i, j = 0; | |
467 | ||
468 | if ((syscaps = priv_allocset()) == NULL) { | |
469 | fprintf(stderr, "%s: could not allocate syscaps!\n", __func__); | |
470 | exit(1); | |
471 | } | |
472 | ||
473 | priv_emptyset(syscaps); | |
474 | ||
475 | for (i = 0; i < num; i++) | |
476 | for (j = 0; j < cap_map[zcaps[i]].num; j++) | |
477 | priv_addset(syscaps, cap_map[zcaps[i]].system_caps[j]); | |
478 | ||
479 | return syscaps; | |
ceacedba | 480 | } |
481 | ||
482 | /* callback exported to users to RAISE and LOWER effective privileges | |
483 | * from nothing to the given permitted set and back down | |
484 | */ | |
d62a17ae | 485 | int zprivs_change_caps(zebra_privs_ops_t op) |
ceacedba | 486 | { |
d62a17ae | 487 | pset_t *privset; |
488 | ||
489 | /* should be no possibility of being called without valid caps */ | |
490 | assert(zprivs_state.syscaps_p); | |
491 | if (!zprivs_state.syscaps_p) { | |
492 | fprintf(stderr, "%s: Eek, missing privileged caps!", __func__); | |
493 | exit(1); | |
494 | } | |
495 | ||
496 | assert(zprivs_state.caps); | |
497 | if (!zprivs_state.caps) { | |
498 | fprintf(stderr, "%s: Eek, missing caps!", __func__); | |
499 | exit(1); | |
500 | } | |
501 | ||
502 | /* to raise: copy original permitted as our working effective set | |
503 | * to lower: copy regular effective set stored in zprivs_state.caps | |
504 | */ | |
505 | if (op == ZPRIVS_RAISE) | |
506 | privset = zprivs_state.syscaps_p; | |
507 | else if (op == ZPRIVS_LOWER) | |
508 | privset = zprivs_state.caps; | |
509 | else | |
510 | return -1; | |
511 | ||
512 | if (setppriv(PRIV_SET, PRIV_EFFECTIVE, privset) != 0) | |
513 | return -1; | |
514 | ||
515 | return 0; | |
ceacedba | 516 | } |
517 | ||
518 | /* Retrieve current privilege state, is it RAISED or LOWERED? */ | |
d62a17ae | 519 | zebra_privs_current_t zprivs_state_caps(void) |
ceacedba | 520 | { |
d62a17ae | 521 | zebra_privs_current_t result; |
522 | pset_t *effective; | |
523 | ||
524 | if ((effective = priv_allocset()) == NULL) { | |
525 | fprintf(stderr, "%s: failed to get priv_allocset! %s\n", | |
526 | __func__, safe_strerror(errno)); | |
527 | return ZPRIVS_UNKNOWN; | |
528 | } | |
529 | ||
530 | if (getppriv(PRIV_EFFECTIVE, effective)) { | |
531 | fprintf(stderr, "%s: failed to get state! %s\n", __func__, | |
532 | safe_strerror(errno)); | |
533 | result = ZPRIVS_UNKNOWN; | |
534 | } else { | |
535 | if (priv_isequalset(effective, zprivs_state.syscaps_p)) | |
536 | result = ZPRIVS_RAISED; | |
537 | else if (priv_isequalset(effective, zprivs_state.caps)) | |
538 | result = ZPRIVS_LOWERED; | |
539 | else | |
540 | result = ZPRIVS_UNKNOWN; | |
541 | } | |
542 | ||
543 | priv_freeset(effective); | |
544 | return result; | |
ceacedba | 545 | } |
546 | ||
d62a17ae | 547 | static void zprivs_caps_init(struct zebra_privs_t *zprivs) |
ceacedba | 548 | { |
d62a17ae | 549 | pset_t *basic; |
550 | pset_t *minimal; | |
551 | ||
552 | /* the specified sets */ | |
553 | zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p); | |
554 | zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i); | |
555 | ||
556 | /* nonsensical to have gotten here but not have capabilities */ | |
557 | if (!zprivs_state.syscaps_p) { | |
558 | fprintf(stderr, | |
559 | "%s: capabilities enabled, " | |
560 | "but no valid capabilities supplied\n", | |
561 | __func__); | |
562 | } | |
563 | ||
564 | /* We retain the basic set in our permitted set, as Linux has no | |
565 | * equivalent. The basic set on Linux hence is implicit, always | |
566 | * there. | |
567 | */ | |
568 | if ((basic = priv_str_to_set("basic", ",", NULL)) == NULL) { | |
569 | fprintf(stderr, "%s: couldn't get basic set!\n", __func__); | |
570 | exit(1); | |
571 | } | |
572 | ||
573 | /* Add the basic set to the permitted set */ | |
574 | priv_union(basic, zprivs_state.syscaps_p); | |
575 | priv_freeset(basic); | |
576 | ||
577 | /* Hey kernel, we know about privileges! | |
578 | * this isn't strictly required, use of setppriv should have same effect | |
579 | */ | |
580 | if (setpflags(PRIV_AWARE, 1)) { | |
581 | fprintf(stderr, "%s: error setting PRIV_AWARE!, %s\n", __func__, | |
582 | safe_strerror(errno)); | |
583 | exit(1); | |
584 | } | |
585 | ||
586 | /* need either valid or empty sets for both p and i.. */ | |
587 | assert(zprivs_state.syscaps_i && zprivs_state.syscaps_p); | |
588 | ||
589 | /* we have caps, we have no need to ever change back the original user | |
590 | * change real, effective and saved to the specified user. | |
591 | */ | |
592 | /* only change uid if we don't have the correct one */ | |
593 | if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { | |
594 | if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) { | |
595 | fprintf(stderr, "%s: could not setreuid, %s\n", | |
596 | __func__, safe_strerror(errno)); | |
597 | exit(1); | |
598 | } | |
599 | } | |
600 | ||
601 | /* set the permitted set */ | |
602 | if (setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.syscaps_p)) { | |
603 | fprintf(stderr, "%s: error setting permitted set!, %s\n", | |
604 | __func__, safe_strerror(errno)); | |
605 | exit(1); | |
606 | } | |
607 | ||
608 | /* set the inheritable set */ | |
609 | if (setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.syscaps_i)) { | |
610 | fprintf(stderr, "%s: error setting inheritable set!, %s\n", | |
611 | __func__, safe_strerror(errno)); | |
612 | exit(1); | |
613 | } | |
614 | ||
615 | /* we need a minimal basic set for 'effective', potentially for | |
616 | * inheritable too */ | |
617 | minimal = zprivs_caps_minimal(); | |
618 | ||
619 | /* now set the effective set with a subset of basic privileges */ | |
620 | if (setppriv(PRIV_SET, PRIV_EFFECTIVE, minimal)) { | |
621 | fprintf(stderr, "%s: error setting effective set!, %s\n", | |
622 | __func__, safe_strerror(errno)); | |
623 | exit(1); | |
624 | } | |
625 | ||
626 | /* we'll use the minimal set as our working-storage privset */ | |
627 | zprivs_state.caps = minimal; | |
628 | ||
629 | /* set methods for the caller to use */ | |
630 | zprivs->change = zprivs_change_caps; | |
631 | zprivs->current_state = zprivs_state_caps; | |
ceacedba | 632 | } |
633 | ||
d62a17ae | 634 | static void zprivs_caps_terminate(void) |
ceacedba | 635 | { |
d62a17ae | 636 | assert(zprivs_state.caps); |
637 | ||
638 | /* clear all capabilities by using working-storage privset */ | |
639 | setppriv(PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps); | |
640 | setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.caps); | |
641 | setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps); | |
642 | ||
643 | /* free up private state */ | |
644 | if (zprivs_state.syscaps_p) | |
645 | priv_freeset(zprivs_state.syscaps_p); | |
646 | if (zprivs_state.syscaps_i) | |
647 | priv_freeset(zprivs_state.syscaps_i); | |
648 | ||
649 | priv_freeset(zprivs_state.caps); | |
ceacedba | 650 | } |
651 | #else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */ | |
652 | #error "Neither Solaris nor Linux capabilities, dazed and confused..." | |
653 | #endif /* HAVE_LCAPS */ | |
654 | #endif /* HAVE_CAPABILITIES */ | |
6b0655a2 | 655 | |
d62a17ae | 656 | int zprivs_change_uid(zebra_privs_ops_t op) |
01245821 | 657 | { |
d62a17ae | 658 | if (zprivs_state.zsuid == zprivs_state.zuid) |
659 | return 0; | |
660 | if (op == ZPRIVS_RAISE) | |
661 | return seteuid(zprivs_state.zsuid); | |
662 | else if (op == ZPRIVS_LOWER) | |
663 | return seteuid(zprivs_state.zuid); | |
664 | else | |
665 | return -1; | |
01245821 | 666 | } |
667 | ||
d62a17ae | 668 | zebra_privs_current_t zprivs_state_uid(void) |
01245821 | 669 | { |
d62a17ae | 670 | return ((zprivs_state.zuid == geteuid()) ? ZPRIVS_LOWERED |
671 | : ZPRIVS_RAISED); | |
01245821 | 672 | } |
673 | ||
d62a17ae | 674 | int zprivs_change_null(zebra_privs_ops_t op) |
01245821 | 675 | { |
d62a17ae | 676 | return 0; |
01245821 | 677 | } |
678 | ||
d62a17ae | 679 | zebra_privs_current_t zprivs_state_null(void) |
01245821 | 680 | { |
d62a17ae | 681 | return zprivs_null_state; |
01245821 | 682 | } |
683 | ||
4a9ea50e DL |
684 | #ifndef HAVE_GETGROUPLIST |
685 | /* Solaris 11 has no getgrouplist() */ | |
d62a17ae | 686 | static int getgrouplist(const char *user, gid_t group, gid_t *groups, |
687 | int *ngroups) | |
4a9ea50e | 688 | { |
d62a17ae | 689 | struct group *grp; |
690 | size_t usridx; | |
691 | int pos = 0, ret; | |
692 | ||
693 | if (pos < *ngroups) | |
694 | groups[pos] = group; | |
695 | pos++; | |
696 | ||
697 | setgrent(); | |
698 | while ((grp = getgrent())) { | |
699 | if (grp->gr_gid == group) | |
700 | continue; | |
701 | for (usridx = 0; grp->gr_mem[usridx] != NULL; usridx++) | |
702 | if (!strcmp(grp->gr_mem[usridx], user)) { | |
703 | if (pos < *ngroups) | |
704 | groups[pos] = grp->gr_gid; | |
705 | pos++; | |
706 | break; | |
707 | } | |
708 | } | |
709 | endgrent(); | |
710 | ||
711 | ret = (pos <= *ngroups) ? pos : -1; | |
712 | *ngroups = pos; | |
713 | return ret; | |
4a9ea50e DL |
714 | } |
715 | #endif /* HAVE_GETGROUPLIST */ | |
716 | ||
d62a17ae | 717 | void zprivs_init(struct zebra_privs_t *zprivs) |
01245821 | 718 | { |
d62a17ae | 719 | struct passwd *pwentry = NULL; |
720 | struct group *grentry = NULL; | |
721 | gid_t groups[NGROUPS_MAX]; | |
722 | int i, ngroups = 0; | |
723 | int found = 0; | |
724 | ||
725 | if (!zprivs) { | |
726 | fprintf(stderr, "zprivs_init: called with NULL arg!\n"); | |
727 | exit(1); | |
728 | } | |
729 | ||
730 | if (zprivs->vty_group) { | |
731 | /* in a "NULL" setup, this is allowed to fail too, but still | |
732 | * try. */ | |
733 | if ((grentry = getgrnam(zprivs->vty_group))) | |
734 | zprivs_state.vtygrp = grentry->gr_gid; | |
735 | else | |
736 | zprivs_state.vtygrp = (gid_t)-1; | |
737 | } | |
738 | ||
739 | /* NULL privs */ | |
740 | if (!(zprivs->user || zprivs->group || zprivs->cap_num_p | |
741 | || zprivs->cap_num_i)) { | |
742 | zprivs->change = zprivs_change_null; | |
743 | zprivs->current_state = zprivs_state_null; | |
744 | return; | |
745 | } | |
746 | ||
747 | if (zprivs->user) { | |
748 | if ((pwentry = getpwnam(zprivs->user)) == NULL) { | |
749 | /* cant use log.h here as it depends on vty */ | |
750 | fprintf(stderr, | |
751 | "privs_init: could not lookup user %s\n", | |
752 | zprivs->user); | |
753 | exit(1); | |
754 | } | |
755 | ||
756 | zprivs_state.zuid = pwentry->pw_uid; | |
757 | zprivs_state.zgid = pwentry->pw_gid; | |
758 | } | |
759 | ||
760 | grentry = NULL; | |
761 | ||
762 | if (zprivs->group) { | |
763 | if ((grentry = getgrnam(zprivs->group)) == NULL) { | |
764 | fprintf(stderr, | |
765 | "privs_init: could not lookup group %s\n", | |
766 | zprivs->group); | |
767 | exit(1); | |
768 | } | |
769 | ||
770 | zprivs_state.zgid = grentry->gr_gid; | |
771 | } | |
772 | ||
773 | if (zprivs->user) { | |
774 | ngroups = sizeof(groups); | |
775 | if (getgrouplist(zprivs->user, zprivs_state.zgid, groups, | |
776 | &ngroups) | |
777 | < 0) { | |
778 | /* cant use log.h here as it depends on vty */ | |
779 | fprintf(stderr, | |
780 | "privs_init: could not getgrouplist for user %s\n", | |
781 | zprivs->user); | |
782 | exit(1); | |
783 | } | |
784 | } | |
785 | ||
786 | if (zprivs->vty_group) | |
787 | /* Add the vty_group to the supplementary groups so it can be chowned to | |
c14777c6 | 788 | */ |
d62a17ae | 789 | { |
790 | if (zprivs_state.vtygrp == (gid_t)-1) { | |
791 | fprintf(stderr, | |
792 | "privs_init: could not lookup vty group %s\n", | |
793 | zprivs->vty_group); | |
794 | exit(1); | |
795 | } | |
796 | ||
797 | for (i = 0; i < ngroups; i++) | |
798 | if (groups[i] == zprivs_state.vtygrp) { | |
799 | found++; | |
800 | break; | |
801 | } | |
802 | ||
803 | if (!found) { | |
804 | fprintf(stderr, | |
805 | "privs_init: user(%s) is not part of vty group specified(%s)\n", | |
806 | zprivs->user, zprivs->vty_group); | |
807 | exit(1); | |
808 | } | |
809 | if (i >= ngroups && ngroups < (int)ZEBRA_NUM_OF(groups)) { | |
810 | groups[i] = zprivs_state.vtygrp; | |
811 | } | |
812 | } | |
813 | ||
814 | zprivs_state.zsuid = geteuid(); /* initial uid */ | |
815 | /* add groups only if we changed uid - otherwise skip */ | |
816 | if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid)) { | |
817 | if (setgroups(ngroups, groups)) { | |
818 | fprintf(stderr, "privs_init: could not setgroups, %s\n", | |
819 | safe_strerror(errno)); | |
820 | exit(1); | |
821 | } | |
822 | } | |
823 | ||
824 | /* change gid only if we changed uid - otherwise skip */ | |
825 | if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid)) { | |
826 | /* change group now, forever. uid we do later */ | |
827 | if (setregid(zprivs_state.zgid, zprivs_state.zgid)) { | |
828 | fprintf(stderr, "zprivs_init: could not setregid, %s\n", | |
829 | safe_strerror(errno)); | |
830 | exit(1); | |
831 | } | |
832 | } | |
833 | ||
ceacedba | 834 | #ifdef HAVE_CAPABILITIES |
d62a17ae | 835 | zprivs_caps_init(zprivs); |
836 | #else /* !HAVE_CAPABILITIES */ | |
837 | /* we dont have caps. we'll need to maintain rid and saved uid | |
838 | * and change euid back to saved uid (who we presume has all neccessary | |
839 | * privileges) whenever we are asked to raise our privileges. | |
840 | * | |
841 | * This is not worth that much security wise, but all we can do. | |
842 | */ | |
843 | zprivs_state.zsuid = geteuid(); | |
844 | /* only change uid if we don't have the correct one */ | |
845 | if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { | |
846 | if (setreuid(-1, zprivs_state.zuid)) { | |
847 | fprintf(stderr, | |
848 | "privs_init (uid): could not setreuid, %s\n", | |
849 | safe_strerror(errno)); | |
850 | exit(1); | |
851 | } | |
852 | } | |
853 | ||
854 | zprivs->change = zprivs_change_uid; | |
855 | zprivs->current_state = zprivs_state_uid; | |
ceacedba | 856 | #endif /* HAVE_CAPABILITIES */ |
01245821 | 857 | } |
858 | ||
d62a17ae | 859 | void zprivs_terminate(struct zebra_privs_t *zprivs) |
01245821 | 860 | { |
d62a17ae | 861 | if (!zprivs) { |
862 | fprintf(stderr, "%s: no privs struct given, terminating", | |
863 | __func__); | |
864 | exit(0); | |
865 | } | |
866 | ||
ceacedba | 867 | #ifdef HAVE_CAPABILITIES |
d62a17ae | 868 | zprivs_caps_terminate(); |
869 | #else /* !HAVE_CAPABILITIES */ | |
870 | /* only change uid if we don't have the correct one */ | |
871 | if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { | |
872 | if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) { | |
873 | fprintf(stderr, | |
874 | "privs_terminate: could not setreuid, %s", | |
875 | safe_strerror(errno)); | |
876 | exit(1); | |
877 | } | |
878 | } | |
01245821 | 879 | #endif /* HAVE_LCAPS */ |
ceacedba | 880 | |
d62a17ae | 881 | zprivs->change = zprivs_change_null; |
882 | zprivs->current_state = zprivs_state_null; | |
883 | zprivs_null_state = ZPRIVS_LOWERED; | |
884 | return; | |
01245821 | 885 | } |
ba3a0bc5 | 886 | |
d62a17ae | 887 | void zprivs_get_ids(struct zprivs_ids_t *ids) |
ba3a0bc5 | 888 | { |
889 | ||
d62a17ae | 890 | ids->uid_priv = getuid(); |
891 | (zprivs_state.zuid) ? (ids->uid_normal = zprivs_state.zuid) | |
892 | : (ids->uid_normal = -1); | |
893 | (zprivs_state.zgid) ? (ids->gid_normal = zprivs_state.zgid) | |
894 | : (ids->gid_normal = -1); | |
895 | (zprivs_state.vtygrp) ? (ids->gid_vty = zprivs_state.vtygrp) | |
896 | : (ids->gid_vty = -1); | |
897 | ||
898 | return; | |
ba3a0bc5 | 899 | } |