4 * Copyright (C) 2003 Paul Jakma.
5 * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
7 * This file is part of GNU Zebra.
9 * GNU Zebra is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2, or (at your option) any
14 * GNU Zebra is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; see the file COPYING; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
28 #ifdef HAVE_CAPABILITIES
30 DEFINE_MTYPE_STATIC(LIB
, PRIVS
, "Privilege information")
32 /* sort out some generic internal types for:
34 * privilege values (cap_value_t, priv_t) -> pvalue_t
35 * privilege set (..., priv_set_t) -> pset_t
36 * privilege working storage (cap_t, ...) -> pstorage_t
38 * values we think of as numeric (they're ints really, but we dont know)
39 * sets are mostly opaque, to hold a set of privileges, related in some way.
40 * storage binds together a set of sets we're interested in.
41 * (in reality: cap_value_t and priv_t are ints)
44 /* Linux doesn't have a 'set' type: a set of related privileges */
49 typedef cap_value_t pvalue_t
;
50 typedef struct _pset pset_t
;
51 typedef cap_t pstorage_t
;
53 #elif defined (HAVE_SOLARIS_CAPABILITIES)
54 typedef priv_t pvalue_t
;
55 typedef priv_set_t pset_t
;
56 typedef priv_set_t
*pstorage_t
;
57 #else /* neither LCAPS nor SOLARIS_CAPABILITIES */
58 #error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!"
59 #endif /* HAVE_LCAPS */
60 #endif /* HAVE_CAPABILITIES */
62 /* the default NULL state we report is RAISED, but could be LOWERED if
63 * zprivs_terminate is called and the NULL handler is installed.
65 static zebra_privs_current_t zprivs_null_state
= ZPRIVS_RAISED
;
67 /* internal privileges state */
68 static struct _zprivs_t
70 #ifdef HAVE_CAPABILITIES
71 pstorage_t caps
; /* working storage */
72 pset_t
*syscaps_p
; /* system-type requested permitted caps */
73 pset_t
*syscaps_i
; /* system-type requested inheritable caps */
74 #endif /* HAVE_CAPABILITIES */
75 uid_t zuid
, /* uid to run as */
76 zsuid
; /* saved uid */
77 gid_t zgid
; /* gid to run as */
78 gid_t vtygrp
; /* gid for vty sockets */
81 /* externally exported but not directly accessed functions */
82 #ifdef HAVE_CAPABILITIES
83 int zprivs_change_caps (zebra_privs_ops_t
);
84 zebra_privs_current_t
zprivs_state_caps (void);
85 #endif /* HAVE_CAPABILITIES */
86 int zprivs_change_uid (zebra_privs_ops_t
);
87 zebra_privs_current_t
zprivs_state_uid (void);
88 int zprivs_change_null (zebra_privs_ops_t
);
89 zebra_privs_current_t
zprivs_state_null (void);
91 #ifdef HAVE_CAPABILITIES
92 /* internal capability API */
93 static pset_t
*zcaps2sys (zebra_capabilities_t
*, int);
94 static void zprivs_caps_init (struct zebra_privs_t
*);
95 static void zprivs_caps_terminate (void);
97 /* Map of Quagga abstract capabilities to system capabilities */
101 pvalue_t
*system_caps
;
102 } cap_map
[ZCAP_MAX
] =
104 #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
105 [ZCAP_SETID
] = { 2, (pvalue_t
[]) { CAP_SETGID
,
107 [ZCAP_BIND
] = { 1, (pvalue_t
[]) { CAP_NET_BIND_SERVICE
}, },
108 [ZCAP_NET_ADMIN
] = { 1, (pvalue_t
[]) { CAP_NET_ADMIN
}, },
109 [ZCAP_NET_RAW
] = { 1, (pvalue_t
[]) { CAP_NET_RAW
}, },
110 [ZCAP_CHROOT
] = { 1, (pvalue_t
[]) { CAP_SYS_CHROOT
, }, },
111 [ZCAP_NICE
] = { 1, (pvalue_t
[]) { CAP_SYS_NICE
}, },
112 [ZCAP_PTRACE
] = { 1, (pvalue_t
[]) { CAP_SYS_PTRACE
}, },
113 [ZCAP_DAC_OVERRIDE
] = { 1, (pvalue_t
[]) { CAP_DAC_OVERRIDE
}, },
114 [ZCAP_READ_SEARCH
] = { 1, (pvalue_t
[]) { CAP_DAC_READ_SEARCH
}, },
115 [ZCAP_SYS_ADMIN
] = { 1, (pvalue_t
[]) { CAP_SYS_ADMIN
}, },
116 [ZCAP_FOWNER
] = { 1, (pvalue_t
[]) { CAP_FOWNER
}, },
117 #elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */
118 /* Quagga -> Solaris privilege mappings */
119 [ZCAP_SETID
] = { 1, (pvalue_t
[]) { PRIV_PROC_SETID
}, },
120 [ZCAP_BIND
] = { 1, (pvalue_t
[]) { PRIV_NET_PRIVADDR
}, },
121 /* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */
122 #ifdef PRIV_SYS_IP_CONFIG
123 [ZCAP_NET_ADMIN
] = { 1, (pvalue_t
[]) { PRIV_SYS_IP_CONFIG
}, },
125 [ZCAP_NET_ADMIN
] = { 1, (pvalue_t
[]) { PRIV_SYS_NET_CONFIG
}, },
127 [ZCAP_NET_RAW
] = { 2, (pvalue_t
[]) { PRIV_NET_RAWACCESS
,
128 PRIV_NET_ICMPACCESS
}, },
129 [ZCAP_CHROOT
] = { 1, (pvalue_t
[]) { PRIV_PROC_CHROOT
}, },
130 [ZCAP_NICE
] = { 1, (pvalue_t
[]) { PRIV_PROC_PRIOCNTL
}, },
131 [ZCAP_PTRACE
] = { 1, (pvalue_t
[]) { PRIV_PROC_SESSION
}, },
132 [ZCAP_DAC_OVERRIDE
] = { 5, (pvalue_t
[]) { PRIV_FILE_DAC_EXECUTE
,
134 PRIV_FILE_DAC_SEARCH
,
136 PRIV_FILE_DAC_SEARCH
}, },
137 [ZCAP_READ_SEARCH
] = { 2, (pvalue_t
[]) { PRIV_FILE_DAC_SEARCH
,
138 PRIV_FILE_DAC_READ
}, },
139 [ZCAP_SYS_ADMIN
] = { 1, (pvalue_t
[]) { PRIV_SYS_ADMIN
}, },
140 [ZCAP_FOWNER
] = { 1, (pvalue_t
[]) { PRIV_FILE_OWNER
}, },
141 #endif /* HAVE_SOLARIS_CAPABILITIES */
145 /* Linux forms of capabilities methods */
146 /* convert zebras privileges to system capabilities */
148 zcaps2sys (zebra_capabilities_t
*zcaps
, int num
)
151 int i
, j
= 0, count
= 0;
156 /* first count up how many system caps we have */
157 for (i
= 0; i
< num
; i
++)
158 count
+= cap_map
[zcaps
[i
]].num
;
160 if ( (syscaps
= XCALLOC (MTYPE_PRIVS
, (sizeof(pset_t
) * num
))) == NULL
)
162 fprintf (stderr
, "%s: could not allocate syscaps!", __func__
);
166 syscaps
->caps
= XCALLOC (MTYPE_PRIVS
, (sizeof (pvalue_t
) * count
));
170 fprintf (stderr
, "%s: could not XCALLOC caps!", __func__
);
174 /* copy the capabilities over */
176 for (i
=0; i
< num
; i
++)
177 for (j
= 0; j
< cap_map
[zcaps
[i
]].num
; j
++)
178 syscaps
->caps
[count
++] = cap_map
[zcaps
[i
]].system_caps
[j
];
180 /* iterations above should be exact same as previous count, obviously.. */
181 syscaps
->num
= count
;
186 /* set or clear the effective capabilities to/from permitted */
188 zprivs_change_caps (zebra_privs_ops_t op
)
190 cap_flag_value_t cflag
;
192 /* should be no possibility of being called without valid caps */
193 assert (zprivs_state
.syscaps_p
&& zprivs_state
.caps
);
194 if (! (zprivs_state
.syscaps_p
&& zprivs_state
.caps
))
197 if (op
== ZPRIVS_RAISE
)
199 else if (op
== ZPRIVS_LOWER
)
204 if ( !cap_set_flag (zprivs_state
.caps
, CAP_EFFECTIVE
,
205 zprivs_state
.syscaps_p
->num
,
206 zprivs_state
.syscaps_p
->caps
,
208 return cap_set_proc (zprivs_state
.caps
);
212 zebra_privs_current_t
213 zprivs_state_caps (void)
216 cap_flag_value_t val
;
218 /* should be no possibility of being called without valid caps */
219 assert (zprivs_state
.syscaps_p
&& zprivs_state
.caps
);
220 if (! (zprivs_state
.syscaps_p
&& zprivs_state
.caps
))
223 for (i
=0; i
< zprivs_state
.syscaps_p
->num
; i
++)
225 if ( cap_get_flag (zprivs_state
.caps
, zprivs_state
.syscaps_p
->caps
[i
],
226 CAP_EFFECTIVE
, &val
) )
228 zlog_warn ("zprivs_state_caps: could not cap_get_flag, %s",
229 safe_strerror (errno
) );
230 return ZPRIVS_UNKNOWN
;
233 return ZPRIVS_RAISED
;
235 return ZPRIVS_LOWERED
;
239 zprivs_caps_init (struct zebra_privs_t
*zprivs
)
241 zprivs_state
.syscaps_p
= zcaps2sys (zprivs
->caps_p
, zprivs
->cap_num_p
);
242 zprivs_state
.syscaps_i
= zcaps2sys (zprivs
->caps_i
, zprivs
->cap_num_i
);
244 /* Tell kernel we want caps maintained across uid changes */
245 if ( prctl(PR_SET_KEEPCAPS
, 1, 0, 0, 0) == -1 )
247 fprintf (stderr
, "privs_init: could not set PR_SET_KEEPCAPS, %s\n",
248 safe_strerror (errno
) );
252 /* we have caps, we have no need to ever change back the original user */
253 /* only change uid if we don't have the correct one */
254 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
))
256 if ( setreuid (zprivs_state
.zuid
, zprivs_state
.zuid
) )
258 fprintf (stderr
, "zprivs_init (cap): could not setreuid, %s\n",
259 safe_strerror (errno
));
264 if ( !zprivs_state
.syscaps_p
)
267 if ( !(zprivs_state
.caps
= cap_init()) )
269 fprintf (stderr
, "privs_init: failed to cap_init, %s\n",
270 safe_strerror (errno
));
274 if ( cap_clear (zprivs_state
.caps
) )
276 fprintf (stderr
, "privs_init: failed to cap_clear, %s\n",
277 safe_strerror (errno
));
281 /* set permitted caps */
282 cap_set_flag(zprivs_state
.caps
, CAP_PERMITTED
,
283 zprivs_state
.syscaps_p
->num
,
284 zprivs_state
.syscaps_p
->caps
,
287 /* set inheritable caps, if any */
288 if (zprivs_state
.syscaps_i
&& zprivs_state
.syscaps_i
->num
)
290 cap_set_flag(zprivs_state
.caps
, CAP_INHERITABLE
,
291 zprivs_state
.syscaps_i
->num
,
292 zprivs_state
.syscaps_i
->caps
,
296 /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as
297 * and when, and only when, they are needed.
299 if ( cap_set_proc (zprivs_state
.caps
) )
302 char *current_caps_text
= NULL
;
303 char *wanted_caps_text
= NULL
;
305 fprintf(stderr
, "privs_init: initial cap_set_proc failed: %s\n",
306 safe_strerror(errno
));
308 current_caps
= cap_get_proc();
311 current_caps_text
= cap_to_text(current_caps
, NULL
);
312 cap_free(current_caps
);
315 wanted_caps_text
= cap_to_text(zprivs_state
.caps
, NULL
);
316 fprintf(stderr
, "Wanted caps: %s\n", wanted_caps_text
? wanted_caps_text
: "???");
317 fprintf(stderr
, "Have caps: %s\n", current_caps_text
? current_caps_text
: "???");
318 if (current_caps_text
)
319 cap_free(current_caps_text
);
320 if (wanted_caps_text
)
321 cap_free(wanted_caps_text
);
326 /* set methods for the caller to use */
327 zprivs
->change
= zprivs_change_caps
;
328 zprivs
->current_state
= zprivs_state_caps
;
332 zprivs_caps_terminate (void)
334 /* clear all capabilities */
335 if (zprivs_state
.caps
)
336 cap_clear (zprivs_state
.caps
);
338 /* and boom, capabilities are gone forever */
339 if ( cap_set_proc (zprivs_state
.caps
) )
341 fprintf (stderr
, "privs_terminate: cap_set_proc failed, %s",
342 safe_strerror (errno
) );
346 /* free up private state */
347 if (zprivs_state
.syscaps_p
->num
)
349 XFREE (MTYPE_PRIVS
, zprivs_state
.syscaps_p
->caps
);
350 XFREE (MTYPE_PRIVS
, zprivs_state
.syscaps_p
);
353 if (zprivs_state
.syscaps_i
&& zprivs_state
.syscaps_i
->num
)
355 XFREE (MTYPE_PRIVS
, zprivs_state
.syscaps_i
->caps
);
356 XFREE (MTYPE_PRIVS
, zprivs_state
.syscaps_i
);
359 cap_free (zprivs_state
.caps
);
361 #elif defined (HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */
363 /* Solaris specific capability/privilege methods
366 * - the 'privileges' man page
367 * - http://cvs.opensolaris.org
368 * - http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
372 zprivs_caps_minimal ()
376 if ((minimal
= priv_str_to_set("basic", ",", NULL
)) == NULL
)
378 fprintf (stderr
, "%s: couldn't get basic set!\n", __func__
);
382 /* create a minimal privilege set from the basic set */
383 (void) priv_delset(minimal
, PRIV_PROC_EXEC
);
384 (void) priv_delset(minimal
, PRIV_PROC_INFO
);
385 (void) priv_delset(minimal
, PRIV_PROC_SESSION
);
386 (void) priv_delset(minimal
, PRIV_FILE_LINK_ANY
);
391 /* convert zebras privileges to system capabilities */
393 zcaps2sys (zebra_capabilities_t
*zcaps
, int num
)
398 if ((syscaps
= priv_allocset()) == NULL
)
400 fprintf (stderr
, "%s: could not allocate syscaps!\n", __func__
);
404 priv_emptyset (syscaps
);
406 for (i
=0; i
< num
; i
++)
407 for (j
= 0; j
< cap_map
[zcaps
[i
]].num
; j
++)
408 priv_addset (syscaps
, cap_map
[zcaps
[i
]].system_caps
[j
]);
413 /* callback exported to users to RAISE and LOWER effective privileges
414 * from nothing to the given permitted set and back down
417 zprivs_change_caps (zebra_privs_ops_t op
)
421 /* should be no possibility of being called without valid caps */
422 assert (zprivs_state
.syscaps_p
);
423 if (!zprivs_state
.syscaps_p
)
425 fprintf (stderr
, "%s: Eek, missing privileged caps!", __func__
);
429 assert (zprivs_state
.caps
);
430 if (!zprivs_state
.caps
)
432 fprintf (stderr
, "%s: Eek, missing caps!", __func__
);
436 /* to raise: copy original permitted as our working effective set
437 * to lower: copy regular effective set stored in zprivs_state.caps
439 if (op
== ZPRIVS_RAISE
)
440 privset
= zprivs_state
.syscaps_p
;
441 else if (op
== ZPRIVS_LOWER
)
442 privset
= zprivs_state
.caps
;
446 if (setppriv (PRIV_SET
, PRIV_EFFECTIVE
, privset
) != 0)
452 /* Retrieve current privilege state, is it RAISED or LOWERED? */
453 zebra_privs_current_t
454 zprivs_state_caps (void)
456 zebra_privs_current_t result
;
459 if ( (effective
= priv_allocset()) == NULL
)
461 fprintf (stderr
, "%s: failed to get priv_allocset! %s\n", __func__
,
462 safe_strerror (errno
));
463 return ZPRIVS_UNKNOWN
;
466 if (getppriv (PRIV_EFFECTIVE
, effective
))
468 fprintf (stderr
, "%s: failed to get state! %s\n", __func__
,
469 safe_strerror (errno
));
470 result
= ZPRIVS_UNKNOWN
;
474 if (priv_isequalset (effective
, zprivs_state
.syscaps_p
))
475 result
= ZPRIVS_RAISED
;
476 else if (priv_isequalset (effective
, zprivs_state
.caps
))
477 result
= ZPRIVS_LOWERED
;
479 result
= ZPRIVS_UNKNOWN
;
482 priv_freeset (effective
);
487 zprivs_caps_init (struct zebra_privs_t
*zprivs
)
492 /* the specified sets */
493 zprivs_state
.syscaps_p
= zcaps2sys (zprivs
->caps_p
, zprivs
->cap_num_p
);
494 zprivs_state
.syscaps_i
= zcaps2sys (zprivs
->caps_i
, zprivs
->cap_num_i
);
496 /* nonsensical to have gotten here but not have capabilities */
497 if (!zprivs_state
.syscaps_p
)
499 fprintf (stderr
, "%s: capabilities enabled, "
500 "but no valid capabilities supplied\n",
504 /* We retain the basic set in our permitted set, as Linux has no
505 * equivalent. The basic set on Linux hence is implicit, always
508 if ((basic
= priv_str_to_set("basic", ",", NULL
)) == NULL
)
510 fprintf (stderr
, "%s: couldn't get basic set!\n", __func__
);
514 /* Add the basic set to the permitted set */
515 priv_union (basic
, zprivs_state
.syscaps_p
);
516 priv_freeset (basic
);
518 /* Hey kernel, we know about privileges!
519 * this isn't strictly required, use of setppriv should have same effect
521 if (setpflags (PRIV_AWARE
, 1))
523 fprintf (stderr
, "%s: error setting PRIV_AWARE!, %s\n", __func__
,
524 safe_strerror (errno
) );
528 /* need either valid or empty sets for both p and i.. */
529 assert (zprivs_state
.syscaps_i
&& zprivs_state
.syscaps_p
);
531 /* we have caps, we have no need to ever change back the original user
532 * change real, effective and saved to the specified user.
534 /* only change uid if we don't have the correct one */
535 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
))
537 if ( setreuid (zprivs_state
.zuid
, zprivs_state
.zuid
) )
539 fprintf (stderr
, "%s: could not setreuid, %s\n",
540 __func__
, safe_strerror (errno
));
545 /* set the permitted set */
546 if (setppriv (PRIV_SET
, PRIV_PERMITTED
, zprivs_state
.syscaps_p
))
548 fprintf (stderr
, "%s: error setting permitted set!, %s\n", __func__
,
549 safe_strerror (errno
) );
553 /* set the inheritable set */
554 if (setppriv (PRIV_SET
, PRIV_INHERITABLE
, zprivs_state
.syscaps_i
))
556 fprintf (stderr
, "%s: error setting inheritable set!, %s\n", __func__
,
557 safe_strerror (errno
) );
561 /* we need a minimal basic set for 'effective', potentially for inheritable too */
562 minimal
= zprivs_caps_minimal();
564 /* now set the effective set with a subset of basic privileges */
565 if (setppriv (PRIV_SET
, PRIV_EFFECTIVE
, minimal
))
567 fprintf (stderr
, "%s: error setting effective set!, %s\n", __func__
,
568 safe_strerror (errno
) );
572 /* we'll use the minimal set as our working-storage privset */
573 zprivs_state
.caps
= minimal
;
575 /* set methods for the caller to use */
576 zprivs
->change
= zprivs_change_caps
;
577 zprivs
->current_state
= zprivs_state_caps
;
581 zprivs_caps_terminate (void)
583 assert (zprivs_state
.caps
);
585 /* clear all capabilities by using working-storage privset */
586 setppriv (PRIV_SET
, PRIV_EFFECTIVE
, zprivs_state
.caps
);
587 setppriv (PRIV_SET
, PRIV_PERMITTED
, zprivs_state
.caps
);
588 setppriv (PRIV_SET
, PRIV_INHERITABLE
, zprivs_state
.caps
);
590 /* free up private state */
591 if (zprivs_state
.syscaps_p
)
592 priv_freeset (zprivs_state
.syscaps_p
);
593 if (zprivs_state
.syscaps_i
)
594 priv_freeset (zprivs_state
.syscaps_i
);
596 priv_freeset (zprivs_state
.caps
);
598 #else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */
599 #error "Neither Solaris nor Linux capabilities, dazed and confused..."
600 #endif /* HAVE_LCAPS */
601 #endif /* HAVE_CAPABILITIES */
604 zprivs_change_uid (zebra_privs_ops_t op
)
606 if (zprivs_state
.zsuid
== zprivs_state
.zuid
)
608 if (op
== ZPRIVS_RAISE
)
609 return seteuid (zprivs_state
.zsuid
);
610 else if (op
== ZPRIVS_LOWER
)
611 return seteuid (zprivs_state
.zuid
);
616 zebra_privs_current_t
617 zprivs_state_uid (void)
619 return ( (zprivs_state
.zuid
== geteuid()) ? ZPRIVS_LOWERED
: ZPRIVS_RAISED
);
623 zprivs_change_null (zebra_privs_ops_t op
)
628 zebra_privs_current_t
629 zprivs_state_null (void)
631 return zprivs_null_state
;
634 #ifndef HAVE_GETGROUPLIST
635 /* Solaris 11 has no getgrouplist() */
637 getgrouplist(const char *user
, gid_t group
, gid_t
*groups
, int *ngroups
)
648 while ((grp
= getgrent()))
650 if (grp
->gr_gid
== group
)
652 for (usridx
= 0; grp
->gr_mem
[usridx
] != NULL
; usridx
++)
653 if (!strcmp (grp
->gr_mem
[usridx
], user
))
656 groups
[pos
] = grp
->gr_gid
;
663 ret
= (pos
<= *ngroups
) ? pos
: -1;
667 #endif /* HAVE_GETGROUPLIST */
670 zprivs_init(struct zebra_privs_t
*zprivs
)
672 struct passwd
*pwentry
= NULL
;
673 struct group
*grentry
= NULL
;
674 gid_t groups
[NGROUPS_MAX
];
680 fprintf (stderr
, "zprivs_init: called with NULL arg!\n");
684 if (zprivs
->vty_group
)
686 /* in a "NULL" setup, this is allowed to fail too, but still try. */
687 if ((grentry
= getgrnam (zprivs
->vty_group
)))
688 zprivs_state
.vtygrp
= grentry
->gr_gid
;
690 zprivs_state
.vtygrp
= (gid_t
)-1;
694 if (! (zprivs
->user
|| zprivs
->group
695 || zprivs
->cap_num_p
|| zprivs
->cap_num_i
) )
697 zprivs
->change
= zprivs_change_null
;
698 zprivs
->current_state
= zprivs_state_null
;
704 if ( (pwentry
= getpwnam (zprivs
->user
)) == NULL
)
706 /* cant use log.h here as it depends on vty */
707 fprintf (stderr
, "privs_init: could not lookup user %s\n",
712 zprivs_state
.zuid
= pwentry
->pw_uid
;
713 zprivs_state
.zgid
= pwentry
->pw_gid
;
720 if ( (grentry
= getgrnam (zprivs
->group
)) == NULL
)
722 fprintf (stderr
, "privs_init: could not lookup group %s\n",
727 zprivs_state
.zgid
= grentry
->gr_gid
;
732 ngroups
= sizeof(groups
);
733 if (getgrouplist (zprivs
->user
, zprivs_state
.zgid
, groups
, &ngroups
) < 0)
735 /* cant use log.h here as it depends on vty */
736 fprintf (stderr
, "privs_init: could not getgrouplist for user %s\n",
742 if (zprivs
->vty_group
)
743 /* Add the vty_group to the supplementary groups so it can be chowned to */
745 if (zprivs_state
.vtygrp
== (gid_t
)-1)
747 fprintf (stderr
, "privs_init: could not lookup vty group %s\n",
752 for ( i
= 0; i
< ngroups
; i
++ )
753 if ( groups
[i
] == zprivs_state
.vtygrp
)
761 fprintf (stderr
, "privs_init: user(%s) is not part of vty group specified(%s)\n",
762 zprivs
->user
, zprivs
->vty_group
);
765 if ( i
>= ngroups
&& ngroups
< (int) ZEBRA_NUM_OF(groups
) )
767 groups
[i
] = zprivs_state
.vtygrp
;
771 zprivs_state
.zsuid
= geteuid(); /* initial uid */
772 /* add groups only if we changed uid - otherwise skip */
773 if ((ngroups
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
))
775 if ( setgroups (ngroups
, groups
) )
777 fprintf (stderr
, "privs_init: could not setgroups, %s\n",
778 safe_strerror (errno
) );
783 /* change gid only if we changed uid - otherwise skip */
784 if ((zprivs_state
.zgid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
))
786 /* change group now, forever. uid we do later */
787 if ( setregid (zprivs_state
.zgid
, zprivs_state
.zgid
) )
789 fprintf (stderr
, "zprivs_init: could not setregid, %s\n",
790 safe_strerror (errno
) );
795 #ifdef HAVE_CAPABILITIES
796 zprivs_caps_init (zprivs
);
797 #else /* !HAVE_CAPABILITIES */
798 /* we dont have caps. we'll need to maintain rid and saved uid
799 * and change euid back to saved uid (who we presume has all neccessary
800 * privileges) whenever we are asked to raise our privileges.
802 * This is not worth that much security wise, but all we can do.
804 zprivs_state
.zsuid
= geteuid();
805 /* only change uid if we don't have the correct one */
806 if (( zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
))
808 if ( setreuid (-1, zprivs_state
.zuid
) )
810 fprintf (stderr
, "privs_init (uid): could not setreuid, %s\n",
811 safe_strerror (errno
));
816 zprivs
->change
= zprivs_change_uid
;
817 zprivs
->current_state
= zprivs_state_uid
;
818 #endif /* HAVE_CAPABILITIES */
822 zprivs_terminate (struct zebra_privs_t
*zprivs
)
826 fprintf (stderr
, "%s: no privs struct given, terminating", __func__
);
830 #ifdef HAVE_CAPABILITIES
831 zprivs_caps_terminate();
832 #else /* !HAVE_CAPABILITIES */
833 /* only change uid if we don't have the correct one */
834 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
))
836 if ( setreuid (zprivs_state
.zuid
, zprivs_state
.zuid
) )
838 fprintf (stderr
, "privs_terminate: could not setreuid, %s",
839 safe_strerror (errno
) );
843 #endif /* HAVE_LCAPS */
845 zprivs
->change
= zprivs_change_null
;
846 zprivs
->current_state
= zprivs_state_null
;
847 zprivs_null_state
= ZPRIVS_LOWERED
;
852 zprivs_get_ids(struct zprivs_ids_t
*ids
)
855 ids
->uid_priv
= getuid();
856 (zprivs_state
.zuid
) ? (ids
->uid_normal
= zprivs_state
.zuid
)
857 : (ids
->uid_normal
= -1);
858 (zprivs_state
.zgid
) ? (ids
->gid_normal
= zprivs_state
.zgid
)
859 : (ids
->gid_normal
= -1);
860 (zprivs_state
.vtygrp
) ? (ids
->gid_vty
= zprivs_state
.vtygrp
)
861 : (ids
->gid_vty
= -1);