4 * Copyright (C) 2003 Paul Jakma.
5 * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
7 * This file is part of GNU Zebra.
9 * GNU Zebra is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2, or (at your option) any
14 * GNU Zebra is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; see the file COPYING; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
27 #include "lib_errors.h"
29 #ifdef HAVE_CAPABILITIES
31 DEFINE_MTYPE_STATIC(LIB
, PRIVS
, "Privilege information")
33 /* sort out some generic internal types for:
35 * privilege values (cap_value_t, priv_t) -> pvalue_t
36 * privilege set (..., priv_set_t) -> pset_t
37 * privilege working storage (cap_t, ...) -> pstorage_t
39 * values we think of as numeric (they're ints really, but we dont know)
40 * sets are mostly opaque, to hold a set of privileges, related in some way.
41 * storage binds together a set of sets we're interested in.
42 * (in reality: cap_value_t and priv_t are ints)
45 /* Linux doesn't have a 'set' type: a set of related privileges */
50 typedef cap_value_t pvalue_t
;
51 typedef struct _pset pset_t
;
52 typedef cap_t pstorage_t
;
54 #elif defined(HAVE_SOLARIS_CAPABILITIES)
55 typedef priv_t pvalue_t
;
56 typedef priv_set_t pset_t
;
57 typedef priv_set_t
*pstorage_t
;
58 #else /* neither LCAPS nor SOLARIS_CAPABILITIES */
59 #error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!"
60 #endif /* HAVE_LCAPS */
61 #endif /* HAVE_CAPABILITIES */
63 /* the default NULL state we report is RAISED, but could be LOWERED if
64 * zprivs_terminate is called and the NULL handler is installed.
66 static zebra_privs_current_t zprivs_null_state
= ZPRIVS_RAISED
;
68 /* internal privileges state */
69 static struct _zprivs_t
{
70 #ifdef HAVE_CAPABILITIES
71 pstorage_t caps
; /* working storage */
72 pset_t
*syscaps_p
; /* system-type requested permitted caps */
73 pset_t
*syscaps_i
; /* system-type requested inheritable caps */
74 #endif /* HAVE_CAPABILITIES */
75 uid_t zuid
, /* uid to run as */
76 zsuid
; /* saved uid */
77 gid_t zgid
; /* gid to run as */
78 gid_t vtygrp
; /* gid for vty sockets */
81 /* externally exported but not directly accessed functions */
82 #ifdef HAVE_CAPABILITIES
83 int zprivs_change_caps(zebra_privs_ops_t
);
84 zebra_privs_current_t
zprivs_state_caps(void);
85 #endif /* HAVE_CAPABILITIES */
86 int zprivs_change_uid(zebra_privs_ops_t
);
87 zebra_privs_current_t
zprivs_state_uid(void);
88 int zprivs_change_null(zebra_privs_ops_t
);
89 zebra_privs_current_t
zprivs_state_null(void);
91 #ifdef HAVE_CAPABILITIES
92 /* internal capability API */
93 static pset_t
*zcaps2sys(zebra_capabilities_t
*, int);
94 static void zprivs_caps_init(struct zebra_privs_t
*);
95 static void zprivs_caps_terminate(void);
97 /* Map of Quagga abstract capabilities to system capabilities */
100 pvalue_t
*system_caps
;
101 } cap_map
[ZCAP_MAX
] = {
102 #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
105 2, (pvalue_t
[]){CAP_SETGID
, CAP_SETUID
},
109 1, (pvalue_t
[]){CAP_NET_BIND_SERVICE
},
113 1, (pvalue_t
[]){CAP_NET_ADMIN
},
117 1, (pvalue_t
[]){CAP_NET_RAW
},
128 1, (pvalue_t
[]){CAP_SYS_NICE
},
132 1, (pvalue_t
[]){CAP_SYS_PTRACE
},
134 [ZCAP_DAC_OVERRIDE
] =
136 1, (pvalue_t
[]){CAP_DAC_OVERRIDE
},
140 1, (pvalue_t
[]){CAP_DAC_READ_SEARCH
},
144 1, (pvalue_t
[]){CAP_SYS_ADMIN
},
148 1, (pvalue_t
[]){CAP_FOWNER
},
150 #elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */
151 /* Quagga -> Solaris privilege mappings */
154 1, (pvalue_t
[]){PRIV_PROC_SETID
},
158 1, (pvalue_t
[]){PRIV_NET_PRIVADDR
},
160 /* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */
161 #ifdef PRIV_SYS_IP_CONFIG
164 1, (pvalue_t
[]){PRIV_SYS_IP_CONFIG
},
169 1, (pvalue_t
[]){PRIV_SYS_NET_CONFIG
},
174 2, (pvalue_t
[]){PRIV_NET_RAWACCESS
,
175 PRIV_NET_ICMPACCESS
},
179 1, (pvalue_t
[]){PRIV_PROC_CHROOT
},
183 1, (pvalue_t
[]){PRIV_PROC_PRIOCNTL
},
187 1, (pvalue_t
[]){PRIV_PROC_SESSION
},
189 [ZCAP_DAC_OVERRIDE
] =
191 5, (pvalue_t
[]){PRIV_FILE_DAC_EXECUTE
,
193 PRIV_FILE_DAC_SEARCH
,
195 PRIV_FILE_DAC_SEARCH
},
199 2, (pvalue_t
[]){PRIV_FILE_DAC_SEARCH
,
204 1, (pvalue_t
[]){PRIV_SYS_ADMIN
},
208 1, (pvalue_t
[]){PRIV_FILE_OWNER
},
210 #endif /* HAVE_SOLARIS_CAPABILITIES */
214 /* Linux forms of capabilities methods */
215 /* convert zebras privileges to system capabilities */
216 static pset_t
*zcaps2sys(zebra_capabilities_t
*zcaps
, int num
)
219 int i
, j
= 0, count
= 0;
224 /* first count up how many system caps we have */
225 for (i
= 0; i
< num
; i
++)
226 count
+= cap_map
[zcaps
[i
]].num
;
228 if ((syscaps
= XCALLOC(MTYPE_PRIVS
, (sizeof(pset_t
) * num
))) == NULL
) {
229 fprintf(stderr
, "%s: could not allocate syscaps!", __func__
);
233 syscaps
->caps
= XCALLOC(MTYPE_PRIVS
, (sizeof(pvalue_t
) * count
));
235 if (!syscaps
->caps
) {
236 fprintf(stderr
, "%s: could not XCALLOC caps!", __func__
);
240 /* copy the capabilities over */
242 for (i
= 0; i
< num
; i
++)
243 for (j
= 0; j
< cap_map
[zcaps
[i
]].num
; j
++)
244 syscaps
->caps
[count
++] =
245 cap_map
[zcaps
[i
]].system_caps
[j
];
247 /* iterations above should be exact same as previous count, obviously..
249 syscaps
->num
= count
;
254 /* set or clear the effective capabilities to/from permitted */
255 int zprivs_change_caps(zebra_privs_ops_t op
)
257 cap_flag_value_t cflag
;
259 /* should be no possibility of being called without valid caps */
260 assert(zprivs_state
.syscaps_p
&& zprivs_state
.caps
);
261 if (!(zprivs_state
.syscaps_p
&& zprivs_state
.caps
))
264 if (op
== ZPRIVS_RAISE
)
266 else if (op
== ZPRIVS_LOWER
)
271 if (!cap_set_flag(zprivs_state
.caps
, CAP_EFFECTIVE
,
272 zprivs_state
.syscaps_p
->num
,
273 zprivs_state
.syscaps_p
->caps
, cflag
))
274 return cap_set_proc(zprivs_state
.caps
);
278 zebra_privs_current_t
zprivs_state_caps(void)
281 cap_flag_value_t val
;
283 /* should be no possibility of being called without valid caps */
284 assert(zprivs_state
.syscaps_p
&& zprivs_state
.caps
);
285 if (!(zprivs_state
.syscaps_p
&& zprivs_state
.caps
))
288 for (i
= 0; i
< zprivs_state
.syscaps_p
->num
; i
++) {
289 if (cap_get_flag(zprivs_state
.caps
,
290 zprivs_state
.syscaps_p
->caps
[i
], CAP_EFFECTIVE
,
294 "zprivs_state_caps: could not cap_get_flag, %s",
295 safe_strerror(errno
));
296 return ZPRIVS_UNKNOWN
;
299 return ZPRIVS_RAISED
;
301 return ZPRIVS_LOWERED
;
304 static void zprivs_caps_init(struct zebra_privs_t
*zprivs
)
306 zprivs_state
.syscaps_p
= zcaps2sys(zprivs
->caps_p
, zprivs
->cap_num_p
);
307 zprivs_state
.syscaps_i
= zcaps2sys(zprivs
->caps_i
, zprivs
->cap_num_i
);
309 /* Tell kernel we want caps maintained across uid changes */
310 if (prctl(PR_SET_KEEPCAPS
, 1, 0, 0, 0) == -1) {
312 "privs_init: could not set PR_SET_KEEPCAPS, %s\n",
313 safe_strerror(errno
));
317 /* we have caps, we have no need to ever change back the original user
319 /* only change uid if we don't have the correct one */
320 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
)) {
321 if (setreuid(zprivs_state
.zuid
, zprivs_state
.zuid
)) {
323 "zprivs_init (cap): could not setreuid, %s\n",
324 safe_strerror(errno
));
329 if (!zprivs_state
.syscaps_p
)
332 if (!(zprivs_state
.caps
= cap_init())) {
333 fprintf(stderr
, "privs_init: failed to cap_init, %s\n",
334 safe_strerror(errno
));
338 if (cap_clear(zprivs_state
.caps
)) {
339 fprintf(stderr
, "privs_init: failed to cap_clear, %s\n",
340 safe_strerror(errno
));
344 /* set permitted caps */
345 cap_set_flag(zprivs_state
.caps
, CAP_PERMITTED
,
346 zprivs_state
.syscaps_p
->num
, zprivs_state
.syscaps_p
->caps
,
349 /* set inheritable caps, if any */
350 if (zprivs_state
.syscaps_i
&& zprivs_state
.syscaps_i
->num
) {
351 cap_set_flag(zprivs_state
.caps
, CAP_INHERITABLE
,
352 zprivs_state
.syscaps_i
->num
,
353 zprivs_state
.syscaps_i
->caps
, CAP_SET
);
356 /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as
357 * and when, and only when, they are needed.
359 if (cap_set_proc(zprivs_state
.caps
)) {
361 char *current_caps_text
= NULL
;
362 char *wanted_caps_text
= NULL
;
364 fprintf(stderr
, "privs_init: initial cap_set_proc failed: %s\n",
365 safe_strerror(errno
));
367 current_caps
= cap_get_proc();
369 current_caps_text
= cap_to_text(current_caps
, NULL
);
370 cap_free(current_caps
);
373 wanted_caps_text
= cap_to_text(zprivs_state
.caps
, NULL
);
374 fprintf(stderr
, "Wanted caps: %s\n",
375 wanted_caps_text
? wanted_caps_text
: "???");
376 fprintf(stderr
, "Have caps: %s\n",
377 current_caps_text
? current_caps_text
: "???");
378 if (current_caps_text
)
379 cap_free(current_caps_text
);
380 if (wanted_caps_text
)
381 cap_free(wanted_caps_text
);
386 /* set methods for the caller to use */
387 zprivs
->change
= zprivs_change_caps
;
388 zprivs
->current_state
= zprivs_state_caps
;
391 static void zprivs_caps_terminate(void)
393 /* clear all capabilities */
394 if (zprivs_state
.caps
)
395 cap_clear(zprivs_state
.caps
);
397 /* and boom, capabilities are gone forever */
398 if (cap_set_proc(zprivs_state
.caps
)) {
399 fprintf(stderr
, "privs_terminate: cap_set_proc failed, %s",
400 safe_strerror(errno
));
404 /* free up private state */
405 if (zprivs_state
.syscaps_p
->num
) {
406 XFREE(MTYPE_PRIVS
, zprivs_state
.syscaps_p
->caps
);
407 XFREE(MTYPE_PRIVS
, zprivs_state
.syscaps_p
);
410 if (zprivs_state
.syscaps_i
&& zprivs_state
.syscaps_i
->num
) {
411 XFREE(MTYPE_PRIVS
, zprivs_state
.syscaps_i
->caps
);
412 XFREE(MTYPE_PRIVS
, zprivs_state
.syscaps_i
);
415 cap_free(zprivs_state
.caps
);
417 #elif defined(HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */
419 /* Solaris specific capability/privilege methods
422 * - the 'privileges' man page
423 * - http://cvs.opensolaris.org
425 * http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
428 static pset_t
*zprivs_caps_minimal()
432 if ((minimal
= priv_str_to_set("basic", ",", NULL
)) == NULL
) {
433 fprintf(stderr
, "%s: couldn't get basic set!\n", __func__
);
437 /* create a minimal privilege set from the basic set */
438 (void)priv_delset(minimal
, PRIV_PROC_EXEC
);
439 (void)priv_delset(minimal
, PRIV_PROC_INFO
);
440 (void)priv_delset(minimal
, PRIV_PROC_SESSION
);
441 (void)priv_delset(minimal
, PRIV_FILE_LINK_ANY
);
446 /* convert zebras privileges to system capabilities */
447 static pset_t
*zcaps2sys(zebra_capabilities_t
*zcaps
, int num
)
452 if ((syscaps
= priv_allocset()) == NULL
) {
453 fprintf(stderr
, "%s: could not allocate syscaps!\n", __func__
);
457 priv_emptyset(syscaps
);
459 for (i
= 0; i
< num
; i
++)
460 for (j
= 0; j
< cap_map
[zcaps
[i
]].num
; j
++)
461 priv_addset(syscaps
, cap_map
[zcaps
[i
]].system_caps
[j
]);
466 /* callback exported to users to RAISE and LOWER effective privileges
467 * from nothing to the given permitted set and back down
469 int zprivs_change_caps(zebra_privs_ops_t op
)
473 /* should be no possibility of being called without valid caps */
474 assert(zprivs_state
.syscaps_p
);
475 if (!zprivs_state
.syscaps_p
) {
476 fprintf(stderr
, "%s: Eek, missing privileged caps!", __func__
);
480 assert(zprivs_state
.caps
);
481 if (!zprivs_state
.caps
) {
482 fprintf(stderr
, "%s: Eek, missing caps!", __func__
);
486 /* to raise: copy original permitted as our working effective set
487 * to lower: copy regular effective set stored in zprivs_state.caps
489 if (op
== ZPRIVS_RAISE
)
490 privset
= zprivs_state
.syscaps_p
;
491 else if (op
== ZPRIVS_LOWER
)
492 privset
= zprivs_state
.caps
;
496 if (setppriv(PRIV_SET
, PRIV_EFFECTIVE
, privset
) != 0)
502 /* Retrieve current privilege state, is it RAISED or LOWERED? */
503 zebra_privs_current_t
zprivs_state_caps(void)
505 zebra_privs_current_t result
;
508 if ((effective
= priv_allocset()) == NULL
) {
509 fprintf(stderr
, "%s: failed to get priv_allocset! %s\n",
510 __func__
, safe_strerror(errno
));
511 return ZPRIVS_UNKNOWN
;
514 if (getppriv(PRIV_EFFECTIVE
, effective
)) {
515 fprintf(stderr
, "%s: failed to get state! %s\n", __func__
,
516 safe_strerror(errno
));
517 result
= ZPRIVS_UNKNOWN
;
519 if (priv_isequalset(effective
, zprivs_state
.syscaps_p
))
520 result
= ZPRIVS_RAISED
;
521 else if (priv_isequalset(effective
, zprivs_state
.caps
))
522 result
= ZPRIVS_LOWERED
;
524 result
= ZPRIVS_UNKNOWN
;
527 priv_freeset(effective
);
531 static void zprivs_caps_init(struct zebra_privs_t
*zprivs
)
536 /* the specified sets */
537 zprivs_state
.syscaps_p
= zcaps2sys(zprivs
->caps_p
, zprivs
->cap_num_p
);
538 zprivs_state
.syscaps_i
= zcaps2sys(zprivs
->caps_i
, zprivs
->cap_num_i
);
540 /* nonsensical to have gotten here but not have capabilities */
541 if (!zprivs_state
.syscaps_p
) {
543 "%s: capabilities enabled, "
544 "but no valid capabilities supplied\n",
548 /* We retain the basic set in our permitted set, as Linux has no
549 * equivalent. The basic set on Linux hence is implicit, always
552 if ((basic
= priv_str_to_set("basic", ",", NULL
)) == NULL
) {
553 fprintf(stderr
, "%s: couldn't get basic set!\n", __func__
);
557 /* Add the basic set to the permitted set */
558 priv_union(basic
, zprivs_state
.syscaps_p
);
561 /* Hey kernel, we know about privileges!
562 * this isn't strictly required, use of setppriv should have same effect
564 if (setpflags(PRIV_AWARE
, 1)) {
565 fprintf(stderr
, "%s: error setting PRIV_AWARE!, %s\n", __func__
,
566 safe_strerror(errno
));
570 /* need either valid or empty sets for both p and i.. */
571 assert(zprivs_state
.syscaps_i
&& zprivs_state
.syscaps_p
);
573 /* we have caps, we have no need to ever change back the original user
574 * change real, effective and saved to the specified user.
576 /* only change uid if we don't have the correct one */
577 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
)) {
578 if (setreuid(zprivs_state
.zuid
, zprivs_state
.zuid
)) {
579 fprintf(stderr
, "%s: could not setreuid, %s\n",
580 __func__
, safe_strerror(errno
));
585 /* set the permitted set */
586 if (setppriv(PRIV_SET
, PRIV_PERMITTED
, zprivs_state
.syscaps_p
)) {
587 fprintf(stderr
, "%s: error setting permitted set!, %s\n",
588 __func__
, safe_strerror(errno
));
592 /* set the inheritable set */
593 if (setppriv(PRIV_SET
, PRIV_INHERITABLE
, zprivs_state
.syscaps_i
)) {
594 fprintf(stderr
, "%s: error setting inheritable set!, %s\n",
595 __func__
, safe_strerror(errno
));
599 /* we need a minimal basic set for 'effective', potentially for
601 minimal
= zprivs_caps_minimal();
603 /* now set the effective set with a subset of basic privileges */
604 if (setppriv(PRIV_SET
, PRIV_EFFECTIVE
, minimal
)) {
605 fprintf(stderr
, "%s: error setting effective set!, %s\n",
606 __func__
, safe_strerror(errno
));
610 /* we'll use the minimal set as our working-storage privset */
611 zprivs_state
.caps
= minimal
;
613 /* set methods for the caller to use */
614 zprivs
->change
= zprivs_change_caps
;
615 zprivs
->current_state
= zprivs_state_caps
;
618 static void zprivs_caps_terminate(void)
620 assert(zprivs_state
.caps
);
622 /* clear all capabilities by using working-storage privset */
623 setppriv(PRIV_SET
, PRIV_EFFECTIVE
, zprivs_state
.caps
);
624 setppriv(PRIV_SET
, PRIV_PERMITTED
, zprivs_state
.caps
);
625 setppriv(PRIV_SET
, PRIV_INHERITABLE
, zprivs_state
.caps
);
627 /* free up private state */
628 if (zprivs_state
.syscaps_p
)
629 priv_freeset(zprivs_state
.syscaps_p
);
630 if (zprivs_state
.syscaps_i
)
631 priv_freeset(zprivs_state
.syscaps_i
);
633 priv_freeset(zprivs_state
.caps
);
635 #else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */
636 #error "Neither Solaris nor Linux capabilities, dazed and confused..."
637 #endif /* HAVE_LCAPS */
638 #endif /* HAVE_CAPABILITIES */
640 int zprivs_change_uid(zebra_privs_ops_t op
)
642 if (zprivs_state
.zsuid
== zprivs_state
.zuid
)
644 if (op
== ZPRIVS_RAISE
)
645 return seteuid(zprivs_state
.zsuid
);
646 else if (op
== ZPRIVS_LOWER
)
647 return seteuid(zprivs_state
.zuid
);
652 zebra_privs_current_t
zprivs_state_uid(void)
654 return ((zprivs_state
.zuid
== geteuid()) ? ZPRIVS_LOWERED
658 int zprivs_change_null(zebra_privs_ops_t op
)
663 zebra_privs_current_t
zprivs_state_null(void)
665 return zprivs_null_state
;
668 #ifndef HAVE_GETGROUPLIST
669 /* Solaris 11 has no getgrouplist() */
670 static int getgrouplist(const char *user
, gid_t group
, gid_t
*groups
,
682 while ((grp
= getgrent())) {
683 if (grp
->gr_gid
== group
)
685 for (usridx
= 0; grp
->gr_mem
[usridx
] != NULL
; usridx
++)
686 if (!strcmp(grp
->gr_mem
[usridx
], user
)) {
688 groups
[pos
] = grp
->gr_gid
;
695 ret
= (pos
<= *ngroups
) ? pos
: -1;
699 #endif /* HAVE_GETGROUPLIST */
701 struct zebra_privs_t
*_zprivs_raise(struct zebra_privs_t
*privs
,
702 const char *funcname
)
704 int save_errno
= errno
;
710 if (privs
->change(ZPRIVS_RAISE
)) {
711 zlog_err("%s: Failed to raise privileges (%s)",
712 funcname
, safe_strerror(errno
));
715 privs
->raised_in_funcname
= funcname
;
719 void _zprivs_lower(struct zebra_privs_t
**privs
)
721 int save_errno
= errno
;
727 if ((*privs
)->change(ZPRIVS_LOWER
)) {
728 zlog_err("%s: Failed to lower privileges (%s)",
729 (*privs
)->raised_in_funcname
, safe_strerror(errno
));
732 (*privs
)->raised_in_funcname
= NULL
;
736 void zprivs_preinit(struct zebra_privs_t
*zprivs
)
738 struct passwd
*pwentry
= NULL
;
739 struct group
*grentry
= NULL
;
742 fprintf(stderr
, "zprivs_init: called with NULL arg!\n");
746 if (zprivs
->vty_group
) {
747 /* in a "NULL" setup, this is allowed to fail too, but still
749 if ((grentry
= getgrnam(zprivs
->vty_group
)))
750 zprivs_state
.vtygrp
= grentry
->gr_gid
;
752 zprivs_state
.vtygrp
= (gid_t
)-1;
756 if (!(zprivs
->user
|| zprivs
->group
|| zprivs
->cap_num_p
757 || zprivs
->cap_num_i
)) {
758 zprivs
->change
= zprivs_change_null
;
759 zprivs
->current_state
= zprivs_state_null
;
764 if ((pwentry
= getpwnam(zprivs
->user
)) == NULL
) {
765 /* cant use log.h here as it depends on vty */
767 "privs_init: could not lookup user %s\n",
772 zprivs_state
.zuid
= pwentry
->pw_uid
;
773 zprivs_state
.zgid
= pwentry
->pw_gid
;
779 if ((grentry
= getgrnam(zprivs
->group
)) == NULL
) {
781 "privs_init: could not lookup group %s\n",
786 zprivs_state
.zgid
= grentry
->gr_gid
;
790 void zprivs_init(struct zebra_privs_t
*zprivs
)
792 gid_t groups
[NGROUPS_MAX
];
797 if (!(zprivs
->user
|| zprivs
->group
|| zprivs
->cap_num_p
798 || zprivs
->cap_num_i
))
802 ngroups
= sizeof(groups
);
803 if (getgrouplist(zprivs
->user
, zprivs_state
.zgid
, groups
,
806 /* cant use log.h here as it depends on vty */
808 "privs_init: could not getgrouplist for user %s\n",
814 if (zprivs
->vty_group
)
815 /* Add the vty_group to the supplementary groups so it can be chowned to
818 if (zprivs_state
.vtygrp
== (gid_t
)-1) {
820 "privs_init: could not lookup vty group %s\n",
825 for (i
= 0; i
< ngroups
; i
++)
826 if (groups
[i
] == zprivs_state
.vtygrp
) {
833 "privs_init: user(%s) is not part of vty group specified(%s)\n",
834 zprivs
->user
, zprivs
->vty_group
);
837 if (i
>= ngroups
&& ngroups
< (int)ZEBRA_NUM_OF(groups
)) {
838 groups
[i
] = zprivs_state
.vtygrp
;
842 zprivs_state
.zsuid
= geteuid(); /* initial uid */
843 /* add groups only if we changed uid - otherwise skip */
844 if ((ngroups
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
)) {
845 if (setgroups(ngroups
, groups
)) {
846 fprintf(stderr
, "privs_init: could not setgroups, %s\n",
847 safe_strerror(errno
));
852 /* change gid only if we changed uid - otherwise skip */
853 if ((zprivs_state
.zgid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
)) {
854 /* change group now, forever. uid we do later */
855 if (setregid(zprivs_state
.zgid
, zprivs_state
.zgid
)) {
856 fprintf(stderr
, "zprivs_init: could not setregid, %s\n",
857 safe_strerror(errno
));
862 #ifdef HAVE_CAPABILITIES
863 zprivs_caps_init(zprivs
);
866 * If we have initialized the system with no requested
867 * capabilities, change will not have been set
868 * to anything by zprivs_caps_init, As such
869 * we should make sure that when we attempt
870 * to raize privileges that we actually have
871 * a do nothing function to call instead of a
875 zprivs
->change
= zprivs_change_null
;
877 #else /* !HAVE_CAPABILITIES */
878 /* we dont have caps. we'll need to maintain rid and saved uid
879 * and change euid back to saved uid (who we presume has all neccessary
880 * privileges) whenever we are asked to raise our privileges.
882 * This is not worth that much security wise, but all we can do.
884 zprivs_state
.zsuid
= geteuid();
885 /* only change uid if we don't have the correct one */
886 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
)) {
887 if (setreuid(-1, zprivs_state
.zuid
)) {
889 "privs_init (uid): could not setreuid, %s\n",
890 safe_strerror(errno
));
895 zprivs
->change
= zprivs_change_uid
;
896 zprivs
->current_state
= zprivs_state_uid
;
897 #endif /* HAVE_CAPABILITIES */
900 void zprivs_terminate(struct zebra_privs_t
*zprivs
)
903 fprintf(stderr
, "%s: no privs struct given, terminating",
908 #ifdef HAVE_CAPABILITIES
909 if (zprivs
->user
|| zprivs
->group
|| zprivs
->cap_num_p
910 || zprivs
->cap_num_i
)
911 zprivs_caps_terminate();
912 #else /* !HAVE_CAPABILITIES */
913 /* only change uid if we don't have the correct one */
914 if ((zprivs_state
.zuid
) && (zprivs_state
.zsuid
!= zprivs_state
.zuid
)) {
915 if (setreuid(zprivs_state
.zuid
, zprivs_state
.zuid
)) {
917 "privs_terminate: could not setreuid, %s",
918 safe_strerror(errno
));
922 #endif /* HAVE_LCAPS */
924 zprivs
->change
= zprivs_change_null
;
925 zprivs
->current_state
= zprivs_state_null
;
926 zprivs_null_state
= ZPRIVS_LOWERED
;
930 void zprivs_get_ids(struct zprivs_ids_t
*ids
)
933 ids
->uid_priv
= getuid();
934 (zprivs_state
.zuid
) ? (ids
->uid_normal
= zprivs_state
.zuid
)
935 : (ids
->uid_normal
= -1);
936 (zprivs_state
.zgid
) ? (ids
->gid_normal
= zprivs_state
.zgid
)
937 : (ids
->gid_normal
= -1);
938 (zprivs_state
.vtygrp
) ? (ids
->gid_vty
= zprivs_state
.vtygrp
)
939 : (ids
->gid_vty
= -1);