]> git.proxmox.com Git - mirror_frr.git/blame - lib/privs.c
projects / mirror_frr.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
zebra: Allow ns delete to happen after under/over flow checks
[mirror_frr.git] / lib / privs.c
CommitLineData
d62a17ae 1/*
01245821 2 * Zebra privileges.
3 *
4 * Copyright (C) 2003 Paul Jakma.
01070b9e 5 * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
01245821 6 *
7 * This file is part of GNU Zebra.
8 *
9 * GNU Zebra is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2, or (at your option) any
12 * later version.
13 *
14 * GNU Zebra is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
18 *
896014f4
DL		 19 * You should have received a copy of the GNU General Public License along
20 * with this program; see the file COPYING; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
01245821 22 */
01245821 23#include <zebra.h>
24#include "log.h"
25#include "privs.h"
26#include "memory.h"
ff245f0e 27#include "lib_errors.h"
01245821 28
ceacedba 29#ifdef HAVE_CAPABILITIES
4a1ab8e4
DL		 30
31DEFINE_MTYPE_STATIC(LIB, PRIVS, "Privilege information")
32
ceacedba 33/* sort out some generic internal types for:
34 *
35 * privilege values (cap_value_t, priv_t) -> pvalue_t
36 * privilege set (..., priv_set_t) -> pset_t
37 * privilege working storage (cap_t, ...) -> pstorage_t
38 *
39 * values we think of as numeric (they're ints really, but we dont know)
40 * sets are mostly opaque, to hold a set of privileges, related in some way.
41 * storage binds together a set of sets we're interested in.
42 * (in reality: cap_value_t and priv_t are ints)
d62a17ae 43 */
ceacedba 44#ifdef HAVE_LCAPS
45/* Linux doesn't have a 'set' type: a set of related privileges */
46struct _pset {
d62a17ae 47 int num;
48 cap_value_t *caps;
ceacedba 49};
50typedef cap_value_t pvalue_t;
51typedef struct _pset pset_t;
52typedef cap_t pstorage_t;
6b0655a2 53
d62a17ae 54#elif defined(HAVE_SOLARIS_CAPABILITIES)
ceacedba 55typedef priv_t pvalue_t;
56typedef priv_set_t pset_t;
57typedef priv_set_t *pstorage_t;
58#else /* neither LCAPS nor SOLARIS_CAPABILITIES */
59#error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!"
60#endif /* HAVE_LCAPS */
61#endif /* HAVE_CAPABILITIES */
6b0655a2 62
ceacedba 63/* the default NULL state we report is RAISED, but could be LOWERED if
64 * zprivs_terminate is called and the NULL handler is installed.
65 */
66static zebra_privs_current_t zprivs_null_state = ZPRIVS_RAISED;
67
01245821 68/* internal privileges state */
d62a17ae 69static struct _zprivs_t {
ceacedba 70#ifdef HAVE_CAPABILITIES
d62a17ae 71 pstorage_t caps; /* working storage */
72 pset_t *syscaps_p; /* system-type requested permitted caps */
73 pset_t *syscaps_i; /* system-type requested inheritable caps */
74#endif /* HAVE_CAPABILITIES */
75 uid_t zuid, /* uid to run as */
76 zsuid; /* saved uid */
77 gid_t zgid; /* gid to run as */
78 gid_t vtygrp; /* gid for vty sockets */
01245821 79} zprivs_state;
80
81/* externally exported but not directly accessed functions */
ceacedba 82#ifdef HAVE_CAPABILITIES
d62a17ae 83int zprivs_change_caps(zebra_privs_ops_t);
84zebra_privs_current_t zprivs_state_caps(void);
ceacedba 85#endif /* HAVE_CAPABILITIES */
d62a17ae 86int zprivs_change_uid(zebra_privs_ops_t);
87zebra_privs_current_t zprivs_state_uid(void);
88int zprivs_change_null(zebra_privs_ops_t);
89zebra_privs_current_t zprivs_state_null(void);
01245821 90
ceacedba 91#ifdef HAVE_CAPABILITIES
92/* internal capability API */
d62a17ae 93static pset_t *zcaps2sys(zebra_capabilities_t *, int);
94static void zprivs_caps_init(struct zebra_privs_t *);
95static void zprivs_caps_terminate(void);
ceacedba 96
97/* Map of Quagga abstract capabilities to system capabilities */
d62a17ae 98static struct {
99 int num;
100 pvalue_t *system_caps;
101} cap_map[ZCAP_MAX] = {
ceacedba 102#ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
9d303b37
DL		 103 [ZCAP_SETID] =
104 {
105 2, (pvalue_t[]){CAP_SETGID, CAP_SETUID},
106 },
107 [ZCAP_BIND] =
108 {
109 1, (pvalue_t[]){CAP_NET_BIND_SERVICE},
110 },
111 [ZCAP_NET_ADMIN] =
112 {
113 1, (pvalue_t[]){CAP_NET_ADMIN},
114 },
115 [ZCAP_NET_RAW] =
116 {
117 1, (pvalue_t[]){CAP_NET_RAW},
118 },
119 [ZCAP_CHROOT] =
120 {
121 1,
122 (pvalue_t[]){
123 CAP_SYS_CHROOT,
124 },
125 },
126 [ZCAP_NICE] =
127 {
128 1, (pvalue_t[]){CAP_SYS_NICE},
129 },
130 [ZCAP_PTRACE] =
131 {
132 1, (pvalue_t[]){CAP_SYS_PTRACE},
133 },
134 [ZCAP_DAC_OVERRIDE] =
135 {
136 1, (pvalue_t[]){CAP_DAC_OVERRIDE},
137 },
138 [ZCAP_READ_SEARCH] =
139 {
140 1, (pvalue_t[]){CAP_DAC_READ_SEARCH},
141 },
142 [ZCAP_SYS_ADMIN] =
143 {
144 1, (pvalue_t[]){CAP_SYS_ADMIN},
145 },
146 [ZCAP_FOWNER] =
147 {
148 1, (pvalue_t[]){CAP_FOWNER},
d62a17ae 149 },
ceacedba 150#elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */
9d303b37
DL		 151 /* Quagga -> Solaris privilege mappings */
152 [ZCAP_SETID] =
153 {
154 1, (pvalue_t[]){PRIV_PROC_SETID},
155 },
156 [ZCAP_BIND] =
157 {
158 1, (pvalue_t[]){PRIV_NET_PRIVADDR},
159 },
d62a17ae 160/* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */
6b148faa 161#ifdef PRIV_SYS_IP_CONFIG
9d303b37
DL		 162 [ZCAP_NET_ADMIN] =
163 {
164 1, (pvalue_t[]){PRIV_SYS_IP_CONFIG},
165 },
6b148faa 166#else
9d303b37
DL		 167 [ZCAP_NET_ADMIN] =
168 {
169 1, (pvalue_t[]){PRIV_SYS_NET_CONFIG},
170 },
6b148faa 171#endif
9d303b37
DL		 172 [ZCAP_NET_RAW] =
173 {
174 2, (pvalue_t[]){PRIV_NET_RAWACCESS,
175 PRIV_NET_ICMPACCESS},
176 },
177 [ZCAP_CHROOT] =
178 {
179 1, (pvalue_t[]){PRIV_PROC_CHROOT},
180 },
181 [ZCAP_NICE] =
182 {
183 1, (pvalue_t[]){PRIV_PROC_PRIOCNTL},
184 },
185 [ZCAP_PTRACE] =
186 {
187 1, (pvalue_t[]){PRIV_PROC_SESSION},
188 },
189 [ZCAP_DAC_OVERRIDE] =
190 {
191 5, (pvalue_t[]){PRIV_FILE_DAC_EXECUTE,
192 PRIV_FILE_DAC_READ,
193 PRIV_FILE_DAC_SEARCH,
194 PRIV_FILE_DAC_WRITE,
195 PRIV_FILE_DAC_SEARCH},
196 },
197 [ZCAP_READ_SEARCH] =
198 {
199 2, (pvalue_t[]){PRIV_FILE_DAC_SEARCH,
200 PRIV_FILE_DAC_READ},
201 },
202 [ZCAP_SYS_ADMIN] =
203 {
204 1, (pvalue_t[]){PRIV_SYS_ADMIN},
205 },
206 [ZCAP_FOWNER] =
207 {
208 1, (pvalue_t[]){PRIV_FILE_OWNER},
209 },
ceacedba 210#endif /* HAVE_SOLARIS_CAPABILITIES */
01245821 211};
6b0655a2 212
ceacedba 213#ifdef HAVE_LCAPS
214/* Linux forms of capabilities methods */
01245821 215/* convert zebras privileges to system capabilities */
d62a17ae 216static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num)
01245821 217{
d62a17ae 218 pset_t *syscaps;
219 int i, j = 0, count = 0;
220
221 if (!num)
222 return NULL;
223
224 /* first count up how many system caps we have */
225 for (i = 0; i < num; i++)
226 count += cap_map[zcaps[i]].num;
227
228 if ((syscaps = XCALLOC(MTYPE_PRIVS, (sizeof(pset_t) * num))) == NULL) {
229 fprintf(stderr, "%s: could not allocate syscaps!", __func__);
230 return NULL;
231 }
232
233 syscaps->caps = XCALLOC(MTYPE_PRIVS, (sizeof(pvalue_t) * count));
234
235 if (!syscaps->caps) {
236 fprintf(stderr, "%s: could not XCALLOC caps!", __func__);
237 return NULL;
238 }
239
240 /* copy the capabilities over */
241 count = 0;
242 for (i = 0; i < num; i++)
243 for (j = 0; j < cap_map[zcaps[i]].num; j++)
244 syscaps->caps[count++] =
245 cap_map[zcaps[i]].system_caps[j];
246
247 /* iterations above should be exact same as previous count, obviously..
248 */
249 syscaps->num = count;
250
251 return syscaps;
01245821 252}
253
254/* set or clear the effective capabilities to/from permitted */
d62a17ae 255int zprivs_change_caps(zebra_privs_ops_t op)
01245821 256{
d62a17ae 257 cap_flag_value_t cflag;
258
259 /* should be no possibility of being called without valid caps */
260 assert(zprivs_state.syscaps_p && zprivs_state.caps);
261 if (!(zprivs_state.syscaps_p && zprivs_state.caps))
262 exit(1);
263
264 if (op == ZPRIVS_RAISE)
265 cflag = CAP_SET;
266 else if (op == ZPRIVS_LOWER)
267 cflag = CAP_CLEAR;
268 else
269 return -1;
270
271 if (!cap_set_flag(zprivs_state.caps, CAP_EFFECTIVE,
272 zprivs_state.syscaps_p->num,
273 zprivs_state.syscaps_p->caps, cflag))
274 return cap_set_proc(zprivs_state.caps);
275 return -1;
01245821 276}
277
d62a17ae 278zebra_privs_current_t zprivs_state_caps(void)
01245821 279{
d62a17ae 280 int i;
281 cap_flag_value_t val;
282
283 /* should be no possibility of being called without valid caps */
284 assert(zprivs_state.syscaps_p && zprivs_state.caps);
285 if (!(zprivs_state.syscaps_p && zprivs_state.caps))
286 exit(1);
287
288 for (i = 0; i < zprivs_state.syscaps_p->num; i++) {
289 if (cap_get_flag(zprivs_state.caps,
290 zprivs_state.syscaps_p->caps[i], CAP_EFFECTIVE,
291 &val)) {
ff245f0e 292 flog_err(
450971aa 293 EC_LIB_SYSTEM_CALL,
d62a17ae 294 "zprivs_state_caps: could not cap_get_flag, %s",
295 safe_strerror(errno));
296 return ZPRIVS_UNKNOWN;
297 }
298 if (val == CAP_SET)
299 return ZPRIVS_RAISED;
300 }
301 return ZPRIVS_LOWERED;
01245821 302}
303
d62a17ae 304static void zprivs_caps_init(struct zebra_privs_t *zprivs)
ceacedba 305{
d62a17ae 306 zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p);
307 zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i);
308
309 /* Tell kernel we want caps maintained across uid changes */
310 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
311 fprintf(stderr,
312 "privs_init: could not set PR_SET_KEEPCAPS, %s\n",
313 safe_strerror(errno));
314 exit(1);
315 }
316
317 /* we have caps, we have no need to ever change back the original user
318 */
319 /* only change uid if we don't have the correct one */
320 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
321 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
322 fprintf(stderr,
323 "zprivs_init (cap): could not setreuid, %s\n",
324 safe_strerror(errno));
325 exit(1);
326 }
327 }
328
329 if (!zprivs_state.syscaps_p)
330 return;
331
332 if (!(zprivs_state.caps = cap_init())) {
333 fprintf(stderr, "privs_init: failed to cap_init, %s\n",
334 safe_strerror(errno));
335 exit(1);
336 }
337
338 if (cap_clear(zprivs_state.caps)) {
339 fprintf(stderr, "privs_init: failed to cap_clear, %s\n",
340 safe_strerror(errno));
341 exit(1);
342 }
343
344 /* set permitted caps */
345 cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
346 zprivs_state.syscaps_p->num, zprivs_state.syscaps_p->caps,
347 CAP_SET);
348
349 /* set inheritable caps, if any */
350 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
351 cap_set_flag(zprivs_state.caps, CAP_INHERITABLE,
352 zprivs_state.syscaps_i->num,
353 zprivs_state.syscaps_i->caps, CAP_SET);
354 }
355
356 /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as
357 * and when, and only when, they are needed.
358 */
359 if (cap_set_proc(zprivs_state.caps)) {
360 cap_t current_caps;
361 char *current_caps_text = NULL;
362 char *wanted_caps_text = NULL;
363
364 fprintf(stderr, "privs_init: initial cap_set_proc failed: %s\n",
365 safe_strerror(errno));
366
367 current_caps = cap_get_proc();
368 if (current_caps) {
369 current_caps_text = cap_to_text(current_caps, NULL);
370 cap_free(current_caps);
371 }
372
373 wanted_caps_text = cap_to_text(zprivs_state.caps, NULL);
374 fprintf(stderr, "Wanted caps: %s\n",
375 wanted_caps_text ? wanted_caps_text : "???");
376 fprintf(stderr, "Have caps: %s\n",
377 current_caps_text ? current_caps_text : "???");
378 if (current_caps_text)
379 cap_free(current_caps_text);
380 if (wanted_caps_text)
381 cap_free(wanted_caps_text);
382
383 exit(1);
384 }
385
386 /* set methods for the caller to use */
387 zprivs->change = zprivs_change_caps;
388 zprivs->current_state = zprivs_state_caps;
ceacedba 389}
390
d62a17ae 391static void zprivs_caps_terminate(void)
ceacedba 392{
d62a17ae 393 /* clear all capabilities */
394 if (zprivs_state.caps)
395 cap_clear(zprivs_state.caps);
396
397 /* and boom, capabilities are gone forever */
398 if (cap_set_proc(zprivs_state.caps)) {
399 fprintf(stderr, "privs_terminate: cap_set_proc failed, %s",
400 safe_strerror(errno));
401 exit(1);
402 }
403
404 /* free up private state */
405 if (zprivs_state.syscaps_p->num) {
406 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p->caps);
407 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p);
408 }
409
410 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
411 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i->caps);
412 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i);
413 }
414
415 cap_free(zprivs_state.caps);
ceacedba 416}
d62a17ae 417#elif defined(HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */
6b0655a2 418
d62a17ae 419/* Solaris specific capability/privilege methods
ceacedba 420 *
421 * Resources:
422 * - the 'privileges' man page
423 * - http://cvs.opensolaris.org
d62a17ae 424 * -
425 * http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
ceacedba 426 */
427
d62a17ae 428static pset_t *zprivs_caps_minimal()
01070b9e 429{
d62a17ae 430 pset_t *minimal;
01070b9e 431
d62a17ae 432 if ((minimal = priv_str_to_set("basic", ",", NULL)) == NULL) {
433 fprintf(stderr, "%s: couldn't get basic set!\n", __func__);
434 exit(1);
435 }
01070b9e 436
d62a17ae 437 /* create a minimal privilege set from the basic set */
438 (void)priv_delset(minimal, PRIV_PROC_EXEC);
439 (void)priv_delset(minimal, PRIV_PROC_INFO);
440 (void)priv_delset(minimal, PRIV_PROC_SESSION);
441 (void)priv_delset(minimal, PRIV_FILE_LINK_ANY);
01070b9e 442
d62a17ae 443 return minimal;
01070b9e
BB		 444}
445
ceacedba 446/* convert zebras privileges to system capabilities */
d62a17ae 447static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num)
ceacedba 448{
d62a17ae 449 pset_t *syscaps;
450 int i, j = 0;
451
452 if ((syscaps = priv_allocset()) == NULL) {
453 fprintf(stderr, "%s: could not allocate syscaps!\n", __func__);
454 exit(1);
455 }
456
457 priv_emptyset(syscaps);
458
459 for (i = 0; i < num; i++)
460 for (j = 0; j < cap_map[zcaps[i]].num; j++)
461 priv_addset(syscaps, cap_map[zcaps[i]].system_caps[j]);
462
463 return syscaps;
ceacedba 464}
465
466/* callback exported to users to RAISE and LOWER effective privileges
467 * from nothing to the given permitted set and back down
468 */
d62a17ae 469int zprivs_change_caps(zebra_privs_ops_t op)
ceacedba 470{
d62a17ae 471 pset_t *privset;
472
473 /* should be no possibility of being called without valid caps */
474 assert(zprivs_state.syscaps_p);
475 if (!zprivs_state.syscaps_p) {
476 fprintf(stderr, "%s: Eek, missing privileged caps!", __func__);
477 exit(1);
478 }
479
480 assert(zprivs_state.caps);
481 if (!zprivs_state.caps) {
482 fprintf(stderr, "%s: Eek, missing caps!", __func__);
483 exit(1);
484 }
485
486 /* to raise: copy original permitted as our working effective set
487 * to lower: copy regular effective set stored in zprivs_state.caps
488 */
489 if (op == ZPRIVS_RAISE)
490 privset = zprivs_state.syscaps_p;
491 else if (op == ZPRIVS_LOWER)
492 privset = zprivs_state.caps;
493 else
494 return -1;
495
496 if (setppriv(PRIV_SET, PRIV_EFFECTIVE, privset) != 0)
497 return -1;
498
499 return 0;
ceacedba 500}
501
502/* Retrieve current privilege state, is it RAISED or LOWERED? */
d62a17ae 503zebra_privs_current_t zprivs_state_caps(void)
ceacedba 504{
d62a17ae 505 zebra_privs_current_t result;
506 pset_t *effective;
507
508 if ((effective = priv_allocset()) == NULL) {
509 fprintf(stderr, "%s: failed to get priv_allocset! %s\n",
510 __func__, safe_strerror(errno));
511 return ZPRIVS_UNKNOWN;
512 }
513
514 if (getppriv(PRIV_EFFECTIVE, effective)) {
515 fprintf(stderr, "%s: failed to get state! %s\n", __func__,
516 safe_strerror(errno));
517 result = ZPRIVS_UNKNOWN;
518 } else {
519 if (priv_isequalset(effective, zprivs_state.syscaps_p))
520 result = ZPRIVS_RAISED;
521 else if (priv_isequalset(effective, zprivs_state.caps))
522 result = ZPRIVS_LOWERED;
523 else
524 result = ZPRIVS_UNKNOWN;
525 }
526
527 priv_freeset(effective);
528 return result;
ceacedba 529}
530
d62a17ae 531static void zprivs_caps_init(struct zebra_privs_t *zprivs)
ceacedba 532{
d62a17ae 533 pset_t *basic;
534 pset_t *minimal;
535
536 /* the specified sets */
537 zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p);
538 zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i);
539
540 /* nonsensical to have gotten here but not have capabilities */
541 if (!zprivs_state.syscaps_p) {
542 fprintf(stderr,
543 "%s: capabilities enabled, "
544 "but no valid capabilities supplied\n",
545 __func__);
546 }
547
548 /* We retain the basic set in our permitted set, as Linux has no
549 * equivalent. The basic set on Linux hence is implicit, always
550 * there.
551 */
552 if ((basic = priv_str_to_set("basic", ",", NULL)) == NULL) {
553 fprintf(stderr, "%s: couldn't get basic set!\n", __func__);
554 exit(1);
555 }
556
557 /* Add the basic set to the permitted set */
558 priv_union(basic, zprivs_state.syscaps_p);
559 priv_freeset(basic);
560
561 /* Hey kernel, we know about privileges!
562 * this isn't strictly required, use of setppriv should have same effect
563 */
564 if (setpflags(PRIV_AWARE, 1)) {
565 fprintf(stderr, "%s: error setting PRIV_AWARE!, %s\n", __func__,
566 safe_strerror(errno));
567 exit(1);
568 }
569
570 /* need either valid or empty sets for both p and i.. */
571 assert(zprivs_state.syscaps_i && zprivs_state.syscaps_p);
572
573 /* we have caps, we have no need to ever change back the original user
574 * change real, effective and saved to the specified user.
575 */
576 /* only change uid if we don't have the correct one */
577 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
578 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
579 fprintf(stderr, "%s: could not setreuid, %s\n",
580 __func__, safe_strerror(errno));
581 exit(1);
582 }
583 }
584
585 /* set the permitted set */
586 if (setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.syscaps_p)) {
587 fprintf(stderr, "%s: error setting permitted set!, %s\n",
588 __func__, safe_strerror(errno));
589 exit(1);
590 }
591
592 /* set the inheritable set */
593 if (setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.syscaps_i)) {
594 fprintf(stderr, "%s: error setting inheritable set!, %s\n",
595 __func__, safe_strerror(errno));
596 exit(1);
597 }
598
599 /* we need a minimal basic set for 'effective', potentially for
600 * inheritable too */
601 minimal = zprivs_caps_minimal();
602
603 /* now set the effective set with a subset of basic privileges */
604 if (setppriv(PRIV_SET, PRIV_EFFECTIVE, minimal)) {
605 fprintf(stderr, "%s: error setting effective set!, %s\n",
606 __func__, safe_strerror(errno));
607 exit(1);
608 }
609
610 /* we'll use the minimal set as our working-storage privset */
611 zprivs_state.caps = minimal;
612
613 /* set methods for the caller to use */
614 zprivs->change = zprivs_change_caps;
615 zprivs->current_state = zprivs_state_caps;
ceacedba 616}
617
d62a17ae 618static void zprivs_caps_terminate(void)
ceacedba 619{
d62a17ae 620 assert(zprivs_state.caps);
621
622 /* clear all capabilities by using working-storage privset */
623 setppriv(PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps);
624 setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.caps);
625 setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps);
626
627 /* free up private state */
628 if (zprivs_state.syscaps_p)
629 priv_freeset(zprivs_state.syscaps_p);
630 if (zprivs_state.syscaps_i)
631 priv_freeset(zprivs_state.syscaps_i);
632
633 priv_freeset(zprivs_state.caps);
ceacedba 634}
635#else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */
636#error "Neither Solaris nor Linux capabilities, dazed and confused..."
637#endif /* HAVE_LCAPS */
638#endif /* HAVE_CAPABILITIES */
6b0655a2 639
d62a17ae 640int zprivs_change_uid(zebra_privs_ops_t op)
01245821 641{
d62a17ae 642 if (zprivs_state.zsuid == zprivs_state.zuid)
643 return 0;
644 if (op == ZPRIVS_RAISE)
645 return seteuid(zprivs_state.zsuid);
646 else if (op == ZPRIVS_LOWER)
647 return seteuid(zprivs_state.zuid);
648 else
649 return -1;
01245821 650}
651
d62a17ae 652zebra_privs_current_t zprivs_state_uid(void)
01245821 653{
d62a17ae 654 return ((zprivs_state.zuid == geteuid()) ? ZPRIVS_LOWERED
655 : ZPRIVS_RAISED);
01245821 656}
657
d62a17ae 658int zprivs_change_null(zebra_privs_ops_t op)
01245821 659{
d62a17ae 660 return 0;
01245821 661}
662
d62a17ae 663zebra_privs_current_t zprivs_state_null(void)
01245821 664{
d62a17ae 665 return zprivs_null_state;
01245821 666}
667
4a9ea50e
DL		 668#ifndef HAVE_GETGROUPLIST
669/* Solaris 11 has no getgrouplist() */
d62a17ae 670static int getgrouplist(const char *user, gid_t group, gid_t *groups,
671 int *ngroups)
4a9ea50e 672{
d62a17ae 673 struct group *grp;
674 size_t usridx;
675 int pos = 0, ret;
676
677 if (pos < *ngroups)
678 groups[pos] = group;
679 pos++;
680
681 setgrent();
682 while ((grp = getgrent())) {
683 if (grp->gr_gid == group)
684 continue;
685 for (usridx = 0; grp->gr_mem[usridx] != NULL; usridx++)
686 if (!strcmp(grp->gr_mem[usridx], user)) {
687 if (pos < *ngroups)
688 groups[pos] = grp->gr_gid;
689 pos++;
690 break;
691 }
692 }
693 endgrent();
694
695 ret = (pos <= *ngroups) ? pos : -1;
696 *ngroups = pos;
697 return ret;
4a9ea50e
DL		 698}
699#endif /* HAVE_GETGROUPLIST */
700
6017c3a2
DL		 701struct zebra_privs_t *_zprivs_raise(struct zebra_privs_t *privs,
702 const char *funcname)
703{
704 int save_errno = errno;
705
706 if (!privs)
707 return NULL;
708
709 errno = 0;
710 if (privs->change(ZPRIVS_RAISE)) {
711 zlog_err("%s: Failed to raise privileges (%s)",
712 funcname, safe_strerror(errno));
713 }
714 errno = save_errno;
715 privs->raised_in_funcname = funcname;
716 return privs;
717}
718
719void _zprivs_lower(struct zebra_privs_t **privs)
720{
721 int save_errno = errno;
722
723 if (!*privs)
724 return;
725
726 errno = 0;
727 if ((*privs)->change(ZPRIVS_LOWER)) {
728 zlog_err("%s: Failed to lower privileges (%s)",
729 (*privs)->raised_in_funcname, safe_strerror(errno));
730 }
731 errno = save_errno;
732 (*privs)->raised_in_funcname = NULL;
733 *privs = NULL;
734}
735
37a1f2fb 736void zprivs_preinit(struct zebra_privs_t *zprivs)
01245821 737{
d62a17ae 738 struct passwd *pwentry = NULL;
739 struct group *grentry = NULL;
d62a17ae 740
741 if (!zprivs) {
742 fprintf(stderr, "zprivs_init: called with NULL arg!\n");
743 exit(1);
744 }
745
746 if (zprivs->vty_group) {
747 /* in a "NULL" setup, this is allowed to fail too, but still
748 * try. */
749 if ((grentry = getgrnam(zprivs->vty_group)))
750 zprivs_state.vtygrp = grentry->gr_gid;
751 else
752 zprivs_state.vtygrp = (gid_t)-1;
753 }
754
755 /* NULL privs */
756 if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
757 || zprivs->cap_num_i)) {
758 zprivs->change = zprivs_change_null;
759 zprivs->current_state = zprivs_state_null;
760 return;
761 }
762
763 if (zprivs->user) {
764 if ((pwentry = getpwnam(zprivs->user)) == NULL) {
765 /* cant use log.h here as it depends on vty */
766 fprintf(stderr,
767 "privs_init: could not lookup user %s\n",
768 zprivs->user);
769 exit(1);
770 }
771
772 zprivs_state.zuid = pwentry->pw_uid;
773 zprivs_state.zgid = pwentry->pw_gid;
774 }
775
776 grentry = NULL;
777
778 if (zprivs->group) {
779 if ((grentry = getgrnam(zprivs->group)) == NULL) {
780 fprintf(stderr,
781 "privs_init: could not lookup group %s\n",
782 zprivs->group);
783 exit(1);
784 }
785
786 zprivs_state.zgid = grentry->gr_gid;
787 }
37a1f2fb
DL		 788}
789
790void zprivs_init(struct zebra_privs_t *zprivs)
791{
792 gid_t groups[NGROUPS_MAX];
793 int i, ngroups = 0;
794 int found = 0;
795
796 /* NULL privs */
797 if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
798 || zprivs->cap_num_i))
799 return;
d62a17ae 800
801 if (zprivs->user) {
802 ngroups = sizeof(groups);
803 if (getgrouplist(zprivs->user, zprivs_state.zgid, groups,
804 &ngroups)
805 < 0) {
806 /* cant use log.h here as it depends on vty */
807 fprintf(stderr,
808 "privs_init: could not getgrouplist for user %s\n",
809 zprivs->user);
810 exit(1);
811 }
812 }
813
814 if (zprivs->vty_group)
815 /* Add the vty_group to the supplementary groups so it can be chowned to
9d303b37 816 */
d62a17ae 817 {
818 if (zprivs_state.vtygrp == (gid_t)-1) {
819 fprintf(stderr,
820 "privs_init: could not lookup vty group %s\n",
821 zprivs->vty_group);
822 exit(1);
823 }
824
825 for (i = 0; i < ngroups; i++)
826 if (groups[i] == zprivs_state.vtygrp) {
827 found++;
828 break;
829 }
830
831 if (!found) {
832 fprintf(stderr,
833 "privs_init: user(%s) is not part of vty group specified(%s)\n",
834 zprivs->user, zprivs->vty_group);
835 exit(1);
836 }
837 if (i >= ngroups && ngroups < (int)ZEBRA_NUM_OF(groups)) {
838 groups[i] = zprivs_state.vtygrp;
839 }
840 }
841
842 zprivs_state.zsuid = geteuid(); /* initial uid */
843 /* add groups only if we changed uid - otherwise skip */
844 if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid)) {
845 if (setgroups(ngroups, groups)) {
846 fprintf(stderr, "privs_init: could not setgroups, %s\n",
847 safe_strerror(errno));
848 exit(1);
849 }
850 }
851
852 /* change gid only if we changed uid - otherwise skip */
853 if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
854 /* change group now, forever. uid we do later */
855 if (setregid(zprivs_state.zgid, zprivs_state.zgid)) {
856 fprintf(stderr, "zprivs_init: could not setregid, %s\n",
857 safe_strerror(errno));
858 exit(1);
859 }
860 }
861
ceacedba 862#ifdef HAVE_CAPABILITIES
d62a17ae 863 zprivs_caps_init(zprivs);
8e04538c
DS		 864
865 /*
866 * If we have initialized the system with no requested
867 * capabilities, change will not have been set
868 * to anything by zprivs_caps_init, As such
869 * we should make sure that when we attempt
870 * to raize privileges that we actually have
871 * a do nothing function to call instead of a
872 * crash :).
873 */
874 if (!zprivs->change)
875 zprivs->change = zprivs_change_null;
876
d62a17ae 877#else /* !HAVE_CAPABILITIES */
878 /* we dont have caps. we'll need to maintain rid and saved uid
879 * and change euid back to saved uid (who we presume has all neccessary
880 * privileges) whenever we are asked to raise our privileges.
881 *
882 * This is not worth that much security wise, but all we can do.
883 */
884 zprivs_state.zsuid = geteuid();
885 /* only change uid if we don't have the correct one */
886 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
887 if (setreuid(-1, zprivs_state.zuid)) {
888 fprintf(stderr,
889 "privs_init (uid): could not setreuid, %s\n",
890 safe_strerror(errno));
891 exit(1);
892 }
893 }
894
895 zprivs->change = zprivs_change_uid;
896 zprivs->current_state = zprivs_state_uid;
ceacedba 897#endif /* HAVE_CAPABILITIES */
01245821 898}
899
d62a17ae 900void zprivs_terminate(struct zebra_privs_t *zprivs)
01245821 901{
d62a17ae 902 if (!zprivs) {
903 fprintf(stderr, "%s: no privs struct given, terminating",
904 __func__);
905 exit(0);
906 }
907
ceacedba 908#ifdef HAVE_CAPABILITIES
4093d47b
DL		 909 if (zprivs->user || zprivs->group || zprivs->cap_num_p
910 || zprivs->cap_num_i)
911 zprivs_caps_terminate();
d62a17ae 912#else /* !HAVE_CAPABILITIES */
913 /* only change uid if we don't have the correct one */
914 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
915 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
916 fprintf(stderr,
917 "privs_terminate: could not setreuid, %s",
918 safe_strerror(errno));
919 exit(1);
920 }
921 }
01245821 922#endif /* HAVE_LCAPS */
ceacedba 923
d62a17ae 924 zprivs->change = zprivs_change_null;
925 zprivs->current_state = zprivs_state_null;
926 zprivs_null_state = ZPRIVS_LOWERED;
927 return;
01245821 928}
ba3a0bc5 929
d62a17ae 930void zprivs_get_ids(struct zprivs_ids_t *ids)
ba3a0bc5 931{
932
d62a17ae 933 ids->uid_priv = getuid();
934 (zprivs_state.zuid) ? (ids->uid_normal = zprivs_state.zuid)
935 : (ids->uid_normal = -1);
936 (zprivs_state.zgid) ? (ids->gid_normal = zprivs_state.zgid)
937 : (ids->gid_normal = -1);
938 (zprivs_state.vtygrp) ? (ids->gid_vty = zprivs_state.vtygrp)
939 : (ids->gid_vty = -1);
940
941 return;
ba3a0bc5 942}
FRRouting mirror