]> git.proxmox.com Git - mirror_frr.git/blob - lib/privs.c
projects / mirror_frr.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
zebra, lib: fix the ZEBRA_INTERFACE_VRF_UPDATE zapi message
[mirror_frr.git] / lib / privs.c
1 /*
2 * Zebra privileges.
3 *
4 * Copyright (C) 2003 Paul Jakma.
5 * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
6 *
7 * This file is part of GNU Zebra.
8 *
9 * GNU Zebra is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2, or (at your option) any
12 * later version.
13 *
14 * GNU Zebra is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; see the file COPYING; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23 #include <zebra.h>
24 #include "log.h"
25 #include "privs.h"
26 #include "memory.h"
27 #include "lib_errors.h"
28
29 #ifdef HAVE_CAPABILITIES
30
31 DEFINE_MTYPE_STATIC(LIB, PRIVS, "Privilege information")
32
33 /* sort out some generic internal types for:
34 *
35 * privilege values (cap_value_t, priv_t) -> pvalue_t
36 * privilege set (..., priv_set_t) -> pset_t
37 * privilege working storage (cap_t, ...) -> pstorage_t
38 *
39 * values we think of as numeric (they're ints really, but we dont know)
40 * sets are mostly opaque, to hold a set of privileges, related in some way.
41 * storage binds together a set of sets we're interested in.
42 * (in reality: cap_value_t and priv_t are ints)
43 */
44 #ifdef HAVE_LCAPS
45 /* Linux doesn't have a 'set' type: a set of related privileges */
46 struct _pset {
47 int num;
48 cap_value_t *caps;
49 };
50 typedef cap_value_t pvalue_t;
51 typedef struct _pset pset_t;
52 typedef cap_t pstorage_t;
53
54 #elif defined(HAVE_SOLARIS_CAPABILITIES)
55 typedef priv_t pvalue_t;
56 typedef priv_set_t pset_t;
57 typedef priv_set_t *pstorage_t;
58 #else /* neither LCAPS nor SOLARIS_CAPABILITIES */
59 #error "HAVE_CAPABILITIES defined, but neither LCAPS nor Solaris Capabilties!"
60 #endif /* HAVE_LCAPS */
61 #endif /* HAVE_CAPABILITIES */
62
63 /* the default NULL state we report is RAISED, but could be LOWERED if
64 * zprivs_terminate is called and the NULL handler is installed.
65 */
66 static zebra_privs_current_t zprivs_null_state = ZPRIVS_RAISED;
67
68 /* internal privileges state */
69 static struct _zprivs_t {
70 #ifdef HAVE_CAPABILITIES
71 pstorage_t caps; /* working storage */
72 pset_t *syscaps_p; /* system-type requested permitted caps */
73 pset_t *syscaps_i; /* system-type requested inheritable caps */
74 #endif /* HAVE_CAPABILITIES */
75 uid_t zuid, /* uid to run as */
76 zsuid; /* saved uid */
77 gid_t zgid; /* gid to run as */
78 gid_t vtygrp; /* gid for vty sockets */
79 } zprivs_state;
80
81 /* externally exported but not directly accessed functions */
82 #ifdef HAVE_CAPABILITIES
83 int zprivs_change_caps(zebra_privs_ops_t);
84 zebra_privs_current_t zprivs_state_caps(void);
85 #endif /* HAVE_CAPABILITIES */
86 int zprivs_change_uid(zebra_privs_ops_t);
87 zebra_privs_current_t zprivs_state_uid(void);
88 int zprivs_change_null(zebra_privs_ops_t);
89 zebra_privs_current_t zprivs_state_null(void);
90
91 #ifdef HAVE_CAPABILITIES
92 /* internal capability API */
93 static pset_t *zcaps2sys(zebra_capabilities_t *, int);
94 static void zprivs_caps_init(struct zebra_privs_t *);
95 static void zprivs_caps_terminate(void);
96
97 /* Map of Quagga abstract capabilities to system capabilities */
98 static struct {
99 int num;
100 pvalue_t *system_caps;
101 } cap_map[ZCAP_MAX] = {
102 #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
103 [ZCAP_SETID] =
104 {
105 2, (pvalue_t[]){CAP_SETGID, CAP_SETUID},
106 },
107 [ZCAP_BIND] =
108 {
109 1, (pvalue_t[]){CAP_NET_BIND_SERVICE},
110 },
111 [ZCAP_NET_ADMIN] =
112 {
113 1, (pvalue_t[]){CAP_NET_ADMIN},
114 },
115 [ZCAP_NET_RAW] =
116 {
117 1, (pvalue_t[]){CAP_NET_RAW},
118 },
119 [ZCAP_CHROOT] =
120 {
121 1,
122 (pvalue_t[]){
123 CAP_SYS_CHROOT,
124 },
125 },
126 [ZCAP_NICE] =
127 {
128 1, (pvalue_t[]){CAP_SYS_NICE},
129 },
130 [ZCAP_PTRACE] =
131 {
132 1, (pvalue_t[]){CAP_SYS_PTRACE},
133 },
134 [ZCAP_DAC_OVERRIDE] =
135 {
136 1, (pvalue_t[]){CAP_DAC_OVERRIDE},
137 },
138 [ZCAP_READ_SEARCH] =
139 {
140 1, (pvalue_t[]){CAP_DAC_READ_SEARCH},
141 },
142 [ZCAP_SYS_ADMIN] =
143 {
144 1, (pvalue_t[]){CAP_SYS_ADMIN},
145 },
146 [ZCAP_FOWNER] =
147 {
148 1, (pvalue_t[]){CAP_FOWNER},
149 },
150 #elif defined(HAVE_SOLARIS_CAPABILITIES) /* HAVE_LCAPS */
151 /* Quagga -> Solaris privilege mappings */
152 [ZCAP_SETID] =
153 {
154 1, (pvalue_t[]){PRIV_PROC_SETID},
155 },
156 [ZCAP_BIND] =
157 {
158 1, (pvalue_t[]){PRIV_NET_PRIVADDR},
159 },
160 /* IP_CONFIG is a subset of NET_CONFIG and is allowed in zones */
161 #ifdef PRIV_SYS_IP_CONFIG
162 [ZCAP_NET_ADMIN] =
163 {
164 1, (pvalue_t[]){PRIV_SYS_IP_CONFIG},
165 },
166 #else
167 [ZCAP_NET_ADMIN] =
168 {
169 1, (pvalue_t[]){PRIV_SYS_NET_CONFIG},
170 },
171 #endif
172 [ZCAP_NET_RAW] =
173 {
174 2, (pvalue_t[]){PRIV_NET_RAWACCESS,
175 PRIV_NET_ICMPACCESS},
176 },
177 [ZCAP_CHROOT] =
178 {
179 1, (pvalue_t[]){PRIV_PROC_CHROOT},
180 },
181 [ZCAP_NICE] =
182 {
183 1, (pvalue_t[]){PRIV_PROC_PRIOCNTL},
184 },
185 [ZCAP_PTRACE] =
186 {
187 1, (pvalue_t[]){PRIV_PROC_SESSION},
188 },
189 [ZCAP_DAC_OVERRIDE] =
190 {
191 5, (pvalue_t[]){PRIV_FILE_DAC_EXECUTE,
192 PRIV_FILE_DAC_READ,
193 PRIV_FILE_DAC_SEARCH,
194 PRIV_FILE_DAC_WRITE,
195 PRIV_FILE_DAC_SEARCH},
196 },
197 [ZCAP_READ_SEARCH] =
198 {
199 2, (pvalue_t[]){PRIV_FILE_DAC_SEARCH,
200 PRIV_FILE_DAC_READ},
201 },
202 [ZCAP_SYS_ADMIN] =
203 {
204 1, (pvalue_t[]){PRIV_SYS_ADMIN},
205 },
206 [ZCAP_FOWNER] =
207 {
208 1, (pvalue_t[]){PRIV_FILE_OWNER},
209 },
210 #endif /* HAVE_SOLARIS_CAPABILITIES */
211 };
212
213 #ifdef HAVE_LCAPS
214 /* Linux forms of capabilities methods */
215 /* convert zebras privileges to system capabilities */
216 static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num)
217 {
218 pset_t *syscaps;
219 int i, j = 0, count = 0;
220
221 if (!num)
222 return NULL;
223
224 /* first count up how many system caps we have */
225 for (i = 0; i < num; i++)
226 count += cap_map[zcaps[i]].num;
227
228 if ((syscaps = XCALLOC(MTYPE_PRIVS, (sizeof(pset_t) * num))) == NULL) {
229 fprintf(stderr, "%s: could not allocate syscaps!", __func__);
230 return NULL;
231 }
232
233 syscaps->caps = XCALLOC(MTYPE_PRIVS, (sizeof(pvalue_t) * count));
234
235 if (!syscaps->caps) {
236 fprintf(stderr, "%s: could not XCALLOC caps!", __func__);
237 return NULL;
238 }
239
240 /* copy the capabilities over */
241 count = 0;
242 for (i = 0; i < num; i++)
243 for (j = 0; j < cap_map[zcaps[i]].num; j++)
244 syscaps->caps[count++] =
245 cap_map[zcaps[i]].system_caps[j];
246
247 /* iterations above should be exact same as previous count, obviously..
248 */
249 syscaps->num = count;
250
251 return syscaps;
252 }
253
254 /* set or clear the effective capabilities to/from permitted */
255 int zprivs_change_caps(zebra_privs_ops_t op)
256 {
257 cap_flag_value_t cflag;
258
259 /* should be no possibility of being called without valid caps */
260 assert(zprivs_state.syscaps_p && zprivs_state.caps);
261 if (!(zprivs_state.syscaps_p && zprivs_state.caps))
262 exit(1);
263
264 if (op == ZPRIVS_RAISE)
265 cflag = CAP_SET;
266 else if (op == ZPRIVS_LOWER)
267 cflag = CAP_CLEAR;
268 else
269 return -1;
270
271 if (!cap_set_flag(zprivs_state.caps, CAP_EFFECTIVE,
272 zprivs_state.syscaps_p->num,
273 zprivs_state.syscaps_p->caps, cflag))
274 return cap_set_proc(zprivs_state.caps);
275 return -1;
276 }
277
278 zebra_privs_current_t zprivs_state_caps(void)
279 {
280 int i;
281 cap_flag_value_t val;
282
283 /* should be no possibility of being called without valid caps */
284 assert(zprivs_state.syscaps_p && zprivs_state.caps);
285 if (!(zprivs_state.syscaps_p && zprivs_state.caps))
286 exit(1);
287
288 for (i = 0; i < zprivs_state.syscaps_p->num; i++) {
289 if (cap_get_flag(zprivs_state.caps,
290 zprivs_state.syscaps_p->caps[i], CAP_EFFECTIVE,
291 &val)) {
292 flog_err(
293 EC_LIB_SYSTEM_CALL,
294 "zprivs_state_caps: could not cap_get_flag, %s",
295 safe_strerror(errno));
296 return ZPRIVS_UNKNOWN;
297 }
298 if (val == CAP_SET)
299 return ZPRIVS_RAISED;
300 }
301 return ZPRIVS_LOWERED;
302 }
303
304 static void zprivs_caps_init(struct zebra_privs_t *zprivs)
305 {
306 zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p);
307 zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i);
308
309 /* Tell kernel we want caps maintained across uid changes */
310 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
311 fprintf(stderr,
312 "privs_init: could not set PR_SET_KEEPCAPS, %s\n",
313 safe_strerror(errno));
314 exit(1);
315 }
316
317 /* we have caps, we have no need to ever change back the original user
318 */
319 /* only change uid if we don't have the correct one */
320 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
321 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
322 fprintf(stderr,
323 "zprivs_init (cap): could not setreuid, %s\n",
324 safe_strerror(errno));
325 exit(1);
326 }
327 }
328
329 if (!zprivs_state.syscaps_p)
330 return;
331
332 if (!(zprivs_state.caps = cap_init())) {
333 fprintf(stderr, "privs_init: failed to cap_init, %s\n",
334 safe_strerror(errno));
335 exit(1);
336 }
337
338 if (cap_clear(zprivs_state.caps)) {
339 fprintf(stderr, "privs_init: failed to cap_clear, %s\n",
340 safe_strerror(errno));
341 exit(1);
342 }
343
344 /* set permitted caps */
345 cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
346 zprivs_state.syscaps_p->num, zprivs_state.syscaps_p->caps,
347 CAP_SET);
348
349 /* set inheritable caps, if any */
350 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
351 cap_set_flag(zprivs_state.caps, CAP_INHERITABLE,
352 zprivs_state.syscaps_i->num,
353 zprivs_state.syscaps_i->caps, CAP_SET);
354 }
355
356 /* apply caps. CAP_EFFECTIVE is cleared. we'll raise the caps as
357 * and when, and only when, they are needed.
358 */
359 if (cap_set_proc(zprivs_state.caps)) {
360 cap_t current_caps;
361 char *current_caps_text = NULL;
362 char *wanted_caps_text = NULL;
363
364 fprintf(stderr, "privs_init: initial cap_set_proc failed: %s\n",
365 safe_strerror(errno));
366
367 current_caps = cap_get_proc();
368 if (current_caps) {
369 current_caps_text = cap_to_text(current_caps, NULL);
370 cap_free(current_caps);
371 }
372
373 wanted_caps_text = cap_to_text(zprivs_state.caps, NULL);
374 fprintf(stderr, "Wanted caps: %s\n",
375 wanted_caps_text ? wanted_caps_text : "???");
376 fprintf(stderr, "Have caps: %s\n",
377 current_caps_text ? current_caps_text : "???");
378 if (current_caps_text)
379 cap_free(current_caps_text);
380 if (wanted_caps_text)
381 cap_free(wanted_caps_text);
382
383 exit(1);
384 }
385
386 /* set methods for the caller to use */
387 zprivs->change = zprivs_change_caps;
388 zprivs->current_state = zprivs_state_caps;
389 }
390
391 static void zprivs_caps_terminate(void)
392 {
393 /* clear all capabilities */
394 if (zprivs_state.caps)
395 cap_clear(zprivs_state.caps);
396
397 /* and boom, capabilities are gone forever */
398 if (cap_set_proc(zprivs_state.caps)) {
399 fprintf(stderr, "privs_terminate: cap_set_proc failed, %s",
400 safe_strerror(errno));
401 exit(1);
402 }
403
404 /* free up private state */
405 if (zprivs_state.syscaps_p->num) {
406 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p->caps);
407 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p);
408 }
409
410 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
411 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i->caps);
412 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_i);
413 }
414
415 cap_free(zprivs_state.caps);
416 }
417 #elif defined(HAVE_SOLARIS_CAPABILITIES) /* !HAVE_LCAPS */
418
419 /* Solaris specific capability/privilege methods
420 *
421 * Resources:
422 * - the 'privileges' man page
423 * - http://cvs.opensolaris.org
424 * -
425 * http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
426 */
427
428 static pset_t *zprivs_caps_minimal()
429 {
430 pset_t *minimal;
431
432 if ((minimal = priv_str_to_set("basic", ",", NULL)) == NULL) {
433 fprintf(stderr, "%s: couldn't get basic set!\n", __func__);
434 exit(1);
435 }
436
437 /* create a minimal privilege set from the basic set */
438 (void)priv_delset(minimal, PRIV_PROC_EXEC);
439 (void)priv_delset(minimal, PRIV_PROC_INFO);
440 (void)priv_delset(minimal, PRIV_PROC_SESSION);
441 (void)priv_delset(minimal, PRIV_FILE_LINK_ANY);
442
443 return minimal;
444 }
445
446 /* convert zebras privileges to system capabilities */
447 static pset_t *zcaps2sys(zebra_capabilities_t *zcaps, int num)
448 {
449 pset_t *syscaps;
450 int i, j = 0;
451
452 if ((syscaps = priv_allocset()) == NULL) {
453 fprintf(stderr, "%s: could not allocate syscaps!\n", __func__);
454 exit(1);
455 }
456
457 priv_emptyset(syscaps);
458
459 for (i = 0; i < num; i++)
460 for (j = 0; j < cap_map[zcaps[i]].num; j++)
461 priv_addset(syscaps, cap_map[zcaps[i]].system_caps[j]);
462
463 return syscaps;
464 }
465
466 /* callback exported to users to RAISE and LOWER effective privileges
467 * from nothing to the given permitted set and back down
468 */
469 int zprivs_change_caps(zebra_privs_ops_t op)
470 {
471 pset_t *privset;
472
473 /* should be no possibility of being called without valid caps */
474 assert(zprivs_state.syscaps_p);
475 if (!zprivs_state.syscaps_p) {
476 fprintf(stderr, "%s: Eek, missing privileged caps!", __func__);
477 exit(1);
478 }
479
480 assert(zprivs_state.caps);
481 if (!zprivs_state.caps) {
482 fprintf(stderr, "%s: Eek, missing caps!", __func__);
483 exit(1);
484 }
485
486 /* to raise: copy original permitted as our working effective set
487 * to lower: copy regular effective set stored in zprivs_state.caps
488 */
489 if (op == ZPRIVS_RAISE)
490 privset = zprivs_state.syscaps_p;
491 else if (op == ZPRIVS_LOWER)
492 privset = zprivs_state.caps;
493 else
494 return -1;
495
496 if (setppriv(PRIV_SET, PRIV_EFFECTIVE, privset) != 0)
497 return -1;
498
499 return 0;
500 }
501
502 /* Retrieve current privilege state, is it RAISED or LOWERED? */
503 zebra_privs_current_t zprivs_state_caps(void)
504 {
505 zebra_privs_current_t result;
506 pset_t *effective;
507
508 if ((effective = priv_allocset()) == NULL) {
509 fprintf(stderr, "%s: failed to get priv_allocset! %s\n",
510 __func__, safe_strerror(errno));
511 return ZPRIVS_UNKNOWN;
512 }
513
514 if (getppriv(PRIV_EFFECTIVE, effective)) {
515 fprintf(stderr, "%s: failed to get state! %s\n", __func__,
516 safe_strerror(errno));
517 result = ZPRIVS_UNKNOWN;
518 } else {
519 if (priv_isequalset(effective, zprivs_state.syscaps_p))
520 result = ZPRIVS_RAISED;
521 else if (priv_isequalset(effective, zprivs_state.caps))
522 result = ZPRIVS_LOWERED;
523 else
524 result = ZPRIVS_UNKNOWN;
525 }
526
527 priv_freeset(effective);
528 return result;
529 }
530
531 static void zprivs_caps_init(struct zebra_privs_t *zprivs)
532 {
533 pset_t *basic;
534 pset_t *minimal;
535
536 /* the specified sets */
537 zprivs_state.syscaps_p = zcaps2sys(zprivs->caps_p, zprivs->cap_num_p);
538 zprivs_state.syscaps_i = zcaps2sys(zprivs->caps_i, zprivs->cap_num_i);
539
540 /* nonsensical to have gotten here but not have capabilities */
541 if (!zprivs_state.syscaps_p) {
542 fprintf(stderr,
543 "%s: capabilities enabled, "
544 "but no valid capabilities supplied\n",
545 __func__);
546 }
547
548 /* We retain the basic set in our permitted set, as Linux has no
549 * equivalent. The basic set on Linux hence is implicit, always
550 * there.
551 */
552 if ((basic = priv_str_to_set("basic", ",", NULL)) == NULL) {
553 fprintf(stderr, "%s: couldn't get basic set!\n", __func__);
554 exit(1);
555 }
556
557 /* Add the basic set to the permitted set */
558 priv_union(basic, zprivs_state.syscaps_p);
559 priv_freeset(basic);
560
561 /* Hey kernel, we know about privileges!
562 * this isn't strictly required, use of setppriv should have same effect
563 */
564 if (setpflags(PRIV_AWARE, 1)) {
565 fprintf(stderr, "%s: error setting PRIV_AWARE!, %s\n", __func__,
566 safe_strerror(errno));
567 exit(1);
568 }
569
570 /* need either valid or empty sets for both p and i.. */
571 assert(zprivs_state.syscaps_i && zprivs_state.syscaps_p);
572
573 /* we have caps, we have no need to ever change back the original user
574 * change real, effective and saved to the specified user.
575 */
576 /* only change uid if we don't have the correct one */
577 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
578 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
579 fprintf(stderr, "%s: could not setreuid, %s\n",
580 __func__, safe_strerror(errno));
581 exit(1);
582 }
583 }
584
585 /* set the permitted set */
586 if (setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.syscaps_p)) {
587 fprintf(stderr, "%s: error setting permitted set!, %s\n",
588 __func__, safe_strerror(errno));
589 exit(1);
590 }
591
592 /* set the inheritable set */
593 if (setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.syscaps_i)) {
594 fprintf(stderr, "%s: error setting inheritable set!, %s\n",
595 __func__, safe_strerror(errno));
596 exit(1);
597 }
598
599 /* we need a minimal basic set for 'effective', potentially for
600 * inheritable too */
601 minimal = zprivs_caps_minimal();
602
603 /* now set the effective set with a subset of basic privileges */
604 if (setppriv(PRIV_SET, PRIV_EFFECTIVE, minimal)) {
605 fprintf(stderr, "%s: error setting effective set!, %s\n",
606 __func__, safe_strerror(errno));
607 exit(1);
608 }
609
610 /* we'll use the minimal set as our working-storage privset */
611 zprivs_state.caps = minimal;
612
613 /* set methods for the caller to use */
614 zprivs->change = zprivs_change_caps;
615 zprivs->current_state = zprivs_state_caps;
616 }
617
618 static void zprivs_caps_terminate(void)
619 {
620 assert(zprivs_state.caps);
621
622 /* clear all capabilities by using working-storage privset */
623 setppriv(PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps);
624 setppriv(PRIV_SET, PRIV_PERMITTED, zprivs_state.caps);
625 setppriv(PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps);
626
627 /* free up private state */
628 if (zprivs_state.syscaps_p)
629 priv_freeset(zprivs_state.syscaps_p);
630 if (zprivs_state.syscaps_i)
631 priv_freeset(zprivs_state.syscaps_i);
632
633 priv_freeset(zprivs_state.caps);
634 }
635 #else /* !HAVE_LCAPS && ! HAVE_SOLARIS_CAPABILITIES */
636 #error "Neither Solaris nor Linux capabilities, dazed and confused..."
637 #endif /* HAVE_LCAPS */
638 #endif /* HAVE_CAPABILITIES */
639
640 int zprivs_change_uid(zebra_privs_ops_t op)
641 {
642 if (zprivs_state.zsuid == zprivs_state.zuid)
643 return 0;
644 if (op == ZPRIVS_RAISE)
645 return seteuid(zprivs_state.zsuid);
646 else if (op == ZPRIVS_LOWER)
647 return seteuid(zprivs_state.zuid);
648 else
649 return -1;
650 }
651
652 zebra_privs_current_t zprivs_state_uid(void)
653 {
654 return ((zprivs_state.zuid == geteuid()) ? ZPRIVS_LOWERED
655 : ZPRIVS_RAISED);
656 }
657
658 int zprivs_change_null(zebra_privs_ops_t op)
659 {
660 return 0;
661 }
662
663 zebra_privs_current_t zprivs_state_null(void)
664 {
665 return zprivs_null_state;
666 }
667
668 #ifndef HAVE_GETGROUPLIST
669 /* Solaris 11 has no getgrouplist() */
670 static int getgrouplist(const char *user, gid_t group, gid_t *groups,
671 int *ngroups)
672 {
673 struct group *grp;
674 size_t usridx;
675 int pos = 0, ret;
676
677 if (pos < *ngroups)
678 groups[pos] = group;
679 pos++;
680
681 setgrent();
682 while ((grp = getgrent())) {
683 if (grp->gr_gid == group)
684 continue;
685 for (usridx = 0; grp->gr_mem[usridx] != NULL; usridx++)
686 if (!strcmp(grp->gr_mem[usridx], user)) {
687 if (pos < *ngroups)
688 groups[pos] = grp->gr_gid;
689 pos++;
690 break;
691 }
692 }
693 endgrent();
694
695 ret = (pos <= *ngroups) ? pos : -1;
696 *ngroups = pos;
697 return ret;
698 }
699 #endif /* HAVE_GETGROUPLIST */
700
701 struct zebra_privs_t *_zprivs_raise(struct zebra_privs_t *privs,
702 const char *funcname)
703 {
704 int save_errno = errno;
705
706 if (!privs)
707 return NULL;
708
709 errno = 0;
710 if (privs->change(ZPRIVS_RAISE)) {
711 zlog_err("%s: Failed to raise privileges (%s)",
712 funcname, safe_strerror(errno));
713 }
714 errno = save_errno;
715 privs->raised_in_funcname = funcname;
716 return privs;
717 }
718
719 void _zprivs_lower(struct zebra_privs_t **privs)
720 {
721 int save_errno = errno;
722
723 if (!*privs)
724 return;
725
726 errno = 0;
727 if ((*privs)->change(ZPRIVS_LOWER)) {
728 zlog_err("%s: Failed to lower privileges (%s)",
729 (*privs)->raised_in_funcname, safe_strerror(errno));
730 }
731 errno = save_errno;
732 (*privs)->raised_in_funcname = NULL;
733 *privs = NULL;
734 }
735
736 void zprivs_preinit(struct zebra_privs_t *zprivs)
737 {
738 struct passwd *pwentry = NULL;
739 struct group *grentry = NULL;
740
741 if (!zprivs) {
742 fprintf(stderr, "zprivs_init: called with NULL arg!\n");
743 exit(1);
744 }
745
746 if (zprivs->vty_group) {
747 /* in a "NULL" setup, this is allowed to fail too, but still
748 * try. */
749 if ((grentry = getgrnam(zprivs->vty_group)))
750 zprivs_state.vtygrp = grentry->gr_gid;
751 else
752 zprivs_state.vtygrp = (gid_t)-1;
753 }
754
755 /* NULL privs */
756 if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
757 || zprivs->cap_num_i)) {
758 zprivs->change = zprivs_change_null;
759 zprivs->current_state = zprivs_state_null;
760 return;
761 }
762
763 if (zprivs->user) {
764 if ((pwentry = getpwnam(zprivs->user)) == NULL) {
765 /* cant use log.h here as it depends on vty */
766 fprintf(stderr,
767 "privs_init: could not lookup user %s\n",
768 zprivs->user);
769 exit(1);
770 }
771
772 zprivs_state.zuid = pwentry->pw_uid;
773 zprivs_state.zgid = pwentry->pw_gid;
774 }
775
776 grentry = NULL;
777
778 if (zprivs->group) {
779 if ((grentry = getgrnam(zprivs->group)) == NULL) {
780 fprintf(stderr,
781 "privs_init: could not lookup group %s\n",
782 zprivs->group);
783 exit(1);
784 }
785
786 zprivs_state.zgid = grentry->gr_gid;
787 }
788 }
789
790 void zprivs_init(struct zebra_privs_t *zprivs)
791 {
792 gid_t groups[NGROUPS_MAX];
793 int i, ngroups = 0;
794 int found = 0;
795
796 /* NULL privs */
797 if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
798 || zprivs->cap_num_i))
799 return;
800
801 if (zprivs->user) {
802 ngroups = sizeof(groups);
803 if (getgrouplist(zprivs->user, zprivs_state.zgid, groups,
804 &ngroups)
805 < 0) {
806 /* cant use log.h here as it depends on vty */
807 fprintf(stderr,
808 "privs_init: could not getgrouplist for user %s\n",
809 zprivs->user);
810 exit(1);
811 }
812 }
813
814 if (zprivs->vty_group)
815 /* Add the vty_group to the supplementary groups so it can be chowned to
816 */
817 {
818 if (zprivs_state.vtygrp == (gid_t)-1) {
819 fprintf(stderr,
820 "privs_init: could not lookup vty group %s\n",
821 zprivs->vty_group);
822 exit(1);
823 }
824
825 for (i = 0; i < ngroups; i++)
826 if (groups[i] == zprivs_state.vtygrp) {
827 found++;
828 break;
829 }
830
831 if (!found) {
832 fprintf(stderr,
833 "privs_init: user(%s) is not part of vty group specified(%s)\n",
834 zprivs->user, zprivs->vty_group);
835 exit(1);
836 }
837 if (i >= ngroups && ngroups < (int)ZEBRA_NUM_OF(groups)) {
838 groups[i] = zprivs_state.vtygrp;
839 }
840 }
841
842 zprivs_state.zsuid = geteuid(); /* initial uid */
843 /* add groups only if we changed uid - otherwise skip */
844 if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid)) {
845 if (setgroups(ngroups, groups)) {
846 fprintf(stderr, "privs_init: could not setgroups, %s\n",
847 safe_strerror(errno));
848 exit(1);
849 }
850 }
851
852 /* change gid only if we changed uid - otherwise skip */
853 if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
854 /* change group now, forever. uid we do later */
855 if (setregid(zprivs_state.zgid, zprivs_state.zgid)) {
856 fprintf(stderr, "zprivs_init: could not setregid, %s\n",
857 safe_strerror(errno));
858 exit(1);
859 }
860 }
861
862 #ifdef HAVE_CAPABILITIES
863 zprivs_caps_init(zprivs);
864
865 /*
866 * If we have initialized the system with no requested
867 * capabilities, change will not have been set
868 * to anything by zprivs_caps_init, As such
869 * we should make sure that when we attempt
870 * to raize privileges that we actually have
871 * a do nothing function to call instead of a
872 * crash :).
873 */
874 if (!zprivs->change)
875 zprivs->change = zprivs_change_null;
876
877 #else /* !HAVE_CAPABILITIES */
878 /* we dont have caps. we'll need to maintain rid and saved uid
879 * and change euid back to saved uid (who we presume has all neccessary
880 * privileges) whenever we are asked to raise our privileges.
881 *
882 * This is not worth that much security wise, but all we can do.
883 */
884 zprivs_state.zsuid = geteuid();
885 /* only change uid if we don't have the correct one */
886 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
887 if (setreuid(-1, zprivs_state.zuid)) {
888 fprintf(stderr,
889 "privs_init (uid): could not setreuid, %s\n",
890 safe_strerror(errno));
891 exit(1);
892 }
893 }
894
895 zprivs->change = zprivs_change_uid;
896 zprivs->current_state = zprivs_state_uid;
897 #endif /* HAVE_CAPABILITIES */
898 }
899
900 void zprivs_terminate(struct zebra_privs_t *zprivs)
901 {
902 if (!zprivs) {
903 fprintf(stderr, "%s: no privs struct given, terminating",
904 __func__);
905 exit(0);
906 }
907
908 #ifdef HAVE_CAPABILITIES
909 if (zprivs->user || zprivs->group || zprivs->cap_num_p
910 || zprivs->cap_num_i)
911 zprivs_caps_terminate();
912 #else /* !HAVE_CAPABILITIES */
913 /* only change uid if we don't have the correct one */
914 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
915 if (setreuid(zprivs_state.zuid, zprivs_state.zuid)) {
916 fprintf(stderr,
917 "privs_terminate: could not setreuid, %s",
918 safe_strerror(errno));
919 exit(1);
920 }
921 }
922 #endif /* HAVE_LCAPS */
923
924 zprivs->change = zprivs_change_null;
925 zprivs->current_state = zprivs_state_null;
926 zprivs_null_state = ZPRIVS_LOWERED;
927 return;
928 }
929
930 void zprivs_get_ids(struct zprivs_ids_t *ids)
931 {
932
933 ids->uid_priv = getuid();
934 (zprivs_state.zuid) ? (ids->uid_normal = zprivs_state.zuid)
935 : (ids->uid_normal = -1);
936 (zprivs_state.zgid) ? (ids->gid_normal = zprivs_state.zgid)
937 : (ids->gid_normal = -1);
938 (zprivs_state.vtygrp) ? (ids->gid_vty = zprivs_state.vtygrp)
939 : (ids->gid_vty = -1);
940
941 return;
942 }
FRRouting mirror