diff --git a/README b/README
index ce1d9ef..8ac40af 100644
--- a/README
+++ b/README
@@ -43,8 +43,8 @@ programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8 to 1.0.1. The project attempts to provide working alternatives for operating systems with
-limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
-assists with improving OS-native implementations where possible.
+limited or broken security primitives (e.g. arc4random(3)) and assists with
+improving OS-native implementations where possible.
LibreSSL portable will build on any reasonably modern version of Linux, Solaris, or OSX with a standards-compliant compiler and C library.
diff --git a/configure.ac b/configure.ac
index 75a1ec2..2cd9814 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,7 +220,7 @@ CFLAGS="$save_cflags $AM_CFLAGS"
AM_PROG_AS
AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
-AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
+AC_CHECK_FUNCS([getentropy memmem poll reallocarray])
AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
AC_CHECK_FUNCS([symlink])
AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
@@ -230,7 +230,6 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes
AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
-AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
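Review bot: Dropping `issetugid` from the `AC_CHECK_FUNCS` line removes the only build-time signal about the function, and a leftover `issetugid()` caller in the tree would now behave differently per platform: on Linux and Windows it fails at compile or link time once the compat prototype in include/unistd.h and the compat sources are gone, but on Darwin it silently binds to the native libc `issetugid()`, which the deleted configure override and compat/issetugid_osx.c deliberately avoided because it was not fork-safe as of 10.10. Presumably the commit is motivated by there being no remaining callers; if so, a `git grep -n issetugid -- crypto ssl apps include` before merge confirms it, and the commit message should say so, since the README hunk drops the reference without giving the reason. If a caller does remain, the conservative replacement is to keep treating the process environment as untrusted rather than trusting the platform function.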
@@ -251,11 +250,6 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-a "x$HOST_OS" != xnetbsd \
-a "x$ac_cv_func_arc4random_buf" = xyes])
-# overrides for issetugid implementations with known issues
-AM_CONDITIONAL([HAVE_ISSETUGID],
- [test "x$HOST_OS" != xdarwin \
- -a "x$ac_cv_func_issetugid" = xyes])
-
AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include
diff --git a/crypto/Makefile.am b/crypto/Makefile.am
index 83bf0c6..757197f 100644
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -97,24 +97,6 @@ endif
endif
-if !HAVE_ISSETUGID
-if HOST_AIX
-libcompat_la_SOURCES += compat/issetugid_aix.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
noinst_HEADERS =
noinst_HEADERS += compat/arc4random.h
noinst_HEADERS += compat/arc4random_aix.h
diff --git a/crypto/compat/issetugid_aix.c b/crypto/compat/issetugid_aix.c
deleted file mode 100644
index 16f0a6d..0000000
--- a/crypto/compat/issetugid_aix.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* $OpenBSD: $ */
-
-/*
- * Copyright (c) 2015 Michael Felt
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include
-#include
-
-#include
-#include
-
-/*
- * AIX does not have issetugid().
- * This experimental implementation uses getpriv() and get*id().
- * First, try getpriv() and check equality of pv_priv values
- * When these values are equal, using get*id() including login uid.
- *
- */
-int issetugid(void)
-{
- /*
- * Return fail-safe while we evaluate primitives in AIX. There does
- * not yet appear to be a single atomic test to tell if privileges of
- * the process changed from that of the user who is in control of the
- * environment.
- */
- return (1);
-
-#define PEPRIV(a,b) a.pv_priv[b]
- /*
- * effective priv is what I can do now
- * inherited priv is what the caller gave or could have given
- * basically when inherited == 0 and effective != 0 then
- * some kind of priv escalation has occurred
- * when 'demoted' -- inherited != 0 but effective == 0
- * there is also a change, so, will report 1 as well - to be safe
- * PROBABLY there needs more study re: how RBAC subtley affects
- * the priv_t values - for now, they are either zero - nothing added
- * or non-zero - something added
- */
- priv_t effective,inherited;
- int luid;
- int euid, ruid;
-
- getpriv(PRIV_EFFECTIVE, &effective, sizeof(priv_t));
- getpriv(PRIV_INHERITED, &inherited, sizeof(priv_t));
-
- if (PEPRIV(effective,0) | PEPRIV(effective,1)) { /* have something */
- if ((PEPRIV(inherited,0) | PEPRIV(inherited,1)) == 0) /* had nothing - classic u+s bit */
- return (1);
- } else {
- /*
- * effective priv elevation is NULL/NONE
- * was there something and removed via setuid()?
- */
- if (PEPRIV(inherited,0) | PEPRIV(inherited,1))
- return (1);
- }
-
- /*
- * if we get this far, then "no" differences in process priv noted
- * compare the different uid
- * the comparision of login id with effective says "TRUE" when different.
- * this may not work as expected when using sudo for elevation
- * again, looking at RBAC affects on priv may be more truthful
- *
- * ruid - real uid
- * euid - effictive uid
- * luid - login uid
- */
-
- /*
- * if these differ (not common on AIX), return changed
- */
- ruid = getuid();
- euid = geteuid();
- if (euid != ruid)
- return (1);
-
- if (getgid() != getegid())
- return (1);
-
- /*
- * luid == login id, su/sudo do not/cannot change this afaik
- * perhaps this is "too strict", but same as in
- * issetugid_win.c - err on the safe side for now
- */
- luid = getuidx(ID_LOGIN);
- if (euid != luid)
- return (1);
-
- return (0);
-}
diff --git a/crypto/compat/issetugid_hpux.c b/crypto/compat/issetugid_hpux.c
deleted file mode 100644
index ca0e42c..0000000
--- a/crypto/compat/issetugid_hpux.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include
-#include
-#include
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
- struct pst_status buf;
- if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
- !(buf.pst_flag & PS_CHANGEDPRIV))
- return 0;
- return 1;
-}
diff --git a/crypto/compat/issetugid_linux.c b/crypto/compat/issetugid_linux.c
deleted file mode 100644
index 669edce..0000000
--- a/crypto/compat/issetugid_linux.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include
-#include
-#include
-#include
-#include
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
- /*
- * The API for glibc < 2.19 does not indicate if there is an error with
- * getauxval. While it should not be the case that any 2.6 or greater
- * kernel ever does not supply AT_SECURE, an emulated software environment
- * might rewrite the aux vector.
- *
- * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
- *
- * Perhaps this code should just read the aux vector itself, so we have
- * backward-compatibility and error handling in older glibc versions.
- * info: http://lwn.net/Articles/519085/
- *
- */
- const char *glcv = gnu_get_libc_version();
- if (strverscmp(glcv, "2.19") >= 0) {
- errno = 0;
- if (getauxval(AT_SECURE) == 0) {
- if (errno != ENOENT) {
- return 0;
- }
- }
- }
-#endif
- return 1;
-}
diff --git a/crypto/compat/issetugid_osx.c b/crypto/compat/issetugid_osx.c
deleted file mode 100644
index ad6cb58..0000000
--- a/crypto/compat/issetugid_osx.c
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
- return 1;
-}
diff --git a/crypto/compat/issetugid_win.c b/crypto/compat/issetugid_win.c
deleted file mode 100644
index d0c598d..0000000
--- a/crypto/compat/issetugid_win.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
- return 1;
-}
diff --git a/include/unistd.h b/include/unistd.h
index 3aecd68..9b12034 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -12,8 +12,4 @@ int getentropy(void *buf, size_t buflen);
#endif
-#ifndef HAVE_ISSETUGID
-int issetugid(void);
-#endif
-
#endif