remove issetuigid wrappers, now that all getenv calls are gone.

From deraadt@ upstream: Remove all getenv() calls, especially those wrapped by issetugid(). getenv()'s wrapped by issetugid() are safe, but issetugid() is ... difficult to impliment on many operating systems. By accident, a grand experiment was run over the last year, where issetugid() returned 1 (the safe value) on a few operating systems. Noone noticed & complained that certain environment variables were not working.......
2015-04-14 07:55:23 -05:00
parent fe3f7fc636
commit 3096ab0e45
9 changed files with 3 additions and 244 deletions
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -97,24 +97,6 @@ endif

 endif

-if !HAVE_ISSETUGID
-if HOST_AIX
-libcompat_la_SOURCES += compat/issetugid_aix.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_aix.h
--- a/crypto/compat/issetugid_aix.c
+++ b/crypto/compat/issetugid_aix.c
@@ -1,107 +0,0 @@
-/*	  $OpenBSD: $	 */
-
-/*
- * Copyright (c) 2015 Michael Felt <aixtools@gmail.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include <sys/id.h>
-#include <sys/priv.h>
-
-#include <stdio.h>
-#include <unistd.h>
-
-/*
- * AIX does not have issetugid().
- * This experimental implementation uses getpriv() and get*id().
- * First, try getpriv() and check equality of pv_priv values
- * When these values are equal, using get*id() including login uid.
- *
- */
-int issetugid(void)
-{
-	/*
-	 * Return fail-safe while we evaluate primitives in AIX. There does
-	 * not yet appear to be a single atomic test to tell if privileges of
-	 * the process changed from that of the user who is in control of the
-	 * environment.
-	 */
-	return (1);
-
-#define PEPRIV(a,b) a.pv_priv[b]
-	/*
-	 * effective priv is what I can do now
-	 * inherited priv is what the caller gave or could have given
-	 * basically when inherited == 0 and effective != 0 then
-	 * some kind of priv escalation has occurred
-	 * when 'demoted' -- inherited != 0 but effective == 0
-	 * there is also a change, so, will report 1 as well - to be safe
-	 * PROBABLY there needs more study re: how RBAC subtley affects
-	 * the priv_t values - for now, they are either zero - nothing added
-	 * or non-zero - something added
-	 */
-	priv_t effective,inherited;
-	int luid;
-	int euid, ruid;
-
-	getpriv(PRIV_EFFECTIVE, &effective, sizeof(priv_t));
-	getpriv(PRIV_INHERITED, &inherited, sizeof(priv_t));
-
-	if (PEPRIV(effective,0) | PEPRIV(effective,1)) { /* have something */
-		if ((PEPRIV(inherited,0) | PEPRIV(inherited,1)) == 0) /* had nothing - classic u+s  bit */
-			return (1);
-	} else {
-		/*
-		 * effective priv elevation is NULL/NONE
-		 * was there something and removed via setuid()?
-		 */
-		if (PEPRIV(inherited,0) | PEPRIV(inherited,1))
-			return (1);
-	}
-
-	/*
-	 * if we get this far, then "no" differences in process priv noted
-	 * compare the different uid
-	 * the comparision of login id with effective says "TRUE" when different.
-	 * this may not work as expected when using sudo for elevation
-	 * again, looking at RBAC affects on priv may be more truthful
-	 *
-	 * ruid - real uid
-	 * euid - effictive uid
-	 * luid - login uid
-	 */
-
-	/*
-	 * if these differ (not common on AIX), return changed
-	 */
-	ruid = getuid();
-	euid = geteuid();
-	if (euid != ruid)
-		return (1);
-
-	if (getgid() != getegid())
-		return (1);
-
-	/*
-	 * luid == login id, su/sudo do not/cannot change this afaik
-	 * perhaps this is "too strict", but same as in
-	 * issetugid_win.c - err on the safe side for now
-	 */
-	luid = getuidx(ID_LOGIN);
-	if (euid != luid)
-		return (1);
-
-	return (0);
-}
--- a/crypto/compat/issetugid_hpux.c
+++ b/crypto/compat/issetugid_hpux.c
@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/pstat.h>
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
-	struct pst_status buf;
-	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
-	    !(buf.pst_flag & PS_CHANGEDPRIV))
-		return 0;
-	return 1;
-}
--- a/crypto/compat/issetugid_linux.c
+++ b/crypto/compat/issetugid_linux.c
@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include <errno.h>
-#include <gnu/libc-version.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include <sys/auxv.h>
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
-	/*
-	 * The API for glibc < 2.19 does not indicate if there is an error with
-	 * getauxval. While it should not be the case that any 2.6 or greater
-	 * kernel ever does not supply AT_SECURE, an emulated software environment
-	 * might rewrite the aux vector.
-	 *
-	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
-	 *
-	 * Perhaps this code should just read the aux vector itself, so we have
-	 * backward-compatibility and error handling in older glibc versions.
-	 * info: http://lwn.net/Articles/519085/
-	 *
-	 */
-	const char *glcv = gnu_get_libc_version();
-	if (strverscmp(glcv, "2.19") >= 0) {
-		errno = 0;
-		if (getauxval(AT_SECURE) == 0) {
-			if (errno != ENOENT) {
-				return 0;
-			}
-		}
-	}
-#endif
-	return 1;
-}
--- a/crypto/compat/issetugid_osx.c
+++ b/crypto/compat/issetugid_osx.c
@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
-	return 1;
-}
--- a/crypto/compat/issetugid_win.c
+++ b/crypto/compat/issetugid_win.c
@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
-	return 1;
-}