remove issetuigid wrappers, now that all getenv calls are gone.
From deraadt@ upstream: Remove all getenv() calls, especially those wrapped by issetugid(). getenv()'s wrapped by issetugid() are safe, but issetugid() is ... difficult to impliment on many operating systems. By accident, a grand experiment was run over the last year, where issetugid() returned 1 (the safe value) on a few operating systems. Noone noticed & complained that certain environment variables were not working.......
This commit is contained in:
Brent Cook
@@ -1,107 +0,0 @@
|
||||
/* $OpenBSD: $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2015 Michael Felt <aixtools@gmail.com>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <sys/id.h>
|
||||
#include <sys/priv.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* AIX does not have issetugid().
|
||||
* This experimental implementation uses getpriv() and get*id().
|
||||
* First, try getpriv() and check equality of pv_priv values
|
||||
* When these values are equal, using get*id() including login uid.
|
||||
*
|
||||
*/
|
||||
int issetugid(void)
|
||||
{
|
||||
/*
|
||||
* Return fail-safe while we evaluate primitives in AIX. There does
|
||||
* not yet appear to be a single atomic test to tell if privileges of
|
||||
* the process changed from that of the user who is in control of the
|
||||
* environment.
|
||||
*/
|
||||
return (1);
|
||||
|
||||
#define PEPRIV(a,b) a.pv_priv[b]
|
||||
/*
|
||||
* effective priv is what I can do now
|
||||
* inherited priv is what the caller gave or could have given
|
||||
* basically when inherited == 0 and effective != 0 then
|
||||
* some kind of priv escalation has occurred
|
||||
* when 'demoted' -- inherited != 0 but effective == 0
|
||||
* there is also a change, so, will report 1 as well - to be safe
|
||||
* PROBABLY there needs more study re: how RBAC subtley affects
|
||||
* the priv_t values - for now, they are either zero - nothing added
|
||||
* or non-zero - something added
|
||||
*/
|
||||
priv_t effective,inherited;
|
||||
int luid;
|
||||
int euid, ruid;
|
||||
|
||||
getpriv(PRIV_EFFECTIVE, &effective, sizeof(priv_t));
|
||||
getpriv(PRIV_INHERITED, &inherited, sizeof(priv_t));
|
||||
|
||||
if (PEPRIV(effective,0) | PEPRIV(effective,1)) { /* have something */
|
||||
if ((PEPRIV(inherited,0) | PEPRIV(inherited,1)) == 0) /* had nothing - classic u+s bit */
|
||||
return (1);
|
||||
} else {
|
||||
/*
|
||||
* effective priv elevation is NULL/NONE
|
||||
* was there something and removed via setuid()?
|
||||
*/
|
||||
if (PEPRIV(inherited,0) | PEPRIV(inherited,1))
|
||||
return (1);
|
||||
}
|
||||
|
||||
/*
|
||||
* if we get this far, then "no" differences in process priv noted
|
||||
* compare the different uid
|
||||
* the comparision of login id with effective says "TRUE" when different.
|
||||
* this may not work as expected when using sudo for elevation
|
||||
* again, looking at RBAC affects on priv may be more truthful
|
||||
*
|
||||
* ruid - real uid
|
||||
* euid - effictive uid
|
||||
* luid - login uid
|
||||
*/
|
||||
|
||||
/*
|
||||
* if these differ (not common on AIX), return changed
|
||||
*/
|
||||
ruid = getuid();
|
||||
euid = geteuid();
|
||||
if (euid != ruid)
|
||||
return (1);
|
||||
|
||||
if (getgid() != getegid())
|
||||
return (1);
|
||||
|
||||
/*
|
||||
* luid == login id, su/sudo do not/cannot change this afaik
|
||||
* perhaps this is "too strict", but same as in
|
||||
* issetugid_win.c - err on the safe side for now
|
||||
*/
|
||||
luid = getuidx(ID_LOGIN);
|
||||
if (euid != luid)
|
||||
return (1);
|
||||
|
||||
return (0);
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/pstat.h>
|
||||
|
||||
/*
|
||||
* HP-UX does not have issetugid().
|
||||
* Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
|
||||
* cannot be used, assume we must be running in a privileged environment.
|
||||
*/
|
||||
int issetugid(void)
|
||||
{
|
||||
struct pst_status buf;
|
||||
if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
|
||||
!(buf.pst_flag & PS_CHANGEDPRIV))
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
@@ -1,47 +0,0 @@
|
||||
/*
|
||||
* issetugid implementation for Linux
|
||||
* Public domain
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <gnu/libc-version.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* Linux-specific glibc 2.16+ interface for determining if a process was
|
||||
* launched setuid/setgid or with additional capabilities.
|
||||
*/
|
||||
#ifdef HAVE_GETAUXVAL
|
||||
#include <sys/auxv.h>
|
||||
#endif
|
||||
|
||||
int issetugid(void)
|
||||
{
|
||||
#ifdef HAVE_GETAUXVAL
|
||||
/*
|
||||
* The API for glibc < 2.19 does not indicate if there is an error with
|
||||
* getauxval. While it should not be the case that any 2.6 or greater
|
||||
* kernel ever does not supply AT_SECURE, an emulated software environment
|
||||
* might rewrite the aux vector.
|
||||
*
|
||||
* See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
|
||||
*
|
||||
* Perhaps this code should just read the aux vector itself, so we have
|
||||
* backward-compatibility and error handling in older glibc versions.
|
||||
* info: http://lwn.net/Articles/519085/
|
||||
*
|
||||
*/
|
||||
const char *glcv = gnu_get_libc_version();
|
||||
if (strverscmp(glcv, "2.19") >= 0) {
|
||||
errno = 0;
|
||||
if (getauxval(AT_SECURE) == 0) {
|
||||
if (errno != ENOENT) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
/*
|
||||
* issetugid implementation for OS X
|
||||
* Public domain
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* OS X has issetugid, but it is not fork-safe as of version 10.10.
|
||||
* See this Solaris report for test code that fails similarly:
|
||||
* http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
|
||||
*/
|
||||
int issetugid(void)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@@ -1,26 +0,0 @@
|
||||
/*
|
||||
* issetugid implementation for Windows
|
||||
* Public domain
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* Windows does not have a native setuid/setgid functionality.
|
||||
* A user must enter credentials each time a process elevates its
|
||||
* privileges.
|
||||
*
|
||||
* So, in theory, this could always return 0, given what I know currently.
|
||||
* However, it makes sense to stub out initially in 'safe' mode until we
|
||||
* understand more (and determine if any disabled functionality is actually
|
||||
* useful on Windows anyway).
|
||||
*
|
||||
* Future versions of this function that are made more 'open' should thoroughly
|
||||
* consider the case of this code running as a privileged service with saved
|
||||
* user credentials or privilege escalations by other means (e.g. the old
|
||||
* RunAsEx utility.)
|
||||
*/
|
||||
int issetugid(void)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
Reference in New Issue
Block a user