Setuid_linux.c 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. #include "util/Setuid.h"
  16. #include "memory/Allocator.h"
  17. #include "exception/Except.h"
  18. //#include <stdio.h>
  19. #include <stdlib.h>
  20. #include <unistd.h>
  21. #include <string.h>
  22. #include <errno.h>
  23. #include <sys/socket.h>
  24. #include <netinet/in.h>
  25. #include <arpa/inet.h>
  26. #include <linux/capability.h>
  27. #include <sys/prctl.h>
  28. #ifndef CAP_TO_MASK
  29. #define CAP_TO_MASK(X) (1 << ((X) & 31))
  30. #endif
  31. #ifndef _LINUX_CAPABILITY_VERSION_3
  32. #define _LINUX_CAPABILITY_VERSION_3 0x20080522
  33. #endif
  34. #define PERMITTED_MASK CAP_TO_MASK(CAP_NET_ADMIN)
  35. static inline int capSet(cap_user_header_t hdr, cap_user_data_t data)
  36. {
  37. int capset(cap_user_header_t hdr, cap_user_data_t data);
  38. return capset(hdr, data);
  39. }
  40. static inline int capGet(cap_user_header_t hdr, cap_user_data_t data)
  41. {
  42. int capget(cap_user_header_t hdr, cap_user_data_t data);
  43. return capget(hdr, data);
  44. }
  45. void Setuid_preSetuid(struct Allocator* alloc, struct Except* eh)
  46. {
  47. cap_user_header_t hdr = Allocator_calloc(alloc, sizeof(*hdr), 1);
  48. cap_user_data_t data = Allocator_calloc(alloc, sizeof(*data), 2);
  49. hdr->version = _LINUX_CAPABILITY_VERSION_3;
  50. hdr->pid = 0;
  51. if (capGet(hdr, data)) {
  52. Except_throw(eh, "Error getting capabilities: [errno:%d (%s)]", errno, strerror(errno));
  53. }
  54. data->permitted &= PERMITTED_MASK | CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID);
  55. data->effective = data->permitted;
  56. data->inheritable = 0;
  57. if (capSet(hdr, data)) {
  58. Except_throw(eh, "Error setting capabilities: [errno:%d (%s)]", errno, strerror(errno));
  59. }
  60. if (prctl(PR_SET_KEEPCAPS, 1)) {
  61. Except_throw(eh, "Error keeping capabilities: [errno:%d (%s)]", errno, strerror(errno));
  62. }
  63. }
  64. void Setuid_postSetuid(struct Allocator* alloc, struct Except* eh)
  65. {
  66. cap_user_header_t hdr = Allocator_calloc(alloc, sizeof(*hdr), 1);
  67. cap_user_data_t data = Allocator_calloc(alloc, sizeof(*data), 2);
  68. hdr->version = _LINUX_CAPABILITY_VERSION_3;
  69. hdr->pid = 0;
  70. if (capGet(hdr, data)) {
  71. Except_throw(eh, "Error getting capabilities (post-setuid): [errno:%d (%s)]",
  72. errno, strerror(errno));
  73. }
  74. data->permitted &= PERMITTED_MASK;
  75. data->effective = data->permitted;
  76. data->inheritable = 0;
  77. if (capSet(hdr, data)) {
  78. Except_throw(eh, "Error setting capabilities (post-setuid): [errno:%d (%s)]",
  79. errno, strerror(errno));
  80. }
  81. if (prctl(PR_SET_KEEPCAPS, 0)) {
  82. Except_throw(eh, "Error un-keeping capabilities (post-setuid): [errno:%d (%s)]",
  83. errno, strerror(errno));
  84. }
  85. }