void
__libc_init_secure (void)
{
if (__libc_enable_secure_decided == 0)
__libc_enable_secure = (__geteuid () != __getuid ()
|| __getegid () != __getgid ());
}
static int
__msgwrite (int sock, void *data, size_t cnt)
{
#ifndef SCM_CREDENTIALS
/* We cannot implement this reliably. */
__set_errno (ENOSYS);
return -1;
#else
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg = &cm.cmsg;
struct ucred cred;
int len;
/* XXX I'm not sure, if gete?id() is always correct, or if we should use
get?id(). But since keyserv needs geteuid(), we have no other chance.
It would be much better, if the kernel could pass both to the server. */
cred.pid = __getpid ();
cred.uid = __geteuid ();
cred.gid = __getegid ();
memcpy (CMSG_DATA(cmsg), &cred, sizeof (struct ucred));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_CREDENTIALS;
cmsg->cmsg_len = sizeof(*cmsg) + sizeof(struct ucred);
iov.iov_base = data;
iov.iov_len = cnt;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_ALIGN(cmsg->cmsg_len);
msg.msg_flags = 0;
restart:
len = sendmsg (sock, &msg, 0);
if (len >= 0)
return len;
if (errno == EINTR)
goto restart;
return -1;
#endif
}
int
faccessat (int fd, const char *file, int mode, int flag)
{
if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS))
return INLINE_SYSCALL_ERROR_RETURN_VALUE (EINVAL);
if ((flag == 0 || ((flag & ~AT_EACCESS) == 0 && ! __libc_enable_secure)))
return INLINE_SYSCALL (faccessat, 3, fd, file, mode);
struct stat64 stats;
if (__fxstatat64 (_STAT_VER, fd, file, &stats, flag & AT_SYMLINK_NOFOLLOW))
return -1;
mode &= (X_OK | W_OK | R_OK); /* Clear any bogus bits. */
#if R_OK != S_IROTH || W_OK != S_IWOTH || X_OK != S_IXOTH
# error Oops, portability assumptions incorrect.
#endif
if (mode == F_OK)
return 0; /* The file exists. */
uid_t uid = (flag & AT_EACCESS) ? __geteuid () : __getuid ();
/* The super-user can read and write any file, and execute any file
that anyone can execute. */
if (uid == 0 && ((mode & X_OK) == 0
|| (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))))
return 0;
int granted = (uid == stats.st_uid
? (unsigned int) (stats.st_mode & (mode << 6)) >> 6
: (stats.st_gid == ((flag & AT_EACCESS)
? __getegid () : __getgid ())
|| __group_member (stats.st_gid))
? (unsigned int) (stats.st_mode & (mode << 3)) >> 3
: (stats.st_mode & mode));
if (granted == mode)
return 0;
return INLINE_SYSCALL_ERROR_RETURN_VALUE (EACCES);
}
static bool_t
rendezvous_request (SVCXPRT *xprt, struct rpc_msg *errmsg)
{
int sock;
struct unix_rendezvous *r;
struct sockaddr_un addr;
struct sockaddr_in in_addr;
socklen_t len;
r = (struct unix_rendezvous *) xprt->xp_p1;
again:
len = sizeof (struct sockaddr_un);
if ((sock = accept (xprt->xp_sock, (struct sockaddr *) &addr, &len)) < 0)
{
if (errno == EINTR)
goto again;
if (errno == EMFILE)
{
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
__nanosleep(&ts , NULL);
}
return FALSE;
}
/*
* make a new transporter (re-uses xprt)
*/
memset (&in_addr, '\0', sizeof (in_addr));
in_addr.sin_family = AF_UNIX;
xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */
}
static enum xprt_stat
rendezvous_stat (SVCXPRT *xprt)
{
return XPRT_IDLE;
}
static void
svcunix_destroy (SVCXPRT *xprt)
{
struct unix_conn *cd = (struct unix_conn *) xprt->xp_p1;
xprt_unregister (xprt);
__close (xprt->xp_sock);
if (xprt->xp_port != 0)
{
/* a rendezvouser socket */
xprt->xp_port = 0;
}
else
{
/* an actual connection socket */
XDR_DESTROY (&(cd->xdrs));
}
mem_free ((caddr_t) cd, sizeof (struct unix_conn));
mem_free ((caddr_t) xprt, sizeof (SVCXPRT));
}
#ifdef SCM_CREDENTIALS
struct cmessage {
struct cmsghdr cmsg;
struct ucred cmcred;
/* hack to make sure we have enough memory */
char dummy[(CMSG_ALIGN (sizeof (struct ucred)) - sizeof (struct ucred) + sizeof (long))];
};
/* XXX This is not thread safe, but since the main functions in svc.c
and the rpcgen generated *_svc functions for the daemon are also not
thread safe and uses static global variables, it doesn't matter. */
static struct cmessage cm;
#endif
static int
__msgread (int sock, void *data, size_t cnt)
{
struct iovec iov;
struct msghdr msg;
int len;
iov.iov_base = data;
iov.iov_len = cnt;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
#ifdef SCM_CREDENTIALS
msg.msg_control = (caddr_t) &cm;
msg.msg_controllen = sizeof (struct cmessage);
#endif
msg.msg_flags = 0;
#ifdef SO_PASSCRED
{
int on = 1;
if (__setsockopt (sock, SOL_SOCKET, SO_PASSCRED, &on, sizeof (on)))
return -1;
}
#endif
restart:
len = __recvmsg (sock, &msg, 0);
if (len >= 0)
{
if (msg.msg_flags & MSG_CTRUNC || len == 0)
return 0;
else
return len;
}
if (errno == EINTR)
goto restart;
return -1;
}
static int
__msgwrite (int sock, void *data, size_t cnt)
{
#ifndef SCM_CREDENTIALS
/* We cannot implement this reliably. */
__set_errno (ENOSYS);
return -1;
#else
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg = &cm.cmsg;
struct ucred cred;
int len;
/* XXX I'm not sure, if gete?id() is always correct, or if we should use
get?id(). But since keyserv needs geteuid(), we have no other chance.
It would be much better, if the kernel could pass both to the server. */
cred.pid = __getpid ();
cred.uid = __geteuid ();
cred.gid = __getegid ();
memcpy (CMSG_DATA(cmsg), &cred, sizeof (struct ucred));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_CREDENTIALS;
cmsg->cmsg_len = sizeof(*cmsg) + sizeof(struct ucred);
iov.iov_base = data;
iov.iov_len = cnt;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_ALIGN(cmsg->cmsg_len);
msg.msg_flags = 0;
restart:
len = __sendmsg (sock, &msg, 0);
if (len >= 0)
return len;
if (errno == EINTR)
goto restart;
return -1;
#endif
}
init_secure (void)
{
__libc_enable_secure = (__geteuid () != __getuid () ||
__getegid () != __getgid ());
}
if (stat64 (path, &stats))
return -1;
mode &= (X_OK | W_OK | R_OK); /* Clear any bogus bits. */
#if R_OK != S_IROTH || W_OK != S_IWOTH || X_OK != S_IXOTH
?error Oops, portability assumptions incorrect.
#endif
if (mode == F_OK)
return 0; /* The file exists. */
#ifdef _LIBC
/* Now we need the IDs. */
euid = __geteuid ();
egid = __getegid ();
if (__getuid () == euid && __getgid () == egid)
/* If we are not set-uid or set-gid, access does the same. */
return __access (path, mode);
#endif
/* The super-user can read and write any file, and execute any file
that anyone can execute. */
if (euid == 0 && ((mode & X_OK) == 0
|| (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))))
return 0;
if (euid == stats.st_uid)
granted = (unsigned int) (stats.st_mode & (mode << 6)) >> 6;
else if (egid == stats.st_gid || group_member (stats.st_gid))
