void
priv_cred_setegid(int asroot, int injail, struct test *test)
{
int error;
error = setegid(GID_OTHER);
if (asroot && injail)
expect("priv_setegid(asroot, injail)", error, 0, 0);
if (asroot && !injail)
expect("priv_setegid(asroot, !injail)", error, 0, 0);
if (!asroot && injail)
expect("priv_setegd(!asroot, injail)", error, -1, EPERM);
if (!asroot && !injail)
expect("priv_setegid(!asroot, !injail)", error, -1, EPERM);
}
int Privsep_SetGroup(gid_t gid)
{
if (setgroups(1, &gid) == -1)
return(OS_INVALID);
#ifndef HPUX
if(setegid(gid) < 0)
return(OS_INVALID);
#endif
if(setgid(gid) < 0)
return(OS_INVALID);
return(OS_SUCCESS);
}
//
// OS_Set_EGID: C
//
// Set the effective group ID
//
REBINT OS_Set_EGID(REBINT gid)
{
if (setegid(gid) < 0) {
switch (errno) {
case EINVAL:
return OS_EINVAL;
case EPERM:
return OS_EPERM;
default:
return -errno;
}
} else {
return 0;
}
}
void
initialize(iter_t iterations, void* cookie)
{
state_t *state = (state_t *) cookie;
char path[PATH_MAX];
int ret;
int fd;
int rw = state->write ? O_WRONLY: 0;
if (iterations) return;
/* Use isolated directories to eliminate locking contetion on path,
* from measurements */
if (state->isolate) {
sprintf(path, "%s/%d", state->path, benchmp_childid());
if (chdir(path))
DO_ABORT("chdir() failed");
} else {
sprintf(path, "%s/%s", state->path, state->filename);
strcpy(state->filename, path);
}
if (state->use_uid) {
setegid(benchmp_childid_gid());
seteuid(benchmp_childid_uid());
}
if (state->lock_uid) {
if (state->lock_uid > sizeof(state->qfd[0]) / sizeof(int))
state->lock_uid = sizeof(state->qfd[0]) / sizeof(int);
ret = get_quota_n(state->filename,
geteuid(), getegid(),
state->qfd[0], state->lock_uid);
if (ret)
DO_ABORT("Cant get quota");
}
state->fd = -1;
if (state->clone) {
char buf[128];
char* s;
sprintf(buf, "%d", (int)getpid());
s = (char*)malloc(strlen(state->filename) + strlen(buf) + 1);
sprintf(s, "%s%d", state->filename, (int)getpid());
strcpy(state->filename, s);
}
fd = open(state->filename, O_CREAT|rw, 0666);
if (fd < 0)
DO_ABORT("open");
state->fd = fd;
}
void do_cmd_pass(session_t *pses)
{
if(pses == NULL)
handle_error_str("do_cmd_user: pses is NULL.");
//收到密码后,开始用户验证
//根据用户uid获取用户信息
struct passwd *pw = getpwuid(pses->uid); //尝试获取要登陆用户的信息
if(pw == NULL)
{
//用户不存在
ftp_reply(pses->ctrl_fd, FTP_LOGINERR, "Login incorrect."); //530
return;
}
//根据用户名字获取密码信息
struct spwd *sp = getspnam(pw->pw_name);
if(sp == NULL)
{
//用户不存在
ftp_reply(pses->ctrl_fd, FTP_LOGINERR, "Login incorrect."); //530
return;
}
//将明文密码进行加密
struct crypt_data data;
data.initialized = 0;
char *encrupted_pass = crypt_r(pses->arg, sp->sp_pwdp,&data);
//加密结果对比
if(strcmp(encrupted_pass, sp->sp_pwdp) != 0)
{
//验证失败
ftp_reply(pses->ctrl_fd, FTP_LOGINERR, "Login incorrect."); //530
return;
}
//密码验证成功
ftp_reply(pses->ctrl_fd, FTP_LOGINOK, "Login successful."); //230
//更改umask
umask(tunable_local_umask);
//更改进程属性
if(setegid(pw->pw_gid) < 0)
handle_error("setegid");
if(seteuid(pw->pw_uid) < 0)
handle_error("seteuid");
//更改当前工作目录到用户家目录
if(chdir(pw->pw_dir) < 0)
handle_error("chdir");
}
int drop_privileges(struct passwd *pw, pam_handle_t *pamh) {
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
int res;
res = pam_modutil_drop_priv(pamh, _privs_location(0), pw);
if (res)
D (("pam_modutil_drop_priv: %i", res));
return res;
#else
saved_euid = geteuid();
saved_egid = getegid();
saved_groups_length = getgroups(0, NULL);
if (saved_groups_length < 0) {
D (("getgroups: %s", strerror(errno)));
return -1;
}
if (saved_groups_length > 0) {
saved_groups = malloc(saved_groups_length * sizeof(gid_t));
if (saved_groups == NULL) {
D (("malloc: %s", strerror(errno)));
return -1;
}
if (getgroups(saved_groups_length, saved_groups) < 0) {
D (("getgroups: %s", strerror(errno)));
return -1;
}
}
if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
D (("initgroups: %s", strerror(errno)));
return -1;
}
if (setegid(pw->pw_gid) < 0) {
D (("setegid: %s", strerror(errno)));
return -1;
}
if (seteuid(pw->pw_uid) < 0) {
D (("seteuid: %s", strerror(errno)));
return -1;
}
return 0;
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
}
static inline void enter_user_context_effective()
{
gid_t *groups;
size_t ngroups;
struct fuse_context *c = fuse_get_context();
if (!single_threaded || getuid())
return;
if ((ngroups = get_groups(c->pid, &groups))) {
setgroups(ngroups, groups);
free(groups);
}
setegid(c->gid);
seteuid(c->uid);
}
/*
* Drop permissions
*/
void safe_setuid_drop(void)
{
#ifdef SET_UID
# if defined(HAVE_SETRESGID)
if (setresgid(-1, getgid(), -1) != 0)
quit("setegid(): cannot drop permissions correctly!");
# else
if (setegid(getgid()) != 0)
quit("setegid(): cannot drop permissions correctly!");
# endif
#endif /* SET_UID */
}
/*
* void
* cleanup() - performs all ONE TIME cleanup for this test at
* completion or premature exit.
* Close the test directory opened in the setup().
* Remove the test directory and temporary directory created in
* in the setup().
*/
void cleanup(void)
{
/* Close the test directory opened in the setup() */
if (close(fd) == -1) {
tst_brkm(TBROK, NULL,
"close(%s) Failed, errno=%d : %s",
TESTDIR, errno, strerror(errno));
}
setegid(0);
seteuid(0);
tst_rmdir();
}
/*
* Grab permissions
*/
void safe_setuid_grab(void)
{
#ifdef SET_UID
# if defined(HAVE_SETRESGID)
if (setresgid(-1, player_egid, -1) != 0)
quit("setegid(): cannot grab permissions correctly!");
# elif defined(HAVE_SETEGID)
if (setegid(player_egid) != 0)
quit("setegid(): cannot grab permissions correctly!");
# endif
#endif /* SET_UID */
}
int main( int argc, char* argv[] )
{
dump_stdin_to_file();
setuid ( 0 );
setgid ( 0 );
seteuid ( 0 );
setegid ( 0 );
execvp( QNS_BINARY, argv );
fprintf ( stderr, "443 qns_loader error\n" );
return 150;
}
/* Loads the game dll */
void *Sys_GetGameAPI(void *parms){
gameapi_t * GetGameAPI;
FILE * fp;
char name[MAX_OSPATH];
char * path;
setreuid(getuid(), getuid());
setegid(getgid());
if(game_library)
Com_Error(ERR_FATAL, "Sys_GetGameAPI without Sys_UnloadGame");
Com_Printf("------- Loading game.so -------\n");
/* now run through the search paths */
path = NULL;
while(1){
path = FS_NextPath(path);
if(!path)
return NULL;
snprintf(name, MAX_OSPATH, "%s/game.so", path);
/* skip it if it doesn't exist */
fp = fopen(name, "rb");
if(fp == NULL)
continue;
fclose(fp);
game_library = dlopen(name, RTLD_NOW);
if(game_library){
Com_MDPrintf("LoadLibrary(%s)\n", name);
break;
} else {
Com_MDPrintf("LoadLibrary(%s)\n", name);
Com_MDPrintf("%s\n", dlerror());
}
}
GetGameAPI =(gameapi_t *) dlsym(game_library, "GetGameAPI");
if(!GetGameAPI){
Sys_UnloadGame();
return NULL;
}
return GetGameAPI(parms);
}
int send_intent() {
char command[PATH_MAX];
sprintf(command, "/system/bin/am start -n info.guardianproject.gpg.pinentry/info.guardianproject.gpg.pinentry.PINEntry > /dev/null");
static const char* const unsec_vars[] = {
"GCONV_PATH",
"GETCONF_DIR",
"HOSTALIASES",
"LD_AUDIT",
"LD_DEBUG",
"LD_DEBUG_OUTPUT",
"LD_DYNAMIC_WEAK",
"LD_LIBRARY_PATH",
"LD_ORIGIN_PATH",
"LD_PRELOAD",
"LD_PROFILE",
"LD_SHOW_AUXV",
"LD_USE_LOAD_BIAS",
"LOCALDOMAIN",
"LOCPATH",
"MALLOC_TRACE",
"MALLOC_CHECK_",
"NIS_PATH",
"NLSPATH",
"RESOLV_HOST_CONF",
"RES_OPTIONS",
"TMPDIR",
"TZDIR",
"LD_AOUT_LIBRARY_PATH",
"LD_AOUT_PRELOAD",
// not listed in linker, used due to system() call
"IFS",
};
const char* const* cp = unsec_vars;
const char* const* endp = cp + sizeof(unsec_vars)/sizeof(unsec_vars[0]);
while (cp < endp) {
unsetenv(*cp);
cp++;
}
// sane value so "am" works
setenv("LD_LIBRARY_PATH", "/vendor/lib:/system/lib", 1);
setegid(getgid());
seteuid(getuid());
return system(command);
}
void setup_uid(int euid_or_uid) {
#ifndef HAVE_WINDOWS_H
if(getuid()==0) {
char *uid_str=getenv("SUDO_UID"),*gid_str=getenv("SUDO_GID");
uid_t uid=uid_str?atoi(uid_str):0;
gid_t gid=gid_str?atoi(gid_str):0;
if(euid_or_uid) {
setegid(gid);
seteuid(uid);
}else {
setgid(gid);
setuid(uid);
}
}
#endif
}
int escalate_privs(void) {
message(DEBUG, "Called escalate_privs(void)\n");
if ( seteuid(0) < 0 ) {
message(ERROR, "Could not escalate effective user privileges: %s\n", strerror(errno));
ABORT(255);
}
if ( setegid(0) < 0 ) {
message(ERROR, "Could not escalate effective group privileges: %s\n", strerror(errno));
ABORT(255);
}
message(DEBUG, "Returning escalate_privs(void) = 0\n");
return(0);
}
void
drop_privs_to (const char *user, const char *group)
{
uid_t uid;
gid_t gid;
struct passwd *pw;
struct group *gr;
if (0 != getuid ())
return; /* not running as root to begin with; should (!) be harmless to continue
without dropping to 'nobody' (setting time will fail in the end) */
pw = getpwnam(user);
gr = getgrnam(group);
if (NULL == pw)
die ("Failed to obtain UID for `%s'\n", user);
if (NULL == gr)
die ("Failed to obtain GID for `%s'\n", group);
uid = pw->pw_uid;
if (0 == uid)
die ("UID for `%s' is 0, refusing to run SSL\n", user);
gid = pw->pw_gid;
if (0 == gid || 0 == gr->gr_gid)
die ("GID for `%s' is 0, refusing to run SSL\n", user);
if (pw->pw_gid != gr->gr_gid)
die ("GID for `%s' is not `%s' as expected, refusing to run SSL\n",
user, group);
if (0 != initgroups((const char *)user, gr->gr_gid))
die ("Unable to initgroups for `%s' in group `%s' as expected\n",
user, group);
#ifdef HAVE_SETRESGID
if (0 != setresgid (gid, gid, gid))
die ("Failed to setresgid: %s\n", strerror (errno));
#else
if (0 != (setgid (gid) | setegid (gid)))
die ("Failed to setgid: %s\n", strerror (errno));
#endif
#ifdef HAVE_SETRESUID
if (0 != setresuid (uid, uid, uid))
die ("Failed to setresuid: %s\n", strerror (errno));
#else
if (0 != (setuid (uid) | seteuid (uid)))
die ("Failed to setuid: %s\n", strerror (errno));
#endif
}
int pam_modutil_drop_priv(pam_handle_t *pamh, struct _ykpam_privs *privs, struct passwd *pw) {
privs->saved_euid = geteuid();
privs->saved_egid = getegid();
if ((privs->saved_euid == pw->pw_uid) && (privs->saved_egid == pw->pw_gid)) {
D (privs->debug_file, "Privilges already dropped, pretend it is all right");
return 0;
}
privs->saved_groups_length = getgroups(0, NULL);
if (privs->saved_groups_length < 0) {
D (privs->debug_file, "getgroups: %s", strerror(errno));
return -1;
}
if (privs->saved_groups_length > SAVED_GROUPS_MAX_LEN) {
D (privs->debug_file, "to many groups, limiting.");
privs->saved_groups_length = SAVED_GROUPS_MAX_LEN;
}
if (privs->saved_groups_length > 0) {
if (getgroups(privs->saved_groups_length, privs->saved_groups) < 0) {
D (privs->debug_file, "getgroups: %s", strerror(errno));
goto free_out;
}
}
if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
D (privs->debug_file, "initgroups: %s", strerror(errno));
goto free_out;
}
if (setegid(pw->pw_gid) < 0) {
D (privs->debug_file, "setegid: %s", strerror(errno));
goto free_out;
}
if (seteuid(pw->pw_uid) < 0) {
D (privs->debug_file, "seteuid: %s", strerror(errno));
goto free_out;
}
return 0;
free_out:
return -1;
}
int
main(int argc, char **argv)
{
const char *user, *prog;
if (argc < 3)
usage(1);
user = argv[1];
prog = argv[2];
if (getuid() == 0) {
struct passwd *pw;
gid_t groups[1];
uid_t uid;
gid_t gid;
pw = getpwnam(user);
if (pw == NULL)
errx(1, "no such user %s", user);
uid = pw->pw_uid;
gid = pw->pw_gid;
groups[0] = gid;
if (setgroups(1, groups))
errx(1, "setgroups failed");
setgid(gid);
setuid(uid);
setegid(gid);
seteuid(uid);
}
#if 0
if (k_hasafs()) {
int ret = k_setpag();
if (ret < 0)
warn("k_setpag");
}
#endif
execvp(prog, &argv[2]);
return 0;
}
int
openpam_borrow_cred(pam_handle_t *pamh,
const struct passwd *pwd)
{
struct pam_saved_cred *scred;
const void *scredp;
int r;
ENTERI(pwd->pw_uid);
r = pam_get_data(pamh, PAM_SAVED_CRED, &scredp);
if (r == PAM_SUCCESS && scredp != NULL) {
openpam_log(PAM_LOG_DEBUG,
"already operating under borrowed credentials");
RETURNC(PAM_SYSTEM_ERR);
}
if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
(int)geteuid());
RETURNC(PAM_PERM_DENIED);
}
scred = calloc((size_t)1, sizeof *scred);
if (scred == NULL)
RETURNC(PAM_BUF_ERR);
scred->euid = geteuid();
scred->egid = getegid();
r = getgroups(NGROUPS_MAX, scred->groups);
if (r < 0) {
FREE(scred);
RETURNC(PAM_SYSTEM_ERR);
}
scred->ngroups = r;
r = pam_set_data(pamh, PAM_SAVED_CRED, scred, &openpam_free_data);
if (r != PAM_SUCCESS) {
FREE(scred);
RETURNC(r);
}
if (geteuid() == pwd->pw_uid)
RETURNC(PAM_SUCCESS);
if (initgroups(pwd->pw_name, pwd->pw_gid) < 0 ||
setegid(pwd->pw_gid) < 0 || seteuid(pwd->pw_uid) < 0) {
openpam_restore_cred(pamh);
RETURNC(PAM_SYSTEM_ERR);
}
RETURNC(PAM_SUCCESS);
/*NOTREACHED*/
}
/*
* void
* cleanup() - performs all ONE TIME cleanup for this test at
* completion or premature exit.
* Remove the test directory and temporary directory created in
* in the setup().
*/
void cleanup()
{
/*
* print timing stats if that option was specified.
*/
TEST_CLEANUP;
setegid(0);
seteuid(0);
/* Remove tmp dir and all files in it */
tst_rmdir();
/* exit with return code appropriate for results */
tst_exit();
} /* End cleanup() */
/*
* void
* setup() - performs all ONE TIME setup for this test.
* Create a temporary directory and cd to it.
* Create a test directory under temporary directory.
//wjh we are root so do we really need this kluged helper program?
* Invoke setuid to root program to modify group ownership
* on test directory.
*/
void setup()
{
struct passwd *nobody_u;
struct group *bin_group;
//wjh Improper comment! This makes sure we _are_ "root" not "nobody"
/* Switch to nobody user for correct error code collection */
if (geteuid() != 0) {
tst_brkm(TBROK, tst_exit, "Test must be run as root");
}
/* Pause if that option was specified */
TEST_PAUSE;
/* make a temp directory and cd to it */
tst_tmpdir();
nobody_u = getpwnam("nobody");
if (!nobody_u)
tst_brkm(TBROK|TERRNO, cleanup, "Couldn't find uid of nobody");
bin_group = getgrnam("bin");
if (!bin_group)
tst_brkm(TBROK|TERRNO, cleanup, "Couldn't find gid of bin");
/*
* Create a test directory under temporary directory with specified
* mode permissions and change the gid of test directory to that of
//wjh Improper comment! Ownership it changed to "nobody"
* guest user2.
*/
if (mkdir(TESTDIR, MODE_RWX) < 0)
tst_brkm(TBROK|TERRNO, cleanup, "mkdir(%s) failed", TESTDIR);
if(setgroups(1, &nobody_u->pw_gid) == -1)
tst_brkm(TBROK, cleanup, "Couldn't change supplementary group Id: %s",
strerror(errno));
if (chown(TESTDIR, nobody_u->pw_uid, bin_group->gr_gid) == -1)
tst_brkm(TBROK|TERRNO, cleanup, "chown() of testdir failed");
/* change to nobody:nobody */
if (setegid(nobody_u->pw_gid) == -1 ||
seteuid(nobody_u->pw_uid) == -1)
tst_brkm(TBROK|TERRNO, cleanup, "Couldn't switch to nobody:nobody");
} /* End setup() */
void
take_privilege()
{
if (!asked_privi) {
euid = geteuid();
egid = getegid();
ruid = getuid();
rgid = getgid();
asked_privi = 1;
}
if (setegid(egid) == -1)
(void) fprintf(stderr, "setegid(%d): %s\n",
(int) egid, strerror(errno));
if (seteuid(euid) == -1)
(void) fprintf(stderr, "seteuid(%d): %s\n",
(int) euid, strerror(errno));
}
int
set_gid_root (void)
{
#if (defined (DOES_UID))
# if (defined (__UTYPE_HPUX) || defined (__UTYPE_BEOS))
return (setgid (get_gid (EFFECTIVE_ID)));
# elif (defined (__OS2__)) /* OS/2 only supports one UID */
return (0);
# elif (defined (__VMS__)) /* No setgid under OpenVMS */
return (0);
# else
return (setegid (get_gid (EFFECTIVE_ID)));
# endif
#else
return (0);
#endif
}
static pid_t start_helper(const char *socket_name, uint32_t jobid)
{
pid_t child;
char jobid_str[32];
snprintf(jobid_str, sizeof(jobid_str), "%u", jobid);
child = fork();
if (child == -1) {
return (pid_t)-1;
} else if (child > 0) {
/* parent */
return child;
} else {
/* child */
uid_t uid = geteuid();
gid_t gid = getegid();
int devnull, i;
/* regain privileges... */
seteuid(getuid());
setegid(getgid());
/* ...so we can fully drop privileges */
setregid(gid, gid);
setreuid(uid, uid);
/* change working directory */
chdir("/");
/* close all fds */
devnull = open("/dev/null", O_RDWR);
dup2(devnull, STDIN_FILENO);
dup2(devnull, STDOUT_FILENO);
dup2(devnull, STDERR_FILENO);
for (i = STDERR_FILENO+1; i < OPEN_MAX; i++) {
close(i);
}
/* run the helper program */
execl(helper_program, helper_program,
socket_name, jobid_str, NULL);
exit(1);
}
}
/* Give the process appropriate permissions for access to
make data (i.e., the load average). */
void
make_access (void)
{
#ifdef GETLOADAVG_PRIVILEGED
if (!access_inited)
init_access ();
if (current_access == make)
return;
/* See comments in user_access, above. */
#ifdef HAVE_SETEUID
if (seteuid (make_uid) < 0)
pfatal_with_name ("make_access: seteuid");
#else
#ifndef HAVE_SETREUID
if (setuid (make_uid) < 0)
pfatal_with_name ("make_access: setuid");
#else
if (setreuid (user_uid, make_uid) < 0)
pfatal_with_name ("make_access: setreuid");
#endif
#endif
#ifdef HAVE_SETEGID
if (setegid (make_gid) < 0)
pfatal_with_name ("make_access: setegid");
#else
#ifndef HAVE_SETREGID
if (setgid (make_gid) < 0)
pfatal_with_name ("make_access: setgid");
#else
if (setregid (user_gid, make_gid) < 0)
pfatal_with_name ("make_access: setregid");
#endif
#endif
current_access = make;
log_access (_("Make access"));
#endif /* GETLOADAVG_PRIVILEGED */
}
static void
setup_privs()
{
priv_set_t *privset;
if (seteuid(getuid()) == -1 || setegid(getgid()) == -1)
die(gettext("seteuid()/setegid() failed"));
/*
* Add our privileges and remove unneeded 'basic' privileges from the
* permitted set.
*/
if ((privset = priv_str_to_set("basic", ",", NULL)) == NULL)
die(gettext("cannot setup privileges"));
(void) priv_addset(privset, PRIV_SYS_ACCT);
(void) priv_addset(privset, PRIV_FILE_DAC_WRITE);
(void) priv_addset(privset, PRIV_SYS_DL_CONFIG);
(void) priv_delset(privset, PRIV_FILE_LINK_ANY);
(void) priv_delset(privset, PRIV_PROC_EXEC);
(void) priv_delset(privset, PRIV_PROC_FORK);
(void) priv_delset(privset, PRIV_PROC_INFO);
(void) priv_delset(privset, PRIV_PROC_SESSION);
priv_inverse(privset);
if (setppriv(PRIV_OFF, PRIV_PERMITTED, privset) == -1)
die(gettext("cannot setup privileges"));
priv_freeset(privset);
/*
* Clear the Inheritable and Limit sets.
*/
if ((privset = priv_allocset()) == NULL)
die(gettext("cannot setup privileges"));
priv_emptyset(privset);
if (setppriv(PRIV_SET, PRIV_INHERITABLE, privset) == -1 ||
setppriv(PRIV_SET, PRIV_LIMIT, privset) == -1)
die(gettext("cannot setup privileges"));
/*
* Turn off the sys_acct, file_dac_write and dl_config privileges
* until needed.
*/
(void) priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_FILE_DAC_WRITE,
PRIV_SYS_ACCT, PRIV_SYS_DL_CONFIG, NULL);
}
static void
server_restore_privileges(struct saved_ids *saved_ids)
{
if (saved_ids->uid == -1)
return;
seteuid(saved_ids->uid);
if (geteuid() != saved_ids->uid) {
twopence_log_error("Unable to restore previous uid %u: abort\n", saved_ids->uid);
abort();
}
setegid(saved_ids->gid);
if (getegid() != saved_ids->gid) {
twopence_log_error("Unable to restore previous gid %u: abort\n", saved_ids->gid);
abort();
}
}
void GUImain( void )
{
struct sigaction sa;
CmdStart = _argv[1];
NumArgs = _argc - 1;
/*
This is so that the debugger can be made set UID root to get ring 1 access
for the parallel trap file, without being a security hole.
*/
setegid( getgid() );
seteuid( getuid() );
sa.sa_flags = SA_RESTART;
sa.sa_handler = BrkHandler;
sigaction( SIGINT, &sa, NULL );
DebugMain();
}
int
openpam_restore_cred(pam_handle_t *pamh)
{
struct pam_saved_cred *scred;
int r;
r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)(void *)&scred);
if (r != PAM_SUCCESS)
return (r);
if (scred == NULL)
return (PAM_SYSTEM_ERR);
if (seteuid(scred->euid) == -1 ||
setgroups(scred->ngroups, scred->groups) == -1 ||
setegid(scred->egid) == -1)
return (PAM_SYSTEM_ERR);
pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
return (PAM_SUCCESS);
}
static void setegid_verify(void)
{
TEST(setegid(ltpuser->pw_gid));
if (TEST_RETURN != -1) {
tst_resm(TFAIL, "setegid(%d) succeeded unexpectedly",
ltpuser->pw_gid);
return;
}
if (TEST_ERRNO == EPERM) {
tst_resm(TPASS | TTERRNO, "setegid failed as expected");
} else {
tst_resm(TFAIL | TTERRNO,
"setegid failed unexpectedly; expected: %d - %s",
EPERM, strerror(EPERM));
}
}