Example #1
0
void set_identity(unsigned int uid) {
    /*
     * Set effective uid back to root, otherwise setres[ug]id will fail
     * if uid isn't root.
     */
    if (seteuid(0)) {
        PLOGE("seteuid (root)");
        exit(EXIT_FAILURE);
    }
    if (setresgid(uid, uid, uid)) {
        PLOGE("setresgid (%u)", uid);
        exit(EXIT_FAILURE);
    }
    if (setresuid(uid, uid, uid)) {
        PLOGE("setresuid (%u)", uid);
        exit(EXIT_FAILURE);
    }
}
Example #2
0
void fr_suid_down(void)
{
	if (!doing_setuid) return;

	if (setresuid(-1, server_uid, geteuid()) < 0) {
		fprintf(stderr, "%s: Failed switching to uid %s: %s\n",
			progname, uid_name, fr_syserror(errno));
		fr_exit_now(1);
	}

	if (geteuid() != server_uid) {
		fprintf(stderr, "%s: Failed switching uid: UID is incorrect\n",
			progname);
		fr_exit_now(1);
	}

	fr_set_dumpable(allow_core_dumps);
}
Example #3
0
File: os.c Project: 274914765/C
static void setperms (uid_t uid, gid_t gid)
{
    char strbuf[ISC_STRERRORSIZE];

#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
    gid_t oldgid, tmpg;
#endif
#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID)
    uid_t olduid, tmpu;
#endif
#if defined(HAVE_SETEGID)
    if (getegid () != gid && setegid (gid) == -1)
    {
        isc__strerror (errno, strbuf, sizeof (strbuf));
        ns_main_earlywarning ("unable to set effective gid to %ld: %s", (long) gid, strbuf);
    }
#elif defined(HAVE_SETRESGID)
    if (getresgid (&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid)
    {
        if (setresgid (-1, gid, -1) == -1)
        {
            isc__strerror (errno, strbuf, sizeof (strbuf));
            ns_main_earlywarning ("unable to set effective " "gid to %d: %s", gid, strbuf);
        }
    }
#endif

#if defined(HAVE_SETEUID)
    if (geteuid () != uid && seteuid (uid) == -1)
    {
        isc__strerror (errno, strbuf, sizeof (strbuf));
        ns_main_earlywarning ("unable to set effective uid to %ld: %s", (long) uid, strbuf);
    }
#elif defined(HAVE_SETRESUID)
    if (getresuid (&tmpu, &olduid, &tmpu) == -1 || olduid != uid)
    {
        if (setresuid (-1, uid, -1) == -1)
        {
            isc__strerror (errno, strbuf, sizeof (strbuf));
            ns_main_earlywarning ("unable to set effective " "uid to %d: %s", uid, strbuf);
        }
    }
#endif
}
Example #4
0
/*
 * Create the context as the user (not as root).
 *
 * Note that we change the *real* uid here, as changing the effective uid is
 * not sufficient. This is due to an unfortunate historical error in the MIT
 * krb5 libs, where they used %{uid} in the default_ccache_name. Changing that
 * now might break some applications so we're sort of stuck with it.
 *
 * Unfortunately, doing this leaves the forked child vulnerable to signals and
 * renicing, but this is the best we can do. In the event that a child is
 * signalled before downcalling, the kernel will just eventually time out the
 * upcall attempt.
 */
static int
change_identity(uid_t uid)
{
	struct passwd	*pw;

	/* drop list of supplimentary groups first */
	if (setgroups(0, NULL) != 0) {
		printerr(0, "WARNING: unable to drop supplimentary groups!");
		return errno;
	}

	/* try to get pwent for user */
	pw = getpwuid(uid);
	if (!pw) {
		/* if that doesn't work, try to get one for "nobody" */
		errno = 0;
		pw = getpwnam("nobody");
		if (!pw) {
			printerr(0, "WARNING: unable to determine gid for uid %u\n", uid);
			return errno ? errno : ENOENT;
		}
	}

	/*
	 * Switch the GIDs. Note that we leave the saved-set-gid alone in an
	 * attempt to prevent attacks via ptrace()
	 */
	if (setresgid(pw->pw_gid, pw->pw_gid, -1) != 0) {
		printerr(0, "WARNING: failed to set gid to %u!\n", pw->pw_gid);
		return errno;
	}

	/*
	 * Switch UIDs, but leave saved-set-uid alone to prevent ptrace() by
	 * other processes running with this uid.
	 */
	if (setresuid(uid, uid, -1) != 0) {
		printerr(0, "WARNING: Failed to setuid for user with uid %u\n",
				uid);
		return errno;
	}

	return 0;
}
Example #5
0
/****************************************************************************
 Become the specified uid and gid - permanently !
 there should be no way back if possible
****************************************************************************/
void become_user_permanently(uid_t uid, gid_t gid)
{
	/*
	 * First - gain root privilege. We do this to ensure
	 * we can lose it again.
	 */

	gain_root_privilege();
	gain_root_group_privilege();

#if USE_SETRESUID
	setresgid(gid,gid,gid);
	setgid(gid);
	setresuid(uid,uid,uid);
	setuid(uid);
#endif

#if USE_SETREUID
	setregid(gid,gid);
	setgid(gid);
	setreuid(uid,uid);
	setuid(uid);
#endif

#if USE_SETEUID
	setegid(gid);
	setgid(gid);
	setuid(uid);
	seteuid(uid);
	setuid(uid);
#endif

#if USE_SETUIDX
	setgidx(ID_REAL, gid);
	setgidx(ID_EFFECTIVE, gid);
	setgid(gid);
	setuidx(ID_REAL, uid);
	setuidx(ID_EFFECTIVE, uid);
	setuid(uid);
#endif
	
	assert_uid(uid, uid);
	assert_gid(gid, gid);
}
Example #6
0
void
drop_privs_to (const char *user, const char *group)
{
  uid_t uid;
  gid_t gid;
  struct passwd *pw;
  struct group  *gr;

  if (0 != getuid ())
    return; /* not running as root to begin with; should (!) be harmless to continue
         without dropping to 'nobody' (setting time will fail in the end) */
  pw = getpwnam (user);
  gr = getgrnam (group);
  if (NULL == pw)
    die ("Failed to obtain UID for `%s'\n", user);
  if (NULL == gr)
    die ("Failed to obtain GID for `%s'\n", group);
  uid = pw->pw_uid;
  if (0 == uid)
    die ("UID for `%s' is 0, refusing to run SSL\n", user);
  gid = pw->pw_gid;
  if (0 == gid || 0 == gr->gr_gid)
    die ("GID for `%s' is 0, refusing to run SSL\n", user);
  if (pw->pw_gid != gr->gr_gid)
    die ("GID for `%s' is not `%s' as expected, refusing to run SSL\n",
         user, group);
  if (0 != initgroups ( (const char *) user, gr->gr_gid))
    die ("Unable to initgroups for `%s' in group `%s' as expected\n",
         user, group);
#ifdef HAVE_SETRESGID
  if (0 != setresgid (gid, gid, gid))
    die ("Failed to setresgid: %s\n", strerror (errno));
#else
  if (0 != (setgid (gid) | setegid (gid)))
    die ("Failed to setgid: %s\n", strerror (errno));
#endif
#ifdef HAVE_SETRESUID
  if (0 != setresuid (uid, uid, uid))
    die ("Failed to setresuid: %s\n", strerror (errno));
#else
  if (0 != (setuid (uid) | seteuid (uid)))
    die ("Failed to setuid: %s\n", strerror (errno));
#endif
}
Example #7
0
/*
 * Do the real work of dropping privileges.  Checks to
 * see what the current uid/gid are, sets res gid and
 * uid to the specified user's uid/gid and verifies
 * that privs can't be restored to the initial uid/gid
 */
int drop_privs(struct passwd *pw) {
   char *dir;
   int uid = getuid();
   int gid = getgid();
   int result = -1;
#if defined DO_CHROOT
   dir = "/";
   if (chroot(pw->pw_dir) == -1) {;
#ifdef DEBUG      
      perror("chroot");
      fprintf(stderr, "Failed chroot to %s", pw->pw_dir);
#endif
      return -1;
   }
#else
   dir = pw->pw_dir;
#endif
   initgroups(pw->pw_name, pw->pw_gid);
   if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) return -1;
   if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) return -1;
   if (pw->pw_gid != gid && (setgid(gid) != -1 || setegid(gid) != -1)) {
#ifdef DEBUG      
      printf(ERROR_BAD_GID, getgid(), pw->pw_gid);
#endif
      return -1;
   }
   if (pw->pw_uid != uid && (setuid(uid) != -1 || seteuid(uid) != -1)) {
#ifdef DEBUG      
      printf(ERROR_BAD_UID, getuid(), pw->pw_uid);
#endif
      return -1;
   }
   if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) return -1;
   if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;

   if (chdir(dir) == -1) {;
#ifdef DEBUG      
      perror("chdir");
      fprintf(stderr, "Failed chdir to %s", dir);
#endif
      return -1;
   }
   return 0;
}
Example #8
0
int change_rights ()
{
	if (getuid () == 0 ) {
		struct passwd *pw;
		struct group *gr;
		gid_t gid;
		if ((gr = getgrnam(conf_group))) {
			gid = gr->gr_gid;
			if (setresgid(gid, gid, gid) != 0) {
				log(LOG_WARNING, "cannot change gid");
				return (1);
			}
			if (initgroups(conf_user, gid) == -1) {
				log(LOG_WARNING, "cannot change gid");
				return (1);
			}
		}
		else {
			log(LOG_WARNING, "cannot find group %s on system", 
			    conf_group);
			return (1);
		}
		if ((pw = getpwnam(conf_user))) {
			if (chown(conf_socket_path, pw->pw_uid, gid) == -1) {
				log(LOG_WARNING, "cannot change owner of "
				    "%s : %m", conf_socket_path);
				return (1);
			}
			if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0){
				log(LOG_WARNING, "cannot change uid");
				return (1);
			}
		}
		else {
			log(LOG_WARNING, "cannot find user %s on system", 
			    conf_user);
			return (1);
		}
		return (0);
	}
	log(LOG_WARNING, "User isn't root");
	return (1);
}
Example #9
0
void fr_suid_up(void)
{
	uid_t ruid, euid, suid;
	
	if (getresuid(&ruid, &euid, &suid) < 0) {
		radlog(L_ERR, "Failed getting saved UID's");
		_exit(1);
	}

	if (setresuid(-1, suid, -1) < 0) {
		radlog(L_ERR, "Failed switching to privileged user");
		_exit(1);
	}

	if (geteuid() != suid) {
		radlog(L_ERR, "Switched to unknown UID");
		_exit(1);
	}
}
Example #10
0
static void
test_setresuid4 (enum ACTION action, int tno)
{
  if (action == PREPARE)
    {
      if (setresuid (nobody_uid, nobody_uid, -1) < 0)
	{
	  printf ("setresuid failed: %m\n");
	  exit (1);
	}

      prev_ruid = nobody_uid;
      prev_euid = nobody_uid;
      nobody_uid = prev_suid;
      return;
    }

  test_setresuid1 (action, tno);
}
Example #11
0
gboolean RevertToSelf (void)
{
#ifdef HAVE_GETRESUID
	uid_t ruid, euid;
#endif
	uid_t suid = -1;

#ifdef HAVE_GETRESUID
	if (getresuid (&ruid, &euid, &suid) < 0)
		return FALSE;
#endif
#ifdef HAVE_SETRESUID
	if (setresuid (-1, suid, -1) < 0)
		return FALSE;
#else
	return TRUE;
#endif
	return (geteuid () == suid);
}
Example #12
0
static void
child(const char *root, char *cmd[])
{
    pid_t pid = (pid_t)syscall(SYS_getpid);
    assert(pid == 1);

    // die when parent dies
    NONNEGATIVE(prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0));

    NONNEGATIVE(sethostname(POE_HOSTNAME, strlen(POE_HOSTNAME)));
    NONNEGATIVE(mount(NULL, "/",        NULL,           MS_PRIVATE | MS_REC, NULL));
    NONNEGATIVE(mount(root, root,       "bind",         MS_BIND | MS_REC, NULL));
    NONNEGATIVE(chroot(root));
    // NONNEGATIVE(mount(NULL, "/proc",    "proc",         MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL));
    // NONNEGATIVE(mount(NULL, "/dev",     "devtmpfs",     MS_NOSUID | MS_NOEXEC, NULL));
    // NONNEGATIVE(mount(NULL, "/dev/shm", "tmpfs",        MS_NOSUID | MS_NODEV, NULL));

    struct passwd *pw = getpwnam(POE_USERNAME);
    if (!pw) ERROR("getpwnam() failed");

    NONNEGATIVE(chdir("/tmp"));
    NONNEGATIVE(setsid());
    NONNEGATIVE(initgroups(POE_USERNAME, pw->pw_gid));
    NONNEGATIVE(setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid));
    NONNEGATIVE(setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid));

    char *env[] = {
        "PATH=/opt/bin:/usr/bin",
        "USER="******"LOGNAME=" POE_USERNAME,
        NULL,
        NULL
    };
    NONNEGATIVE(asprintf(env + 3, "HOME=%s", pw->pw_dir));

    // wait parent
    NONNEGATIVE(kill(pid, SIGSTOP));

    NONNEGATIVE(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
    poe_init_seccomp(SCMP_ACT_TRACE(0));

    NONNEGATIVE(execvpe(cmd[0], cmd, env));
}
Example #13
0
void
privdrop(void)
{
	struct passwd *pw;
	struct stat sb;

	if ((pw = getpwnam(SNDIO_USER)) == NULL)
		errx(1, "unknown user %s", SNDIO_USER);
	if (stat(pw->pw_dir, &sb) < 0)
		err(1, "stat(\"%s\")", pw->pw_dir);
	if (sb.st_uid != 0 || (sb.st_mode & 022) != 0)
		errx(1, "%s has wrong permissions", pw->pw_dir);
	if (setpriority(PRIO_PROCESS, 0, SNDIO_PRIO) < 0)
		err(1, "setpriority");
	if (setgroups(1, &pw->pw_gid) ||
	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
		err(1, "cannot drop privileges");
}
Example #14
0
static void restore_re_uid_fromroot(void)
{
#if USE_SETRESUID
	setresuid(saved_ruid, saved_euid, -1);
#elif USE_SETREUID
	setreuid(saved_ruid, -1);
	setreuid(-1,saved_euid);
#elif USE_SETUIDX
	setuidx(ID_REAL, saved_ruid);
	setuidx(ID_EFFECTIVE, saved_euid);
#else
	set_effective_uid(saved_euid);
	if (getuid() != saved_ruid)
		setuid(saved_ruid);
	set_effective_uid(saved_euid);
#endif

	assert_uid(saved_ruid, saved_euid);
}
Example #15
0
int main(int argc, char **argv) {
  char **newargv;
  int i;

  if (argc <= 1) {
    exit(1);
  }
  newargv = argv + 1;

  if (setresuid((uid_t)0, (uid_t)0, (uid_t)0)) {
      perror("setresuid");
  }
  
  if (setresgid((gid_t)0, (gid_t)0, (gid_t)0)) {
      perror("setresgid");
  }
  
  exit(execvp(newargv[0], newargv));
}
Example #16
0
int
main(int argc, char *argv[])
{
	int		 ch, status;
	struct passwd	*pw;

	if (getuid() != 0)
		errx(EX_USAGE, "must be run as root");

	while ((ch = getopt(argc, argv, "o:h")) != -1)
		switch (ch) {
		case 'o':
			open_file(optarg);
			break;
ex_usage:
		case 'h':
			usage();
			exit(EX_USAGE);
			/* NOTREACHED */
		default:
			exit(EX_USAGE);
		}

	argc -= optind;
	argv += optind;

	if (argc < 2)
		goto ex_usage;

	/* Drop privileges */
	if ((pw = getpwnam(*argv)) == NULL)
		errx(EX_USAGE, "getpwnam(%s) failed", *argv);
	if (setgroups(1, &pw->pw_gid) ||
	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
		err(EX_OSERR, "cannot drop privileges");

	argc--;
	argv++;
	status = execvp(*argv, argv);
	err(status, "execvp(%s)", *argv);
}
Example #17
0
int main(int ac, char **av)
{
	int lc;
	const char *msg;

	if ((msg = parse_opts(ac, av, NULL, NULL)) != NULL) {
		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);

	}

	setup();

	for (lc = 0; TEST_LOOPING(lc); lc++) {
		int i;

		/* reset tst_count in case we are looping */
		tst_count = 0;

		for (i = 0; i < TST_TOTAL; i++) {
			/* Set the real, effective or user id */
			TEST(setresuid(*test_data[i].real_uid,
				       *test_data[i].eff_uid,
				       *test_data[i].sav_uid));

			if (TEST_RETURN == -1) {
				TEST_ERROR_LOG(TEST_ERRNO);
				tst_resm(TFAIL, "setresuid(%d, %d, %d) failed",
					 *test_data[i].real_uid,
					 *test_data[i].eff_uid,
					 *test_data[i].sav_uid);
			} else {
				uid_verify(test_data[i].exp_real_usr,
					   test_data[i].exp_eff_usr,
					   test_data[i].exp_sav_usr,
					   test_data[i].test_msg);
			}
		}
	}

	cleanup();
	tst_exit();
}
Example #18
0
int
priv_sched_rtprio_setup(int asroot, int injail, struct test *test)
{
	int another_uid, need_child;

	/*
	 * Some tests require a second process with specific credentials.
	 * Set that up here, and kill in cleanup.
	 */
	need_child = 0;
	if (test->t_test_func == priv_sched_rtprio_aproc_normal ||
	    test->t_test_func == priv_sched_rtprio_aproc_idle ||
	    test->t_test_func == priv_sched_rtprio_aproc_realtime) {
		need_child = 1;
		another_uid = 1;
	}
	if (test->t_test_func == priv_sched_rtprio_myproc_normal ||
	    test->t_test_func == priv_sched_rtprio_myproc_idle ||
	    test->t_test_func == priv_sched_rtprio_myproc_realtime) {
		need_child = 1;
	}

	if (need_child) {
		childproc = fork();
		if (childproc < 0) {
			warn("priv_sched_setup: fork");
			return (-1);
		}
		if (childproc == 0) {
			if (another_uid) {
				if (setresuid(UID_THIRD, UID_THIRD,
				    UID_THIRD) < 0)
				err(-1, "setresuid(%d)", UID_THIRD);
			}
			while (1)
				sleep(1);
		}
		childproc_running = 1;
		sleep(1);	/* Allow dummy thread to change uids. */
	}
	return (0);
}
Example #19
0
int
main(int argc, char *argv[])
{
	struct kinfo_proc	 kproc;
	struct passwd		*pw;
	char			*toexec = NULL;
	uid_t			 uid;

	if (argc > 1) {
		argv ++;
		if ((toexec = strdup(argv[0])) == NULL)
			err(1, "strdup");
	}

	if ((pw = getpwnam(_SETUID_REGRESS_USER)) == NULL)
		err(1, "unknown user \"%s\"", _SETUID_REGRESS_USER);

	uid = getuid();

	if (setresuid(pw->pw_uid, -1, -1) == -1)
		err(1, "setuid");
	checkuids(pw->pw_uid, uid, uid, "setuid");

	/* should only respond to setuid upon exec */
	if (issetugid())
		errx(1, "process incorrectly as issetugid()");

	if (read_kproc_pid(&kproc, getpid()) == -1)
		err(1, "kproc read failed");

	if (!(kproc.p_psflags & PS_SUGID))
		errx(1, "PS_SUGID not set");
	if (kproc.p_psflags & PS_SUGIDEXEC)
		errx(1, "PS_SUGIDEXEC incorrectly set");

	if (toexec != NULL)
		if (execv(toexec, argv) == -1)
			err(1, "exec of %s failed", toexec);
	free(toexec);

	exit(0);
}
Example #20
0
static void
test_setuid2 (enum ACTION action, int tno)
{
  if (action == PREPARE)
    {
      if (setresuid (nobody_uid, nobody_uid, -1) < 0)
	{
	  printf ("setresuid failed: %m\n");
	  exit (1);
	}

      prev_ruid = nobody_uid;
      prev_euid = nobody_uid;
      return;
    }

  if (action != CHECK_AFTER)
    check_prev_uid (tno);

  if (action == SET && setuid (prev_suid) < 0)
    {
      printf ("setuid failed: %m\n");
      exit (1);
    }

  if (action != CHECK_BEFORE)
    {
      uid_t ruid, euid, suid;
      if (getresuid (&ruid, &euid, &suid) < 0)
	{
	  printf ("getresuid failed: %d %m\n", tno);
	  exit (1);
	}

      if (ruid != nobody_uid || euid != prev_suid || suid != prev_suid)
	{
	  printf ("after setuid %d (%d %d %d) != (%d %d %d)\n", tno,
		  ruid, euid, suid, nobody_uid, prev_suid, prev_suid);
	  exit (1);
	}
    }
}
Example #21
0
int main(int argc, char **argv){
	uid_t uid;
	gid_t gid, gid_list[MAX_SUPPLEMENTAL_GROUPS];

	int i;
	char *end_ptr;

	if(argc < 3){
		fprintf(stderr, "Usage: %s uid:gid[:gid1:gid2:...] COMMAND [ARGS]\n", argv[0]);
		exit(-1);
	}

	memset(gid_list, 0, sizeof(gid_list));
	uid = (uid_t) strtol(argv[1], &end_ptr, 10);
	gid = (gid_t) strtol(end_ptr + 1, &end_ptr, 10);
	if(errno){
		fprintf(stderr, "Usage: %s uid:gid[:gid1:gid2:...] COMMAND [ARGS]\n", argv[0]);
		exit(-1);
	}

	i = 0;
	while(*end_ptr != 0){
		gid_list[i++] = (gid_t) strtol(end_ptr + 1, &end_ptr, 10);
	}

	if(setgroups((size_t) i, gid_list)){
		error(-1, errno, "setgroups()");
	}

	if(setresgid(gid, gid, gid)){
		error(-1, errno, "setresgid()");
	}

	if(setresuid(uid, uid, uid)){
		error(-1, errno, "setresuid()");
	}

	execvp(argv[2], argv + 2);
	error(-1, errno, "execv()");

	return(-1);
}
Example #22
0
static void __dead
checkconfig(const char *confpath, int argc, char **argv,
    uid_t uid, gid_t *groups, int ngroups, uid_t target)
{
	struct rule *rule;

	setresuid(uid, uid, uid);
	parseconfig(confpath, 0);
	if (!argc)
		exit(0);

	if (permit(uid, groups, ngroups, &rule, target, argv[0],
	    (const char **)argv + 1)) {
		printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
		exit(0);
	} else {
		printf("deny\n");
		exit(1);
	}
}
Example #23
0
File: uid.c Project: dongmu/trinity
bool drop_privs(struct childdata *child)
{
	if (setresgid(nobody_gid, nobody_gid, nobody_gid) < 0) {
		output(0, "Error setting nobody gid (%s)\n", strerror(errno));
		exit(EXIT_FAILURE);
	}

	if (setgroups(0, NULL) == -1) {
		;
	}

	if (setresuid(nobody_uid, nobody_uid, nobody_uid) < 0) {
		output(0, "Error setting nobody uid (%s)\n", strerror(errno));
		exit(EXIT_FAILURE);
	}

//	debugf("set uid to %u and gid to %d (nobody)\n", nobody_uid, nobody_gid);
	child->dropped_privs = TRUE;
	return TRUE;
}
Example #24
0
/****************************************************************************
 Set *only* the effective uid.
 we want to end up with ruid==0 and euid==uid
****************************************************************************/
void set_effective_uid(uid_t uid)
{
#if USE_SETRESUID
	setresuid(-1,uid,-1);
#endif

#if USE_SETREUID
	setreuid(-1,uid);
#endif

#if USE_SETEUID
	seteuid(uid);
#endif

#if USE_SETUIDX
	setuidx(ID_EFFECTIVE, uid);
#endif

	assert_uid(-1, uid);
}
Example #25
0
VGAuthError
VGAuthEndImpersonationImpl(VGAuthContext *ctx)
{
   char buffer[BUFSIZ];
   struct passwd pw;
   struct passwd *ppw = &pw;
   int error;
   int ret;

   if ((error = getpwuid_r(0, &pw, buffer, sizeof buffer, &ppw)) != 0 ||
       !ppw) {
      Warning("Failed to lookup root (%d)\n", error);
      return VGAUTH_E_INVALID_ARGUMENT;
   }

   // first change back user
   ret = setresuid(ppw->pw_uid, ppw->pw_uid, 0);
   if (ret < 0) {
      Warning("Failed to setresuid() for root (%d)\n", errno);
      return VGAUTH_E_FAIL;
   }

   // now group
   ret = setresgid(ppw->pw_gid, ppw->pw_gid, ppw->pw_gid);
   if (ret < 0) {
      Warning("Failed to setresgid() for root (%d)\n", errno);
      return VGAUTH_E_FAIL;
   }
   ret = initgroups(ppw->pw_name, ppw->pw_gid);
   if (ret < 0) {
      Warning("Failed to initgroups() for root (%d)\n", errno);
      return VGAUTH_E_FAIL;
   }

   // set env
   setenv("USER", ppw->pw_name, 1);
   setenv("HOME", ppw->pw_dir, 1);
   setenv("SHELL", ppw->pw_shell, 1);

   return VGAUTH_E_OK;
}
Example #26
0
int main(int argc, char **argv) {
        int score = 0;
        printf("CollageBored (R) Advanced Placement Literature Grader\n");
        if (argc != 2) {
                printf("Usage: %s [essay]\n", argv[0]);
                return 1;
        }
        char buf[700];
        strcpy(buf, argv[1]);
        printf("-------------- YOUR SUBMISSION --------------\n");
        printf("%s\n", buf);
        printf("---------------------------------------------\n");
        printf("According to our analysis, your response received a grade of %d!\n", score);
        if (score > 12) {
                uid_t uid = geteuid();
                setresuid(uid, uid, uid);
                FILE *fp;
                fp = fopen("flag.txt", "r");
                char flag[64];
                fgets(flag, 64, (FILE*) fp);
                printf("Wow, you're an HONOR student! Here's a flag: %s\n", flag);
        } else {
                printf("Sorry, you can only view the FLAG if you received a score greater than 12.\n");
                printf("\n");
                printf("If you didn't do as well as you wanted, be sure to take a look at our rubric\n");
                printf("to see how we grade your essay!\n");
                printf("********* RUBRIC ************ \n");
                printf("* 0 - your essay sucks      * \n");
                printf("* 1 - impossible to achieve * \n");
                printf("* 2 - impossible to achieve * \n");
                printf("* 3 - impossible to achieve * \n");
                printf("* 4 - impossible to achieve * \n");
                printf("* 5 - impossible to achieve * \n");
                printf("* 6 - impossible to achieve * \n");
                printf("* 7 - impossible to achieve * \n");
                printf("* 8 - impossible to achieve * \n");
                printf("* 9 - impossible to achieve * \n");
                printf("***************************** \n");
        }
        return 0;
}
int main(int argc, char **argv)
{
	char	*command;
	uid_t	user=getuid(); 
	int		isNTFS=1;
	int		what;

	if(argc==4)
		{
			isNTFS=checkForNTFS(argv[1]);
			setresuid(0,user,user);
			asprintf(&command,"mkdir -p %s &>/dev/null",argv[2]);
			system(command);
			free(command);
			what=atoi(argv[3]);
			switch(what)
				{
					case 1:
						if(isNTFS==0)
							asprintf(&command,"mount -o user,uid=%i,gid=%i UUID=\"%s\" \"%s\"",user,user,argv[1],argv[2]);
						else
							asprintf(&command,"mount UUID=\"%s\" \"%s\"",argv[1],argv[2]);
						break;
					case 2:
						asprintf(&command,"umount UUID=\"%s\"",argv[1]);
						system(command);
						free(command);			
						asprintf(&command,"rmdir \"%s\"",argv[2]);
						break;
					case 3:
						asprintf(&command,"eject UUID=\"%s\" &",argv[1]);
						system(command);
						free(command);			
						asprintf(&command,"rmdir \"%s\"",argv[2]);
						break;
				}
			system(command);
			free(command);			
		}
	return 0;
}
Example #28
0
File: suid.c Project: blaa/OTPasswd
void drop_pernamently(void)
{
	/* On systems without setres* use setre*. But make sure it works */
	const int gid = getgid(), uid = getuid();

	if (setresuid(uid, uid, uid) != 0)
		goto error;
	if (setresgid(gid, gid, gid) != 0)
		goto error;

	/* Paranoid check */
	if (geteuid() != getuid() || getegid() != getgid()) {
		printf("d_t: fun\n");
		goto error;
	}

	return;
error:
	printf("d_p: failure\n");
	exit(EXIT_FAILURE);
}
Example #29
0
/*
Used to drop process privilage (though in theory it's more general than that). Should return -1 on failure, 0 otherwise.
Inspired/informed by http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
@param user to be used (c string). Group ID is derived from the user id.
@return 0 on success, -1 on failure.
*/
int set_privilage(char * new_user)
{
  struct passwd * working_user_passwd;
  working_user_passwd = getpwnam(new_user);
  print_to_log("Attempting to drop privilage", LOG_INFO);
  printf("working uid = %x, gid = %x, name = %s\n", working_user_passwd->pw_uid, working_user_passwd->pw_gid, working_user_passwd->pw_name);
  if (setresgid(working_user_passwd->pw_gid, working_user_passwd->pw_gid, working_user_passwd->pw_gid)<0)
  {
    perror("setresgid");
    print_to_log("Setresgid has failed. Cannot move to least privilage user.", LOG_EMERG);
    return -1;
  }
  if (setresuid(working_user_passwd->pw_uid, working_user_passwd->pw_uid, working_user_passwd->pw_uid)<0)
  {
    perror("setresuid");
    print_to_log("Setresuid has failed. Cannot move to least privilage user.", LOG_EMERG);
    return -1;
  }
  print_to_log("Process has successfully dropped privilage", LOG_INFO);
  return 0;
}
Example #30
0
File: suid.c Project: blaa/OTPasswd
void restore(void)
{
	/* On systems without setres* use setre*. But make sure it works */

	/* 0 should be remembered before! */
	if (setresuid(real_uid, set_uid, set_uid) != 0)
		goto error;
	if (setresgid(real_gid, set_gid, set_gid) != 0)
		goto error;

	/* Paranoid check */
	if (geteuid() != set_uid || getegid() != set_gid) {
		printf("d_t: fun\n");
		goto error;
	}

	return;
error:
	printf("d_p: failure\n");
	exit(EXIT_FAILURE);
}