/****************************************************************************
set the real AND effective uid to the current effective uid in a way that
allows root to be regained.
This is only possible on some platforms.
****************************************************************************/
int set_re_uid(void)
{
uid_t uid = geteuid();
#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
samba_setresuid(uid, uid, -1);
#endif
#if USE_SETREUID
samba_setreuid(0, 0);
samba_setreuid(uid, -1);
samba_setreuid(-1, uid);
#endif
#if USE_SETEUID
/* can't be done */
return -1;
#endif
#if USE_SETUIDX
/* can't be done */
return -1;
#endif
assert_uid(uid, uid);
return 0;
}
/****************************************************************************
set the real AND effective uid to the current effective uid in a way that
allows root to be regained.
This is only possible on some platforms.
****************************************************************************/
int set_re_uid(void)
{
uid_t uid = geteuid();
#if USE_SETRESUID
setresuid(geteuid(), -1, -1);
#endif
#if USE_SETREUID
setreuid(0, 0);
setreuid(uid, -1);
setreuid(-1, uid);
#endif
#if USE_SETEUID
/* can't be done */
return -1;
#endif
#if USE_SETUIDX
/* can't be done */
return -1;
#endif
assert_uid(uid, uid);
return 0;
}
/****************************************************************************
Set effective uid, and possibly the real uid too.
We want to end up with either:
ruid==uid and euid==uid
or
ruid==0 and euid==uid
depending on what the local OS will allow us to regain root from.
****************************************************************************/
void set_effective_uid(uid_t uid)
{
#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
/* Set the effective as well as the real uid. */
if (samba_setresuid(uid,uid,-1) == -1) {
if (errno == EAGAIN) {
DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
"might be over its NPROC limit\n",
(int)uid));
}
}
#endif
#if USE_SETREUID
samba_setreuid(-1,uid);
#endif
#if USE_SETEUID
samba_seteuid(uid);
#endif
#if USE_SETUIDX
samba_setuidx(ID_EFFECTIVE, uid);
#endif
assert_uid(-1, uid);
}
/****************************************************************************
Become the specified uid and gid - permanently !
there should be no way back if possible
****************************************************************************/
void become_user_permanently(uid_t uid, gid_t gid)
{
/*
* First - gain root privilege. We do this to ensure
* we can lose it again.
*/
gain_root_privilege();
gain_root_group_privilege();
#if USE_SETRESUID
setresgid(gid,gid,gid);
setgid(gid);
setresuid(uid,uid,uid);
setuid(uid);
#endif
#if USE_SETREUID
setregid(gid,gid);
setgid(gid);
setreuid(uid,uid);
setuid(uid);
#endif
#if USE_SETEUID
setegid(gid);
setgid(gid);
setuid(uid);
seteuid(uid);
setuid(uid);
#endif
#if USE_SETUIDX
setgidx(ID_REAL, gid);
setgidx(ID_EFFECTIVE, gid);
setgid(gid);
setuidx(ID_REAL, uid);
setuidx(ID_EFFECTIVE, uid);
setuid(uid);
#endif
assert_uid(uid, uid);
assert_gid(gid, gid);
}
static void restore_re_uid_fromroot(void)
{
#if USE_SETRESUID
setresuid(saved_ruid, saved_euid, -1);
#elif USE_SETREUID
setreuid(saved_ruid, -1);
setreuid(-1,saved_euid);
#elif USE_SETUIDX
setuidx(ID_REAL, saved_ruid);
setuidx(ID_EFFECTIVE, saved_euid);
#else
set_effective_uid(saved_euid);
if (getuid() != saved_ruid)
setuid(saved_ruid);
set_effective_uid(saved_euid);
#endif
assert_uid(saved_ruid, saved_euid);
}
void restore_re_uid_fromroot(void)
{
#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
samba_setresuid(saved_ruid, saved_euid, -1);
#elif USE_SETREUID
samba_setreuid(saved_ruid, -1);
samba_setreuid(-1,saved_euid);
#elif USE_SETUIDX
samba_setuidx(ID_REAL, saved_ruid);
samba_setuidx(ID_EFFECTIVE, saved_euid);
#else
set_effective_uid(saved_euid);
if (getuid() != saved_ruid)
samba_setuid(saved_ruid);
set_effective_uid(saved_euid);
#endif
assert_uid(saved_ruid, saved_euid);
}
/****************************************************************************
Set *only* the effective uid.
we want to end up with ruid==0 and euid==uid
****************************************************************************/
void set_effective_uid(uid_t uid)
{
#if USE_SETRESUID
setresuid(-1,uid,-1);
#endif
#if USE_SETREUID
setreuid(-1,uid);
#endif
#if USE_SETEUID
seteuid(uid);
#endif
#if USE_SETUIDX
setuidx(ID_EFFECTIVE, uid);
#endif
assert_uid(-1, uid);
}
/****************************************************************************
Set effective uid, and possibly the real uid too.
We want to end up with either:
ruid==uid and euid==uid
or
ruid==0 and euid==uid
depending on what the local OS will allow us to regain root from.
****************************************************************************/
void set_effective_uid(uid_t uid)
{
#if USE_SETRESUID
/* Set the effective as well as the real uid. */
setresuid(uid,uid,-1);
#endif
#if USE_SETREUID
setreuid(-1,uid);
#endif
#if USE_SETEUID
seteuid(uid);
#endif
#if USE_SETUIDX
setuidx(ID_EFFECTIVE, uid);
#endif
assert_uid(-1, uid);
}
/****************************************************************************
Gain root privilege before doing something.
We want to end up with ruid==euid==0
****************************************************************************/
void gain_root_privilege(void)
{
#if USE_SETRESUID
setresuid(0,0,0);
#endif
#if USE_SETEUID
seteuid(0);
#endif
#if USE_SETREUID
setreuid(0, 0);
#endif
#if USE_SETUIDX
setuidx(ID_EFFECTIVE, 0);
setuidx(ID_REAL, 0);
#endif
/* this is needed on some systems */
setuid(0);
assert_uid(0, 0);
}
/****************************************************************************
Gain root privilege before doing something.
We want to end up with ruid==euid==0
****************************************************************************/
void gain_root_privilege(void)
{
#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
samba_setresuid(0,0,0);
#endif
#if USE_SETEUID
samba_seteuid(0);
#endif
#if USE_SETREUID
samba_setreuid(0, 0);
#endif
#if USE_SETUIDX
samba_setuidx(ID_EFFECTIVE, 0);
samba_setuidx(ID_REAL, 0);
#endif
/* this is needed on some systems */
samba_setuid(0);
assert_uid(0, 0);
}
