void
__libc_init_secure (void)
{
if (__libc_enable_secure_decided == 0)
__libc_enable_secure = (__geteuid () != __getuid ()
|| __getegid () != __getgid ());
}
int
getnetname (char name[MAXNETNAMELEN + 1])
{
uid_t uid;
int dummy;
uid = __geteuid ();
if (uid == 0)
dummy = host2netname (name, NULL, NULL);
else
dummy = user2netname (name, uid, NULL);
return (dummy);
}
static int
__msgwrite (int sock, void *data, size_t cnt)
{
#ifndef SCM_CREDENTIALS
/* We cannot implement this reliably. */
__set_errno (ENOSYS);
return -1;
#else
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg = &cm.cmsg;
struct ucred cred;
int len;
/* XXX I'm not sure, if gete?id() is always correct, or if we should use
get?id(). But since keyserv needs geteuid(), we have no other chance.
It would be much better, if the kernel could pass both to the server. */
cred.pid = __getpid ();
cred.uid = __geteuid ();
cred.gid = __getegid ();
memcpy (CMSG_DATA(cmsg), &cred, sizeof (struct ucred));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_CREDENTIALS;
cmsg->cmsg_len = sizeof(*cmsg) + sizeof(struct ucred);
iov.iov_base = data;
iov.iov_len = cnt;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_ALIGN(cmsg->cmsg_len);
msg.msg_flags = 0;
restart:
len = sendmsg (sock, &msg, 0);
if (len >= 0)
return len;
if (errno == EINTR)
goto restart;
return -1;
#endif
}
int
faccessat (int fd, const char *file, int mode, int flag)
{
if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS))
return INLINE_SYSCALL_ERROR_RETURN_VALUE (EINVAL);
if ((flag == 0 || ((flag & ~AT_EACCESS) == 0 && ! __libc_enable_secure)))
return INLINE_SYSCALL (faccessat, 3, fd, file, mode);
struct stat64 stats;
if (__fxstatat64 (_STAT_VER, fd, file, &stats, flag & AT_SYMLINK_NOFOLLOW))
return -1;
mode &= (X_OK | W_OK | R_OK); /* Clear any bogus bits. */
#if R_OK != S_IROTH || W_OK != S_IWOTH || X_OK != S_IXOTH
# error Oops, portability assumptions incorrect.
#endif
if (mode == F_OK)
return 0; /* The file exists. */
uid_t uid = (flag & AT_EACCESS) ? __geteuid () : __getuid ();
/* The super-user can read and write any file, and execute any file
that anyone can execute. */
if (uid == 0 && ((mode & X_OK) == 0
|| (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))))
return 0;
int granted = (uid == stats.st_uid
? (unsigned int) (stats.st_mode & (mode << 6)) >> 6
: (stats.st_gid == ((flag & AT_EACCESS)
? __getegid () : __getgid ())
|| __group_member (stats.st_gid))
? (unsigned int) (stats.st_mode & (mode << 3)) >> 3
: (stats.st_mode & mode));
if (granted == mode)
return 0;
return INLINE_SYSCALL_ERROR_RETURN_VALUE (EACCES);
}
static int
internal_function
key_call_keyenvoy (u_long proc, xdrproc_t xdr_arg, char *arg,
xdrproc_t xdr_rslt, char *rslt)
{
XDR xdrargs;
XDR xdrrslt;
FILE *fargs;
FILE *frslt;
sigset_t oldmask, mask;
union wait status;
int pid;
int success;
uid_t ruid;
uid_t euid;
static const char MESSENGER[] = "/usr/etc/keyenvoy";
success = 1;
sigemptyset (&mask);
sigaddset (&mask, SIGCHLD);
__sigprocmask (SIG_BLOCK, &mask, &oldmask);
/*
* We are going to exec a set-uid program which makes our effective uid
* zero, and authenticates us with our real uid. We need to make the
* effective uid be the real uid for the setuid program, and
* the real uid be the effective uid so that we can change things back.
*/
euid = __geteuid ();
ruid = __getuid ();
__setreuid (euid, ruid);
pid = _openchild (MESSENGER, &fargs, &frslt);
__setreuid (ruid, euid);
if (pid < 0)
{
debug ("open_streams");
__sigprocmask (SIG_SETMASK, &oldmask, NULL);
return (0);
}
xdrstdio_create (&xdrargs, fargs, XDR_ENCODE);
xdrstdio_create (&xdrrslt, frslt, XDR_DECODE);
if (!INTUSE(xdr_u_long) (&xdrargs, &proc) || !(*xdr_arg) (&xdrargs, arg))
{
debug ("xdr args");
success = 0;
}
fclose (fargs);
if (success && !(*xdr_rslt) (&xdrrslt, rslt))
{
debug ("xdr rslt");
success = 0;
}
fclose(frslt);
wait_again:
if (__wait4 (pid, &status, 0, NULL) < 0)
{
if (errno == EINTR)
goto wait_again;
debug ("wait4");
if (errno == ECHILD || errno == ESRCH)
perror ("wait");
else
success = 0;
}
else
if (status.w_retcode)
{
debug ("wait4 1");
success = 0;
}
__sigprocmask (SIG_SETMASK, &oldmask, NULL);
return success;
}
static bool_t
rendezvous_request (SVCXPRT *xprt, struct rpc_msg *errmsg)
{
int sock;
struct unix_rendezvous *r;
struct sockaddr_un addr;
struct sockaddr_in in_addr;
socklen_t len;
r = (struct unix_rendezvous *) xprt->xp_p1;
again:
len = sizeof (struct sockaddr_un);
if ((sock = accept (xprt->xp_sock, (struct sockaddr *) &addr, &len)) < 0)
{
if (errno == EINTR)
goto again;
if (errno == EMFILE)
{
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
__nanosleep(&ts , NULL);
}
return FALSE;
}
/*
* make a new transporter (re-uses xprt)
*/
memset (&in_addr, '\0', sizeof (in_addr));
in_addr.sin_family = AF_UNIX;
xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */
}
static enum xprt_stat
rendezvous_stat (SVCXPRT *xprt)
{
return XPRT_IDLE;
}
static void
svcunix_destroy (SVCXPRT *xprt)
{
struct unix_conn *cd = (struct unix_conn *) xprt->xp_p1;
xprt_unregister (xprt);
__close (xprt->xp_sock);
if (xprt->xp_port != 0)
{
/* a rendezvouser socket */
xprt->xp_port = 0;
}
else
{
/* an actual connection socket */
XDR_DESTROY (&(cd->xdrs));
}
mem_free ((caddr_t) cd, sizeof (struct unix_conn));
mem_free ((caddr_t) xprt, sizeof (SVCXPRT));
}
#ifdef SCM_CREDENTIALS
struct cmessage {
struct cmsghdr cmsg;
struct ucred cmcred;
/* hack to make sure we have enough memory */
char dummy[(CMSG_ALIGN (sizeof (struct ucred)) - sizeof (struct ucred) + sizeof (long))];
};
/* XXX This is not thread safe, but since the main functions in svc.c
and the rpcgen generated *_svc functions for the daemon are also not
thread safe and uses static global variables, it doesn't matter. */
static struct cmessage cm;
#endif
static int
__msgread (int sock, void *data, size_t cnt)
{
struct iovec iov;
struct msghdr msg;
int len;
iov.iov_base = data;
iov.iov_len = cnt;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
#ifdef SCM_CREDENTIALS
msg.msg_control = (caddr_t) &cm;
msg.msg_controllen = sizeof (struct cmessage);
#endif
msg.msg_flags = 0;
#ifdef SO_PASSCRED
{
int on = 1;
if (__setsockopt (sock, SOL_SOCKET, SO_PASSCRED, &on, sizeof (on)))
return -1;
}
#endif
restart:
len = __recvmsg (sock, &msg, 0);
if (len >= 0)
{
if (msg.msg_flags & MSG_CTRUNC || len == 0)
return 0;
else
return len;
}
if (errno == EINTR)
goto restart;
return -1;
}
static int
__msgwrite (int sock, void *data, size_t cnt)
{
#ifndef SCM_CREDENTIALS
/* We cannot implement this reliably. */
__set_errno (ENOSYS);
return -1;
#else
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg = &cm.cmsg;
struct ucred cred;
int len;
/* XXX I'm not sure, if gete?id() is always correct, or if we should use
get?id(). But since keyserv needs geteuid(), we have no other chance.
It would be much better, if the kernel could pass both to the server. */
cred.pid = __getpid ();
cred.uid = __geteuid ();
cred.gid = __getegid ();
memcpy (CMSG_DATA(cmsg), &cred, sizeof (struct ucred));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_CREDENTIALS;
cmsg->cmsg_len = sizeof(*cmsg) + sizeof(struct ucred);
iov.iov_base = data;
iov.iov_len = cnt;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_ALIGN(cmsg->cmsg_len);
msg.msg_flags = 0;
restart:
len = __sendmsg (sock, &msg, 0);
if (len >= 0)
return len;
if (errno == EINTR)
goto restart;
return -1;
#endif
}
init_secure (void)
{
__libc_enable_secure = (__geteuid () != __getuid () ||
__getegid () != __getgid ());
}
#endif
if (stat64 (path, &stats))
return -1;
mode &= (X_OK | W_OK | R_OK); /* Clear any bogus bits. */
#if R_OK != S_IROTH || W_OK != S_IWOTH || X_OK != S_IXOTH
?error Oops, portability assumptions incorrect.
#endif
if (mode == F_OK)
return 0; /* The file exists. */
#ifdef _LIBC
/* Now we need the IDs. */
euid = __geteuid ();
egid = __getegid ();
if (__getuid () == euid && __getgid () == egid)
/* If we are not set-uid or set-gid, access does the same. */
return __access (path, mode);
#endif
/* The super-user can read and write any file, and execute any file
that anyone can execute. */
if (euid == 0 && ((mode & X_OK) == 0
|| (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))))
return 0;
if (euid == stats.st_uid)
granted = (unsigned int) (stats.st_mode & (mode << 6)) >> 6;
