/*-------------------------------------------------------------------*/ DLL_EXPORT int drop_all_caps(void) { uid_t uid; cap_t c; int rc; int failed; int have_capt; /* If *real* userid is root, no need to do all this */ uid=getuid(); if(!uid) return 0; failed=1; have_capt=0; do { c=cap_from_text("all-eip"); if(!c) break; have_capt=1; rc=cap_set_proc(c); if(rc<0) break; failed=0; } while(0); if(have_capt) cap_free(c); return failed; }
/* Returns 1 if memory was locked, 0 if not. */ int secmem_init( size_t n ) { if( !n ) { #ifndef __riscos__ #ifdef USE_CAPABILITIES /* drop all capabilities */ cap_set_proc( cap_from_text("all-eip") ); #elif !defined(HAVE_DOSISH_SYSTEM) uid_t uid; disable_secmem=1; uid = getuid(); if( uid != geteuid() ) { if( setuid( uid ) || getuid() != geteuid() || !setuid(0) ) log_fatal("failed to drop setuid\n" ); } #endif #endif /* !__riscos__ */ } else { if( n < DEFAULT_POOLSIZE ) n = DEFAULT_POOLSIZE; if( !pool_okay ) init_pool(n); else log_error("Oops, secure memory pool already initialized\n"); } return !show_warning; }
int do_cap_set_file (const char *path, const char *capstr) { cap_t cap; int r; cap = cap_from_text (capstr); if (cap == NULL) { reply_with_perror ("could not parse cap string: %s: cap_from_text", capstr); return -1; } CHROOT_IN; r = cap_set_file (path, cap); CHROOT_OUT; if (r == -1) { reply_with_perror ("%s", path); cap_free (cap); return -1; } cap_free (cap); return 0; }
static int bin_cap(char *nam, char **argv, UNUSED(Options ops), UNUSED(int func)) { int ret = 0; cap_t caps; if(*argv) { unmetafy(*argv, NULL); caps = cap_from_text(*argv); if(!caps) { zwarnnam(nam, "invalid capability string"); return 1; } if(cap_set_proc(caps)) { zwarnnam(nam, "can't change capabilities: %e", errno); ret = 1; } } else { char *result = NULL; ssize_t length; caps = cap_get_proc(); if(caps) result = cap_to_text(caps, &length); if(!caps || !result) { zwarnnam(nam, "can't get capabilities: %e", errno); ret = 1; } else puts(result); } cap_free(caps); return ret; }
static PyObject * strcaps_set_file(PyObject *self, PyObject *args) { // (str) caps, (int) fd / (str) path / (file) file char *strcaps; PyObject *file; if (!PyArg_ParseTuple(args, "etO", Py_FileSystemDefaultEncoding, &strcaps, &file)) return NULL; cap_t caps; if ((caps = cap_from_text(strcaps)) == NULL) { PyErr_SetString(PyExc_ValueError, "Invalid capability specification"); PyMem_Free(strcaps); return NULL; } PyMem_Free(strcaps); int err; if (PyFile_Check(file)) err = cap_set_fd(PyObject_AsFileDescriptor(file), caps); else if (PyInt_Check(file)) err = cap_set_fd(PyInt_AsLong(file), caps); else if (PyString_Check(file)) err = cap_set_file(PyString_AsString(file), caps); else if (PyUnicode_Check(file)) { PyObject *file_dec = PyUnicode_AsEncodedString( file, Py_FileSystemDefaultEncoding, "strict" ); if (file_dec == NULL) return NULL; err = cap_set_file(PyString_AsString(file_dec), caps); Py_DECREF(file_dec); } else { PyErr_SetString( PyExc_TypeError, "Expecting file object, descriptor int or path string" ); cap_free(caps); return NULL; } cap_free(caps); if (err) { PyErr_SetFromErrno(PyExc_OSError); return NULL; } Py_RETURN_NONE; };
/** * g_process_change_caps: * * Change the current capset to the value specified by the user. causes the * startup process to fail if this function returns FALSE, but we only do * this if the capset cannot be parsed, otherwise a failure changing the * capabilities will not result in failure * * Returns: TRUE to indicate success **/ static gboolean g_process_change_caps(void) { if (g_process_is_cap_enabled()) { cap_t cap = cap_from_text(process_opts.caps); if (cap == NULL) { g_process_message("Error parsing capabilities: %s", process_opts.caps); process_opts.caps = NULL; process_opts.enable_caps = FALSE; return FALSE; } else { if (cap_set_proc(cap) == -1) { g_process_message("Error setting capabilities, capability management disabled; error='%s'", g_strerror(errno)); process_opts.caps = NULL; process_opts.enable_caps = FALSE; } cap_free(cap); } } return TRUE; }
PyObject* do_set_cap(PyObject *self, PyObject *args) { const char *cap_text; cap_t caps; if (!PyArg_ParseTuple(args, "s", &cap_text)) { return NULL; } caps = cap_from_text(cap_text); if (!caps) { PyErr_SetFromErrno(ImmunityException); return NULL; } if (cap_set_proc(caps) == -1) { PyErr_SetFromErrno(ImmunityException); return NULL; } if (cap_free(caps)) { PyErr_SetFromErrno(ImmunityException); return NULL; } Py_INCREF(Py_None); return Py_None; }
int fork_drop_and_exec(int keepperms, cap_t expected_caps) { int pid; int ret = 0; char buf[200], *p; char *capstxt; cap_t actual_caps; static int seqno; pid = fork(); if (pid < 0) tst_brkm(TFAIL | TERRNO, NULL, "%s: failed fork\n", __func__); if (pid == 0) { drop_root(keepperms); print_my_caps(); sprintf(buf, "%d", seqno); ret = execlp(TSTPATH, TSTPATH, buf, NULL); capstxt = cap_to_text(expected_caps, NULL); snprintf(buf, 200, "failed to run as %s\n", capstxt); cap_free(capstxt); write_to_fifo(buf); tst_brkm(TFAIL, NULL, "%s: exec failed\n", __func__); } else { p = buf; while (1) { int c, s; read_from_fifo(buf); c = sscanf(buf, "%d", &s); if (c == 1 && s == seqno) break; tst_resm(TINFO, "got a bad seqno (c=%d, s=%d, seqno=%d)", c, s, seqno); } p = index(buf, '.'); if (!p) tst_brkm(TFAIL, NULL, "got a bad message from print_caps\n"); p += 1; actual_caps = cap_from_text(p); if (cap_compare(actual_caps, expected_caps) != 0) { capstxt = cap_to_text(expected_caps, NULL); tst_resm(TINFO, "Expected to run as .%s., ran as .%s..\n", capstxt, p); tst_resm(TINFO, "those are not the same\n"); cap_free(capstxt); ret = -1; } cap_free(actual_caps); seqno++; } return ret; }
static void set_caps() { if (capsText != NULL) { cap_t caps = cap_from_text(capsText); if (caps == NULL) errx(50, "Failed to parse capabilities: %s", capsText); if (cap_set_proc(caps) < 0) err(50, "Failed to set capabilities"); cap_free(caps); } }
int main() { #ifdef HAVE_LIBCAP cap_t caps, caps2; int ret; caps = cap_from_text("cap_setpcap+ep"); caps2 = cap_from_text("cap_setpcap+ep"); ret = cap_set_proc(caps); ret = cap_compare(caps, caps2); printf("Caps were %sthe same\n", ret ? "not " : ""); cap_free(caps); cap_free(caps2); return ret; #else printf("System doesn't support full POSIX capabilities.\n"); return 1; #endif }
void *chg_uid_gid(void *arg) { cap_t newcaps; cap_t mycaps; int ret; test_msg("Aux thread runs as UID: %d; GID: %d\n", getuid(), getgid()); newcaps = cap_from_text("cap_setgid,cap_setuid=+eip"); if (!newcaps) { pr_perror("Failed to get capability struct\n"); exit(1); } ret = cap_set_proc(newcaps); if (ret) { pr_perror("Failed to set capabilities for the process\n"); exit(1); } mycaps = cap_get_proc(); if (!mycaps) { pr_perror("Failed to get child thread capabilities\n"); exit_group(2); } test_msg("Child capabilities: %s\n", cap_to_text(mycaps, NULL)); test_msg("Changing UID/GID in child thread to %d:%d\n", uid, gid); ret = syscall(SYS_setresgid, gid, gid, gid); if (ret >= 0) { syscall(SYS_setresuid, uid, uid, uid); } else if (ret < 0) { pr_perror("Failed to change UID/GID\n"); exit_group(2); } gid = getgid(); uid = getuid(); test_msg("Now aux thread runs as UID: %d; GID: %d\n", uid, gid); test_msg("Child thread is waiting for main thread's signal\n"); task_waiter_complete(&t, 1); pthread_mutex_lock(&mutex); while (!done) { pthread_cond_wait(&cond, &mutex); } pthread_mutex_unlock(&mutex); test_msg("Child thread returns\n"); return NULL; }
int set_caps_from_text(char *capstr) { cap_t caps = cap_from_text(capstr); int ret; if (!caps) { tst_resm(TFAIL, "Bad capability name: %s\n", capstr); return 1; } ret = cap_set_proc(caps); cap_free(caps); return ret; }
static int fsmSetFCaps(const char *path, const char *captxt) { int rc = 0; #if WITH_CAP if (captxt && *captxt != '\0') { cap_t fcaps = cap_from_text(captxt); if (fcaps == NULL || cap_set_file(path, fcaps) != 0) { rc = RPMERR_SETCAP_FAILED; } cap_free(fcaps); } #endif return rc; }
int main(int argc, char *argv[]) { #if HAVE_SYS_CAPABILITY_H #ifdef HAVE_LIBCAP int ret = 1; cap_flag_value_t f; cap_t cur = 0; /* Make sure CAP_SYS_ADMIN is in pI */ cur = cap_from_text("all=eip"); if (!cur) { tst_resm(TBROK, "Failed to create cap_sys_admin+i cap_t (errno %d)\n", errno); tst_exit(); } ret = cap_set_proc(cur); if (ret) { tst_resm(TBROK, "Failed to cap_set_proc with cap_sys_admin+i (ret %d errno %d)\n", ret, errno); tst_exit(); } cap_free(cur); cur = cap_get_proc(); ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f); if (ret || f != CAP_SET) { tst_resm(TBROK, "Failed to add CAP_SYS_ADMIN to pI\n"); tst_exit(); } cap_free(cur); /* drop the capability from bounding set */ ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN); if (ret) { tst_resm(TFAIL, "Failed to drop CAP_SYS_ADMIN from bounding set.\n"); tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno); tst_exit(); } /* execute "check_pe 1" */ execl("check_pe", "check_pe", "1", NULL); tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno); #else /* HAVE_LIBCAP */ tst_resm(TCONF, "System doesn't have POSIX capabilities."); #endif #else /* HAVE_SYS_CAPABILITY_H */ tst_resm(TCONF, "System doesn't have sys/capability.h."); #endif tst_exit(); }
/* * See documentation in vqe_caps.h */ vqe_cap_ret_t vqe_keep_cap (uid_t new_uid, gid_t new_gid, const char *cap_string) { boolean retval = FALSE; cap_t caps; /* Create cap object from text string, be sure to keep CAP_SETUID */ caps = cap_from_text(cap_string); if (!caps) { retval = VQE_CAP_TEXTCAP; goto bail; } /* Set option to keep capabilities through a UID/GID change */ if (prctl(PR_SET_KEEPCAPS, 1) != 0) { retval = VQE_CAP_PRCTL; goto bail; } /* Drop capabilities to a lower user/group */ if (setgid(new_gid) != 0) { retval = VQE_CAP_SETGID; goto bail; } if (setuid(new_uid) != 0) { retval = VQE_CAP_SETUID; goto bail; } /* Set capabilities to given set */ if (cap_set_proc(caps) == -1) { retval = VQE_CAP_SETCAP; goto bail; } bail: if (caps) cap_free(caps); return (retval); }
static _Bool nsm_clear_capabilities(void) { cap_t caps; caps = cap_from_text("cap_net_bind_service=ep"); if (caps == NULL) { xlog(L_ERROR, "Failed to allocate capability: %m"); return false; } if (cap_set_proc(caps) == -1) { xlog(L_ERROR, "Failed to set capability flags: %m"); (void)cap_free(caps); return false; } (void)cap_free(caps); return true; }
static PyObject * strcaps_set_process(PyObject *self, PyObject *args) { // (str) caps, (int) pid or None char *strcaps; int pid = 0; if (!PyArg_ParseTuple(args, "et|i", Py_FileSystemDefaultEncoding, &strcaps, &pid)) return NULL; cap_t caps; if ((caps = cap_from_text(strcaps)) == NULL) { PyErr_SetString(PyExc_ValueError, "Invalid capability specification"); PyMem_Free(strcaps); return NULL; } PyMem_Free(strcaps); int err; if (!pid) err = cap_set_proc(caps); else err = capsetp(pid, caps); if (err) { PyErr_SetFromErrno(PyExc_OSError); cap_free(caps); return NULL; } cap_free(caps); Py_RETURN_NONE; };
/* See _gcry_secmem_init. This function is expected to be called with the secmem lock held. */ static void secmem_init (size_t n) { if (!n) { #ifdef USE_CAPABILITIES /* drop all capabilities */ { cap_t cap; cap = cap_from_text ("all-eip"); cap_set_proc (cap); cap_free (cap); } #elif !defined(HAVE_DOSISH_SYSTEM) uid_t uid; disable_secmem = 1; uid = getuid (); if (uid != geteuid ()) { if (setuid (uid) || getuid () != geteuid () || !setuid (0)) log_fatal ("failed to drop setuid\n"); } #endif } else { if (n < MINIMUM_POOL_SIZE) n = MINIMUM_POOL_SIZE; if (! pool_okay) { init_pool (n); lock_pool (pool, n); } else log_error ("Oops, secure memory pool already initialized\n"); } }
static int bin_setcap(char *nam, char **argv, UNUSED(Options ops), UNUSED(int func)) { cap_t caps; int ret = 0; unmetafy(*argv, NULL); caps = cap_from_text(*argv++); if(!caps) { zwarnnam(nam, "invalid capability string"); return 1; } do { if(cap_set_file(unmetafy(dupstring(*argv), NULL), caps)) { zwarnnam(nam, "%s: %e", *argv, errno); ret = 1; } } while(*++argv); cap_free(caps); return ret; }
static PyObject * pycap_set_proc(PyObject *self, PyObject *args) { char *cap_str; cap_t cap; if (!PyArg_ParseTuple(args, "s", &cap_str)) { return NULL; } if ((cap = cap_from_text(cap_str)) == NULL) { PyErr_SetFromErrno(PyExc_OSError); return NULL; } if (cap_set_proc(cap)) { PyErr_SetFromErrno(PyExc_OSError); cap_free(cap); return NULL; } cap_free(cap); Py_RETURN_NONE; }
/* Initialize the secure memory system. If running with the necessary privileges, the secure memory pool will be locked into the core in order to prevent page-outs of the data. Furthermore allocated secure memory will be wiped out when released. */ void _gcry_secmem_init (size_t n) { SECMEM_LOCK; if (!n) { #ifdef USE_CAPABILITIES /* drop all capabilities */ cap_set_proc (cap_from_text ("all-eip")); #elif !defined(HAVE_DOSISH_SYSTEM) uid_t uid; disable_secmem = 1; uid = getuid (); if (uid != geteuid ()) { if (setuid (uid) || getuid () != geteuid () || !setuid (0)) log_fatal ("failed to drop setuid\n"); } #endif } else { if (n < DEFAULT_POOL_SIZE) n = DEFAULT_POOL_SIZE; if (! pool_okay) { init_pool (n); lock_pool (pool, n); } else log_error ("Oops, secure memory pool already initialized\n"); } SECMEM_UNLOCK; }
void drop_root(int keep_perms) { int ret; if (keep_perms) prctl(PR_SET_KEEPCAPS, 1); ret = setresuid(1000, 1000, 1000); if (ret) { tst_brkm(TFAIL | TERRNO, NULL, "Error dropping root privs\n"); tst_exit(); } if (keep_perms) { cap_t cap = cap_from_text("=eip"); int ret; if (!cap) tst_brkm(TBROK | TERRNO, NULL, "cap_from_text failed\n"); ret = cap_set_proc(cap); if (ret < 0) tst_brkm(TBROK | TERRNO, NULL, "cap_set_proc failed\n"); cap_free(cap); } }
int perms_test(void) { int ret; cap_t cap; drop_root(DROP_PERMS); cap = cap_from_text("all=eip"); if (!cap) { tst_resm(TFAIL, "could not get cap from text for perms test\n"); return 1; } ret = cap_set_file(TSTPATH, cap); if (ret) { tst_resm(TPASS, "could not set capabilities as non-root\n"); ret = 0; } else { tst_resm(TFAIL, "could set capabilities as non-root\n"); ret = 1; } cap_free(cap); return ret; }
int hasCaps() { #ifdef HAVE_LCAP cap_t caps; cap_value_t capval; cap_flag_value_t capflag; caps = cap_from_text("cap_net_raw=eip"); if (caps == NULL) { SPINE_LOG_DEBUG(("WARNING: cap_from_text failed.")); return FALSE; } for (capval=0; ;capval++) { if (cap_get_flag(caps, capval, CAP_EFFECTIVE, &capflag)) break; if (capflag != CAP_SET) return FALSE; } return TRUE; #else return FALSE; #endif }
int main(int argc, char **argv) { pthread_t diff_cred_thread; cap_t newcaps; int maingroup; int mainuser; int ret; test_init(argc, argv); task_waiter_init(&t); if (getuid() != 0) { fail("Test is expected to be run with root privileges\n"); exit(1); } test_msg("Acquiring CAP_SETGID and CAP_SETUID...\n"); newcaps = cap_from_text("cap_setgid,cap_setuid=+eip"); if (!newcaps) { pr_perror("Failed to get capability struct\n"); exit(1); } ret = cap_set_proc(newcaps); if (ret) { pr_perror("Failed to set capabilities for the process\n"); exit(1); } ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); if (ret) { pr_perror("Unable to set KEEPCAPS\n"); exit(1); } test_msg("Main thread runs as UID: %d; GID: %d\n", getuid(), getgid()); gid = 99; uid = 99; maingroup = 8; mainuser = 12; test_msg("Creating thread with different UID/GID\n"); ret = pthread_create(&diff_cred_thread, NULL, &chg_uid_gid, NULL); task_waiter_wait4(&t, 1); test_msg("Relinquishing root privileges\n"); ret = syscall(SYS_setresgid, maingroup, maingroup, maingroup); if (ret >= 0) { ret = syscall(SYS_setresuid, mainuser, mainuser, mainuser); } else if (ret < 0) { pr_perror("Failed to drop privileges\n"); exit(1); } test_msg("Now main thread runs as UID: %d; GID: %d\n", getuid(), getgid()); if (gid == getgid() || uid == getuid()) { pr_perror("Thread credentials match\n"); exit(1); } test_msg("Main thread is waiting for signal\n"); test_daemon(); test_waitsig(); if (gid == getgid() || uid == getuid()) { pr_perror("Thread credentials match after restore\n"); exit(1); } pthread_mutex_lock(&mutex); done = 1; pthread_cond_signal(&cond); pthread_mutex_unlock(&mutex); pthread_join(diff_cred_thread, NULL); test_msg("Threads joined\n"); pass(); return 0; }
static void lock_pool( void *p, size_t n ) { #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK) int err; cap_set_proc( cap_from_text("cap_ipc_lock+ep") ); err = mlock( p, n ); if( err && errno ) err = errno; cap_set_proc( cap_from_text("cap_ipc_lock+p") ); if( err ) { if( errno != EPERM #ifdef EAGAIN /* OpenBSD returns this */ && errno != EAGAIN #endif #ifdef ENOSYS /* Some SCOs return this (function not implemented) */ && errno != ENOSYS #endif #ifdef ENOMEM /* Linux can return this */ && errno != ENOMEM #endif ) log_error("can't lock memory: %s\n", strerror(err)); show_warning = 1; } #elif defined(HAVE_MLOCK) uid_t uid; int err; uid = getuid(); #ifdef HAVE_BROKEN_MLOCK /* ick. but at least we get secured memory. about to lock entire data segment. */ #ifdef HAVE_PLOCK # ifdef _AIX /* The configure for AIX returns broken mlock but the plock has the strange requirement to somehow set the stack limit first. The problem might turn out in indeterministic program behaviour and hanging processes which can somehow be solved when enough processes are clogging up the memory. To get this problem out of the way we simply don't try to lock the memory at all. */ errno = EPERM; err = errno; # else /* !_AIX */ err = plock( DATLOCK ); if( err && errno ) err = errno; # endif /*_AIX*/ #else /*!HAVE_PLOCK*/ if( uid ) { errno = EPERM; err = errno; } else { err = mlock( p, n ); if( err && errno ) err = errno; } #endif /*!HAVE_PLOCK*/ #else err = mlock( p, n ); if( err && errno ) err = errno; #endif if( uid && !geteuid() ) { /* check that we really dropped the privs. * Note: setuid(0) should always fail */ if( setuid( uid ) || getuid() != geteuid() || !setuid(0) ) log_fatal("failed to reset uid: %s\n", strerror(errno)); } if( err ) { if( errno != EPERM #ifdef EAGAIN /* OpenBSD returns this */ && errno != EAGAIN #endif #ifdef ENOSYS /* Some SCOs return this (function not implemented) */ && errno != ENOSYS #endif #ifdef ENOMEM /* Linux can return this */ && errno != ENOMEM #endif ) #ifdef __VMS log_warning ("can't lock memory: %s\n", strerror(err)); #else log_error ("can't lock memory: %s\n", strerror(err)); #endif show_warning = 1; } #elif defined ( __QNX__ ) /* QNX does not page at all, so the whole secure memory stuff does * not make much sense. However it is still of use because it * wipes out the memory on a free(). * Therefore it is sufficient to suppress the warning */ #elif defined (HAVE_DOSISH_SYSTEM) || defined (__CYGWIN__) /* It does not make sense to print such a warning, given the fact that * this whole Windows !@#$% and their user base are inherently insecure */ #elif defined (__riscos__) /* no virtual memory on RISC OS, so no pages are swapped to disc, * besides we don't have mmap, so we don't use it! ;-) * But don't complain, as explained above. */ #else log_info("Please note that you don't have secure memory on this system\n"); #endif }
/** * Drop any root privileges we might be holding. */ static void supR3HardenedMainDropPrivileges(void) { /* * Try use setre[ug]id since this will clear the save uid/gid and thus * leave fewer traces behind that libs like GTK+ may pick up. */ uid_t euid, ruid, suid; gid_t egid, rgid, sgid; # if defined(RT_OS_DARWIN) /* The really great thing here is that setreuid isn't available on OS X 10.4, libc emulates it. While 10.4 have a slightly different and non-standard setuid implementation compared to 10.5, the following works the same way with both version since we're super user (10.5 req). The following will set all three variants of the group and user IDs. */ setgid(g_gid); setuid(g_uid); euid = geteuid(); ruid = suid = getuid(); egid = getegid(); rgid = sgid = getgid(); # elif defined(RT_OS_SOLARIS) /* Solaris doesn't have setresuid, but the setreuid interface is BSD compatible and will set the saved uid to euid when we pass it a ruid that isn't -1 (which we do). */ setregid(g_gid, g_gid); setreuid(g_uid, g_uid); euid = geteuid(); ruid = suid = getuid(); egid = getegid(); rgid = sgid = getgid(); # else /* This is the preferred one, full control no questions about semantics. PORTME: If this isn't work, try join one of two other gangs above. */ setresgid(g_gid, g_gid, g_gid); setresuid(g_uid, g_uid, g_uid); if (getresuid(&ruid, &euid, &suid) != 0) { euid = geteuid(); ruid = suid = getuid(); } if (getresgid(&rgid, &egid, &sgid) != 0) { egid = getegid(); rgid = sgid = getgid(); } # endif /* Check that it worked out all right. */ if ( euid != g_uid || ruid != g_uid || suid != g_uid || egid != g_gid || rgid != g_gid || sgid != g_gid) supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!" " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n", euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid); # if RT_OS_LINUX /* * Re-enable the cap_net_raw capability which was disabled during setresuid. */ if (g_uCaps != 0) { # ifdef USE_LIB_PCAP /** @todo Warn if that does not work? */ /* XXX cap_net_bind_service */ cap_set_proc(cap_from_text("cap_net_raw+ep")); # else cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr)); cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap)); memset(hdr, 0, sizeof(*hdr)); hdr->version = _LINUX_CAPABILITY_VERSION; memset(cap, 0, sizeof(*cap)); cap->effective = g_uCaps; cap->permitted = g_uCaps; /** @todo Warn if that does not work? */ capset(hdr, cap); # endif /* !USE_LIB_PCAP */ } # endif }
int main(int argc, char *argv[], char *envp[]) { pid_t child; unsigned i; child = 0; for (i=1; i<argc; ++i) { if (!memcmp("--drop=", argv[i], 4)) { char *ptr; cap_t orig, raised_for_setpcap; /* * We need to do this here because --inh=XXX may have reset * orig and it isn't until we are within the --drop code that * we know what the prevailing (orig) pI value is. */ orig = cap_get_proc(); if (orig == NULL) { perror("Capabilities not available"); exit(1); } raised_for_setpcap = cap_dup(orig); if (raised_for_setpcap == NULL) { fprintf(stderr, "BSET modification requires CAP_SETPCAP\n"); exit(1); } if (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, raise_setpcap, CAP_SET) != 0) { perror("unable to select CAP_SETPCAP"); exit(1); } if (strcmp("all", argv[i]+7) == 0) { unsigned j = 0; while (CAP_IS_SUPPORTED(j)) { if (cap_drop_bound(j) != 0) { char *name_ptr; name_ptr = cap_to_name(j); fprintf(stderr, "Unable to drop bounding capability [%s]\n", name_ptr); cap_free(name_ptr); exit(1); } j++; } } else { for (ptr = argv[i]+7; (ptr = strtok(ptr, ",")); ptr = NULL) { /* find name for token */ cap_value_t cap; int status; if (cap_from_name(ptr, &cap) != 0) { fprintf(stderr, "capability [%s] is unknown to libcap\n", ptr); exit(1); } if (cap_set_proc(raised_for_setpcap) != 0) { perror("unable to raise CAP_SETPCAP for BSET changes"); exit(1); } status = prctl(PR_CAPBSET_DROP, cap); if (cap_set_proc(orig) != 0) { perror("unable to lower CAP_SETPCAP post BSET change"); exit(1); } if (status) { fprintf(stderr, "failed to drop [%s=%u]\n", ptr, cap); exit(1); } } } cap_free(raised_for_setpcap); cap_free(orig); } else if (!memcmp("--inh=", argv[i], 6)) { cap_t all, raised_for_setpcap; char *text; char *ptr; all = cap_get_proc(); if (all == NULL) { perror("Capabilities not available"); exit(1); } if (cap_clear_flag(all, CAP_INHERITABLE) != 0) { perror("libcap:cap_clear_flag() internal error"); exit(1); } raised_for_setpcap = cap_dup(all); if ((raised_for_setpcap != NULL) && (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, raise_setpcap, CAP_SET) != 0)) { cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } text = cap_to_text(all, NULL); cap_free(all); if (text == NULL) { perror("Fatal error concerning process capabilities"); exit(1); } ptr = malloc(10 + strlen(argv[i]+6) + strlen(text)); if (ptr == NULL) { perror("Out of memory for inh set"); exit(1); } if (argv[i][6] && strcmp("none", argv[i]+6)) { sprintf(ptr, "%s %s+i", text, argv[i]+6); } else { strcpy(ptr, text); } all = cap_from_text(ptr); if (all == NULL) { perror("Fatal error internalizing capabilities"); exit(1); } cap_free(text); free(ptr); if (raised_for_setpcap != NULL) { /* * This is only for the case that pP does not contain * the requested change to pI.. Failing here is not * indicative of the cap_set_proc(all) failing (always). */ (void) cap_set_proc(raised_for_setpcap); cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } if (cap_set_proc(all) != 0) { perror("Unable to set inheritable capabilities"); exit(1); } /* * Since status is based on orig, we don't want to restore * the previous value of 'all' again here! */ cap_free(all); } else if (!memcmp("--caps=", argv[i], 7)) { cap_t all, raised_for_setpcap; raised_for_setpcap = cap_get_proc(); if (raised_for_setpcap == NULL) { perror("Capabilities not available"); exit(1); } if ((raised_for_setpcap != NULL) && (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, raise_setpcap, CAP_SET) != 0)) { cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } all = cap_from_text(argv[i]+7); if (all == NULL) { fprintf(stderr, "unable to interpret [%s]\n", argv[i]); exit(1); } if (raised_for_setpcap != NULL) { /* * This is only for the case that pP does not contain * the requested change to pI.. Failing here is not * indicative of the cap_set_proc(all) failing (always). */ (void) cap_set_proc(raised_for_setpcap); cap_free(raised_for_setpcap); raised_for_setpcap = NULL; } if (cap_set_proc(all) != 0) { fprintf(stderr, "Unable to set capabilities [%s]\n", argv[i]); exit(1); } /* * Since status is based on orig, we don't want to restore * the previous value of 'all' again here! */ cap_free(all); } else if (!memcmp("--keep=", argv[i], 7)) { unsigned value; int set; value = strtoul(argv[i]+7, NULL, 0); set = prctl(PR_SET_KEEPCAPS, value); if (set < 0) { fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n", value, strerror(errno)); exit(1); } } else if (!memcmp("--chroot=", argv[i], 9)) { int status; cap_t orig, raised_for_chroot; orig = cap_get_proc(); if (orig == NULL) { perror("Capabilities not available"); exit(1); } raised_for_chroot = cap_dup(orig); if (raised_for_chroot == NULL) { perror("Unable to duplicate capabilities"); exit(1); } if (cap_set_flag(raised_for_chroot, CAP_EFFECTIVE, 1, raise_chroot, CAP_SET) != 0) { perror("unable to select CAP_SET_SYS_CHROOT"); exit(1); } if (cap_set_proc(raised_for_chroot) != 0) { perror("unable to raise CAP_SYS_CHROOT"); exit(1); } cap_free(raised_for_chroot); status = chroot(argv[i]+9); if (cap_set_proc(orig) != 0) { perror("unable to lower CAP_SYS_CHROOT"); exit(1); } /* * Given we are now in a new directory tree, its good practice * to start off in a sane location */ status = chdir("/"); cap_free(orig); if (status != 0) { fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9); exit(1); } } else if (!memcmp("--secbits=", argv[i], 10)) { unsigned value; int status; value = strtoul(argv[i]+10, NULL, 0); status = prctl(PR_SET_SECUREBITS, value); if (status < 0) { fprintf(stderr, "failed to set securebits to 0%o/0x%x\n", value, value); exit(1); } } else if (!memcmp("--forkfor=", argv[i], 10)) { unsigned value; value = strtoul(argv[i]+10, NULL, 0); if (value == 0) { goto usage; } child = fork(); if (child < 0) { perror("unable to fork()"); } else if (!child) { sleep(value); exit(0); } } else if (!memcmp("--killit=", argv[i], 9)) { int retval, status; pid_t result; unsigned value; value = strtoul(argv[i]+9, NULL, 0); if (!child) { fprintf(stderr, "no forked process to kill\n"); exit(1); } retval = kill(child, value); if (retval != 0) { perror("Unable to kill child process"); exit(1); } result = waitpid(child, &status, 0); if (result != child) { fprintf(stderr, "waitpid didn't match child: %u != %u\n", child, result); exit(1); } if (WTERMSIG(status) != value) { fprintf(stderr, "child terminated with odd signal (%d != %d)\n" , value, WTERMSIG(status)); exit(1); } } else if (!memcmp("--uid=", argv[i], 6)) { unsigned value; int status; value = strtoul(argv[i]+6, NULL, 0); status = setuid(value); if (status < 0) { fprintf(stderr, "Failed to set uid=%u: %s\n", value, strerror(errno)); exit(1); } } else if (!memcmp("--gid=", argv[i], 6)) { unsigned value; int status; value = strtoul(argv[i]+6, NULL, 0); status = setgid(value); if (status < 0) { fprintf(stderr, "Failed to set gid=%u: %s\n", value, strerror(errno)); exit(1); } } else if (!memcmp("--groups=", argv[i], 9)) { char *ptr, *buf; long length, max_groups; gid_t *group_list; int g_count; length = sysconf(_SC_GETGR_R_SIZE_MAX); buf = calloc(1, length); if (NULL == buf) { fprintf(stderr, "No memory for [%s] operation\n", argv[i]); exit(1); } max_groups = sysconf(_SC_NGROUPS_MAX); group_list = calloc(max_groups, sizeof(gid_t)); if (NULL == group_list) { fprintf(stderr, "No memory for gid list\n"); exit(1); } g_count = 0; for (ptr = argv[i] + 9; (ptr = strtok(ptr, ",")); ptr = NULL, g_count++) { if (max_groups <= g_count) { fprintf(stderr, "Too many groups specified (%d)\n", g_count); exit(1); } if (!isdigit(*ptr)) { struct group *g, grp; getgrnam_r(ptr, &grp, buf, length, &g); if (NULL == g) { fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr); exit(1); } group_list[g_count] = g->gr_gid; } else { group_list[g_count] = strtoul(ptr, NULL, 0); } } free(buf); if (setgroups(g_count, group_list) != 0) { fprintf(stderr, "Failed to setgroups.\n"); exit(1); } free(group_list); } else if (!memcmp("--user="******"User [%s] not known\n", user); exit(1); } ngroups = MAX_GROUPS; status = getgrouplist(user, pwd->pw_gid, groups, &ngroups); if (status < 1) { perror("Unable to get group list for user"); exit(1); } status = setgroups(ngroups, groups); if (status != 0) { perror("Unable to set group list for user"); exit(1); } status = setgid(pwd->pw_gid); if (status < 0) { fprintf(stderr, "Failed to set gid=%u(user=%s): %s\n", pwd->pw_gid, user, strerror(errno)); exit(1); } status = setuid(pwd->pw_uid); if (status < 0) { fprintf(stderr, "Failed to set uid=%u(user=%s): %s\n", pwd->pw_uid, user, strerror(errno)); exit(1); } } else if (!memcmp("--decode=", argv[i], 9)) { unsigned long long value; unsigned cap; const char *sep = ""; /* Note, if capabilities become longer than 64-bits we'll need to fixup the following code.. */ value = strtoull(argv[i]+9, NULL, 16); printf("0x%016llx=", value); for (cap=0; (cap < 64) && (value >> cap); ++cap) { if (value & (1ULL << cap)) { char *ptr; ptr = cap_to_name(cap); if (ptr != NULL) { printf("%s%s", sep, ptr); cap_free(ptr); } else { printf("%s%u", sep, cap); } sep = ","; } } printf("\n"); } else if (!memcmp("--supports=", argv[i], 11)) {
int ntpdmain( int argc, char *argv[] ) { l_fp now; struct recvbuf *rbuf; const char * logfilename; # ifdef HAVE_UMASK mode_t uv; # endif # if defined(HAVE_GETUID) && !defined(MPE) /* MPE lacks the concept of root */ uid_t uid; # endif # if defined(HAVE_WORKING_FORK) long wait_sync = 0; int pipe_fds[2]; int rc; int exit_code; # ifdef _AIX struct sigaction sa; # endif # if !defined(HAVE_SETSID) && !defined (HAVE_SETPGID) && defined(TIOCNOTTY) int fid; # endif # endif /* HAVE_WORKING_FORK*/ # ifdef SCO5_CLOCK int fd; int zero; # endif # ifdef NEED_PTHREAD_WARMUP my_pthread_warmup(); # endif # ifdef HAVE_UMASK uv = umask(0); if (uv) umask(uv); else umask(022); # endif saved_argc = argc; saved_argv = argv; progname = argv[0]; initializing = TRUE; /* mark that we are initializing */ parse_cmdline_opts(&argc, &argv); # ifdef DEBUG debug = OPT_VALUE_SET_DEBUG_LEVEL; # ifdef HAVE_SETLINEBUF setlinebuf(stdout); # endif # endif if (HAVE_OPT(NOFORK) || HAVE_OPT(QUIT) # ifdef DEBUG || debug # endif || HAVE_OPT(SAVECONFIGQUIT)) nofork = TRUE; init_logging(progname, NLOG_SYNCMASK, TRUE); /* honor -l/--logfile option to log to a file */ if (HAVE_OPT(LOGFILE)) { logfilename = OPT_ARG(LOGFILE); syslogit = FALSE; change_logfile(logfilename, FALSE); } else { logfilename = NULL; if (nofork) msyslog_term = TRUE; if (HAVE_OPT(SAVECONFIGQUIT)) syslogit = FALSE; } msyslog(LOG_NOTICE, "%s: Starting", Version); { int i; char buf[1024]; /* Secret knowledge of msyslog buf length */ char *cp = buf; /* Note that every arg has an initial space character */ snprintf(cp, sizeof(buf), "Command line:"); cp += strlen(cp); for (i = 0; i < saved_argc ; ++i) { snprintf(cp, sizeof(buf) - (cp - buf), " %s", saved_argv[i]); cp += strlen(cp); } msyslog(LOG_INFO, "%s", buf); } /* * Install trap handlers to log errors and assertion failures. * Default handlers print to stderr which doesn't work if detached. */ isc_assertion_setcallback(assertion_failed); isc_error_setfatal(library_fatal_error); isc_error_setunexpected(library_unexpected_error); /* MPE lacks the concept of root */ # if defined(HAVE_GETUID) && !defined(MPE) uid = getuid(); if (uid && !HAVE_OPT( SAVECONFIGQUIT )) { msyslog_term = TRUE; msyslog(LOG_ERR, "must be run as root, not uid %ld", (long)uid); exit(1); } # endif /* * Enable the Multi-Media Timer for Windows? */ # ifdef SYS_WINNT if (HAVE_OPT( MODIFYMMTIMER )) set_mm_timer(MM_TIMER_HIRES); # endif #ifdef HAVE_DNSREGISTRATION /* * Enable mDNS registrations? */ if (HAVE_OPT( MDNS )) { mdnsreg = TRUE; } #endif /* HAVE_DNSREGISTRATION */ if (HAVE_OPT( NOVIRTUALIPS )) listen_to_virtual_ips = 0; /* * --interface, listen on specified interfaces */ if (HAVE_OPT( INTERFACE )) { int ifacect = STACKCT_OPT( INTERFACE ); const char** ifaces = STACKLST_OPT( INTERFACE ); sockaddr_u addr; while (ifacect-- > 0) { add_nic_rule( is_ip_address(*ifaces, AF_UNSPEC, &addr) ? MATCH_IFADDR : MATCH_IFNAME, *ifaces, -1, ACTION_LISTEN); ifaces++; } } if (HAVE_OPT( NICE )) priority_done = 0; # ifdef HAVE_SCHED_SETSCHEDULER if (HAVE_OPT( PRIORITY )) { config_priority = OPT_VALUE_PRIORITY; config_priority_override = 1; priority_done = 0; } # endif # ifdef HAVE_WORKING_FORK /* make sure the FDs are initialised */ pipe_fds[0] = -1; pipe_fds[1] = -1; do { /* 'loop' once */ if (!HAVE_OPT( WAIT_SYNC )) break; wait_sync = OPT_VALUE_WAIT_SYNC; if (wait_sync <= 0) { wait_sync = 0; break; } /* -w requires a fork() even with debug > 0 */ nofork = FALSE; if (pipe(pipe_fds)) { exit_code = (errno) ? errno : -1; msyslog(LOG_ERR, "Pipe creation failed for --wait-sync: %m"); exit(exit_code); } waitsync_fd_to_close = pipe_fds[1]; } while (0); /* 'loop' once */ # endif /* HAVE_WORKING_FORK */ init_lib(); # ifdef SYS_WINNT /* * Start interpolation thread, must occur before first * get_systime() */ init_winnt_time(); # endif /* * Initialize random generator and public key pair */ get_systime(&now); ntp_srandom((int)(now.l_i * now.l_uf)); /* * Detach us from the terminal. May need an #ifndef GIZMO. */ if (!nofork) { # ifdef HAVE_WORKING_FORK rc = fork(); if (-1 == rc) { exit_code = (errno) ? errno : -1; msyslog(LOG_ERR, "fork: %m"); exit(exit_code); } if (rc > 0) { /* parent */ exit_code = wait_child_sync_if(pipe_fds[0], wait_sync); exit(exit_code); } /* * child/daemon * close all open files excepting waitsync_fd_to_close. * msyslog() unreliable until after init_logging(). */ closelog(); if (syslog_file != NULL) { fclose(syslog_file); syslog_file = NULL; syslogit = TRUE; } close_all_except(waitsync_fd_to_close); INSIST(0 == open("/dev/null", 0) && 1 == dup2(0, 1) \ && 2 == dup2(0, 2)); init_logging(progname, 0, TRUE); /* we lost our logfile (if any) daemonizing */ setup_logfile(logfilename); # ifdef SYS_DOMAINOS { uid_$t puid; status_$t st; proc2_$who_am_i(&puid); proc2_$make_server(&puid, &st); } # endif /* SYS_DOMAINOS */ # ifdef HAVE_SETSID if (setsid() == (pid_t)-1) msyslog(LOG_ERR, "setsid(): %m"); # elif defined(HAVE_SETPGID) if (setpgid(0, 0) == -1) msyslog(LOG_ERR, "setpgid(): %m"); # else /* !HAVE_SETSID && !HAVE_SETPGID follows */ # ifdef TIOCNOTTY fid = open("/dev/tty", 2); if (fid >= 0) { ioctl(fid, (u_long)TIOCNOTTY, NULL); close(fid); } # endif /* TIOCNOTTY */ ntp_setpgrp(0, getpid()); # endif /* !HAVE_SETSID && !HAVE_SETPGID */ # ifdef _AIX /* Don't get killed by low-on-memory signal. */ sa.sa_handler = catch_danger; sigemptyset(&sa.sa_mask); sa.sa_flags = SA_RESTART; sigaction(SIGDANGER, &sa, NULL); # endif /* _AIX */ # endif /* HAVE_WORKING_FORK */ } # ifdef SCO5_CLOCK /* * SCO OpenServer's system clock offers much more precise timekeeping * on the base CPU than the other CPUs (for multiprocessor systems), * so we must lock to the base CPU. */ fd = open("/dev/at1", O_RDONLY); if (fd >= 0) { zero = 0; if (ioctl(fd, ACPU_LOCK, &zero) < 0) msyslog(LOG_ERR, "cannot lock to base CPU: %m"); close(fd); } # endif /* Setup stack size in preparation for locking pages in memory. */ # if defined(HAVE_MLOCKALL) # ifdef HAVE_SETRLIMIT ntp_rlimit(RLIMIT_STACK, DFLT_RLIMIT_STACK * 4096, 4096, "4k"); # ifdef RLIMIT_MEMLOCK /* * The default RLIMIT_MEMLOCK is very low on Linux systems. * Unless we increase this limit malloc calls are likely to * fail if we drop root privilege. To be useful the value * has to be larger than the largest ntpd resident set size. */ ntp_rlimit(RLIMIT_MEMLOCK, DFLT_RLIMIT_MEMLOCK * 1024 * 1024, 1024 * 1024, "MB"); # endif /* RLIMIT_MEMLOCK */ # endif /* HAVE_SETRLIMIT */ # else /* !HAVE_MLOCKALL follows */ # ifdef HAVE_PLOCK # ifdef PROCLOCK # ifdef _AIX /* * set the stack limit for AIX for plock(). * see get_aix_stack() for more info. */ if (ulimit(SET_STACKLIM, (get_aix_stack() - 8 * 4096)) < 0) msyslog(LOG_ERR, "Cannot adjust stack limit for plock: %m"); # endif /* _AIX */ # endif /* PROCLOCK */ # endif /* HAVE_PLOCK */ # endif /* !HAVE_MLOCKALL */ /* * Set up signals we pay attention to locally. */ # ifdef SIGDIE1 signal_no_reset(SIGDIE1, finish); signal_no_reset(SIGDIE2, finish); signal_no_reset(SIGDIE3, finish); signal_no_reset(SIGDIE4, finish); # endif # ifdef SIGBUS signal_no_reset(SIGBUS, finish); # endif # if !defined(SYS_WINNT) && !defined(VMS) # ifdef DEBUG (void) signal_no_reset(MOREDEBUGSIG, moredebug); (void) signal_no_reset(LESSDEBUGSIG, lessdebug); # else (void) signal_no_reset(MOREDEBUGSIG, no_debug); (void) signal_no_reset(LESSDEBUGSIG, no_debug); # endif /* DEBUG */ # endif /* !SYS_WINNT && !VMS */ /* * Set up signals we should never pay attention to. */ # ifdef SIGPIPE signal_no_reset(SIGPIPE, SIG_IGN); # endif /* * Call the init_ routines to initialize the data structures. * * Exactly what command-line options are we expecting here? */ INIT_SSL(); init_auth(); init_util(); init_restrict(); init_mon(); init_timer(); init_request(); init_control(); init_peer(); # ifdef REFCLOCK init_refclock(); # endif set_process_priority(); init_proto(); /* Call at high priority */ init_io(); init_loopfilter(); mon_start(MON_ON); /* monitor on by default now */ /* turn off in config if unwanted */ /* * Get the configuration. This is done in a separate module * since this will definitely be different for the gizmo board. */ getconfig(argc, argv); if (-1 == cur_memlock) { # if defined(HAVE_MLOCKALL) /* * lock the process into memory */ if ( !HAVE_OPT(SAVECONFIGQUIT) # ifdef RLIMIT_MEMLOCK && -1 != DFLT_RLIMIT_MEMLOCK # endif && 0 != mlockall(MCL_CURRENT|MCL_FUTURE)) msyslog(LOG_ERR, "mlockall(): %m"); # else /* !HAVE_MLOCKALL follows */ # ifdef HAVE_PLOCK # ifdef PROCLOCK /* * lock the process into memory */ if (!HAVE_OPT(SAVECONFIGQUIT) && 0 != plock(PROCLOCK)) msyslog(LOG_ERR, "plock(PROCLOCK): %m"); # else /* !PROCLOCK follows */ # ifdef TXTLOCK /* * Lock text into ram */ if (!HAVE_OPT(SAVECONFIGQUIT) && 0 != plock(TXTLOCK)) msyslog(LOG_ERR, "plock(TXTLOCK) error: %m"); # else /* !TXTLOCK follows */ msyslog(LOG_ERR, "plock() - don't know what to lock!"); # endif /* !TXTLOCK */ # endif /* !PROCLOCK */ # endif /* HAVE_PLOCK */ # endif /* !HAVE_MLOCKALL */ } loop_config(LOOP_DRIFTINIT, 0); report_event(EVNT_SYSRESTART, NULL, NULL); initializing = FALSE; # ifdef HAVE_DROPROOT if (droproot) { /* Drop super-user privileges and chroot now if the OS supports this */ # ifdef HAVE_LINUX_CAPABILITIES /* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */ if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) { msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" ); exit(-1); } # elif HAVE_SOLARIS_PRIVS /* Nothing to do here */ # else /* we need a user to switch to */ if (user == NULL) { msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" ); exit(-1); } # endif /* HAVE_LINUX_CAPABILITIES || HAVE_SOLARIS_PRIVS */ if (user != NULL) { if (isdigit((unsigned char)*user)) { sw_uid = (uid_t)strtoul(user, &endp, 0); if (*endp != '\0') goto getuser; if ((pw = getpwuid(sw_uid)) != NULL) { free(user); user = estrdup(pw->pw_name); sw_gid = pw->pw_gid; } else { errno = 0; msyslog(LOG_ERR, "Cannot find user ID %s", user); exit (-1); } } else { getuser: errno = 0; if ((pw = getpwnam(user)) != NULL) { sw_uid = pw->pw_uid; sw_gid = pw->pw_gid; } else { if (errno) msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user); else msyslog(LOG_ERR, "Cannot find user `%s'", user); exit (-1); } } } if (group != NULL) { if (isdigit((unsigned char)*group)) { sw_gid = (gid_t)strtoul(group, &endp, 0); if (*endp != '\0') goto getgroup; } else { getgroup: if ((gr = getgrnam(group)) != NULL) { sw_gid = gr->gr_gid; } else { errno = 0; msyslog(LOG_ERR, "Cannot find group `%s'", group); exit (-1); } } } if (chrootdir ) { /* make sure cwd is inside the jail: */ if (chdir(chrootdir)) { msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir); exit (-1); } if (chroot(chrootdir)) { msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir); exit (-1); } if (chdir("/")) { msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m"); exit (-1); } } # ifdef HAVE_SOLARIS_PRIVS if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) { msyslog(LOG_ERR, "priv_str_to_set() failed:%m"); exit(-1); } if ((highprivs = priv_allocset()) == NULL) { msyslog(LOG_ERR, "priv_allocset() failed:%m"); exit(-1); } (void) getppriv(PRIV_PERMITTED, highprivs); (void) priv_intersect(highprivs, lowprivs); if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) { msyslog(LOG_ERR, "setppriv() failed:%m"); exit(-1); } # endif /* HAVE_SOLARIS_PRIVS */ if (user && initgroups(user, sw_gid)) { msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user); exit (-1); } if (group && setgid(sw_gid)) { msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group); exit (-1); } if (group && setegid(sw_gid)) { msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group); exit (-1); } if (group) { if (0 != setgroups(1, &sw_gid)) { msyslog(LOG_ERR, "setgroups(1, %d) failed: %m", sw_gid); exit (-1); } } else if (pw) if (0 != initgroups(pw->pw_name, pw->pw_gid)) { msyslog(LOG_ERR, "initgroups(<%s>, %d) filed: %m", pw->pw_name, pw->pw_gid); exit (-1); } if (user && setuid(sw_uid)) { msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user); exit (-1); } if (user && seteuid(sw_uid)) { msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user); exit (-1); } # if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) /* * for now assume that the privilege to bind to privileged ports * is associated with running with uid 0 - should be refined on * ports that allow binding to NTP_PORT with uid != 0 */ disable_dynamic_updates |= (sw_uid != 0); /* also notifies routing message listener */ # endif /* !HAVE_LINUX_CAPABILITIES && !HAVE_SOLARIS_PRIVS */ if (disable_dynamic_updates && interface_interval) { interface_interval = 0; msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking"); } # ifdef HAVE_LINUX_CAPABILITIES { /* * We may be running under non-root uid now, but we still hold full root privileges! * We drop all of them, except for the crucial one or two: cap_sys_time and * cap_net_bind_service if doing dynamic interface tracking. */ cap_t caps; char *captext; captext = (0 != interface_interval) ? "cap_sys_time,cap_net_bind_service=pe" : "cap_sys_time=pe"; caps = cap_from_text(captext); if (!caps) { msyslog(LOG_ERR, "cap_from_text(%s) failed: %m", captext); exit(-1); } if (-1 == cap_set_proc(caps)) { msyslog(LOG_ERR, "cap_set_proc() failed to drop root privs: %m"); exit(-1); } cap_free(caps); } # endif /* HAVE_LINUX_CAPABILITIES */ # ifdef HAVE_SOLARIS_PRIVS if (priv_delset(lowprivs, "proc_setid") == -1) { msyslog(LOG_ERR, "priv_delset() failed:%m"); exit(-1); } if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) { msyslog(LOG_ERR, "setppriv() failed:%m"); exit(-1); } priv_freeset(lowprivs); priv_freeset(highprivs); # endif /* HAVE_SOLARIS_PRIVS */ root_dropped = TRUE; fork_deferred_worker(); } /* if (droproot) */ # endif /* HAVE_DROPROOT */ /* libssecomp sandboxing */ #if defined (LIBSECCOMP) && (KERN_SECCOMP) scmp_filter_ctx ctx; if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0) msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__); else { msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__); } #ifdef __x86_64__ int scmp_sc[] = { SCMP_SYS(adjtimex), SCMP_SYS(bind), SCMP_SYS(brk), SCMP_SYS(chdir), SCMP_SYS(clock_gettime), SCMP_SYS(clock_settime), SCMP_SYS(close), SCMP_SYS(connect), SCMP_SYS(exit_group), SCMP_SYS(fstat), SCMP_SYS(fsync), SCMP_SYS(futex), SCMP_SYS(getitimer), SCMP_SYS(getsockname), SCMP_SYS(ioctl), SCMP_SYS(lseek), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(munmap), SCMP_SYS(open), SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(recvmsg), SCMP_SYS(rename), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigreturn), SCMP_SYS(select), SCMP_SYS(sendto), SCMP_SYS(setitimer), SCMP_SYS(setsid), SCMP_SYS(socket), SCMP_SYS(stat), SCMP_SYS(time), SCMP_SYS(write), }; #endif #ifdef __i386__ int scmp_sc[] = { SCMP_SYS(_newselect), SCMP_SYS(adjtimex), SCMP_SYS(brk), SCMP_SYS(chdir), SCMP_SYS(clock_gettime), SCMP_SYS(clock_settime), SCMP_SYS(close), SCMP_SYS(exit_group), SCMP_SYS(fsync), SCMP_SYS(futex), SCMP_SYS(getitimer), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(munmap), SCMP_SYS(open), SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(rename), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigprocmask), SCMP_SYS(select), SCMP_SYS(setitimer), SCMP_SYS(setsid), SCMP_SYS(sigprocmask), SCMP_SYS(sigreturn), SCMP_SYS(socketcall), SCMP_SYS(stat64), SCMP_SYS(time), SCMP_SYS(write), }; #endif { int i; for (i = 0; i < COUNTOF(scmp_sc); i++) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) { msyslog(LOG_ERR, "%s: seccomp_rule_add() failed: %m", __func__); } } } if (seccomp_load(ctx) < 0) msyslog(LOG_ERR, "%s: seccomp_load() failed: %m", __func__); else { msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__); } #endif /* LIBSECCOMP and KERN_SECCOMP */ # ifdef HAVE_IO_COMPLETION_PORT for (;;) { GetReceivedBuffers(); # else /* normal I/O */ BLOCK_IO_AND_ALARM(); was_alarmed = FALSE; for (;;) { if (alarm_flag) { /* alarmed? */ was_alarmed = TRUE; alarm_flag = FALSE; } if (!was_alarmed && !has_full_recv_buffer()) { /* * Nothing to do. Wait for something. */ io_handler(); } if (alarm_flag) { /* alarmed? */ was_alarmed = TRUE; alarm_flag = FALSE; } if (was_alarmed) { UNBLOCK_IO_AND_ALARM(); /* * Out here, signals are unblocked. Call timer routine * to process expiry. */ timer(); was_alarmed = FALSE; BLOCK_IO_AND_ALARM(); } # endif /* !HAVE_IO_COMPLETION_PORT */ # ifdef DEBUG_TIMING { l_fp pts; l_fp tsa, tsb; int bufcount = 0; get_systime(&pts); tsa = pts; # endif rbuf = get_full_recv_buffer(); while (rbuf != NULL) { if (alarm_flag) { was_alarmed = TRUE; alarm_flag = FALSE; } UNBLOCK_IO_AND_ALARM(); if (was_alarmed) { /* avoid timer starvation during lengthy I/O handling */ timer(); was_alarmed = FALSE; } /* * Call the data procedure to handle each received * packet. */ if (rbuf->receiver != NULL) { # ifdef DEBUG_TIMING l_fp dts = pts; L_SUB(&dts, &rbuf->recv_time); DPRINTF(2, ("processing timestamp delta %s (with prec. fuzz)\n", lfptoa(&dts, 9))); collect_timing(rbuf, "buffer processing delay", 1, &dts); bufcount++; # endif (*rbuf->receiver)(rbuf); } else { msyslog(LOG_ERR, "fatal: receive buffer callback NULL"); abort(); } BLOCK_IO_AND_ALARM(); freerecvbuf(rbuf); rbuf = get_full_recv_buffer(); } # ifdef DEBUG_TIMING get_systime(&tsb); L_SUB(&tsb, &tsa); if (bufcount) { collect_timing(NULL, "processing", bufcount, &tsb); DPRINTF(2, ("processing time for %d buffers %s\n", bufcount, lfptoa(&tsb, 9))); } } # endif /* * Go around again */ # ifdef HAVE_DNSREGISTRATION if (mdnsreg && (current_time - mdnsreg ) > 60 && mdnstries && sys_leap != LEAP_NOTINSYNC) { mdnsreg = current_time; msyslog(LOG_INFO, "Attempting to register mDNS"); if ( DNSServiceRegister (&mdns, 0, 0, NULL, "_ntp._udp", NULL, NULL, htons(NTP_PORT), 0, NULL, NULL, NULL) != kDNSServiceErr_NoError ) { if (!--mdnstries) { msyslog(LOG_ERR, "Unable to register mDNS, giving up."); } else { msyslog(LOG_INFO, "Unable to register mDNS, will try later."); } } else { msyslog(LOG_INFO, "mDNS service registered."); mdnsreg = FALSE; } } # endif /* HAVE_DNSREGISTRATION */ } UNBLOCK_IO_AND_ALARM(); return 1; } #endif /* !SIM */ #if !defined(SIM) && defined(SIGDIE1) /* * finish - exit gracefully */ static RETSIGTYPE finish( int sig ) { const char *sig_desc; sig_desc = NULL; #ifdef HAVE_STRSIGNAL sig_desc = strsignal(sig); #endif if (sig_desc == NULL) sig_desc = ""; msyslog(LOG_NOTICE, "%s exiting on signal %d (%s)", progname, sig, sig_desc); /* See Bug 2513 and Bug 2522 re the unlink of PIDFILE */ # ifdef HAVE_DNSREGISTRATION if (mdns != NULL) DNSServiceRefDeallocate(mdns); # endif peer_cleanup(); exit(0); } #endif /* !SIM && SIGDIE1 */ #ifndef SIM /* * wait_child_sync_if - implements parent side of -w/--wait-sync */ # ifdef HAVE_WORKING_FORK static int wait_child_sync_if( int pipe_read_fd, long wait_sync ) { int rc; int exit_code; time_t wait_end_time; time_t cur_time; time_t wait_rem; fd_set readset; struct timeval wtimeout; if (0 == wait_sync) return 0; /* waitsync_fd_to_close used solely by child */ close(waitsync_fd_to_close); wait_end_time = time(NULL) + wait_sync; do { cur_time = time(NULL); wait_rem = (wait_end_time > cur_time) ? (wait_end_time - cur_time) : 0; wtimeout.tv_sec = wait_rem; wtimeout.tv_usec = 0; FD_ZERO(&readset); FD_SET(pipe_read_fd, &readset); rc = select(pipe_read_fd + 1, &readset, NULL, NULL, &wtimeout); if (-1 == rc) { if (EINTR == errno) continue; exit_code = (errno) ? errno : -1; msyslog(LOG_ERR, "--wait-sync select failed: %m"); return exit_code; } if (0 == rc) { /* * select() indicated a timeout, but in case * its timeouts are affected by a step of the * system clock, select() again with a zero * timeout to confirm. */ FD_ZERO(&readset); FD_SET(pipe_read_fd, &readset); wtimeout.tv_sec = 0; wtimeout.tv_usec = 0; rc = select(pipe_read_fd + 1, &readset, NULL, NULL, &wtimeout); if (0 == rc) /* select() timeout */ break; else /* readable */ return 0; } else /* readable */ return 0; } while (wait_rem > 0); fprintf(stderr, "%s: -w/--wait-sync %ld timed out.\n", progname, wait_sync); return ETIMEDOUT; }
/* Lock the memory pages into core and drop privileges. */ static void lock_pool (void *p, size_t n) { #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK) int err; { cap_t cap; cap = cap_from_text ("cap_ipc_lock+ep"); cap_set_proc (cap); cap_free (cap); err = no_mlock? 0 : mlock (p, n); if (err && errno) err = errno; cap = cap_from_text ("cap_ipc_lock+p"); cap_set_proc (cap); cap_free(cap); } if (err) { if (errno != EPERM #ifdef EAGAIN /* OpenBSD returns this */ && errno != EAGAIN #endif #ifdef ENOSYS /* Some SCOs return this (function not implemented) */ && errno != ENOSYS #endif #ifdef ENOMEM /* Linux might return this. */ && errno != ENOMEM #endif ) log_error ("can't lock memory: %s\n", strerror (err)); show_warning = 1; not_locked = 1; } #elif defined(HAVE_MLOCK) uid_t uid; int err; uid = getuid (); #ifdef HAVE_BROKEN_MLOCK /* Under HP/UX mlock segfaults if called by non-root. Note, we have noch checked whether mlock does really work under AIX where we also detected a broken nlock. Note further, that using plock () is not a good idea under AIX. */ if (uid) { errno = EPERM; err = errno; } else { err = no_mlock? 0 : mlock (p, n); if (err && errno) err = errno; } #else /* !HAVE_BROKEN_MLOCK */ err = no_mlock? 0 : mlock (p, n); if (err && errno) err = errno; #endif /* !HAVE_BROKEN_MLOCK */ /* Test whether we are running setuid(0). */ if (uid && ! geteuid ()) { /* Yes, we are. */ if (!no_priv_drop) { /* Check that we really dropped the privs. * Note: setuid(0) should always fail */ if (setuid (uid) || getuid () != geteuid () || !setuid (0)) log_fatal ("failed to reset uid: %s\n", strerror (errno)); } } if (err) { if (errno != EPERM #ifdef EAGAIN /* OpenBSD returns this. */ && errno != EAGAIN #endif #ifdef ENOSYS /* Some SCOs return this (function not implemented). */ && errno != ENOSYS #endif #ifdef ENOMEM /* Linux might return this. */ && errno != ENOMEM #endif ) log_error ("can't lock memory: %s\n", strerror (err)); show_warning = 1; not_locked = 1; } #elif defined ( __QNX__ ) /* QNX does not page at all, so the whole secure memory stuff does * not make much sense. However it is still of use because it * wipes out the memory on a free(). * Therefore it is sufficient to suppress the warning. */ (void)p; (void)n; #elif defined (HAVE_DOSISH_SYSTEM) || defined (__CYGWIN__) /* It does not make sense to print such a warning, given the fact that * this whole Windows !@#$% and their user base are inherently insecure. */ (void)p; (void)n; #elif defined (__riscos__) /* No virtual memory on RISC OS, so no pages are swapped to disc, * besides we don't have mmap, so we don't use it! ;-) * But don't complain, as explained above. */ (void)p; (void)n; #else (void)p; (void)n; if (!no_mlock) log_info ("Please note that you don't have secure memory on this system\n"); #endif }