OLD | NEW |
1 // Copyright 2014 The Crashpad Authors. All rights reserved. | 1 // Copyright 2014 The Crashpad Authors. All rights reserved. |
2 // | 2 // |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
6 // | 6 // |
7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
8 // | 8 // |
9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
(...skipping 13 matching lines...) Expand all Loading... |
24 uid_t uid = getuid(); | 24 uid_t uid = getuid(); |
25 | 25 |
26 #if defined(OS_MACOSX) | 26 #if defined(OS_MACOSX) |
27 // Based on the POSIX.1-2008 2013 edition documentation for setreuid() and | 27 // Based on the POSIX.1-2008 2013 edition documentation for setreuid() and |
28 // setregid(), setreuid() and setregid() alone should be sufficient to drop | 28 // setregid(), setreuid() and setregid() alone should be sufficient to drop |
29 // privileges. The standard specifies that the saved ID should be set to the | 29 // privileges. The standard specifies that the saved ID should be set to the |
30 // effective ID whenever the real ID is not -1, or whenever the effective ID | 30 // effective ID whenever the real ID is not -1, or whenever the effective ID |
31 // is set not equal to the real ID. This code never specifies -1, so the | 31 // is set not equal to the real ID. This code never specifies -1, so the |
32 // setreuid() and setregid() alone should work according to the standard. | 32 // setreuid() and setregid() alone should work according to the standard. |
33 // | 33 // |
34 // In practice, on Mac OS X, setuid() and setgid() (or seteuid() and | 34 // In practice, on older versions of macOS, setuid() and setgid() (or |
35 // setegid()) must be called first. Otherwise, setreuid() and setregid() do | 35 // seteuid() and setegid()) must be called first. Otherwise, setreuid() and |
36 // not alter the saved IDs, leaving open the possibility for future privilege | 36 // setregid() do not alter the saved IDs, leaving open the possibility for |
37 // escalation. | 37 // future privilege escalation. |
38 // | 38 // |
39 // The problem exists in 10.9.5 xnu-2422.115.4/bsd/kern/kern_prot.c | 39 // The problem exists in 10.9.5 xnu-2422.115.4/bsd/kern/kern_prot.c |
40 // setreuid(). Based on its comments, it purports to set the svuid to the new | 40 // setreuid(). Based on its comments, it purports to set the svuid to the new |
41 // euid when the old svuid doesn’t match one of the new ruid and euid. This | 41 // euid when the old svuid doesn’t match one of the new ruid and euid. This |
42 // isn’t how POSIX.1-2008 says it should behave, but it should work for this | 42 // isn’t how POSIX.1-2008 says it should behave, but it should work for this |
43 // function’s purposes. In reality, setreuid() doesn’t even do this: it sets | 43 // function’s purposes. In reality, setreuid() doesn’t even do this: it sets |
44 // the svuid to the old euid, which does not drop privileges when the old euid | 44 // the svuid to the old euid, which does not drop privileges when the old euid |
45 // is different from the desired euid. The workaround of calling setuid() or | 45 // is different from the desired euid. The workaround of calling setuid() or |
46 // seteuid() before setreuid() works because it sets the euid so that by the | 46 // seteuid() before setreuid() works because it sets the euid so that by the |
47 // time setreuid() runs, the old euid is actually the value that ought to be | 47 // time setreuid() runs, the old euid is actually the value that ought to be |
48 // set as the svuid. setregid() is similar. This bug is filed as radar | 48 // set as the svuid. setregid() is similar. This bug was reported as radar |
49 // 18987552. | 49 // 18987552, fixed in 10.10.3 and security updates to 10.9.5 and 10.8.5. |
50 // | 50 // |
51 // setuid() and setgid() alone will only set the saved IDs when running as | 51 // setuid() and setgid() alone will only set the saved IDs when running as |
52 // root. When running a setuid non-root or setgid program, they do not alter | 52 // root. When running a setuid non-root or setgid program, they do not alter |
53 // the saved ID, and do not effect a permanent privilege drop. | 53 // the saved ID, and do not effect a permanent privilege drop. |
54 gid_t egid = getegid(); | 54 gid_t egid = getegid(); |
55 PCHECK(setgid(gid) == 0) << "setgid"; | 55 PCHECK(setgid(gid) == 0) << "setgid"; |
56 PCHECK(setregid(gid, gid) == 0) << "setregid"; | 56 PCHECK(setregid(gid, gid) == 0) << "setregid"; |
57 | 57 |
58 uid_t euid = geteuid(); | 58 uid_t euid = geteuid(); |
59 PCHECK(setuid(uid) == 0) << "setuid"; | 59 PCHECK(setuid(uid) == 0) << "setuid"; |
(...skipping 22 matching lines...) Expand all Loading... |
82 // processes. Since the setresXid() interface is well-defined, it shouldn’t be | 82 // processes. Since the setresXid() interface is well-defined, it shouldn’t be |
83 // necessary to perform any additional checking anyway. | 83 // necessary to perform any additional checking anyway. |
84 // | 84 // |
85 // TODO(mark): Drop CAP_SETUID and CAP_SETGID if present and non-root? | 85 // TODO(mark): Drop CAP_SETUID and CAP_SETGID if present and non-root? |
86 #else | 86 #else |
87 #error Port this function to your system. | 87 #error Port this function to your system. |
88 #endif | 88 #endif |
89 } | 89 } |
90 | 90 |
91 } // namespace crashpad | 91 } // namespace crashpad |
OLD | NEW |