1 // Copyright 2014 The Crashpad Authors. All rights reserved. | 1 // Copyright 2014 The Crashpad Authors. All rights reserved. |
2 // | 2 // |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
6 // | 6 // |
7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
8 // | 8 // |
9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 // See the License for the specific language governing permissions and | 12 // See the License for the specific language governing permissions and |
13 // limitations under the License. | 13 // limitations under the License. |
14 | 14 |
15 #include <unistd.h> | 15 #include <unistd.h> |
16 | 16 |
17 #include "base/logging.h" | 17 #include "base/logging.h" |
18 #include "build/build_config.h" | 18 #include "build/build_config.h" |
19 | 19 |
20 namespace crashpad { | 20 namespace crashpad { |
21 | 21 |
22 void DropPrivileges() { | 22 void DropPrivileges() { |
23 gid_t gid = getgid(); | 23 gid_t gid = getgid(); |
24 uid_t uid = getuid(); | 24 uid_t uid = getuid(); |
25 | 25 |
26 #if defined(OS_MACOSX) | 26 #if defined(OS_MACOSX) |
27 // Based on the POSIX.1-2008 2013 edition documentation for setreuid() and | 27 // Based on the POSIX.1-2008 2013 edition documentation for setreuid() and |
28 // setregid(), setreuid() and setregid() alone should be sufficient to drop | 28 // setregid(), setreuid() and setregid() alone should be sufficient to drop |
29 // privileges. The standard specifies that the saved ID should be set to the | 29 // privileges. The standard specifies that the saved ID should be set to the |
30 // effective ID whenever the real ID is not -1, and whenever the effective ID | 30 // effective ID whenever the real ID is not -1, or whenever the effective ID |
31 // is set not equal to the real ID. This code never specifies -1, so the | 31 // is set not equal to the real ID. This code never specifies -1, so the |
32 // setreuid() and setregid() alone should work according to the standard. | 32 // setreuid() and setregid() alone should work according to the standard. |
33 // | 33 // |
34 // In practice, on Mac OS X, setuid() and setgid() (or seteuid() and | 34 // In practice, on Mac OS X, setuid() and setgid() (or seteuid() and |
35 // setegid()) must be called first, otherwise, setreuid() and setregid() do | 35 // setegid()) must be called first. Otherwise, setreuid() and setregid() do |
36 // not alter the saved IDs, leaving open the possibility for future privilege | 36 // not alter the saved IDs, leaving open the possibility for future privilege |
37 // escalation. This bug is filed as radar 18987552. | 37 // escalation. |
| 38 // |
| 39 // The problem exists in 10.9.5 xnu-2422.115.4/bsd/kern/kern_prot.c |
| 40 // setreuid(). Based on its comments, it purports to set the svuid to the new |
| 41 // euid when the old svuid doesn’t match one of the new ruid and euid. This |
| 42 // isn’t how POSIX.1-2008 says it should behave, but it should work for this |
| 43 // function’s purposes. In reality, setreuid() doesn’t even do this: it sets |
| 44 // the svuid to the old euid, which does not drop privileges when the old euid |
| 45 // is different from the desired euid. The workaround of calling setuid() or |
| 46 // seteuid() before setreuid() works because it sets the euid so that by the |
| 47 // time setreuid() runs, the old euid is actually the value that ought to be |
| 48 // set as the svuid. setregid() is similar. This bug is filed as radar |
| 49 // 18987552. |
| 50 // |
| 51 // setuid() and setgid() alone will only set the saved IDs when running as |
| 52 // root. When running a setuid non-root or setgid program, they do not alter |
| 53 // the saved ID, and do not effect a permanent privilege drop. |
38 gid_t egid = getegid(); | 54 gid_t egid = getegid(); |
39 PCHECK(setgid(gid) == 0) << "setgid"; | 55 PCHECK(setgid(gid) == 0) << "setgid"; |
40 PCHECK(setregid(gid, gid) == 0) << "setregid"; | 56 PCHECK(setregid(gid, gid) == 0) << "setregid"; |
41 | 57 |
42 uid_t euid = geteuid(); | 58 uid_t euid = geteuid(); |
43 PCHECK(setuid(uid) == 0) << "setuid"; | 59 PCHECK(setuid(uid) == 0) << "setuid"; |
44 PCHECK(setreuid(uid, uid) == 0) << "setreuid"; | 60 PCHECK(setreuid(uid, uid) == 0) << "setreuid"; |
45 | 61 |
46 if (uid != 0) { | 62 if (uid != 0) { |
47 // Because the setXid()+setreXid() interface to change IDs is fragile, | 63 // Because the setXid()+setreXid() interface to change IDs is fragile, |
58 #elif defined(OS_LINUX) | 74 #elif defined(OS_LINUX) |
59 PCHECK(setresgid(gid, gid, gid) == 0) << "setresgid"; | 75 PCHECK(setresgid(gid, gid, gid) == 0) << "setresgid"; |
60 PCHECK(setresuid(uid, uid, uid) == 0) << "setresuid"; | 76 PCHECK(setresuid(uid, uid, uid) == 0) << "setresuid"; |
61 | 77 |
62 // Don’t check to see if privileges can be regained on Linux, because on | 78 // Don’t check to see if privileges can be regained on Linux, because on |
63 // Linux, it’s not as simple as ensuring that this can’t be done if non-root. | 79 // Linux, it’s not as simple as ensuring that this can’t be done if non-root. |
64 // Instead, the ability to change user and group IDs are controlled by the | 80 // Instead, the ability to change user and group IDs are controlled by the |
65 // CAP_SETUID and CAP_SETGID capabilities, which may be granted to non-root | 81 // CAP_SETUID and CAP_SETGID capabilities, which may be granted to non-root |
66 // processes. Since the setresXid() interface is well-defined, it shouldn’t be | 82 // processes. Since the setresXid() interface is well-defined, it shouldn’t be |
67 // necessary to perform any additional checking anyway. | 83 // necessary to perform any additional checking anyway. |
| 84 // |
| 85 // TODO(mark): Drop CAP_SETUID and CAP_SETGID if present and non-root? |
68 #else | 86 #else |
69 #error Port this function to your system. | 87 #error Port this function to your system. |
70 #endif | 88 #endif |
71 } | 89 } |
72 | 90 |
73 } // namespace crashpad | 91 } // namespace crashpad |
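Review bot: The TODO added at new line 85 leaves the scope of the Linux capability concern unstated: when all three uids move from 0 to non-zero, the kernel already clears the permitted and effective capability sets unless the process opted out via PR_SET_KEEPCAPS / SECBIT_KEEP_CAPS, so the remaining case is a non-root process that holds CAP_SETUID/CAP_SETGID through file capabilities (or kept them deliberately). Spelling that out next to the TODO would tell a future maintainer which situation still needs handling, e.g. `// The kernel drops capabilities when every uid leaves 0 (absent SECBIT_KEEP_CAPS); a non-root process granted CAP_SETUID via file capabilities keeps it.` Independently of capabilities, the Linux branch (new lines 75-76) relies solely on the setresXid() return values, whereas the Mac branch verifies the drop; a cheap post-condition would be `uid_t r, e, s; PCHECK(getresuid(&r, &e, &s) == 0) << "getresuid"; CHECK(r == uid && e == uid && s == uid);` with the same for getresgid(). The middle of DropPrivileges (old lines 48-57 / new lines 64-73, the Mac regain check) is elided on this page, so the Mac verification itself could not be reviewed here.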