1 // Copyright 2014 The Crashpad Authors. All rights reserved. | |
2 // | |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | |
4 // you may not use this file except in compliance with the License. | |
5 // You may obtain a copy of the License at | |
6 // | |
7 // http://www.apache.org/licenses/LICENSE-2.0 | |
8 // | |
9 // Unless required by applicable law or agreed to in writing, software | |
10 // distributed under the License is distributed on an "AS IS" BASIS, | |
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
12 // See the License for the specific language governing permissions and | |
13 // limitations under the License. | |
14 | |
15 #include <unistd.h> | |
16 | |
17 #include "base/logging.h" | |
18 #include "build/build_config.h" | |
19 | |
20 namespace crashpad { | |
21 | |
22 void DropPrivileges() { | |
23 gid_t gid = getgid(); | |
24 uid_t uid = getuid(); | |
25 | |
26 #if defined(OS_MACOSX) | |
27 // Based on the POSIX.1-2008 2013 edition documentation for setreuid() and | |
28 // setregid(), setreuid() and setregid() alone should be sufficient to drop | |
29 // privileges. The standard specifies that the saved ID should be set to the | |
30 // effective ID whenever the real ID is not -1, and whenever the effective ID | |
31 // is set not equal to the real ID. This code never specifies -1, so the | |
32 // setreuid() and setregid() alone should work according to the standard. | |
33 // | |
34 // In practice, on Mac OS X, setuid() and setgid() (or seteuid() and | |
35 // setegid()) must be called first, otherwise, setreuid() and setregid() do | |
36 // not alter the saved IDs, leaving open the possibility for future privilege | |
37 // escalation. This bug is filed as radar 18987552. | |
38 gid_t egid = getegid(); | |
39 PCHECK(setgid(gid) == 0) << "setgid"; | |
40 PCHECK(setregid(gid, gid) == 0) << "setregid"; | |
41 | |
42 uid_t euid = geteuid(); | |
43 PCHECK(setuid(uid) == 0) << "setuid"; | |
44 PCHECK(setreuid(uid, uid) == 0) << "setreuid"; | |
45 | |
46 if (uid != 0) { | |
47 // Because the setXid()+setreXid() interface to change IDs is fragile, | |
48 // ensure that privileges cannot be regained. This can only be done if the | |
49 // real user ID (and now the effective user ID as well) is not root, because | |
50 // root always has permission to change identity. | |
51 if (euid != uid) { | |
52 CHECK_EQ(seteuid(euid), -1); | |
53 } | |
54 if (egid != gid) { | |
55 CHECK_EQ(setegid(egid), -1); | |
56 } | |
57 } | |
58 #elif defined(OS_LINUX) | |
59 PCHECK(setresgid(gid, gid, gid) == 0) << "setresgid"; | |
60 PCHECK(setresuid(uid, uid, uid) == 0) << "setresuid"; | |
61 | |
62 // Don’t check to see if privileges can be regained on Linux, because on | |
63 // Linux, it’s not as simple as ensuring that this can’t be done if non-root. | |
64 // Instead, the ability to change user and group IDs are controlled by the | |
65 // CAP_SETUID and CAP_SETGID capabilities, which may be granted to non-root | |
Robert Sesek
2014/11/14 23:36:03
Arguably, this function should drop those capabili
| |
66 // processes. Since the setresXid() interface is well-defined, it shouldn’t be | |
67 // necessary to perform any additional checking anyway. | |
68 #else | |
69 #error Port this function to your system. | |
70 #endif | |
71 } | |
72 | |
73 } // namespace crashpad | |
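Review bot: Supplementary group membership is never reset, so after setgid()/setregid() on the Mac path and setresgid() on the Linux path the process keeps whatever supplementary groups it inherited; if the caller can be started privileged with groups beyond those of the real user, those memberships survive the drop. A call such as `PCHECK(setgroups(1, &gid) == 0) << "setgroups";` placed before the gid change, while the process still holds the privilege to make it, would close that gap; it should be skipped or tolerate EPERM when the process is not privileged, since setgroups() is restricted to root or CAP_SETGID. On Linux setgroups() needs `<grp.h>` in addition to `<unistd.h>`. Whether this matters in practice depends on how the handler is launched, which the page does not show.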