2 * Copyright (c) 2009 Andrew Tridgell
3 * Copyright (c) 2011-2013 Andreas Schneider <asn@samba.org>
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/types.h>
30 #ifdef HAVE_SYS_SYSCALL_H
31 #include <sys/syscall.h>
40 #ifdef HAVE_GCC_THREAD_LOCAL_STORAGE
41 # define UWRAP_THREAD __thread
47 #define UWRAP_DEBUG(...)
49 #define UWRAP_DEBUG(...) fprintf(stderr, __VA_ARGS__)
52 #define UWRAP_DLIST_ADD(list,item) do { \
54 (item)->prev = NULL; \
55 (item)->next = NULL; \
58 (item)->prev = NULL; \
59 (item)->next = (list); \
60 (list)->prev = (item); \
65 #define UWRAP_DLIST_REMOVE(list,item) do { \
66 if ((list) == (item)) { \
67 (list) = (item)->next; \
69 (list)->prev = NULL; \
73 (item)->prev->next = (item)->next; \
76 (item)->next->prev = (item)->prev; \
79 (item)->prev = NULL; \
80 (item)->next = NULL; \
83 #define LIBC_NAME "libc.so"
85 struct uwrap_libc_fns {
86 int (*_libc_setuid)(uid_t uid);
87 uid_t (*_libc_getuid)(void);
90 int (*_libc_seteuid)(uid_t euid);
93 int (*_libc_setreuid)(uid_t ruid, uid_t euid);
96 int (*_libc_setresuid)(uid_t ruid, uid_t euid, uid_t suid);
98 uid_t (*_libc_geteuid)(void);
100 int (*_libc_setgid)(gid_t gid);
101 gid_t (*_libc_getgid)(void);
103 int (*_libc_setegid)(uid_t egid);
106 int (*_libc_setregid)(uid_t rgid, uid_t egid);
109 int (*_libc_setresgid)(uid_t rgid, uid_t egid, uid_t sgid);
111 gid_t (*_libc_getegid)(void);
112 int (*_libc_getgroups)(int size, gid_t list[]);
113 int (*_libc_setgroups)(size_t size, const gid_t *list);
115 long int (*_libc_syscall)(long int sysno, ...);
120 * We keep the virtualised euid/egid/groups information here
122 struct uwrap_thread {
137 struct uwrap_thread *next;
138 struct uwrap_thread *prev;
144 struct uwrap_libc_fns fns;
153 struct uwrap_thread *ids;
156 static struct uwrap uwrap;
158 /* Shortcut to the list item */
159 static UWRAP_THREAD struct uwrap_thread *uwrap_tls_id;
161 /* The mutex or accessing the id */
162 static pthread_mutex_t uwrap_id_mutex = PTHREAD_MUTEX_INITIALIZER;
164 /*********************************************************
165 * UWRAP LIBC LOADER FUNCTIONS
166 *********************************************************/
174 static void *uwrap_load_lib_handle(enum uwrap_lib lib)
176 int flags = RTLD_LAZY;
185 flags |= RTLD_DEEPBIND;
191 case UWRAP_LIBSOCKET:
194 if (handle == NULL) {
195 for (handle = NULL, i = 10; handle == NULL && i >= 0; i--) {
196 char soname[256] = {0};
198 snprintf(soname, sizeof(soname), "libc.so.%d", i);
199 handle = dlopen(soname, flags);
202 uwrap.libc.handle = handle;
204 handle = uwrap.libc.handle;
209 if (handle == NULL) {
211 "Failed to dlopen library: %s\n",
219 static void *_uwrap_load_lib_function(enum uwrap_lib lib, const char *fn_name)
224 handle = uwrap_load_lib_handle(lib);
226 func = dlsym(handle, fn_name);
229 "Failed to find %s: %s\n",
237 #define uwrap_load_lib_function(lib, fn_name) \
238 if (uwrap.libc.fns._libc_##fn_name == NULL) { \
239 *(void **) (&uwrap.libc.fns._libc_##fn_name) = \
240 _uwrap_load_lib_function(lib, #fn_name); \
246 * Functions expeciall from libc need to be loaded individually, you can't load
247 * all at once or gdb will segfault at startup. The same applies to valgrind and
248 * has probably something todo with with the linker.
249 * So we need load each function at the point it is called the first time.
251 static int libc_setuid(uid_t uid)
253 uwrap_load_lib_function(UWRAP_LIBC, setuid);
255 return uwrap.libc.fns._libc_setuid(uid);
258 static uid_t libc_getuid(void)
260 uwrap_load_lib_function(UWRAP_LIBC, getuid);
262 return uwrap.libc.fns._libc_getuid();
265 static void *uwrap_libc_fn(struct uwrap *u, const char *fn_name)
270 func = dlsym(RTLD_NEXT, fn_name);
272 if (u->libc.handle == NULL) {
276 func = dlsym(u->libc.handle, fn_name);
279 printf("Failed to find %s in %s: %s\n",
280 fn_name, LIBC_NAME, dlerror());
287 static void uwrap_libc_init(struct uwrap *u)
291 int flags = RTLD_LAZY;
294 flags |= RTLD_DEEPBIND;
297 for (u->libc.handle = NULL, i = 10; u->libc.handle == NULL; i--) {
298 char soname[256] = {0};
300 snprintf(soname, sizeof(soname), "%s.%u", LIBC_NAME, i);
301 u->libc.handle = dlopen(soname, flags);
304 if (u->libc.handle == NULL) {
305 printf("Failed to dlopen %s.%u: %s\n", LIBC_NAME, i, dlerror());
311 *(void **) (&u->libc.fns._libc_seteuid) = uwrap_libc_fn(u, "seteuid");
314 *(void **) (&u->libc.fns._libc_setreuid) = uwrap_libc_fn(u, "setreuid");
316 #ifdef HAVE_SETRESUID
317 *(void **) (&u->libc.fns._libc_setresuid) = uwrap_libc_fn(u, "setresuid");
319 *(void **) (&u->libc.fns._libc_geteuid) = uwrap_libc_fn(u, "geteuid");
321 *(void **) (&u->libc.fns._libc_setgid) = uwrap_libc_fn(u, "setgid");
322 *(void **) (&u->libc.fns._libc_getgid) = uwrap_libc_fn(u, "getgid");
324 *(void **) (&u->libc.fns._libc_setegid) = uwrap_libc_fn(u, "setegid");
327 *(void **) (&u->libc.fns._libc_setregid) = uwrap_libc_fn(u, "setregid");
329 #ifdef HAVE_SETRESGID
330 *(void **) (&u->libc.fns._libc_setresgid) = uwrap_libc_fn(u, "setresgid");
332 *(void **) (&u->libc.fns._libc_getegid) = uwrap_libc_fn(u, "getegid");
333 *(void **) (&u->libc.fns._libc_getgroups) = uwrap_libc_fn(u, "getgroups");
334 *(void **) (&u->libc.fns._libc_setgroups) = uwrap_libc_fn(u, "setgroups");
335 *(void **) (&u->libc.fns._libc_getgid) = uwrap_libc_fn(u, "getgid");
337 *(void **) (&u->libc.fns._libc_syscall) = uwrap_libc_fn(u, "syscall");
341 static struct uwrap_thread *find_uwrap_id(pthread_t tid)
343 struct uwrap_thread *id;
345 for (id = uwrap.ids; id; id = id->next) {
346 if (pthread_equal(id->tid, tid)) {
354 static int uwrap_new_id(pthread_t tid, bool do_alloc)
356 struct uwrap_thread *id = uwrap_tls_id;
359 id = malloc(sizeof(struct uwrap_thread));
369 id->ruid = id->euid = id->suid = uwrap.myuid;
370 id->rgid = id->egid = id->sgid = uwrap.mygid;
373 id->groups = malloc(sizeof(gid_t) * id->ngroups);
374 id->groups[0] = uwrap.mygid;
377 UWRAP_DLIST_ADD(uwrap.ids, id);
384 static void uwrap_thread_prepare(void)
386 pthread_mutex_lock(&uwrap_id_mutex);
389 * What happens if another atfork prepare functions calls a uwrap
390 * function? So disable it in case another atfork prepare function
391 * calls a (s)uid function.
393 uwrap.enabled = false;
396 static void uwrap_thread_parent(void)
398 uwrap.enabled = true;
400 pthread_mutex_unlock(&uwrap_id_mutex);
403 static void uwrap_thread_child(void)
405 uwrap.enabled = true;
407 pthread_mutex_unlock(&uwrap_id_mutex);
410 static void uwrap_init(void)
412 const char *env = getenv("UID_WRAPPER");
413 pthread_t tid = pthread_self();
417 if (uwrap.initialised) {
418 struct uwrap_thread *id = uwrap_tls_id;
425 pthread_mutex_lock(&uwrap_id_mutex);
426 id = find_uwrap_id(tid);
428 rc = uwrap_new_id(tid, 1);
433 /* We reuse an old thread id */
436 uwrap_new_id(tid, 0);
438 pthread_mutex_unlock(&uwrap_id_mutex);
444 * If we hold a lock and the application forks, then the child
445 * is not able to unlock the mutex and we are in a deadlock.
446 * This should prevent such deadlocks.
448 pthread_atfork(&uwrap_thread_prepare,
449 &uwrap_thread_parent,
450 &uwrap_thread_child);
452 pthread_mutex_lock(&uwrap_id_mutex);
454 uwrap_libc_init(&uwrap);
456 uwrap.initialised = true;
457 uwrap.enabled = false;
459 if (env != NULL && env[0] == '1') {
460 const char *root = getenv("UID_WRAPPER_ROOT");
463 /* put us in one group */
464 if (root != NULL && root[0] == '1') {
468 uwrap.myuid = uwrap.libc.fns._libc_geteuid();
469 uwrap.mygid = uwrap.libc.fns._libc_getegid();
472 rc = uwrap_new_id(tid, 1);
477 uwrap.enabled = true;
480 pthread_mutex_unlock(&uwrap_id_mutex);
483 static int uwrap_enabled(void)
487 return uwrap.enabled ? 1 : 0;
490 static int uwrap_setresuid_thread(uid_t ruid, uid_t euid, uid_t suid)
492 struct uwrap_thread *id = uwrap_tls_id;
494 if (ruid == (uid_t)-1 && euid == (uid_t)-1 && suid == (uid_t)-1) {
499 pthread_mutex_lock(&uwrap_id_mutex);
500 if (ruid != (uid_t)-1) {
504 if (euid != (uid_t)-1) {
508 if (suid != (uid_t)-1) {
511 pthread_mutex_unlock(&uwrap_id_mutex);
516 static int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid)
518 struct uwrap_thread *id;
520 if (ruid == (uid_t)-1 && euid == (uid_t)-1 && suid == (uid_t)-1) {
525 pthread_mutex_lock(&uwrap_id_mutex);
526 for (id = uwrap.ids; id; id = id->next) {
531 if (ruid != (uid_t)-1) {
535 if (euid != (uid_t)-1) {
539 if (suid != (uid_t)-1) {
543 pthread_mutex_unlock(&uwrap_id_mutex);
551 int setuid(uid_t uid)
553 if (!uwrap_enabled()) {
554 return libc_setuid(uid);
557 return uwrap_setresuid(uid, -1, -1);
561 int seteuid(uid_t euid)
563 if (euid == (uid_t)-1) {
568 if (!uwrap_enabled()) {
569 return uwrap.libc.fns._libc_seteuid(euid);
572 return uwrap_setresuid(-1, euid, -1);
577 int setreuid(uid_t ruid, uid_t euid)
579 if (ruid == (uid_t)-1 && euid == (uid_t)-1) {
584 if (!uwrap_enabled()) {
585 return uwrap.libc.fns._libc_setreuid(ruid, euid);
588 return uwrap_setresuid(ruid, euid, -1);
592 #ifdef HAVE_SETRESUID
593 int setresuid(uid_t ruid, uid_t euid, uid_t suid)
595 if (!uwrap_enabled()) {
596 return uwrap.libc.fns._libc_setresuid(ruid, euid, suid);
599 return uwrap_setresuid(ruid, euid, suid);
606 static uid_t uwrap_getuid(void)
608 struct uwrap_thread *id = uwrap_tls_id;
611 pthread_mutex_lock(&uwrap_id_mutex);
613 pthread_mutex_unlock(&uwrap_id_mutex);
620 if (!uwrap_enabled()) {
621 return libc_getuid();
624 return uwrap_getuid();
630 static uid_t uwrap_geteuid(void)
632 const char *env = getenv("UID_WRAPPER_ROOT");
633 struct uwrap_thread *id = uwrap_tls_id;
636 pthread_mutex_lock(&uwrap_id_mutex);
638 pthread_mutex_unlock(&uwrap_id_mutex);
640 /* Disable root and return myuid */
641 if (env != NULL && env[0] == '2') {
650 if (!uwrap_enabled()) {
651 return uwrap.libc.fns._libc_geteuid();
654 return uwrap_geteuid();
657 static int uwrap_setresgid_thread(gid_t rgid, gid_t egid, gid_t sgid)
659 struct uwrap_thread *id = uwrap_tls_id;
661 if (rgid == (gid_t)-1 && egid == (gid_t)-1 && sgid == (gid_t)-1) {
666 pthread_mutex_lock(&uwrap_id_mutex);
667 if (rgid != (gid_t)-1) {
671 if (egid != (gid_t)-1) {
675 if (sgid != (gid_t)-1) {
678 pthread_mutex_unlock(&uwrap_id_mutex);
683 static int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
685 struct uwrap_thread *id;
687 if (rgid == (gid_t)-1 && egid == (gid_t)-1 && sgid == (gid_t)-1) {
692 pthread_mutex_lock(&uwrap_id_mutex);
693 for (id = uwrap.ids; id; id = id->next) {
698 if (rgid != (gid_t)-1) {
702 if (egid != (gid_t)-1) {
706 if (sgid != (gid_t)-1) {
710 pthread_mutex_unlock(&uwrap_id_mutex);
718 int setgid(gid_t gid)
720 if (!uwrap_enabled()) {
721 return uwrap.libc.fns._libc_setgid(gid);
724 return uwrap_setresgid(gid, -1, -1);
728 int setegid(gid_t egid)
730 if (!uwrap_enabled()) {
731 return uwrap.libc.fns._libc_setegid(egid);
734 return uwrap_setresgid(-1, egid, -1);
739 int setregid(gid_t rgid, gid_t egid)
741 if (!uwrap_enabled()) {
742 return uwrap.libc.fns._libc_setregid(rgid, egid);
745 return uwrap_setresgid(rgid, egid, -1);
749 #ifdef HAVE_SETRESGID
750 int setresgid(gid_t rgid, gid_t egid, gid_t sgid)
752 if (!uwrap_enabled()) {
753 return uwrap.libc.fns._libc_setregid(rgid, egid, sgid);
756 return uwrap_setresgid(rgid, egid, sgid);
763 static gid_t uwrap_getgid(void)
765 struct uwrap_thread *id = uwrap_tls_id;
768 pthread_mutex_lock(&uwrap_id_mutex);
770 pthread_mutex_unlock(&uwrap_id_mutex);
777 if (!uwrap_enabled()) {
778 return uwrap.libc.fns._libc_getgid();
781 return uwrap_getgid();
787 static uid_t uwrap_getegid(void)
789 struct uwrap_thread *id = uwrap_tls_id;
792 pthread_mutex_lock(&uwrap_id_mutex);
794 pthread_mutex_unlock(&uwrap_id_mutex);
801 if (!uwrap_enabled()) {
802 return uwrap.libc.fns._libc_getegid();
805 return uwrap_getegid();
808 static int uwrap_setgroups_thread(size_t size, const gid_t *list)
810 struct uwrap_thread *id = uwrap_tls_id;
813 pthread_mutex_lock(&uwrap_id_mutex);
819 id->groups = malloc(sizeof(gid_t) * size);
820 if (id->groups == NULL) {
825 memcpy(id->groups, list, size * sizeof(gid_t));
830 pthread_mutex_unlock(&uwrap_id_mutex);
835 static int uwrap_setgroups(size_t size, const gid_t *list)
837 struct uwrap_thread *id;
840 pthread_mutex_lock(&uwrap_id_mutex);
841 for (id = uwrap.ids; id; id = id->next) {
847 id->groups = malloc(sizeof(gid_t) * size);
848 if (id->groups == NULL) {
853 memcpy(id->groups, list, size * sizeof(gid_t));
859 pthread_mutex_unlock(&uwrap_id_mutex);
864 #ifdef HAVE_SETGROUPS_INT
865 int setgroups(int size, const gid_t *list)
867 int setgroups(size_t size, const gid_t *list)
870 if (!uwrap_enabled()) {
871 return uwrap.libc.fns._libc_setgroups(size, list);
874 return uwrap_setgroups(size, list);
877 static int uwrap_getgroups(int size, gid_t *list)
879 struct uwrap_thread *id = uwrap_tls_id;
882 pthread_mutex_lock(&uwrap_id_mutex);
883 ngroups = id->ngroups;
885 if (size > ngroups) {
891 if (size < ngroups) {
895 memcpy(list, id->groups, size * sizeof(gid_t));
898 pthread_mutex_unlock(&uwrap_id_mutex);
903 int getgroups(int size, gid_t *list)
905 if (!uwrap_enabled()) {
906 return uwrap.libc.fns._libc_getgroups(size, list);
909 return uwrap_getgroups(size, list);
912 static long int libc_vsyscall(long int sysno, va_list va)
918 for (i = 0; i < 8; i++) {
919 args[i] = va_arg(va, long int);
922 rc = uwrap.libc.fns._libc_syscall(sysno,
935 #if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
936 && (defined(SYS_setreuid) || defined(SYS_setreuid32))
937 static long int uwrap_syscall (long int sysno, va_list vp)
944 #ifdef HAVE_LINUX_32BIT_SYSCALLS
953 #ifdef HAVE_LINUX_32BIT_SYSCALLS
957 rc = uwrap_getegid();
960 #endif /* SYS_getegid */
962 #ifdef HAVE_LINUX_32BIT_SYSCALLS
966 gid_t gid = (gid_t) va_arg(vp, int);
968 rc = uwrap_setresgid_thread(gid, -1, -1);
972 #ifdef HAVE_LINUX_32BIT_SYSCALLS
976 uid_t rgid = (uid_t) va_arg(vp, int);
977 uid_t egid = (uid_t) va_arg(vp, int);
979 rc = uwrap_setresgid_thread(rgid, egid, -1);
984 #ifdef HAVE_LINUX_32BIT_SYSCALLS
985 case SYS_setresgid32:
988 uid_t rgid = (uid_t) va_arg(vp, int);
989 uid_t egid = (uid_t) va_arg(vp, int);
990 uid_t sgid = (uid_t) va_arg(vp, int);
992 rc = uwrap_setresgid_thread(rgid, egid, sgid);
995 #endif /* SYS_setresgid */
999 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1003 rc = uwrap_getuid();
1008 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1012 rc = uwrap_geteuid();
1015 #endif /* SYS_geteuid */
1017 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1021 uid_t uid = (uid_t) va_arg(vp, int);
1023 rc = uwrap_setresuid_thread(uid, -1, -1);
1027 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1028 case SYS_setreuid32:
1031 uid_t ruid = (uid_t) va_arg(vp, int);
1032 uid_t euid = (uid_t) va_arg(vp, int);
1034 rc = uwrap_setresuid_thread(ruid, euid, -1);
1037 #ifdef SYS_setresuid
1039 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1040 case SYS_setresuid32:
1043 uid_t ruid = (uid_t) va_arg(vp, int);
1044 uid_t euid = (uid_t) va_arg(vp, int);
1045 uid_t suid = (uid_t) va_arg(vp, int);
1047 rc = uwrap_setresuid_thread(ruid, euid, suid);
1050 #endif /* SYS_setresuid */
1054 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1055 case SYS_setgroups32:
1058 size_t size = (size_t) va_arg(vp, size_t);
1059 gid_t *list = (gid_t *) va_arg(vp, int *);
1061 rc = uwrap_setgroups_thread(size, list);
1065 UWRAP_DEBUG("UID_WRAPPER calling non-wrapped syscall "
1068 rc = libc_vsyscall(sysno, vp);
1076 #ifdef HAVE_SYSCALL_INT
1077 int syscall (int sysno, ...)
1079 long int syscall (long int sysno, ...)
1082 #ifdef HAVE_SYSCALL_INT
1089 va_start(va, sysno);
1091 if (!uwrap_enabled()) {
1092 rc = libc_vsyscall(sysno, va);
1097 rc = uwrap_syscall(sysno, va);
1102 #endif /* HAVE_SYSCALL */
1103 #endif /* HAVE_SYS_SYSCALL_H || HAVE_SYSCALL_H */
git.samba.org / uid_wrapper.git / blob