2 * Copyright (c) 2009 Andrew Tridgell
3 * Copyright (c) 2011-2013 Andreas Schneider <asn@samba.org>
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/types.h>
30 #ifdef HAVE_SYS_SYSCALL_H
31 #include <sys/syscall.h>
40 #ifdef HAVE_GCC_THREAD_LOCAL_STORAGE
41 # define UWRAP_THREAD __thread
46 # define UWRAP_LOCK(m) do { \
47 pthread_mutex_lock(&( m ## _mutex)); \
50 # define UWRAP_UNLOCK(m) do { \
51 pthread_mutex_unlock(&( m ## _mutex)); \
54 /* Add new global locks here please */
55 # define UWRAP_LOCK_ALL \
56 UWRAP_LOCK(uwrap_id); \
57 UWRAP_LOCK(libc_symbol_binding); \
58 UWRAP_LOCK(libpthread_symbol_binding)
60 # define UWRAP_UNLOCK_ALL \
61 UWRAP_UNLOCK(libpthread_symbol_binding); \
62 UWRAP_UNLOCK(libc_symbol_binding); \
63 UWRAP_UNLOCK(uwrap_id)
65 #ifdef HAVE_CONSTRUCTOR_ATTRIBUTE
66 #define CONSTRUCTOR_ATTRIBUTE __attribute__ ((constructor))
68 #define CONSTRUCTOR_ATTRIBUTE
69 #endif /* HAVE_CONSTRUCTOR_ATTRIBUTE */
71 #ifdef HAVE_DESTRUCTOR_ATTRIBUTE
72 #define DESTRUCTOR_ATTRIBUTE __attribute__ ((destructor))
74 #define DESTRUCTOR_ATTRIBUTE
75 #endif /* HAVE_DESTRUCTOR_ATTRIBUTE */
77 #ifdef HAVE_ADDRESS_SANITIZER_ATTRIBUTE
78 #define DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE __attribute__((no_sanitize_address))
79 #else /* DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE */
80 #define DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE
81 #endif /* DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE */
83 /* GCC have printf type attribute check. */
84 #ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
85 #define PRINTF_ATTRIBUTE(a,b) __attribute__ ((__format__ (__printf__, a, b)))
87 #define PRINTF_ATTRIBUTE(a,b)
88 #endif /* HAVE_FUNCTION_ATTRIBUTE_FORMAT */
90 #define UWRAP_DLIST_ADD(list,item) do { \
92 (item)->prev = NULL; \
93 (item)->next = NULL; \
96 (item)->prev = NULL; \
97 (item)->next = (list); \
98 (list)->prev = (item); \
103 #define UWRAP_DLIST_REMOVE(list,item) do { \
104 if ((list) == (item)) { \
105 (list) = (item)->next; \
107 (list)->prev = NULL; \
110 if ((item)->prev) { \
111 (item)->prev->next = (item)->next; \
113 if ((item)->next) { \
114 (item)->next->prev = (item)->prev; \
117 (item)->prev = NULL; \
118 (item)->next = NULL; \
122 #define SAFE_FREE(x) do { if ((x) != NULL) {free(x); (x)=NULL;} } while(0)
129 enum uwrap_dbglvl_e {
137 # define UWRAP_LOG(...)
139 static void uwrap_log(enum uwrap_dbglvl_e dbglvl, const char *function, const char *format, ...) PRINTF_ATTRIBUTE(3, 4);
140 # define UWRAP_LOG(dbglvl, ...) uwrap_log((dbglvl), __func__, __VA_ARGS__)
142 static void uwrap_log(enum uwrap_dbglvl_e dbglvl, const char *function, const char *format, ...)
147 unsigned int lvl = 0;
149 d = getenv("UID_WRAPPER_DEBUGLEVEL");
154 va_start(va, format);
155 vsnprintf(buffer, sizeof(buffer), format, va);
161 case UWRAP_LOG_ERROR:
162 prefix = "UWRAP_ERROR";
165 prefix = "UWRAP_WARN";
167 case UWRAP_LOG_DEBUG:
168 prefix = "UWRAP_DEBUG";
170 case UWRAP_LOG_TRACE:
171 prefix = "UWRAP_TRACE";
189 #define LIBC_NAME "libc.so"
191 typedef int (*__libc_setuid)(uid_t uid);
193 typedef uid_t (*__libc_getuid)(void);
196 typedef int (*__libc_seteuid)(uid_t euid);
200 typedef int (*__libc_setreuid)(uid_t ruid, uid_t euid);
203 #ifdef HAVE_SETRESUID
204 typedef int (*__libc_setresuid)(uid_t ruid, uid_t euid, uid_t suid);
207 #ifdef HAVE_GETRESUID
208 typedef int (*__libc_getresuid)(uid_t *ruid, uid_t *euid, uid_t *suid);
211 typedef uid_t (*__libc_geteuid)(void);
213 typedef int (*__libc_setgid)(gid_t gid);
215 typedef gid_t (*__libc_getgid)(void);
218 typedef int (*__libc_setegid)(uid_t egid);
222 typedef int (*__libc_setregid)(uid_t rgid, uid_t egid);
225 #ifdef HAVE_SETRESGID
226 typedef int (*__libc_setresgid)(uid_t rgid, uid_t egid, uid_t sgid);
229 #ifdef HAVE_GETRESGID
230 typedef int (*__libc_getresgid)(gid_t *rgid, gid_t *egid, gid_t *sgid);
233 typedef gid_t (*__libc_getegid)(void);
235 typedef int (*__libc_getgroups)(int size, gid_t list[]);
237 typedef int (*__libc_setgroups)(size_t size, const gid_t *list);
240 typedef long int (*__libc_syscall)(long int sysno, ...);
243 #define UWRAP_SYMBOL_ENTRY(i) \
249 struct uwrap_libc_symbols {
250 UWRAP_SYMBOL_ENTRY(setuid);
251 UWRAP_SYMBOL_ENTRY(getuid);
253 UWRAP_SYMBOL_ENTRY(seteuid);
256 UWRAP_SYMBOL_ENTRY(setreuid);
258 #ifdef HAVE_SETRESUID
259 UWRAP_SYMBOL_ENTRY(setresuid);
261 #ifdef HAVE_GETRESUID
262 UWRAP_SYMBOL_ENTRY(getresuid);
264 UWRAP_SYMBOL_ENTRY(geteuid);
265 UWRAP_SYMBOL_ENTRY(setgid);
266 UWRAP_SYMBOL_ENTRY(getgid);
268 UWRAP_SYMBOL_ENTRY(setegid);
271 UWRAP_SYMBOL_ENTRY(setregid);
273 #ifdef HAVE_SETRESGID
274 UWRAP_SYMBOL_ENTRY(setresgid);
276 #ifdef HAVE_GETRESGID
277 UWRAP_SYMBOL_ENTRY(getresgid);
279 UWRAP_SYMBOL_ENTRY(getegid);
280 UWRAP_SYMBOL_ENTRY(getgroups);
281 UWRAP_SYMBOL_ENTRY(setgroups);
283 UWRAP_SYMBOL_ENTRY(syscall);
286 #undef UWRAP_SYMBOL_ENTRY
291 /* Yeah... I'm pig. I overloading macro here... So what? */
292 #define UWRAP_SYMBOL_ENTRY(i) \
294 __libpthread_##i f; \
298 typedef int (*__libpthread_pthread_create)(pthread_t *thread,
299 const pthread_attr_t *attr,
300 void *(*start_routine) (void *),
302 typedef void (*__libpthread_pthread_exit)(void *retval);
304 struct uwrap_libpthread_symbols {
305 UWRAP_SYMBOL_ENTRY(pthread_create);
306 UWRAP_SYMBOL_ENTRY(pthread_exit);
308 #undef UWRAP_SYMBOL_ENTRY
311 * We keep the virtualised euid/egid/groups information here
313 struct uwrap_thread {
327 struct uwrap_thread *next;
328 struct uwrap_thread *prev;
334 struct uwrap_libc_symbols symbols;
339 struct uwrap_libpthread_symbols symbols;
344 /* Real uid and gid of user who run uid wrapper */
348 struct uwrap_thread *ids;
351 static struct uwrap uwrap;
353 /* Shortcut to the list item */
354 static UWRAP_THREAD struct uwrap_thread *uwrap_tls_id;
356 /* The mutex or accessing the id */
357 static pthread_mutex_t uwrap_id_mutex = PTHREAD_MUTEX_INITIALIZER;
359 /* The mutex for accessing the global libc.symbols */
360 static pthread_mutex_t libc_symbol_binding_mutex = PTHREAD_MUTEX_INITIALIZER;
362 /* The mutex for accessing the global libpthread.symbols */
363 static pthread_mutex_t libpthread_symbol_binding_mutex = PTHREAD_MUTEX_INITIALIZER;
365 /*********************************************************
367 *********************************************************/
369 bool uid_wrapper_enabled(void);
370 void uwrap_constructor(void) CONSTRUCTOR_ATTRIBUTE;
371 void uwrap_destructor(void) DESTRUCTOR_ATTRIBUTE;
373 /*********************************************************
374 * UWRAP LIBC LOADER FUNCTIONS
375 *********************************************************/
384 static void *uwrap_load_lib_handle(enum uwrap_lib lib)
386 int flags = RTLD_LAZY;
391 flags |= RTLD_DEEPBIND;
397 case UWRAP_LIBSOCKET:
400 handle = uwrap.libc.handle;
401 if (handle == NULL) {
402 for (i = 10; i >= 0; i--) {
403 char soname[256] = {0};
405 snprintf(soname, sizeof(soname), "libc.so.%d", i);
406 handle = dlopen(soname, flags);
407 if (handle != NULL) {
412 uwrap.libc.handle = handle;
415 case UWRAP_LIBPTHREAD:
416 handle = uwrap.libpthread.handle;
417 if (handle == NULL) {
418 handle = dlopen("libpthread.so.0", flags);
419 if (handle != NULL) {
426 if (handle == NULL) {
428 handle = uwrap.libc.handle = RTLD_NEXT;
431 "Failed to dlopen library: %s\n",
440 static void *_uwrap_bind_symbol(enum uwrap_lib lib, const char *fn_name)
445 handle = uwrap_load_lib_handle(lib);
447 func = dlsym(handle, fn_name);
450 "Failed to find %s: %s\n",
458 #define uwrap_bind_symbol_libc(sym_name) \
459 UWRAP_LOCK(libc_symbol_binding); \
460 if (uwrap.libc.symbols._libc_##sym_name.obj == NULL) { \
461 uwrap.libc.symbols._libc_##sym_name.obj = \
462 _uwrap_bind_symbol(UWRAP_LIBC, #sym_name); \
464 UWRAP_UNLOCK(libc_symbol_binding)
466 #define uwrap_bind_symbol_libpthread(sym_name) \
467 UWRAP_LOCK(libpthread_symbol_binding); \
468 if (uwrap.libpthread.symbols._libpthread_##sym_name.obj == NULL) { \
469 uwrap.libpthread.symbols._libpthread_##sym_name.obj = \
470 _uwrap_bind_symbol(UWRAP_LIBPTHREAD, #sym_name); \
472 UWRAP_UNLOCK(libpthread_symbol_binding)
477 * Functions expeciall from libc need to be loaded individually, you can't load
478 * all at once or gdb will segfault at startup. The same applies to valgrind and
479 * has probably something todo with with the linker.
480 * So we need load each function at the point it is called the first time.
482 static int libc_setuid(uid_t uid)
484 uwrap_bind_symbol_libc(setuid);
486 return uwrap.libc.symbols._libc_setuid.f(uid);
489 static uid_t libc_getuid(void)
491 uwrap_bind_symbol_libc(getuid);
493 return uwrap.libc.symbols._libc_getuid.f();
497 static int libc_seteuid(uid_t euid)
499 uwrap_bind_symbol_libc(seteuid);
501 return uwrap.libc.symbols._libc_seteuid.f(euid);
506 static int libc_setreuid(uid_t ruid, uid_t euid)
508 uwrap_bind_symbol_libc(setreuid);
510 return uwrap.libc.symbols._libc_setreuid.f(ruid, euid);
514 #ifdef HAVE_SETRESUID
515 static int libc_setresuid(uid_t ruid, uid_t euid, uid_t suid)
517 uwrap_bind_symbol_libc(setresuid);
519 return uwrap.libc.symbols._libc_setresuid.f(ruid, euid, suid);
523 #ifdef HAVE_GETRESUID
524 static int libc_getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
526 uwrap_bind_symbol_libc(getresuid);
528 return uwrap.libc.symbols._libc_getresuid.f(ruid, euid, suid);
532 static uid_t libc_geteuid(void)
534 uwrap_bind_symbol_libc(geteuid);
536 return uwrap.libc.symbols._libc_geteuid.f();
539 static int libc_setgid(gid_t gid)
541 uwrap_bind_symbol_libc(setgid);
543 return uwrap.libc.symbols._libc_setgid.f(gid);
546 static gid_t libc_getgid(void)
548 uwrap_bind_symbol_libc(getgid);
550 return uwrap.libc.symbols._libc_getgid.f();
554 static int libc_setegid(gid_t egid)
556 uwrap_bind_symbol_libc(setegid);
558 return uwrap.libc.symbols._libc_setegid.f(egid);
563 static int libc_setregid(gid_t rgid, gid_t egid)
565 uwrap_bind_symbol_libc(setregid);
567 return uwrap.libc.symbols._libc_setregid.f(rgid, egid);
571 #ifdef HAVE_SETRESGID
572 static int libc_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
574 uwrap_bind_symbol_libc(setresgid);
576 return uwrap.libc.symbols._libc_setresgid.f(rgid, egid, sgid);
580 #ifdef HAVE_GETRESGID
581 static int libc_getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
583 uwrap_bind_symbol_libc(setresgid);
585 return uwrap.libc.symbols._libc_getresgid.f(rgid, egid, sgid);
589 static gid_t libc_getegid(void)
591 uwrap_bind_symbol_libc(getegid);
593 return uwrap.libc.symbols._libc_getegid.f();
596 static int libc_getgroups(int size, gid_t list[])
598 uwrap_bind_symbol_libc(getgroups);
600 return uwrap.libc.symbols._libc_getgroups.f(size, list);
603 static int libc_setgroups(size_t size, const gid_t *list)
605 uwrap_bind_symbol_libc(setgroups);
607 return uwrap.libc.symbols._libc_setgroups.f(size, list);
611 DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE
612 static long int libc_vsyscall(long int sysno, va_list va)
618 uwrap_bind_symbol_libc(syscall);
620 for (i = 0; i < 8; i++) {
621 args[i] = va_arg(va, long int);
624 rc = uwrap.libc.symbols._libc_syscall.f(sysno,
639 * This part is "optimistic".
640 * Thread can ends without pthread_exit call.
642 static void libpthread_pthread_exit(void *retval)
644 uwrap_bind_symbol_libpthread(pthread_exit);
646 uwrap.libpthread.symbols._libpthread_pthread_exit.f(retval);
649 static void uwrap_pthread_exit(void *retval)
651 struct uwrap_thread *id = uwrap_tls_id;
653 UWRAP_LOG(UWRAP_LOG_DEBUG, "Cleanup thread");
655 UWRAP_LOCK(uwrap_id);
657 UWRAP_UNLOCK(uwrap_id);
658 libpthread_pthread_exit(retval);
662 UWRAP_DLIST_REMOVE(uwrap.ids, id);
663 SAFE_FREE(id->groups);
667 UWRAP_UNLOCK(uwrap_id);
669 libpthread_pthread_exit(retval);
672 void pthread_exit(void *retval)
674 if (!uid_wrapper_enabled()) {
675 libpthread_pthread_exit(retval);
678 uwrap_pthread_exit(retval);
680 /* Calm down gcc warning. */
684 static int libpthread_pthread_create(pthread_t *thread,
685 const pthread_attr_t *attr,
686 void *(*start_routine) (void *),
689 uwrap_bind_symbol_libpthread(pthread_create);
690 return uwrap.libpthread.symbols._libpthread_pthread_create.f(thread,
696 struct uwrap_pthread_create_args {
697 struct uwrap_thread *id;
698 void *(*start_routine) (void *);
702 static void *uwrap_pthread_create_start(void *_a)
704 struct uwrap_pthread_create_args *a =
705 (struct uwrap_pthread_create_args *)_a;
706 void *(*start_routine) (void *) = a->start_routine;
708 struct uwrap_thread *id = a->id;
714 return start_routine(arg);
717 static int uwrap_pthread_create(pthread_t *thread,
718 const pthread_attr_t *attr,
719 void *(*start_routine) (void *),
722 struct uwrap_pthread_create_args *args;
723 struct uwrap_thread *src_id = uwrap_tls_id;
726 args = malloc(sizeof(struct uwrap_pthread_create_args));
728 UWRAP_LOG(UWRAP_LOG_ERROR,
729 "uwrap_pthread_create: Unable to allocate memory");
733 args->start_routine = start_routine;
736 args->id = calloc(1, sizeof(struct uwrap_thread));
737 if (args->id == NULL) {
739 UWRAP_LOG(UWRAP_LOG_ERROR,
740 "uwrap_pthread_create: Unable to allocate memory");
745 UWRAP_LOCK(uwrap_id);
747 args->id->groups = malloc(sizeof(gid_t) * src_id->ngroups);
748 if (args->id->groups == NULL) {
749 UWRAP_UNLOCK(uwrap_id);
752 UWRAP_LOG(UWRAP_LOG_ERROR,
753 "uwrap_pthread_create: Unable to allocate memory again");
758 args->id->ruid = src_id->ruid;
759 args->id->euid = src_id->euid;
760 args->id->suid = src_id->suid;
762 args->id->rgid = src_id->rgid;
763 args->id->egid = src_id->egid;
764 args->id->sgid = src_id->sgid;
766 args->id->enabled = src_id->enabled;
768 args->id->ngroups = src_id->ngroups;
769 if (src_id->groups != NULL) {
770 memcpy(args->id->groups, src_id->groups,
771 sizeof(gid_t) * src_id->ngroups);
773 SAFE_FREE(args->id->groups);
776 UWRAP_DLIST_ADD(uwrap.ids, args->id);
777 UWRAP_UNLOCK(uwrap_id);
779 ret = libpthread_pthread_create(thread, attr,
780 uwrap_pthread_create_start,
789 int pthread_create(pthread_t *thread,
790 const pthread_attr_t *attr,
791 void *(*start_routine) (void *),
794 if (!uid_wrapper_enabled()) {
795 return libpthread_pthread_create(thread,
801 return uwrap_pthread_create(thread,
807 /*********************************************************
809 *********************************************************/
811 static void uwrap_thread_prepare(void)
813 struct uwrap_thread *id = uwrap_tls_id;
815 /* uid_wrapper is loaded but not enabled */
823 * What happens if another atfork prepare functions calls a uwrap
824 * function? So disable it in case another atfork prepare function
825 * calls a (s)uid function. We disable uid_wrapper only for thread
826 * (process) which called fork.
831 static void uwrap_thread_parent(void)
833 struct uwrap_thread *id = uwrap_tls_id;
835 /* uid_wrapper is loaded but not enabled */
845 static void uwrap_thread_child(void)
847 struct uwrap_thread *id = uwrap_tls_id;
848 struct uwrap_thread *u = uwrap.ids;
850 /* uid_wrapper is loaded but not enabled */
856 * "Garbage collector" - Inspired by DESTRUCTOR.
857 * All threads (except one which called fork()) are dead now.. Dave
858 * That's what posix said...
862 /* Skip this item. */
867 UWRAP_DLIST_REMOVE(uwrap.ids, u);
869 SAFE_FREE(u->groups);
880 static void uwrap_init(void)
884 UWRAP_LOCK(uwrap_id);
886 if (uwrap.initialised) {
887 struct uwrap_thread *id = uwrap_tls_id;
889 if (uwrap.ids == NULL) {
890 UWRAP_UNLOCK(uwrap_id);
895 UWRAP_LOG(UWRAP_LOG_ERROR,
896 "Invalid id for thread");
900 UWRAP_UNLOCK(uwrap_id);
904 UWRAP_LOG(UWRAP_LOG_DEBUG, "Initialize uid_wrapper");
906 uwrap.initialised = true;
908 env = getenv("UID_WRAPPER");
909 if (env != NULL && env[0] == '1') {
910 const char *root = getenv("UID_WRAPPER_ROOT");
911 struct uwrap_thread *id;
913 id = calloc(1, sizeof(struct uwrap_thread));
915 UWRAP_LOG(UWRAP_LOG_ERROR,
916 "Unable to allocate memory for main id");
920 UWRAP_DLIST_ADD(uwrap.ids, id);
923 uwrap.myuid = libc_geteuid();
924 uwrap.mygid = libc_getegid();
926 /* put us in one group */
927 if (root != NULL && root[0] == '1') {
928 id->ruid = id->euid = id->suid = 0;
929 id->rgid = id->egid = id->sgid = 0;
931 id->groups = malloc(sizeof(gid_t) * 1);
932 if (id->groups == NULL) {
933 UWRAP_LOG(UWRAP_LOG_ERROR,
934 "Unable to allocate memory");
942 id->ruid = id->euid = id->suid = uwrap.myuid;
943 id->rgid = id->egid = id->sgid = uwrap.mygid;
945 id->ngroups = libc_getgroups(0, NULL);
946 if (id->ngroups == -1) {
947 UWRAP_LOG(UWRAP_LOG_ERROR,
948 "Unable to call libc_getgroups in uwrap_init.");
951 id->groups = malloc(sizeof(gid_t) * id->ngroups);
952 if (id->groups == NULL) {
953 UWRAP_LOG(UWRAP_LOG_ERROR, "Unable to allocate memory");
956 if (libc_getgroups(id->ngroups, id->groups) == -1) {
957 UWRAP_LOG(UWRAP_LOG_ERROR,
958 "Unable to call libc_getgroups again in uwrap_init.");
961 * Deallocation of uwrap.groups is handled by
962 * library destructor.
970 UWRAP_LOG(UWRAP_LOG_DEBUG,
971 "Enabled uid_wrapper as %s (real uid=%u)",
972 id->ruid == 0 ? "root" : "user",
973 (unsigned int)uwrap.myuid);
976 UWRAP_UNLOCK(uwrap_id);
978 UWRAP_LOG(UWRAP_LOG_DEBUG, "Succeccfully initialized uid_wrapper");
981 bool uid_wrapper_enabled(void)
983 struct uwrap_thread *id = uwrap_tls_id;
990 UWRAP_LOCK(uwrap_id);
991 enabled = id->enabled;
992 UWRAP_UNLOCK(uwrap_id);
998 * UWRAP_SETxUID FUNCTIONS
1001 static int uwrap_setresuid_args(uid_t ruid, uid_t euid, uid_t suid)
1003 struct uwrap_thread *id = uwrap_tls_id;
1005 UWRAP_LOG(UWRAP_LOG_TRACE,
1006 "ruid %d -> %d, euid %d -> %d, suid %d -> %d",
1007 id->ruid, ruid, id->euid, euid, id->suid, suid);
1009 if (id->euid != 0) {
1010 if (ruid != (uid_t)-1 &&
1017 if (euid != (uid_t)-1 &&
1024 if (suid != (uid_t)-1 &&
1036 static int uwrap_setresuid_thread(uid_t ruid, uid_t euid, uid_t suid)
1038 struct uwrap_thread *id = uwrap_tls_id;
1041 UWRAP_LOG(UWRAP_LOG_TRACE,
1042 "ruid %d -> %d, euid %d -> %d, suid %d -> %d",
1043 id->ruid, ruid, id->euid, euid, id->suid, suid);
1045 rc = uwrap_setresuid_args(ruid, euid, suid);
1050 UWRAP_LOCK(uwrap_id);
1052 if (ruid != (uid_t)-1) {
1056 if (euid != (uid_t)-1) {
1060 if (suid != (uid_t)-1) {
1064 UWRAP_UNLOCK(uwrap_id);
1069 static int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid)
1071 struct uwrap_thread *id = uwrap_tls_id;
1074 UWRAP_LOG(UWRAP_LOG_TRACE,
1075 "ruid %d -> %d, euid %d -> %d, suid %d -> %d",
1076 id->ruid, ruid, id->euid, euid, id->suid, suid);
1078 rc = uwrap_setresuid_args(ruid, euid, suid);
1083 UWRAP_LOCK(uwrap_id);
1085 for (id = uwrap.ids; id; id = id->next) {
1086 if (ruid != (uid_t)-1) {
1090 if (euid != (uid_t)-1) {
1094 if (suid != (uid_t)-1) {
1099 UWRAP_UNLOCK(uwrap_id);
1104 static int uwrap_setreuid_args(uid_t ruid, uid_t euid,
1109 struct uwrap_thread *id = uwrap_tls_id;
1110 uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
1112 UWRAP_LOG(UWRAP_LOG_TRACE,
1113 "ruid %d -> %d, euid %d -> %d",
1114 id->ruid, ruid, id->euid, euid);
1116 if (ruid != (uid_t)-1) {
1118 if (ruid != id->ruid &&
1126 if (euid != (uid_t)-1) {
1128 if (euid != id->ruid &&
1137 if (ruid != (uid_t) -1 ||
1138 (euid != (uid_t)-1 && id->ruid != euid)) {
1139 new_suid = new_euid;
1142 *_new_ruid = new_ruid;
1143 *_new_euid = new_euid;
1144 *_new_suid = new_suid;
1149 static int uwrap_setreuid_thread(uid_t ruid, uid_t euid)
1151 struct uwrap_thread *id = uwrap_tls_id;
1152 uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
1155 UWRAP_LOG(UWRAP_LOG_TRACE,
1156 "ruid %d -> %d, euid %d -> %d",
1157 id->ruid, ruid, id->euid, euid);
1159 rc = uwrap_setreuid_args(ruid, euid, &new_ruid, &new_euid, &new_suid);
1164 return uwrap_setresuid_thread(new_ruid, new_euid, new_suid);
1167 #ifdef HAVE_SETREUID
1168 static int uwrap_setreuid(uid_t ruid, uid_t euid)
1170 struct uwrap_thread *id = uwrap_tls_id;
1171 uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
1174 UWRAP_LOG(UWRAP_LOG_TRACE,
1175 "ruid %d -> %d, euid %d -> %d",
1176 id->ruid, ruid, id->euid, euid);
1178 rc = uwrap_setreuid_args(ruid, euid, &new_ruid, &new_euid, &new_suid);
1183 return uwrap_setresuid(new_ruid, new_euid, new_suid);
1187 static int uwrap_setuid_args(uid_t uid,
1192 struct uwrap_thread *id = uwrap_tls_id;
1194 UWRAP_LOG(UWRAP_LOG_TRACE,
1198 if (uid == (uid_t)-1) {
1203 if (id->euid == 0) {
1204 *new_suid = *new_ruid = uid;
1205 } else if (uid != id->ruid &&
1216 static int uwrap_setuid_thread(uid_t uid)
1218 uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
1221 rc = uwrap_setuid_args(uid, &new_ruid, &new_euid, &new_suid);
1226 return uwrap_setresuid_thread(new_ruid, new_euid, new_suid);
1229 static int uwrap_setuid(uid_t uid)
1231 uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
1234 rc = uwrap_setuid_args(uid, &new_ruid, &new_euid, &new_suid);
1239 return uwrap_setresuid(new_ruid, new_euid, new_suid);
1243 * UWRAP_GETxUID FUNCTIONS
1246 #ifdef HAVE_GETRESUID
1247 static int uwrap_getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
1249 struct uwrap_thread *id = uwrap_tls_id;
1251 UWRAP_LOCK(uwrap_id);
1257 UWRAP_UNLOCK(uwrap_id);
1263 #ifdef HAVE_GETRESGID
1264 static int uwrap_getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
1266 struct uwrap_thread *id = uwrap_tls_id;
1268 UWRAP_LOCK(uwrap_id);
1274 UWRAP_UNLOCK(uwrap_id);
1281 * UWRAP_SETxGID FUNCTIONS
1284 static int uwrap_setresgid_args(gid_t rgid, gid_t egid, gid_t sgid)
1286 struct uwrap_thread *id = uwrap_tls_id;
1288 UWRAP_LOG(UWRAP_LOG_TRACE,
1289 "rgid %d -> %d, egid %d -> %d, sgid %d -> %d",
1290 id->rgid, rgid, id->egid, egid, id->sgid, sgid);
1292 if (id->euid != 0) {
1293 if (rgid != (gid_t)-1 &&
1300 if (egid != (gid_t)-1 &&
1307 if (sgid != (gid_t)-1 &&
1319 static int uwrap_setresgid_thread(gid_t rgid, gid_t egid, gid_t sgid)
1321 struct uwrap_thread *id = uwrap_tls_id;
1324 UWRAP_LOG(UWRAP_LOG_TRACE,
1325 "rgid %d -> %d, egid %d -> %d, sgid %d -> %d",
1326 id->rgid, rgid, id->egid, egid, id->sgid, sgid);
1328 rc = uwrap_setresgid_args(rgid, egid, sgid);
1333 UWRAP_LOCK(uwrap_id);
1335 if (rgid != (gid_t)-1) {
1339 if (egid != (gid_t)-1) {
1343 if (sgid != (gid_t)-1) {
1347 UWRAP_UNLOCK(uwrap_id);
1352 static int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
1354 struct uwrap_thread *id = uwrap_tls_id;
1357 UWRAP_LOG(UWRAP_LOG_TRACE,
1358 "rgid %d -> %d, egid %d -> %d, sgid %d -> %d",
1359 id->rgid, rgid, id->egid, egid, id->sgid, sgid);
1361 rc = uwrap_setresgid_args(rgid, egid, sgid);
1366 UWRAP_LOCK(uwrap_id);
1368 for (id = uwrap.ids; id; id = id->next) {
1369 if (rgid != (gid_t)-1) {
1373 if (egid != (gid_t)-1) {
1377 if (sgid != (gid_t)-1) {
1382 UWRAP_UNLOCK(uwrap_id);
1390 int setuid(uid_t uid)
1392 if (!uid_wrapper_enabled()) {
1393 return libc_setuid(uid);
1397 return uwrap_setuid(uid);
1401 int seteuid(uid_t euid)
1403 if (!uid_wrapper_enabled()) {
1404 return libc_seteuid(euid);
1407 /* On FreeBSD the uid_t -1 is set and doesn't produce and error */
1408 if (euid == (uid_t)-1) {
1414 return uwrap_setresuid(-1, euid, -1);
1418 #ifdef HAVE_SETREUID
1419 int setreuid(uid_t ruid, uid_t euid)
1421 if (!uid_wrapper_enabled()) {
1422 return libc_setreuid(ruid, euid);
1426 return uwrap_setreuid(ruid, euid);
1430 #ifdef HAVE_SETRESUID
1431 int setresuid(uid_t ruid, uid_t euid, uid_t suid)
1433 if (!uid_wrapper_enabled()) {
1434 return libc_setresuid(ruid, euid, suid);
1438 return uwrap_setresuid(ruid, euid, suid);
1442 #ifdef HAVE_GETRESUID
1443 int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
1445 if (!uid_wrapper_enabled()) {
1446 return libc_getresuid(ruid, euid, suid);
1450 return uwrap_getresuid(ruid, euid, suid);
1457 static uid_t uwrap_getuid(void)
1459 struct uwrap_thread *id = uwrap_tls_id;
1462 UWRAP_LOCK(uwrap_id);
1464 UWRAP_UNLOCK(uwrap_id);
1471 if (!uid_wrapper_enabled()) {
1472 return libc_getuid();
1476 return uwrap_getuid();
1482 static uid_t uwrap_geteuid(void)
1484 const char *env = getenv("UID_WRAPPER_MYUID");
1485 struct uwrap_thread *id = uwrap_tls_id;
1488 UWRAP_LOCK(uwrap_id);
1490 UWRAP_UNLOCK(uwrap_id);
1492 /* Disable root and return myuid */
1493 if (env != NULL && env[0] == '1') {
1502 if (!uid_wrapper_enabled()) {
1503 return libc_geteuid();
1507 return uwrap_geteuid();
1513 int setgid(gid_t gid)
1515 if (!uid_wrapper_enabled()) {
1516 return libc_setgid(gid);
1520 return uwrap_setresgid(gid, -1, -1);
1524 int setegid(gid_t egid)
1526 if (!uid_wrapper_enabled()) {
1527 return libc_setegid(egid);
1531 return uwrap_setresgid(-1, egid, -1);
1535 #ifdef HAVE_SETREGID
1536 int setregid(gid_t rgid, gid_t egid)
1538 if (!uid_wrapper_enabled()) {
1539 return libc_setregid(rgid, egid);
1543 return uwrap_setresgid(rgid, egid, -1);
1547 #ifdef HAVE_SETRESGID
1548 int setresgid(gid_t rgid, gid_t egid, gid_t sgid)
1550 if (!uid_wrapper_enabled()) {
1551 return libc_setresgid(rgid, egid, sgid);
1555 return uwrap_setresgid(rgid, egid, sgid);
1559 #ifdef HAVE_GETRESGID
1560 int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
1562 if (!uid_wrapper_enabled()) {
1563 return libc_getresgid(rgid, egid, sgid);
1567 return uwrap_getresgid(rgid, egid, sgid);
1574 static gid_t uwrap_getgid(void)
1576 struct uwrap_thread *id = uwrap_tls_id;
1579 UWRAP_LOCK(uwrap_id);
1581 UWRAP_UNLOCK(uwrap_id);
1588 if (!uid_wrapper_enabled()) {
1589 return libc_getgid();
1593 return uwrap_getgid();
1599 static uid_t uwrap_getegid(void)
1601 struct uwrap_thread *id = uwrap_tls_id;
1604 UWRAP_LOCK(uwrap_id);
1606 UWRAP_UNLOCK(uwrap_id);
1613 if (!uid_wrapper_enabled()) {
1614 return libc_getegid();
1618 return uwrap_getegid();
1621 static int uwrap_setgroups_thread(size_t size, const gid_t *list)
1623 struct uwrap_thread *id = uwrap_tls_id;
1626 UWRAP_LOCK(uwrap_id);
1629 SAFE_FREE(id->groups);
1631 } else if (size > 0) {
1634 tmp = realloc(id->groups, sizeof(gid_t) * size);
1641 memcpy(id->groups, list, size * sizeof(gid_t));
1646 UWRAP_UNLOCK(uwrap_id);
1651 static int uwrap_setgroups(size_t size, const gid_t *list)
1653 struct uwrap_thread *id;
1656 UWRAP_LOCK(uwrap_id);
1659 for (id = uwrap.ids; id; id = id->next) {
1660 SAFE_FREE(id->groups);
1664 } else if (size > 0) {
1667 for (id = uwrap.ids; id; id = id->next) {
1668 tmp = realloc(id->groups, sizeof(gid_t) * size);
1676 memcpy(id->groups, list, size * sizeof(gid_t));
1682 UWRAP_UNLOCK(uwrap_id);
1687 #ifdef HAVE_SETGROUPS_INT
1688 int setgroups(int size, const gid_t *list)
1690 int setgroups(size_t size, const gid_t *list)
1693 if (!uid_wrapper_enabled()) {
1694 return libc_setgroups(size, list);
1698 return uwrap_setgroups(size, list);
1701 static int uwrap_getgroups(int size, gid_t *list)
1703 struct uwrap_thread *id = uwrap_tls_id;
1706 UWRAP_LOCK(uwrap_id);
1707 ngroups = id->ngroups;
1709 if (size > ngroups) {
1715 if (size < ngroups) {
1719 memcpy(list, id->groups, size * sizeof(gid_t));
1722 UWRAP_UNLOCK(uwrap_id);
1727 int getgroups(int size, gid_t *list)
1729 if (!uid_wrapper_enabled()) {
1730 return libc_getgroups(size, list);
1734 return uwrap_getgroups(size, list);
1737 #if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
1738 && (defined(SYS_setreuid) || defined(SYS_setreuid32))
1739 static long int uwrap_syscall (long int sysno, va_list vp)
1746 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1750 rc = uwrap_getgid();
1755 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1759 rc = uwrap_getegid();
1762 #endif /* SYS_getegid */
1764 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1768 gid_t gid = (gid_t) va_arg(vp, gid_t);
1770 rc = uwrap_setresgid_thread(gid, -1, -1);
1774 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1775 case SYS_setregid32:
1778 gid_t rgid = (gid_t) va_arg(vp, gid_t);
1779 gid_t egid = (gid_t) va_arg(vp, gid_t);
1781 rc = uwrap_setresgid_thread(rgid, egid, -1);
1784 #ifdef SYS_setresgid
1786 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1787 case SYS_setresgid32:
1790 gid_t rgid = (gid_t) va_arg(vp, gid_t);
1791 gid_t egid = (gid_t) va_arg(vp, gid_t);
1792 gid_t sgid = (gid_t) va_arg(vp, gid_t);
1794 rc = uwrap_setresgid_thread(rgid, egid, sgid);
1797 #endif /* SYS_setresgid */
1798 #if defined(SYS_getresgid) && defined(HAVE_GETRESGID)
1800 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1801 case SYS_getresgid32:
1804 gid_t *rgid = (gid_t *) va_arg(vp, gid_t *);
1805 gid_t *egid = (gid_t *) va_arg(vp, gid_t *);
1806 gid_t *sgid = (gid_t *) va_arg(vp, gid_t *);
1808 rc = uwrap_getresgid(rgid, egid, sgid);
1811 #endif /* SYS_getresgid && HAVE_GETRESGID */
1815 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1819 rc = uwrap_getuid();
1824 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1828 rc = uwrap_geteuid();
1831 #endif /* SYS_geteuid */
1833 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1837 uid_t uid = (uid_t) va_arg(vp, uid_t);
1839 rc = uwrap_setuid_thread(uid);
1843 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1844 case SYS_setreuid32:
1847 uid_t ruid = (uid_t) va_arg(vp, uid_t);
1848 uid_t euid = (uid_t) va_arg(vp, uid_t);
1850 rc = uwrap_setreuid_thread(ruid, euid);
1853 #ifdef SYS_setresuid
1855 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1856 case SYS_setresuid32:
1859 uid_t ruid = (uid_t) va_arg(vp, uid_t);
1860 uid_t euid = (uid_t) va_arg(vp, uid_t);
1861 uid_t suid = (uid_t) va_arg(vp, uid_t);
1863 rc = uwrap_setresuid_thread(ruid, euid, suid);
1866 #endif /* SYS_setresuid */
1867 #if defined(SYS_getresuid) && defined(HAVE_GETRESUID)
1869 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1870 case SYS_getresuid32:
1873 uid_t *ruid = (uid_t *) va_arg(vp, uid_t *);
1874 uid_t *euid = (uid_t *) va_arg(vp, uid_t *);
1875 uid_t *suid = (uid_t *) va_arg(vp, uid_t *);
1877 rc = uwrap_getresuid(ruid, euid, suid);
1880 #endif /* SYS_getresuid && HAVE_GETRESUID*/
1883 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1884 case SYS_setgroups32:
1887 size_t size = (size_t) va_arg(vp, size_t);
1888 gid_t *list = (gid_t *) va_arg(vp, int *);
1890 rc = uwrap_setgroups_thread(size, list);
1894 UWRAP_LOG(UWRAP_LOG_DEBUG,
1895 "UID_WRAPPER calling non-wrapped syscall %lu",
1898 rc = libc_vsyscall(sysno, vp);
1906 #ifdef HAVE_SYSCALL_INT
1907 int syscall (int sysno, ...)
1909 long int syscall (long int sysno, ...)
1912 #ifdef HAVE_SYSCALL_INT
1919 va_start(va, sysno);
1921 if (!uid_wrapper_enabled()) {
1922 rc = libc_vsyscall(sysno, va);
1928 rc = uwrap_syscall(sysno, va);
1933 #endif /* HAVE_SYSCALL */
1934 #endif /* HAVE_SYS_SYSCALL_H || HAVE_SYSCALL_H */
1936 /****************************
1938 ***************************/
1939 void uwrap_constructor(void)
1942 * If we hold a lock and the application forks, then the child
1943 * is not able to unlock the mutex and we are in a deadlock.
1944 * This should prevent such deadlocks.
1946 pthread_atfork(&uwrap_thread_prepare,
1947 &uwrap_thread_parent,
1948 &uwrap_thread_child);
1950 /* Here is safe place to call uwrap_init() and initialize data
1956 /****************************
1958 ***************************/
1961 * This function is called when the library is unloaded and makes sure that
1962 * resources are freed.
1964 void uwrap_destructor(void)
1966 struct uwrap_thread *u = uwrap.ids;
1971 UWRAP_DLIST_REMOVE(uwrap.ids, u);
1973 SAFE_FREE(u->groups);
1980 if (uwrap.libc.handle != NULL) {
1981 dlclose(uwrap.libc.handle);
1984 if (uwrap.libpthread.handle != NULL) {
1985 dlclose(uwrap.libpthread.handle);
git.samba.org / uid_wrapper.git / blob