2 * Copyright (c) 2009 Andrew Tridgell
3 * Copyright (c) 2011-2013 Andreas Schneider <asn@samba.org>
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/types.h>
30 #ifdef HAVE_SYS_SYSCALL_H
31 #include <sys/syscall.h>
40 #ifdef HAVE_GCC_THREAD_LOCAL_STORAGE
41 # define UWRAP_THREAD __thread
47 #define UWRAP_DEBUG(...)
49 #define UWRAP_DEBUG(...) fprintf(stderr, __VA_ARGS__)
52 #define UWRAP_DLIST_ADD(list,item) do { \
54 (item)->prev = NULL; \
55 (item)->next = NULL; \
58 (item)->prev = NULL; \
59 (item)->next = (list); \
60 (list)->prev = (item); \
65 #define UWRAP_DLIST_REMOVE(list,item) do { \
66 if ((list) == (item)) { \
67 (list) = (item)->next; \
69 (list)->prev = NULL; \
73 (item)->prev->next = (item)->next; \
76 (item)->next->prev = (item)->prev; \
79 (item)->prev = NULL; \
80 (item)->next = NULL; \
83 #define LIBC_NAME "libc.so"
85 struct uwrap_libc_fns {
86 int (*_libc_setuid)(uid_t uid);
87 uid_t (*_libc_getuid)(void);
90 int (*_libc_seteuid)(uid_t euid);
93 int (*_libc_setreuid)(uid_t ruid, uid_t euid);
96 int (*_libc_setresuid)(uid_t ruid, uid_t euid, uid_t suid);
98 uid_t (*_libc_geteuid)(void);
100 int (*_libc_setgid)(gid_t gid);
101 gid_t (*_libc_getgid)(void);
103 int (*_libc_setegid)(uid_t egid);
106 int (*_libc_setregid)(uid_t rgid, uid_t egid);
109 int (*_libc_setresgid)(uid_t rgid, uid_t egid, uid_t sgid);
111 gid_t (*_libc_getegid)(void);
112 int (*_libc_getgroups)(int size, gid_t list[]);
113 int (*_libc_setgroups)(size_t size, const gid_t *list);
115 long int (*_libc_syscall)(long int sysno, ...);
120 * We keep the virtualised euid/egid/groups information here
122 struct uwrap_thread {
137 struct uwrap_thread *next;
138 struct uwrap_thread *prev;
144 struct uwrap_libc_fns fns;
153 struct uwrap_thread *ids;
156 static struct uwrap uwrap;
158 /* Shortcut to the list item */
159 static UWRAP_THREAD struct uwrap_thread *uwrap_tls_id;
161 /* The mutex or accessing the id */
162 static pthread_mutex_t uwrap_id_mutex = PTHREAD_MUTEX_INITIALIZER;
164 static void *uwrap_libc_fn(struct uwrap *u, const char *fn_name)
168 if (u->libc.handle == NULL) {
172 func = dlsym(u->libc.handle, fn_name);
174 printf("Failed to find %s in %s: %s\n",
175 fn_name, LIBC_NAME, dlerror());
182 static void uwrap_libc_init(struct uwrap *u)
185 int flags = RTLD_LAZY;
188 flags |= RTLD_DEEPBIND;
191 for (u->libc.handle = NULL, i = 10; u->libc.handle == NULL; i--) {
192 char soname[256] = {0};
194 snprintf(soname, sizeof(soname), "%s.%u", LIBC_NAME, i);
195 u->libc.handle = dlopen(soname, flags);
198 if (u->libc.handle == NULL) {
199 printf("Failed to dlopen %s.%u: %s\n", LIBC_NAME, i, dlerror());
203 *(void **) (&u->libc.fns._libc_setuid) = uwrap_libc_fn(u, "setuid");
204 *(void **) (&u->libc.fns._libc_getuid) = uwrap_libc_fn(u, "getuid");
207 *(void **) (&u->libc.fns._libc_seteuid) = uwrap_libc_fn(u, "seteuid");
210 *(void **) (&u->libc.fns._libc_setreuid) = uwrap_libc_fn(u, "setreuid");
212 #ifdef HAVE_SETRESUID
213 *(void **) (&u->libc.fns._libc_setresuid) = uwrap_libc_fn(u, "setresuid");
215 *(void **) (&u->libc.fns._libc_geteuid) = uwrap_libc_fn(u, "geteuid");
217 *(void **) (&u->libc.fns._libc_setgid) = uwrap_libc_fn(u, "setgid");
218 *(void **) (&u->libc.fns._libc_getgid) = uwrap_libc_fn(u, "getgid");
220 *(void **) (&u->libc.fns._libc_setegid) = uwrap_libc_fn(u, "setegid");
223 *(void **) (&u->libc.fns._libc_setregid) = uwrap_libc_fn(u, "setregid");
225 #ifdef HAVE_SETRESGID
226 *(void **) (&u->libc.fns._libc_setresgid) = uwrap_libc_fn(u, "setresgid");
228 *(void **) (&u->libc.fns._libc_getegid) = uwrap_libc_fn(u, "getegid");
229 *(void **) (&u->libc.fns._libc_getgroups) = uwrap_libc_fn(u, "getgroups");
230 *(void **) (&u->libc.fns._libc_setgroups) = uwrap_libc_fn(u, "setgroups");
231 *(void **) (&u->libc.fns._libc_getuid) = uwrap_libc_fn(u, "getuid");
232 *(void **) (&u->libc.fns._libc_getgid) = uwrap_libc_fn(u, "getgid");
234 *(void **) (&u->libc.fns._libc_syscall) = uwrap_libc_fn(u, "syscall");
238 static struct uwrap_thread *find_uwrap_id(pthread_t tid)
240 struct uwrap_thread *id;
242 for (id = uwrap.ids; id; id = id->next) {
243 if (pthread_equal(id->tid, tid)) {
251 static int uwrap_new_id(pthread_t tid, bool do_alloc)
253 struct uwrap_thread *id = uwrap_tls_id;
256 id = malloc(sizeof(struct uwrap_thread));
266 id->ruid = id->euid = id->suid = uwrap.myuid;
267 id->rgid = id->egid = id->sgid = uwrap.mygid;
270 id->groups = malloc(sizeof(gid_t) * id->ngroups);
271 id->groups[0] = uwrap.mygid;
274 UWRAP_DLIST_ADD(uwrap.ids, id);
281 static void uwrap_init(void)
283 const char *env = getenv("UID_WRAPPER");
284 pthread_t tid = pthread_self();
288 if (uwrap.initialised) {
289 struct uwrap_thread *id = uwrap_tls_id;
296 pthread_mutex_lock(&uwrap_id_mutex);
297 id = find_uwrap_id(tid);
299 rc = uwrap_new_id(tid, 1);
304 /* We reuse an old thread id */
307 uwrap_new_id(tid, 0);
309 pthread_mutex_unlock(&uwrap_id_mutex);
314 pthread_mutex_lock(&uwrap_id_mutex);
316 uwrap_libc_init(&uwrap);
318 uwrap.initialised = true;
319 uwrap.enabled = false;
321 if (env != NULL && env[0] == '1') {
322 const char *root = getenv("UID_WRAPPER_ROOT");
325 /* put us in one group */
326 if (root != NULL && root[0] == '1') {
330 uwrap.myuid = uwrap.libc.fns._libc_geteuid();
331 uwrap.mygid = uwrap.libc.fns._libc_getegid();
334 rc = uwrap_new_id(tid, 1);
339 uwrap.enabled = true;
342 pthread_mutex_unlock(&uwrap_id_mutex);
345 static int uwrap_enabled(void)
349 return uwrap.enabled ? 1 : 0;
352 static int uwrap_setresuid_thread(uid_t ruid, uid_t euid, uid_t suid)
354 struct uwrap_thread *id = uwrap_tls_id;
356 if (ruid == (uid_t)-1 && euid == (uid_t)-1 && suid == (uid_t)-1) {
361 pthread_mutex_lock(&uwrap_id_mutex);
362 if (ruid != (uid_t)-1) {
366 if (euid != (uid_t)-1) {
370 if (suid != (uid_t)-1) {
373 pthread_mutex_unlock(&uwrap_id_mutex);
378 static int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid)
380 struct uwrap_thread *id;
382 if (ruid == (uid_t)-1 && euid == (uid_t)-1 && suid == (uid_t)-1) {
387 pthread_mutex_lock(&uwrap_id_mutex);
388 for (id = uwrap.ids; id; id = id->next) {
393 if (ruid != (uid_t)-1) {
397 if (euid != (uid_t)-1) {
401 if (suid != (uid_t)-1) {
405 pthread_mutex_unlock(&uwrap_id_mutex);
413 int setuid(uid_t uid)
415 if (!uwrap_enabled()) {
416 return uwrap.libc.fns._libc_setuid(uid);
419 return uwrap_setresuid(uid, -1, -1);
423 int seteuid(uid_t euid)
425 if (euid == (uid_t)-1) {
430 if (!uwrap_enabled()) {
431 return uwrap.libc.fns._libc_seteuid(euid);
434 return uwrap_setresuid(-1, euid, -1);
439 int setreuid(uid_t ruid, uid_t euid)
441 if (ruid == (uid_t)-1 && euid == (uid_t)-1) {
446 if (!uwrap_enabled()) {
447 return uwrap.libc.fns._libc_setreuid(ruid, euid);
450 return uwrap_setresuid(ruid, euid, -1);
454 #ifdef HAVE_SETRESUID
455 int setresuid(uid_t ruid, uid_t euid, uid_t suid)
457 if (!uwrap_enabled()) {
458 return uwrap.libc.fns._libc_setresuid(ruid, euid, suid);
461 return uwrap_setresuid(ruid, euid, suid);
468 static uid_t uwrap_getuid(void)
470 struct uwrap_thread *id = uwrap_tls_id;
473 pthread_mutex_lock(&uwrap_id_mutex);
475 pthread_mutex_unlock(&uwrap_id_mutex);
482 if (!uwrap_enabled()) {
483 return uwrap.libc.fns._libc_getuid();
486 return uwrap_getuid();
492 static uid_t uwrap_geteuid(void)
494 const char *env = getenv("UID_WRAPPER_ROOT");
495 struct uwrap_thread *id = uwrap_tls_id;
498 pthread_mutex_lock(&uwrap_id_mutex);
500 pthread_mutex_unlock(&uwrap_id_mutex);
502 /* Disable root and return myuid */
503 if (env != NULL && env[0] == '2') {
512 if (!uwrap_enabled()) {
513 return uwrap.libc.fns._libc_geteuid();
516 return uwrap_geteuid();
519 static int uwrap_setresgid_thread(gid_t rgid, gid_t egid, gid_t sgid)
521 struct uwrap_thread *id = uwrap_tls_id;
523 if (rgid == (gid_t)-1 && egid == (gid_t)-1 && sgid == (gid_t)-1) {
528 pthread_mutex_lock(&uwrap_id_mutex);
529 if (rgid != (gid_t)-1) {
533 if (egid != (gid_t)-1) {
537 if (sgid != (gid_t)-1) {
540 pthread_mutex_unlock(&uwrap_id_mutex);
545 static int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
547 struct uwrap_thread *id;
549 if (rgid == (gid_t)-1 && egid == (gid_t)-1 && sgid == (gid_t)-1) {
554 pthread_mutex_lock(&uwrap_id_mutex);
555 for (id = uwrap.ids; id; id = id->next) {
560 if (rgid != (gid_t)-1) {
564 if (egid != (gid_t)-1) {
568 if (sgid != (gid_t)-1) {
572 pthread_mutex_unlock(&uwrap_id_mutex);
580 int setgid(gid_t gid)
582 if (!uwrap_enabled()) {
583 return uwrap.libc.fns._libc_setgid(gid);
586 return uwrap_setresgid(gid, -1, -1);
590 int setegid(gid_t egid)
592 if (!uwrap_enabled()) {
593 return uwrap.libc.fns._libc_setegid(egid);
596 return uwrap_setresgid(-1, egid, -1);
601 int setregid(gid_t rgid, gid_t egid)
603 if (!uwrap_enabled()) {
604 return uwrap.libc.fns._libc_setregid(rgid, egid);
607 return uwrap_setresgid(rgid, egid, -1);
611 #ifdef HAVE_SETRESGID
612 int setresgid(gid_t rgid, gid_t egid, gid_t sgid)
614 if (!uwrap_enabled()) {
615 return uwrap.libc.fns._libc_setregid(rgid, egid, sgid);
618 return uwrap_setresgid(rgid, egid, sgid);
625 static gid_t uwrap_getgid(void)
627 struct uwrap_thread *id = uwrap_tls_id;
630 pthread_mutex_lock(&uwrap_id_mutex);
632 pthread_mutex_unlock(&uwrap_id_mutex);
639 if (!uwrap_enabled()) {
640 return uwrap.libc.fns._libc_getgid();
643 return uwrap_getgid();
649 static uid_t uwrap_getegid(void)
651 struct uwrap_thread *id = uwrap_tls_id;
654 pthread_mutex_lock(&uwrap_id_mutex);
656 pthread_mutex_unlock(&uwrap_id_mutex);
663 if (!uwrap_enabled()) {
664 return uwrap.libc.fns._libc_getegid();
667 return uwrap_getegid();
670 static int uwrap_setgroups_thread(size_t size, const gid_t *list)
672 struct uwrap_thread *id = uwrap_tls_id;
675 pthread_mutex_lock(&uwrap_id_mutex);
681 id->groups = malloc(sizeof(gid_t) * size);
682 if (id->groups == NULL) {
687 memcpy(id->groups, list, size * sizeof(gid_t));
692 pthread_mutex_unlock(&uwrap_id_mutex);
697 static int uwrap_setgroups(size_t size, const gid_t *list)
699 struct uwrap_thread *id;
702 pthread_mutex_lock(&uwrap_id_mutex);
703 for (id = uwrap.ids; id; id = id->next) {
709 id->groups = malloc(sizeof(gid_t) * size);
710 if (id->groups == NULL) {
715 memcpy(id->groups, list, size * sizeof(gid_t));
721 pthread_mutex_unlock(&uwrap_id_mutex);
726 int setgroups(size_t size, const gid_t *list)
728 if (!uwrap_enabled()) {
729 return uwrap.libc.fns._libc_setgroups(size, list);
732 return uwrap_setgroups(size, list);
735 static int uwrap_getgroups(int size, gid_t *list)
737 struct uwrap_thread *id = uwrap_tls_id;
740 pthread_mutex_lock(&uwrap_id_mutex);
741 ngroups = id->ngroups;
743 if (size > ngroups) {
749 if (size < ngroups) {
753 memcpy(list, id->groups, size * sizeof(gid_t));
756 pthread_mutex_unlock(&uwrap_id_mutex);
761 int getgroups(int size, gid_t *list)
763 if (!uwrap_enabled()) {
764 return uwrap.libc.fns._libc_getgroups(size, list);
767 return uwrap_getgroups(size, list);
770 static long int libc_vsyscall(long int sysno, va_list va)
776 for (i = 0; i < 8; i++) {
777 args[i] = va_arg(va, long int);
780 rc = uwrap.libc.fns._libc_syscall(sysno,
793 #if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
794 && (defined(SYS_setreuid) || defined(SYS_setreuid32))
795 static long int uwrap_syscall (long int sysno, va_list vp)
802 #ifdef HAVE_LINUX_32BIT_SYSCALLS
810 #ifdef HAVE_LINUX_32BIT_SYSCALLS
814 rc = uwrap_getegid();
818 #ifdef HAVE_LINUX_32BIT_SYSCALLS
822 gid_t gid = (gid_t) va_arg(vp, int);
824 rc = uwrap_setresgid_thread(gid, -1, -1);
828 #ifdef HAVE_LINUX_32BIT_SYSCALLS
832 uid_t rgid = (uid_t) va_arg(vp, int);
833 uid_t egid = (uid_t) va_arg(vp, int);
835 rc = uwrap_setresgid_thread(rgid, egid, -1);
839 #ifdef HAVE_LINUX_32BIT_SYSCALLS
840 case SYS_setresgid32:
843 uid_t rgid = (uid_t) va_arg(vp, int);
844 uid_t egid = (uid_t) va_arg(vp, int);
845 uid_t sgid = (uid_t) va_arg(vp, int);
847 rc = uwrap_setresgid_thread(rgid, egid, sgid);
853 #ifdef HAVE_LINUX_32BIT_SYSCALLS
861 #ifdef HAVE_LINUX_32BIT_SYSCALLS
865 rc = uwrap_geteuid();
869 #ifdef HAVE_LINUX_32BIT_SYSCALLS
873 uid_t uid = (uid_t) va_arg(vp, int);
875 rc = uwrap_setresuid_thread(uid, -1, -1);
879 #ifdef HAVE_LINUX_32BIT_SYSCALLS
883 uid_t ruid = (uid_t) va_arg(vp, int);
884 uid_t euid = (uid_t) va_arg(vp, int);
886 rc = uwrap_setresuid_thread(ruid, euid, -1);
890 #ifdef HAVE_LINUX_32BIT_SYSCALLS
891 case SYS_setresuid32:
894 uid_t ruid = (uid_t) va_arg(vp, int);
895 uid_t euid = (uid_t) va_arg(vp, int);
896 uid_t suid = (uid_t) va_arg(vp, int);
898 rc = uwrap_setresuid_thread(ruid, euid, suid);
904 #ifdef HAVE_LINUX_32BIT_SYSCALLS
905 case SYS_setgroups32:
908 size_t size = (size_t) va_arg(vp, size_t);
909 gid_t *list = (gid_t *) va_arg(vp, int *);
911 rc = uwrap_setgroups_thread(size, list);
915 UWRAP_DEBUG("UID_WRAPPER calling non-wrapped syscall "
918 rc = libc_vsyscall(sysno, vp);
926 long int syscall (long int sysno, ...)
933 if (!uwrap_enabled()) {
934 rc = libc_vsyscall(sysno, va);
939 rc = uwrap_syscall(sysno, va);
944 #endif /* HAVE_SYSCALL */
945 #endif /* HAVE_SYS_SYSCALL_H || HAVE_SYSCALL_H */
git.samba.org / uid_wrapper.git / blob