2 * Copyright (c) 2009 Andrew Tridgell
3 * Copyright (c) 2011-2013 Andreas Schneider <asn@samba.org>
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/types.h>
30 #ifdef HAVE_SYS_SYSCALL_H
31 #include <sys/syscall.h>
40 #ifdef HAVE_GCC_THREAD_LOCAL_STORAGE
41 # define UWRAP_THREAD __thread
47 #define UWRAP_DEBUG(...)
49 #define UWRAP_DEBUG(...) fprintf(stderr, __VA_ARGS__)
52 #define UWRAP_DLIST_ADD(list,item) do { \
54 (item)->prev = NULL; \
55 (item)->next = NULL; \
58 (item)->prev = NULL; \
59 (item)->next = (list); \
60 (list)->prev = (item); \
65 #define UWRAP_DLIST_REMOVE(list,item) do { \
66 if ((list) == (item)) { \
67 (list) = (item)->next; \
69 (list)->prev = NULL; \
73 (item)->prev->next = (item)->next; \
76 (item)->next->prev = (item)->prev; \
79 (item)->prev = NULL; \
80 (item)->next = NULL; \
83 #define LIBC_NAME "libc.so"
85 struct uwrap_libc_fns {
86 int (*_libc_setuid)(uid_t uid);
87 uid_t (*_libc_getuid)(void);
90 int (*_libc_seteuid)(uid_t euid);
93 int (*_libc_setreuid)(uid_t ruid, uid_t euid);
96 int (*_libc_setresuid)(uid_t ruid, uid_t euid, uid_t suid);
98 uid_t (*_libc_geteuid)(void);
100 int (*_libc_setgid)(gid_t gid);
101 gid_t (*_libc_getgid)(void);
103 int (*_libc_setegid)(uid_t egid);
106 int (*_libc_setregid)(uid_t rgid, uid_t egid);
109 int (*_libc_setresgid)(uid_t rgid, uid_t egid, uid_t sgid);
111 gid_t (*_libc_getegid)(void);
112 int (*_libc_getgroups)(int size, gid_t list[]);
113 int (*_libc_setgroups)(size_t size, const gid_t *list);
115 long int (*_libc_syscall)(long int sysno, ...);
120 * We keep the virtualised euid/egid/groups information here
122 struct uwrap_thread {
137 struct uwrap_thread *next;
138 struct uwrap_thread *prev;
144 struct uwrap_libc_fns fns;
153 struct uwrap_thread *ids;
156 static struct uwrap uwrap;
158 /* Shortcut to the list item */
159 static UWRAP_THREAD struct uwrap_thread *uwrap_tls_id;
161 /* The mutex or accessing the id */
162 static pthread_mutex_t uwrap_id_mutex = PTHREAD_MUTEX_INITIALIZER;
164 /*********************************************************
165 * UWRAP LIBC LOADER FUNCTIONS
166 *********************************************************/
174 static void *uwrap_load_lib_handle(enum uwrap_lib lib)
176 int flags = RTLD_LAZY;
185 flags |= RTLD_DEEPBIND;
191 case UWRAP_LIBSOCKET:
194 if (handle == NULL) {
195 for (handle = NULL, i = 10; handle == NULL && i >= 0; i--) {
196 char soname[256] = {0};
198 snprintf(soname, sizeof(soname), "libc.so.%d", i);
199 handle = dlopen(soname, flags);
202 uwrap.libc.handle = handle;
204 handle = uwrap.libc.handle;
209 if (handle == NULL) {
211 "Failed to dlopen library: %s\n",
219 static void *_uwrap_load_lib_function(enum uwrap_lib lib, const char *fn_name)
224 handle = uwrap_load_lib_handle(lib);
226 func = dlsym(handle, fn_name);
229 "Failed to find %s: %s\n",
237 #define uwrap_load_lib_function(lib, fn_name) \
238 if (uwrap.libc.fns._libc_##fn_name == NULL) { \
239 *(void **) (&uwrap.libc.fns._libc_##fn_name) = \
240 _uwrap_load_lib_function(lib, #fn_name); \
246 * Functions expeciall from libc need to be loaded individually, you can't load
247 * all at once or gdb will segfault at startup. The same applies to valgrind and
248 * has probably something todo with with the linker.
249 * So we need load each function at the point it is called the first time.
251 static int libc_setuid(uid_t uid)
253 uwrap_load_lib_function(UWRAP_LIBC, setuid);
255 return uwrap.libc.fns._libc_setuid(uid);
258 static uid_t libc_getuid(void)
260 uwrap_load_lib_function(UWRAP_LIBC, getuid);
262 return uwrap.libc.fns._libc_getuid();
266 static int libc_seteuid(uid_t euid)
268 uwrap_load_lib_function(UWRAP_LIBC, seteuid);
270 return uwrap.libc.fns._libc_seteuid(euid);
275 static int libc_setreuid(uid_t ruid, uid_t euid)
277 uwrap_load_lib_function(UWRAP_LIBC, setreuid);
279 return uwrap.libc.fns._libc_setreuid(ruid, euid);
283 #ifdef HAVE_SETRESUID
284 int libc_setresuid(uid_t ruid, uid_t euid, uid_t suid);
286 uwrap_load_lib_function(UWRAP_LIBC, setresuid);
288 return uwrap.libc.fns._libc_setresuid(ruid, euid, suid);
292 static uid_t libc_geteuid(void)
294 uwrap_load_lib_function(UWRAP_LIBC, geteuid);
296 return uwrap.libc.fns._libc_geteuid();
299 static int libc_setgid(gid_t gid)
301 uwrap_load_lib_function(UWRAP_LIBC, setgid);
303 return uwrap.libc.fns._libc_setgid(gid);
306 static gid_t libc_getgid(void)
308 uwrap_load_lib_function(UWRAP_LIBC, getgid);
310 return uwrap.libc.fns._libc_getgid();
314 static int libc_setegid(gid_t egid)
316 uwrap_load_lib_function(UWRAP_LIBC, setegid);
318 return uwrap.libc.fns._libc_setegid(egid);
322 static void *uwrap_libc_fn(struct uwrap *u, const char *fn_name)
327 func = dlsym(RTLD_NEXT, fn_name);
329 if (u->libc.handle == NULL) {
333 func = dlsym(u->libc.handle, fn_name);
336 printf("Failed to find %s in %s: %s\n",
337 fn_name, LIBC_NAME, dlerror());
344 static void uwrap_libc_init(struct uwrap *u)
348 int flags = RTLD_LAZY;
351 flags |= RTLD_DEEPBIND;
354 for (u->libc.handle = NULL, i = 10; u->libc.handle == NULL; i--) {
355 char soname[256] = {0};
357 snprintf(soname, sizeof(soname), "%s.%u", LIBC_NAME, i);
358 u->libc.handle = dlopen(soname, flags);
361 if (u->libc.handle == NULL) {
362 printf("Failed to dlopen %s.%u: %s\n", LIBC_NAME, i, dlerror());
368 *(void **) (&u->libc.fns._libc_setregid) = uwrap_libc_fn(u, "setregid");
370 #ifdef HAVE_SETRESGID
371 *(void **) (&u->libc.fns._libc_setresgid) = uwrap_libc_fn(u, "setresgid");
373 *(void **) (&u->libc.fns._libc_getegid) = uwrap_libc_fn(u, "getegid");
374 *(void **) (&u->libc.fns._libc_getgroups) = uwrap_libc_fn(u, "getgroups");
375 *(void **) (&u->libc.fns._libc_setgroups) = uwrap_libc_fn(u, "setgroups");
377 *(void **) (&u->libc.fns._libc_syscall) = uwrap_libc_fn(u, "syscall");
381 static struct uwrap_thread *find_uwrap_id(pthread_t tid)
383 struct uwrap_thread *id;
385 for (id = uwrap.ids; id; id = id->next) {
386 if (pthread_equal(id->tid, tid)) {
394 static int uwrap_new_id(pthread_t tid, bool do_alloc)
396 struct uwrap_thread *id = uwrap_tls_id;
399 id = malloc(sizeof(struct uwrap_thread));
409 id->ruid = id->euid = id->suid = uwrap.myuid;
410 id->rgid = id->egid = id->sgid = uwrap.mygid;
413 id->groups = malloc(sizeof(gid_t) * id->ngroups);
414 id->groups[0] = uwrap.mygid;
417 UWRAP_DLIST_ADD(uwrap.ids, id);
424 static void uwrap_thread_prepare(void)
426 pthread_mutex_lock(&uwrap_id_mutex);
429 * What happens if another atfork prepare functions calls a uwrap
430 * function? So disable it in case another atfork prepare function
431 * calls a (s)uid function.
433 uwrap.enabled = false;
436 static void uwrap_thread_parent(void)
438 uwrap.enabled = true;
440 pthread_mutex_unlock(&uwrap_id_mutex);
443 static void uwrap_thread_child(void)
445 uwrap.enabled = true;
447 pthread_mutex_unlock(&uwrap_id_mutex);
450 static void uwrap_init(void)
452 const char *env = getenv("UID_WRAPPER");
453 pthread_t tid = pthread_self();
457 if (uwrap.initialised) {
458 struct uwrap_thread *id = uwrap_tls_id;
465 pthread_mutex_lock(&uwrap_id_mutex);
466 id = find_uwrap_id(tid);
468 rc = uwrap_new_id(tid, 1);
473 /* We reuse an old thread id */
476 uwrap_new_id(tid, 0);
478 pthread_mutex_unlock(&uwrap_id_mutex);
484 * If we hold a lock and the application forks, then the child
485 * is not able to unlock the mutex and we are in a deadlock.
486 * This should prevent such deadlocks.
488 pthread_atfork(&uwrap_thread_prepare,
489 &uwrap_thread_parent,
490 &uwrap_thread_child);
492 pthread_mutex_lock(&uwrap_id_mutex);
494 uwrap_libc_init(&uwrap);
496 uwrap.initialised = true;
497 uwrap.enabled = false;
499 if (env != NULL && env[0] == '1') {
500 const char *root = getenv("UID_WRAPPER_ROOT");
503 /* put us in one group */
504 if (root != NULL && root[0] == '1') {
508 uwrap.myuid = libc_geteuid();
509 uwrap.mygid = uwrap.libc.fns._libc_getegid();
512 rc = uwrap_new_id(tid, 1);
517 uwrap.enabled = true;
520 pthread_mutex_unlock(&uwrap_id_mutex);
523 static int uwrap_enabled(void)
527 return uwrap.enabled ? 1 : 0;
530 static int uwrap_setresuid_thread(uid_t ruid, uid_t euid, uid_t suid)
532 struct uwrap_thread *id = uwrap_tls_id;
534 if (ruid == (uid_t)-1 && euid == (uid_t)-1 && suid == (uid_t)-1) {
539 pthread_mutex_lock(&uwrap_id_mutex);
540 if (ruid != (uid_t)-1) {
544 if (euid != (uid_t)-1) {
548 if (suid != (uid_t)-1) {
551 pthread_mutex_unlock(&uwrap_id_mutex);
556 static int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid)
558 struct uwrap_thread *id;
560 if (ruid == (uid_t)-1 && euid == (uid_t)-1 && suid == (uid_t)-1) {
565 pthread_mutex_lock(&uwrap_id_mutex);
566 for (id = uwrap.ids; id; id = id->next) {
571 if (ruid != (uid_t)-1) {
575 if (euid != (uid_t)-1) {
579 if (suid != (uid_t)-1) {
583 pthread_mutex_unlock(&uwrap_id_mutex);
591 int setuid(uid_t uid)
593 if (!uwrap_enabled()) {
594 return libc_setuid(uid);
597 return uwrap_setresuid(uid, -1, -1);
601 int seteuid(uid_t euid)
603 if (euid == (uid_t)-1) {
608 if (!uwrap_enabled()) {
609 return libc_seteuid(euid);
612 return uwrap_setresuid(-1, euid, -1);
617 int setreuid(uid_t ruid, uid_t euid)
619 if (ruid == (uid_t)-1 && euid == (uid_t)-1) {
624 if (!uwrap_enabled()) {
625 return libc_setreuid(ruid, euid);
628 return uwrap_setresuid(ruid, euid, -1);
632 #ifdef HAVE_SETRESUID
633 int setresuid(uid_t ruid, uid_t euid, uid_t suid)
635 if (!uwrap_enabled()) {
636 return libc_setresuid(ruid, euid, suid);
639 return uwrap_setresuid(ruid, euid, suid);
646 static uid_t uwrap_getuid(void)
648 struct uwrap_thread *id = uwrap_tls_id;
651 pthread_mutex_lock(&uwrap_id_mutex);
653 pthread_mutex_unlock(&uwrap_id_mutex);
660 if (!uwrap_enabled()) {
661 return libc_getuid();
664 return uwrap_getuid();
670 static uid_t uwrap_geteuid(void)
672 const char *env = getenv("UID_WRAPPER_ROOT");
673 struct uwrap_thread *id = uwrap_tls_id;
676 pthread_mutex_lock(&uwrap_id_mutex);
678 pthread_mutex_unlock(&uwrap_id_mutex);
680 /* Disable root and return myuid */
681 if (env != NULL && env[0] == '2') {
690 if (!uwrap_enabled()) {
691 return libc_geteuid();
694 return uwrap_geteuid();
697 static int uwrap_setresgid_thread(gid_t rgid, gid_t egid, gid_t sgid)
699 struct uwrap_thread *id = uwrap_tls_id;
701 if (rgid == (gid_t)-1 && egid == (gid_t)-1 && sgid == (gid_t)-1) {
706 pthread_mutex_lock(&uwrap_id_mutex);
707 if (rgid != (gid_t)-1) {
711 if (egid != (gid_t)-1) {
715 if (sgid != (gid_t)-1) {
718 pthread_mutex_unlock(&uwrap_id_mutex);
723 static int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
725 struct uwrap_thread *id;
727 if (rgid == (gid_t)-1 && egid == (gid_t)-1 && sgid == (gid_t)-1) {
732 pthread_mutex_lock(&uwrap_id_mutex);
733 for (id = uwrap.ids; id; id = id->next) {
738 if (rgid != (gid_t)-1) {
742 if (egid != (gid_t)-1) {
746 if (sgid != (gid_t)-1) {
750 pthread_mutex_unlock(&uwrap_id_mutex);
758 int setgid(gid_t gid)
760 if (!uwrap_enabled()) {
761 return libc_setgid(gid);
764 return uwrap_setresgid(gid, -1, -1);
768 int setegid(gid_t egid)
770 if (!uwrap_enabled()) {
771 return libc_setegid(egid);
774 return uwrap_setresgid(-1, egid, -1);
779 int setregid(gid_t rgid, gid_t egid)
781 if (!uwrap_enabled()) {
782 return uwrap.libc.fns._libc_setregid(rgid, egid);
785 return uwrap_setresgid(rgid, egid, -1);
789 #ifdef HAVE_SETRESGID
790 int setresgid(gid_t rgid, gid_t egid, gid_t sgid)
792 if (!uwrap_enabled()) {
793 return uwrap.libc.fns._libc_setregid(rgid, egid, sgid);
796 return uwrap_setresgid(rgid, egid, sgid);
803 static gid_t uwrap_getgid(void)
805 struct uwrap_thread *id = uwrap_tls_id;
808 pthread_mutex_lock(&uwrap_id_mutex);
810 pthread_mutex_unlock(&uwrap_id_mutex);
817 if (!uwrap_enabled()) {
818 return libc_getgid();
821 return uwrap_getgid();
827 static uid_t uwrap_getegid(void)
829 struct uwrap_thread *id = uwrap_tls_id;
832 pthread_mutex_lock(&uwrap_id_mutex);
834 pthread_mutex_unlock(&uwrap_id_mutex);
841 if (!uwrap_enabled()) {
842 return uwrap.libc.fns._libc_getegid();
845 return uwrap_getegid();
848 static int uwrap_setgroups_thread(size_t size, const gid_t *list)
850 struct uwrap_thread *id = uwrap_tls_id;
853 pthread_mutex_lock(&uwrap_id_mutex);
859 id->groups = malloc(sizeof(gid_t) * size);
860 if (id->groups == NULL) {
865 memcpy(id->groups, list, size * sizeof(gid_t));
870 pthread_mutex_unlock(&uwrap_id_mutex);
875 static int uwrap_setgroups(size_t size, const gid_t *list)
877 struct uwrap_thread *id;
880 pthread_mutex_lock(&uwrap_id_mutex);
881 for (id = uwrap.ids; id; id = id->next) {
887 id->groups = malloc(sizeof(gid_t) * size);
888 if (id->groups == NULL) {
893 memcpy(id->groups, list, size * sizeof(gid_t));
899 pthread_mutex_unlock(&uwrap_id_mutex);
904 #ifdef HAVE_SETGROUPS_INT
905 int setgroups(int size, const gid_t *list)
907 int setgroups(size_t size, const gid_t *list)
910 if (!uwrap_enabled()) {
911 return uwrap.libc.fns._libc_setgroups(size, list);
914 return uwrap_setgroups(size, list);
917 static int uwrap_getgroups(int size, gid_t *list)
919 struct uwrap_thread *id = uwrap_tls_id;
922 pthread_mutex_lock(&uwrap_id_mutex);
923 ngroups = id->ngroups;
925 if (size > ngroups) {
931 if (size < ngroups) {
935 memcpy(list, id->groups, size * sizeof(gid_t));
938 pthread_mutex_unlock(&uwrap_id_mutex);
943 int getgroups(int size, gid_t *list)
945 if (!uwrap_enabled()) {
946 return uwrap.libc.fns._libc_getgroups(size, list);
949 return uwrap_getgroups(size, list);
952 static long int libc_vsyscall(long int sysno, va_list va)
958 for (i = 0; i < 8; i++) {
959 args[i] = va_arg(va, long int);
962 rc = uwrap.libc.fns._libc_syscall(sysno,
975 #if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
976 && (defined(SYS_setreuid) || defined(SYS_setreuid32))
977 static long int uwrap_syscall (long int sysno, va_list vp)
984 #ifdef HAVE_LINUX_32BIT_SYSCALLS
993 #ifdef HAVE_LINUX_32BIT_SYSCALLS
997 rc = uwrap_getegid();
1000 #endif /* SYS_getegid */
1002 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1006 gid_t gid = (gid_t) va_arg(vp, int);
1008 rc = uwrap_setresgid_thread(gid, -1, -1);
1012 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1013 case SYS_setregid32:
1016 uid_t rgid = (uid_t) va_arg(vp, int);
1017 uid_t egid = (uid_t) va_arg(vp, int);
1019 rc = uwrap_setresgid_thread(rgid, egid, -1);
1022 #ifdef SYS_setresgid
1024 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1025 case SYS_setresgid32:
1028 uid_t rgid = (uid_t) va_arg(vp, int);
1029 uid_t egid = (uid_t) va_arg(vp, int);
1030 uid_t sgid = (uid_t) va_arg(vp, int);
1032 rc = uwrap_setresgid_thread(rgid, egid, sgid);
1035 #endif /* SYS_setresgid */
1039 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1043 rc = uwrap_getuid();
1048 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1052 rc = uwrap_geteuid();
1055 #endif /* SYS_geteuid */
1057 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1061 uid_t uid = (uid_t) va_arg(vp, int);
1063 rc = uwrap_setresuid_thread(uid, -1, -1);
1067 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1068 case SYS_setreuid32:
1071 uid_t ruid = (uid_t) va_arg(vp, int);
1072 uid_t euid = (uid_t) va_arg(vp, int);
1074 rc = uwrap_setresuid_thread(ruid, euid, -1);
1077 #ifdef SYS_setresuid
1079 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1080 case SYS_setresuid32:
1083 uid_t ruid = (uid_t) va_arg(vp, int);
1084 uid_t euid = (uid_t) va_arg(vp, int);
1085 uid_t suid = (uid_t) va_arg(vp, int);
1087 rc = uwrap_setresuid_thread(ruid, euid, suid);
1090 #endif /* SYS_setresuid */
1094 #ifdef HAVE_LINUX_32BIT_SYSCALLS
1095 case SYS_setgroups32:
1098 size_t size = (size_t) va_arg(vp, size_t);
1099 gid_t *list = (gid_t *) va_arg(vp, int *);
1101 rc = uwrap_setgroups_thread(size, list);
1105 UWRAP_DEBUG("UID_WRAPPER calling non-wrapped syscall "
1108 rc = libc_vsyscall(sysno, vp);
1116 #ifdef HAVE_SYSCALL_INT
1117 int syscall (int sysno, ...)
1119 long int syscall (long int sysno, ...)
1122 #ifdef HAVE_SYSCALL_INT
1129 va_start(va, sysno);
1131 if (!uwrap_enabled()) {
1132 rc = libc_vsyscall(sysno, va);
1137 rc = uwrap_syscall(sysno, va);
1142 #endif /* HAVE_SYSCALL */
1143 #endif /* HAVE_SYS_SYSCALL_H || HAVE_SYSCALL_H */
git.samba.org / uid_wrapper.git / blob