Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 17 Feb 2013 04:50:01 GMT
From:      Danny Warren <danny@dannywarren.com>
To:        gnome@FreeBSD.org
Subject:   Re: ports/176203: [patch] devel/gamin: Drop privileges to effective user and group
Message-ID:  <201302170450.r1H4o17g097546@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/176203; it has been noted by GNATS.

From: Danny Warren <danny@dannywarren.com>
To: bug-followup@FreeBSD.org, danny@dannywarren.com
Cc:  
Subject: Re: ports/176203: [patch] devel/gamin: Drop privileges to effective
 user and group
Date: Sat, 16 Feb 2013 20:47:01 -0800

 This is a multi-part message in MIME format.
 --------------020205000508090601030105
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Alright, this should hopefully be the last change.
 
 * fixed typo in setgid debug message
 * reworked "gamin_drop_privileges" method to accept a uid and gid value 
 instead of assuming you always want the effective user, so that it can 
 be used in other parts of the code if needed
 * changed call to "gamin_drop_privileges" to pass the effective uid/gid 
 after fork
 
 --------------020205000508090601030105
 Content-Type: text/plain; charset=windows-1252;
  name="gamin-drop_privileges.patch.txt"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="gamin-drop_privileges.patch.txt"
 
 --- Makefile.orig	2013-02-16 19:09:52.507178348 -0800
 +++ Makefile	2013-02-16 16:18:30.230098850 -0800
 @@ -27,9 +27,10 @@
  GNU_CONFIGURE=	yes
  
  .if !defined(GAMIN_SLAVE)
 -OPTIONS_DEFINE=	GAM_POLLER LIBINOTIFY 
 +OPTIONS_DEFINE=	GAM_POLLER LIBINOTIFY RUN_AS_EUID
  GAM_POLLER_DESC=Use gamin's poller instead of kqueue's
  LIBINOTIFY_DESC=Use libinotify as the FAM backend
 +RUN_AS_EUID_DESC=Drop privileges to effective user
  .endif
  
  .include <bsd.port.options.mk>
 @@ -48,6 +49,10 @@
  .endif
  .endif
  
 +.if ${PORT_OPTIONS:MRUN_AS_EUID}
 +CPPFLAGS+=	-DRUN_AS_EUID=1
 +.endif
 +
  post-patch:
  	@${REINPLACE_CMD} "s|/etc|${PREFIX}/etc|g" ${WRKSRC}/server/gam_conf.c
  
 --- libgamin/gam_api.c.orig	2007-08-27 03:21:03.000000000 -0700
 +++ libgamin/gam_api.c	2013-02-16 15:51:11.927100135 -0800
 @@ -14,6 +14,7 @@
  #include <sys/socket.h>
  #include <sys/un.h>
  #include <sys/uio.h>
 +#include <string.h>
  #include "fam.h"
  #include "gam_protocol.h"
  #include "gam_data.h"
 @@ -117,7 +118,11 @@
      if (user_name[0] != 0)
          return (user_name);
  
 +#ifdef RUN_AS_EUID
 +    pw = getpwuid(geteuid());
 +#else
      pw = getpwuid(getuid());
 +#endif
  
      if (pw != NULL) {
  	strncpy(user_name, pw->pw_name, 99);
 @@ -224,7 +229,11 @@
  	free(dir);
  	return(0);
      }
 +#ifdef RUN_AS_EUID
 +    if (st.st_uid != geteuid()) {
 +#else
      if (st.st_uid != getuid()) {
 +#endif
  	gam_error(DEBUG_INFO,
  		  "Socket directory %s has different owner\n",
  		  dir);
 @@ -301,7 +310,11 @@
      if (ret < 0)
  	return(0);
      
 +#ifdef RUN_AS_EUID
 +    if (st.st_uid != geteuid()) {
 +#else
      if (st.st_uid != getuid()) {
 +#endif
  	gam_error(DEBUG_INFO,
  		  "Socket %s has different owner\n",
  		  path);
 @@ -428,10 +441,10 @@
  {
      char data[2] = { 0, 0 };
      int written;
 -#if defined(HAVE_CMSGCRED) && !defined(LOCAL_CREDS)
 -    struct {
 +#if defined(HAVE_CMSGCRED) && (!defined(LOCAL_CREDS) || defined(__FreeBSD__))
 +    union {
  	    struct cmsghdr hdr;
 -	    struct cmsgcred cred;
 +	    char cred[CMSG_SPACE (sizeof (struct cmsgcred))];
      } cmsg;
      struct iovec iov;
      struct msghdr msg;
 @@ -443,16 +456,16 @@
      msg.msg_iov = &iov;
      msg.msg_iovlen = 1;
  
 -    msg.msg_control = &cmsg;
 -    msg.msg_controllen = sizeof (cmsg);
 +    msg.msg_control = (caddr_t) &cmsg;
 +    msg.msg_controllen = CMSG_SPACE (sizeof (struct cmsgcred));
      memset (&cmsg, 0, sizeof (cmsg));
 -    cmsg.hdr.cmsg_len = sizeof (cmsg);
 +    cmsg.hdr.cmsg_len = CMSG_LEN (sizeof (struct cmsgcred));
      cmsg.hdr.cmsg_level = SOL_SOCKET;
      cmsg.hdr.cmsg_type = SCM_CREDS;
  #endif
  
  retry:
 -#if defined(HAVE_CMSGCRED) && !defined(LOCAL_CREDS)
 +#if defined(HAVE_CMSGCRED) && (!defined(LOCAL_CREDS) || defined(__FreeBSD__))
      written = sendmsg(fd, &msg, 0);
  #else
      written = write(fd, &data[0], 1);
 @@ -654,15 +667,20 @@
      gid_t c_gid;
  
  #ifdef HAVE_CMSGCRED
 -    struct {
 +    struct cmsgcred *cred;
 +    union {
  	    struct cmsghdr hdr;
 -	    struct cmsgcred cred;
 +	    char cred[CMSG_SPACE (sizeof (struct cmsgcred))];
      } cmsg;
  #endif
  
 +#ifdef RUN_AS_EUID
 +    s_uid = geteuid();
 +#else
      s_uid = getuid();
 +#endif
  
 -#if defined(LOCAL_CREDS) && defined(HAVE_CMSGCRED)
 +#if defined(LOCAL_CREDS) && defined(HAVE_CMSGCRED) && !defined(__FreeBSD__)
      /* Set the socket to receive credentials on the next message */
      {
          int on = 1;
 @@ -683,8 +701,8 @@
  
  #ifdef HAVE_CMSGCRED
      memset(&cmsg, 0, sizeof(cmsg));
 -    msg.msg_control = &cmsg;
 -    msg.msg_controllen = sizeof(cmsg);
 +    msg.msg_control = (caddr_t) &cmsg;
 +    msg.msg_controllen = CMSG_SPACE (sizeof (struct cmsgcred));
  #endif
  
  retry:
 @@ -701,7 +719,7 @@
          goto failed;
      }
  #ifdef HAVE_CMSGCRED
 -    if (cmsg.hdr.cmsg_len < sizeof(cmsg) || cmsg.hdr.cmsg_type != SCM_CREDS) {
 +    if (cmsg.hdr.cmsg_len < CMSG_LEN (sizeof (struct cmsgcred)) || cmsg.hdr.cmsg_type != SCM_CREDS) {
          GAM_DEBUG(DEBUG_INFO,
                    "Message from recvmsg() was not SCM_CREDS\n");
          goto failed;
 @@ -727,9 +745,10 @@
              goto failed;
          }
  #elif defined(HAVE_CMSGCRED)
 -        c_pid = cmsg.cred.cmcred_pid;
 -        c_uid = cmsg.cred.cmcred_euid;
 -        c_gid = cmsg.cred.cmcred_groups[0];
 +        cred = (struct cmsgcred *) CMSG_DATA (&cmsg);
 +        c_pid = cred->cmcred_pid;
 +        c_uid = cred->cmcred_euid;
 +        c_gid = cred->cmcred_groups[0];
  #else /* !SO_PEERCRED && !HAVE_CMSGCRED */
          GAM_DEBUG(DEBUG_INFO,
                    "Socket credentials not supported on this OS\n");
 @@ -1288,14 +1307,17 @@
  
      // FIXME: drop and reacquire lock while blocked?
      gamin_data_lock(conn);
 -    if (!gamin_data_event_ready(conn)) {
 +    while ((ret = gamin_data_event_ready(conn)) == 0) {
          if (gamin_read_data(conn, fc->fd, 1) < 0) {
  	    gamin_try_reconnect(conn, fc->fd);
  	    FAMErrno = FAM_CONNECT;
  	    return (-1);
  	}
      }
 -    ret = gamin_data_read_event(conn, fe);
 +
 +    if (ret > 0)
 +        ret = gamin_data_read_event(conn, fe);
 +
      gamin_data_unlock(conn);
  
      if (ret < 0) {
 --- libgamin/gam_fork.c.orig	2007-07-04 06:36:48.000000000 -0700
 +++ libgamin/gam_fork.c	2013-02-16 20:37:31.298176973 -0800
 @@ -42,6 +42,78 @@
      return NULL;
  }
  
 +#ifdef RUN_AS_EUID
 +/**
 + * gamin_drop_privileges
 + *
 + * Attempt to drop privileges to another user and group before forking
 + * a copy of the gam server
 + * 
 + * Return 0 in case of success or -1 in case of detected error.
 + */
 +int
 +gamin_drop_privileges(int to_uid, int to_gid)
 +{
 +    GAM_DEBUG(DEBUG_INFO, "Dropping privileges to %d:%d before forking server\n", to_uid, to_gid);
 +
 +    /* Get the current real user and group */
 +    int from_uid = getuid();
 +    int from_gid = getgid();
 +
 +    /* Make sure we were able to get the user and group values */
 +    if ( from_uid == -1 || to_uid == -1 || from_gid == -1 || to_gid == -1 ) {
 +        gam_error(DEBUG_INFO, "failed to get user or group info, unable to drop privileges\n");
 +        return(-1);
 +    }
 +
 +    /* Refuse to run setuid if it would escalate privileges */
 +    if ( from_uid != 0 && to_uid == 0 )
 +    {
 +        gam_error(DEBUG_INFO, "refusing to escalate user privileges from=%d to=%d\n", from_uid, to_uid);
 +        return(-1);
 +    }
 +
 +    /* Refuse to run setgid if it would escalate privileges */
 +    if ( from_gid != 0 && to_gid == 0 )
 +    {
 +        gam_error(DEBUG_INFO, "refusing to escalate group privileges from=%d to=%d\n", from_gid, to_gid);
 +        return(-1);
 +    }
 +
 +    /* Run setuid to drop privileges to the effective user */
 +    if ( from_uid != to_uid ) {
 +        GAM_DEBUG(DEBUG_INFO, "Attempting setuid from=%d to=%d\n", from_uid, to_uid);
 +
 +        /* run setuid and check for errors */
 +        if (setuid(to_uid) == -1) {
 +            gam_error(DEBUG_INFO, "failed to run setuid from=%d to=%d\n", from_uid, to_uid);
 +            return(-1);
 +        }
 +    }
 +    else {
 +        GAM_DEBUG(DEBUG_INFO, "Already running as effective user, skipping setuid\n");
 +    }
 +
 +    /* Run setgid to drop privileges to the effective group */
 +    if ( from_gid != to_gid ) {
 +        GAM_DEBUG(DEBUG_INFO, "Attempting setgid from=%d to=%d\n", from_gid, to_gid);
 +
 +        /* run setuid and check for errors */
 +        if (setgid(to_gid) == -1) {
 +            gam_error(DEBUG_INFO, "failed to run setgid from=%d to=%d\n", from_gid, to_gid);
 +            return(-1);
 +        }
 +    }
 +    else {
 +        GAM_DEBUG(DEBUG_INFO, "Already running as effective group, skipping setgid\n");
 +    }
 +
 +    GAM_DEBUG(DEBUG_INFO, "Succeeded in dropping privileges from %d:%d to %d:%d\n", from_uid, from_gid, to_uid, to_gid);
 +
 +    return(0);
 +}
 +#endif
 +
  /**
   * gamin_fork_server:
   * @fam_client_id: the client ID string to use
 @@ -71,6 +143,13 @@
          long open_max;
  	long i;
  
 +#ifdef RUN_AS_EUID
 +        /* Drop privileges to the current effective uid/gid and return on failure */
 +        if(gamin_drop_privileges( geteuid(), getegid() ) == -1) {
 +            return(-1);
 +        }
 +#endif
 +
          /* don't hold open fd opened from the client of the library */
  	open_max = sysconf (_SC_OPEN_MAX);
  	for (i = 0; i < open_max; i++)
 --- libgamin/gam_fork.h.orig	2007-07-04 06:36:48.000000000 -0700
 +++ libgamin/gam_fork.h	2013-02-16 20:38:00.328594608 -0800
 @@ -32,6 +32,9 @@
  #endif
  
  int		gamin_fork_server	(const char *fam_client_id);
 +#ifdef RUN_AS_EUID
 +int		gamin_drop_privileges	(int to_uid, int to_gid);
 +#endif
  
  #ifdef __cplusplus
  }
 
 --------------020205000508090601030105--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201302170450.r1H4o17g097546>