1 /* $NetBSD: openpam_borrow_cred.c,v 1.5 2023/06/30 21:46:20 christos Exp $ */
2
3 /*-
4 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
5 * Copyright (c) 2004-2011 Dag-Erling Smørgrav
6 * All rights reserved.
7 *
8 * This software was developed for the FreeBSD Project by ThinkSec AS and
9 * Network Associates Laboratories, the Security Research Division of
10 * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
11 * ("CBOSS"), as part of the DARPA CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. The name of the author may not be used to endorse or promote
22 * products derived from this software without specific prior written
23 * permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38 #ifdef HAVE_CONFIG_H
39 # include "config.h"
40 #endif
41
42 #include <sys/cdefs.h>
43 __RCSID("$NetBSD: openpam_borrow_cred.c,v 1.5 2023/06/30 21:46:20 christos Exp $");
44
45 #include <sys/param.h>
46
47 #include <grp.h>
48 #include <limits.h>
49 #include <pwd.h>
50 #include <stdlib.h>
51 #include <unistd.h>
52
53 #include <security/pam_appl.h>
54
55 #include "openpam_impl.h"
56 #include "openpam_cred.h"
57
58 /*
59 * OpenPAM extension
60 *
61 * Temporarily borrow user credentials
62 */
63
64 int
openpam_borrow_cred(pam_handle_t * pamh,const struct passwd * pwd)65 openpam_borrow_cred(pam_handle_t *pamh,
66 const struct passwd *pwd)
67 {
68 struct pam_saved_cred *scred;
69 const void *scredp;
70 int r;
71
72 ENTERN(pwd->pw_uid);
73 r = pam_get_data(pamh, PAM_SAVED_CRED, &scredp);
74 if (r == PAM_SUCCESS && scredp != NULL) {
75 openpam_log(PAM_LOG_LIBDEBUG,
76 "already operating under borrowed credentials");
77 RETURNC(PAM_SYSTEM_ERR);
78 }
79 if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
80 openpam_log(PAM_LOG_LIBDEBUG, "called with non-zero euid: %d",
81 (int)geteuid());
82 RETURNC(PAM_PERM_DENIED);
83 }
84 scred = calloc((size_t)1, sizeof *scred);
85 if (scred == NULL)
86 RETURNC(PAM_BUF_ERR);
87 scred->euid = geteuid();
88 scred->egid = getegid();
89 r = getgroups(NGROUPS_MAX, scred->groups);
90 if (r < 0) {
91 FREE(scred);
92 RETURNC(PAM_SYSTEM_ERR);
93 }
94 scred->ngroups = r;
95 r = pam_set_data(pamh, PAM_SAVED_CRED, scred, &openpam_free_data);
96 if (r != PAM_SUCCESS) {
97 FREE(scred);
98 RETURNC(r);
99 }
100 if (geteuid() == pwd->pw_uid)
101 RETURNC(PAM_SUCCESS);
102 if (initgroups(pwd->pw_name, pwd->pw_gid) < 0 ||
103 setegid(pwd->pw_gid) < 0 || seteuid(pwd->pw_uid) < 0) {
104 openpam_restore_cred(pamh);
105 RETURNC(PAM_SYSTEM_ERR);
106 }
107 RETURNC(PAM_SUCCESS);
108 }
109
110 /*
111 * Error codes:
112 *
113 * =pam_set_data
114 * PAM_SYSTEM_ERR
115 * PAM_BUF_ERR
116 * PAM_PERM_DENIED
117 */
118
119 /**
120 * The =openpam_borrow_cred function saves the current credentials and
121 * switches to those of the user specified by its =pwd argument.
122 * The affected credentials are the effective UID, the effective GID, and
123 * the group access list.
124 * The original credentials can be restored using =openpam_restore_cred.
125 *
126 * >setegid 2
127 * >seteuid 2
128 * >setgroups 2
129 */
130