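/* Copyright (c) 2011-2014 Yubico AB
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *   * Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   * Redistributions in binary form must reproduce the above
 *     copyright notice, this list of conditions and the following
 *     disclaimer in the documentation and/or other materials provided
 *     with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * drop_privs.h -- privilege drop/regain abstraction for the PAM module.
 *
 * Exposes the Linux-PAM names PAM_MODUTIL_DEF_PRIVS(),
 * pam_modutil_drop_priv() and pam_modutil_regain_priv() on every
 * platform, selecting one of three backends at preprocessing time:
 *
 *   HAVE_PAM_MODUTIL_DROP_PRIV  Linux-PAM provides the functions itself;
 *                               <security/pam_modutil.h> is used as is.
 *   HAVE_OPENPAM_BORROW_CRED    OpenPAM: openpam_borrow_cred() /
 *                               openpam_restore_cred() are wrapped in
 *                               macros with the Linux-PAM signatures.
 *   (neither)                   A private implementation, declared at the
 *                               bottom of this file and defined elsewhere
 *                               in the module (presumably drop_privs.c).
 *
 * Contract common to all backends: pam_modutil_drop_priv() returns 0 on
 * success and -1 on failure (explicit in the OpenPAM wrappers below;
 * Linux-PAM documents the same convention; the fallback is assumed to
 * match -- confirm in its definition). A caller must check that result
 * and must not proceed with the work it intended to do as the target
 * user if the drop failed, and it must call pam_modutil_regain_priv()
 * on every exit path after a successful drop, checking that result too.
 */

/* Guard name kept out of the implementation-reserved double-underscore
 * namespace (C11 7.1.3). */
#ifndef PAM_U2F_DROP_PRIVS_H_INCLUDED
#define PAM_U2F_DROP_PRIVS_H_INCLUDED

#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
#include <security/pam_modutil.h>
#elif defined(HAVE_OPENPAM_BORROW_CRED)
#include <sys/types.h>
#include <security/pam_appl.h>
#include <security/openpam.h>

/* OpenPAM keeps the saved credentials inside the PAM handle, so no local
 * state object is needed; the macro expands to nothing and the `privs`
 * argument of the two wrappers below is deliberately unused. */
#define PAM_MODUTIL_DEF_PRIVS(n) /* noop */
/* Map OpenPAM's PAM_SUCCESS/error result onto the 0/-1 convention. */
#define pam_modutil_drop_priv(pamh, privs, pwd)                             \
  ((openpam_borrow_cred((pamh), (pwd)) == PAM_SUCCESS) ? 0 : -1)
#define pam_modutil_regain_priv(pamh, privs)                                \
  ((openpam_restore_cred((pamh)) == PAM_SUCCESS) ? 0 : -1)

#else

#include <pwd.h>
#include <stdio.h>

#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
#endif
#ifdef HAVE_SECURITY_PAM_MODULES_H
#include <security/pam_modules.h>
#endif

/* Capacity of the saved supplementary-group list, chosen to match the
 * limit used by Linux-PAM's pam_modutil implementation. */
#define SAVED_GROUPS_MAX_LEN 64 /* as pam_modutil.. */

/*
 * Saved credentials for the fallback backend.
 *
 * NOTE(review): the leading-underscore tag is in the implementation-reserved
 * namespace; it is kept unchanged because callers and the .c file refer to
 * it by this name.
 */
struct _ykpam_privs {
  uid_t saved_euid;        /* effective uid in force before the drop */
  gid_t saved_egid;        /* effective gid in force before the drop */
  gid_t *saved_groups;     /* caller-owned array, see PAM_MODUTIL_DEF_PRIVS */
  int saved_groups_length; /* capacity of saved_groups, later presumably the
                            * number of entries actually saved -- confirm in
                            * the implementation */
  FILE *debug_file;        /* where the implementation writes debug output */
};

/*
 * Declare and initialise a struct _ykpam_privs named `n` together with the
 * group-array storage it points to.
 *
 * The uid/gid fields start as (uid_t)-1 / (gid_t)-1, presumably meaning
 * "nothing saved yet". The macro references `cfg->debug_file`, so it can
 * only be expanded where a variable `cfg` with a `debug_file` member is in
 * scope (the module's configuration object).
 */
#define PAM_MODUTIL_DEF_PRIVS(n)                                            \
  gid_t n##_saved_groups[SAVED_GROUPS_MAX_LEN];                             \
  struct _ykpam_privs n = {                                                 \
      (uid_t)-1,                                                            \
      (gid_t)-1,                                                            \
      n##_saved_groups,                                                     \
      SAVED_GROUPS_MAX_LEN,                                                 \
      cfg->debug_file,                                                      \
  }

/* Switch to the credentials of `pwd`, recording the previous ones in
 * `privs`. Return value: 0 on success, otherwise non-zero (presumably -1,
 * as in the OpenPAM wrappers above -- confirm in the definition). */
int pam_modutil_drop_priv(pam_handle_t *, struct _ykpam_privs *,
                          struct passwd *);
/* Restore the credentials recorded in `privs` by a prior successful
 * pam_modutil_drop_priv(). Return value: 0 on success, otherwise non-zero. */
int pam_modutil_regain_priv(pam_handle_t *, struct _ykpam_privs *);

#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
#endif /* PAM_U2F_DROP_PRIVS_H_INCLUDED */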