xref: /netbsd-src/sbin/mount_portal/pt_file.c (revision fe6f1f01c1a88a9dde0f0742f4ffd26dc2535940) 
1*fe6f1f01Skre /*	$NetBSD: pt_file.c,v 1.20 2019/05/23 11:13:17 kre Exp $	*/
20114e805Scgd 
3a70a31f7Scgd /*
4a70a31f7Scgd  * Copyright (c) 1992, 1993
5a70a31f7Scgd  *	The Regents of the University of California.  All rights reserved.
6a70a31f7Scgd  *
7a70a31f7Scgd  * This code is derived from software donated to Berkeley by
8a70a31f7Scgd  * Jan-Simon Pendry.
9a70a31f7Scgd  *
10a70a31f7Scgd  * Redistribution and use in source and binary forms, with or without
11a70a31f7Scgd  * modification, are permitted provided that the following conditions
12a70a31f7Scgd  * are met:
13a70a31f7Scgd  * 1. Redistributions of source code must retain the above copyright
14a70a31f7Scgd  *    notice, this list of conditions and the following disclaimer.
15a70a31f7Scgd  * 2. Redistributions in binary form must reproduce the above copyright
16a70a31f7Scgd  *    notice, this list of conditions and the following disclaimer in the
17a70a31f7Scgd  *    documentation and/or other materials provided with the distribution.
18276d62f6Sagc  * 3. Neither the name of the University nor the names of its contributors
19a70a31f7Scgd  *    may be used to endorse or promote products derived from this software
20a70a31f7Scgd  *    without specific prior written permission.
21a70a31f7Scgd  *
22a70a31f7Scgd  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23a70a31f7Scgd  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24a70a31f7Scgd  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25a70a31f7Scgd  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26a70a31f7Scgd  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27a70a31f7Scgd  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28a70a31f7Scgd  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29a70a31f7Scgd  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30a70a31f7Scgd  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31a70a31f7Scgd  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32a70a31f7Scgd  * SUCH DAMAGE.
33a70a31f7Scgd  *
345922d844Smycroft  *	from: Id: pt_file.c,v 1.1 1992/05/25 21:43:09 jsp Exp
354b0b1ba8Slukem  *	@(#)pt_file.c	8.3 (Berkeley) 7/3/94
36a70a31f7Scgd  */
37a70a31f7Scgd 
384eb9f40aSlukem #include <sys/cdefs.h>
394eb9f40aSlukem #ifndef lint
40*fe6f1f01Skre __RCSID("$NetBSD: pt_file.c,v 1.20 2019/05/23 11:13:17 kre Exp $");
414eb9f40aSlukem #endif /* not lint */
424eb9f40aSlukem 
43a70a31f7Scgd #include <stdio.h>
44a70a31f7Scgd #include <unistd.h>
45a70a31f7Scgd #include <stdlib.h>
465922d844Smycroft #include <string.h>
47a70a31f7Scgd #include <errno.h>
48a70a31f7Scgd #include <fcntl.h>
49a70a31f7Scgd #include <sys/types.h>
50a70a31f7Scgd #include <sys/param.h>
51a70a31f7Scgd #include <sys/syslog.h>
52a70a31f7Scgd 
53a70a31f7Scgd #include "portald.h"
54a70a31f7Scgd 
55ac273e7fSbgrayson #ifdef DEBUG
56ac273e7fSbgrayson #define DEBUG_SYSLOG	syslog
57ac273e7fSbgrayson #else
58ac273e7fSbgrayson /*
59ac273e7fSbgrayson  * The "if (0) ..." will be optimized away by the compiler if
60ac273e7fSbgrayson  * DEBUG is not defined.
61ac273e7fSbgrayson  */
62ac273e7fSbgrayson #define DEBUG_SYSLOG	if (0) syslog
63ac273e7fSbgrayson #endif
64ac273e7fSbgrayson 
65ac273e7fSbgrayson int
lose_credentials(struct portal_cred * pcr)66a8d83732Sxtraeme lose_credentials(struct portal_cred *pcr)
67ac273e7fSbgrayson {
68ac273e7fSbgrayson 	/*
69ac273e7fSbgrayson 	 * If we are root, then switch into the caller's credentials.
70ac273e7fSbgrayson 	 * By the way, we _always_ log failures, to make
71ac273e7fSbgrayson 	 * sure questionable activity is noticed.
72ac273e7fSbgrayson 	 */
73ac273e7fSbgrayson 	if (getuid() == 0) {
740d39e62eSbgrayson 		/* Set groups first ... */
75ac273e7fSbgrayson 		if (setgroups(pcr->pcr_ngroups, pcr->pcr_groups) < 0) {
76415d1abdSlukem 			syslog(LOG_WARNING,
77ac273e7fSbgrayson 			    "lose_credentials: setgroups() failed (%m)");
78ac273e7fSbgrayson 			return (errno);
79ac273e7fSbgrayson 		}
800d39e62eSbgrayson 		/* ... then gid ... */
810d39e62eSbgrayson 		if (setgid(pcr->pcr_gid) < 0) {
82415d1abdSlukem 			syslog(LOG_WARNING,
830d39e62eSbgrayson 				"lose_credentials: setgid(%d) failed (%m)",
840d39e62eSbgrayson 				pcr->pcr_gid);
850d39e62eSbgrayson 		}
860d39e62eSbgrayson 		/*
87cc50bb7aSchristos 		 * ... and now do the seteuid() where we temporarily give
88cc50bb7aSchristos 		 * away our root privileges.
890d39e62eSbgrayson 		 */
90cc50bb7aSchristos 		if (seteuid(pcr->pcr_uid) < 0) {
91415d1abdSlukem 			syslog(LOG_WARNING,
920d39e62eSbgrayson 				"lose_credentials: setuid(%d) failed (%m)",
93ac273e7fSbgrayson 				pcr->pcr_uid);
94ac273e7fSbgrayson 		}
95ac273e7fSbgrayson 		/* The credential change was successful! */
96415d1abdSlukem 		DEBUG_SYSLOG(LOG_DEBUG, "Root-owned mount process lowered credentials -- returning successfully!\n");
97ac273e7fSbgrayson 		return 0;
98ac273e7fSbgrayson 	}
99415d1abdSlukem 	DEBUG_SYSLOG(LOG_DEBUG, "Actual/effective/caller's creds are:");
100415d1abdSlukem 	DEBUG_SYSLOG(LOG_DEBUG, "%d/%d %d/%d %d/%d", getuid(),
101ac273e7fSbgrayson 	    getgid(), geteuid(), getegid(), pcr->pcr_uid, pcr->pcr_gid);
102ac273e7fSbgrayson 	/*
103ac273e7fSbgrayson 	 * Else, fail if the uid is neither actual or effective
104ac273e7fSbgrayson 	 * uid of mount process...
105ac273e7fSbgrayson 	 */
106ac273e7fSbgrayson 	if ((getuid() != pcr->pcr_uid) && (geteuid() != pcr->pcr_uid)) {
107415d1abdSlukem 		syslog(LOG_WARNING,
108415d1abdSlukem 		    "lose_credentials: uid %d != uid %d, or euid %d != uid %d",
109ac273e7fSbgrayson 		    getuid(), pcr->pcr_uid, geteuid(), pcr->pcr_uid);
110ac273e7fSbgrayson 		return EPERM;
111ac273e7fSbgrayson 	}
112ac273e7fSbgrayson 	/*
113ac273e7fSbgrayson 	 * ... or the gid is neither the actual or effective
114ac273e7fSbgrayson 	 * gid of the mount process.
115ac273e7fSbgrayson 	 */
116ac273e7fSbgrayson 	if ((getgid() != pcr->pcr_gid) && (getegid() != pcr->pcr_gid)) {
117415d1abdSlukem 		syslog(LOG_WARNING,
118415d1abdSlukem 		    "lose_credentials: gid %d != gid %d, or egid %d != gid %d",
119ac273e7fSbgrayson 		    getgid(), pcr->pcr_gid, getegid(), pcr->pcr_gid);
120ac273e7fSbgrayson 		return EPERM;
121ac273e7fSbgrayson 	}
122ac273e7fSbgrayson 	/*
123ac273e7fSbgrayson 	 * If we make it here, we have a uid _and_ gid match! Allow the
124ac273e7fSbgrayson 	 * access.
125ac273e7fSbgrayson 	 */
126415d1abdSlukem 	DEBUG_SYSLOG(LOG_DEBUG, "Returning successfully!\n");
127ac273e7fSbgrayson 	return 0;
128ac273e7fSbgrayson }
129ac273e7fSbgrayson 
1304eb9f40aSlukem int
portal_file(struct portal_cred * pcr,char * key,char ** v,int * fdp)13101d79aaeSpooka portal_file(struct portal_cred *pcr, char *key, char **v, int *fdp)
132a70a31f7Scgd {
133a70a31f7Scgd 	int     fd;
134a70a31f7Scgd 	char    pbuf[MAXPATHLEN];
135a70a31f7Scgd 	int     error;
1363e4993b3Schristos 	int     origuid;
137a70a31f7Scgd 
138ac273e7fSbgrayson 	origuid = getuid();
139a70a31f7Scgd 	pbuf[0] = '/';
140d90a2369Sitojun 	strlcpy(pbuf + 1, key + (v[1] ? strlen(v[1]) : 0), sizeof(pbuf) - 1);
141415d1abdSlukem 	DEBUG_SYSLOG(LOG_DEBUG, "path = %s, uid = %d, gid = %d",
142ac273e7fSbgrayson 	    pbuf, pcr->pcr_uid, pcr->pcr_gid);
143a70a31f7Scgd 
144ac273e7fSbgrayson 	if ((error = lose_credentials(pcr)) != 0) {
145415d1abdSlukem 		DEBUG_SYSLOG(LOG_DEBUG, "portal_file: Credential err %d", error);
146ac273e7fSbgrayson 		return error;
147ac273e7fSbgrayson 	}
148a70a31f7Scgd 	error = 0;
149ac273e7fSbgrayson 	/*
150ac273e7fSbgrayson 	 * Be careful -- only set error to errno if there is an error.
151ac273e7fSbgrayson 	 * errno could hold an old, uncaught value, from a routine
152ac273e7fSbgrayson 	 * called long before now.
153ac273e7fSbgrayson 	 */
154ac273e7fSbgrayson 	fd = open(pbuf, O_RDWR | O_CREAT, 0666);
155ac273e7fSbgrayson 	if (fd < 0) {
156ac273e7fSbgrayson 		error = errno;
157*fe6f1f01Skre 		if (error == EACCES || error == EISDIR) {
158415d1abdSlukem 			DEBUG_SYSLOG(LOG_DEBUG, "Error:  could not open '%s' "
159ac273e7fSbgrayson 			    "read/write with create flag.  "
160ac273e7fSbgrayson 			    "Trying read-only open...", pbuf);
161ac273e7fSbgrayson 			/* Try opening read-only. */
162ac273e7fSbgrayson 			fd = open(pbuf, O_RDONLY, 0);
163ac273e7fSbgrayson 			if (fd < 0) {
164ac273e7fSbgrayson 				error = errno;
165415d1abdSlukem 				DEBUG_SYSLOG(LOG_DEBUG, "That failed too!  %m");
166ac273e7fSbgrayson 			} else {
167ac273e7fSbgrayson 				/* Clear the error indicator. */
168ac273e7fSbgrayson 				error = 0;
169ac273e7fSbgrayson 			}
170ac273e7fSbgrayson 		} else {
171415d1abdSlukem 			DEBUG_SYSLOG(LOG_DEBUG, "Error:  could not open '%s': %m", pbuf);
172ac273e7fSbgrayson 		}
173a70a31f7Scgd 
174ac273e7fSbgrayson 	}
175ac273e7fSbgrayson 	if (seteuid((uid_t) origuid) < 0) {	/* XXX - should reset gidset
176ac273e7fSbgrayson 						 * too */
177a70a31f7Scgd 		error = errno;
178415d1abdSlukem 		syslog(LOG_WARNING, "setcred: %m");
179a70a31f7Scgd 		if (fd >= 0) {
180a70a31f7Scgd 			(void) close(fd);
181a70a31f7Scgd 			fd = -1;
182a70a31f7Scgd 		}
183a70a31f7Scgd 	}
184a70a31f7Scgd 	if (error == 0)
185a70a31f7Scgd 		*fdp = fd;
186a70a31f7Scgd 
187415d1abdSlukem 	DEBUG_SYSLOG(LOG_DEBUG, "pt_file returns *fdp = %d, error = %d", *fdp,
1880ac5bcaaSenami 	    error);
189a70a31f7Scgd 	return (error);
190a70a31f7Scgd }
191