1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 39 * $FreeBSD: src/sys/kern/kern_prot.c,v 1.53.2.9 2002/03/09 05:20:26 dd Exp $ 40 * $DragonFly: src/sys/kern/kern_prot.c,v 1.29 2008/02/16 15:53:39 matthias Exp $ 41 */ 42 43 /* 44 * System calls related to processes and protection 45 */ 46 47 #include "opt_compat.h" 48 49 #include <sys/param.h> 50 #include <sys/acct.h> 51 #include <sys/systm.h> 52 #include <sys/sysproto.h> 53 #include <sys/kernel.h> 54 #include <sys/lock.h> 55 #include <sys/proc.h> 56 #include <sys/priv.h> 57 #include <sys/malloc.h> 58 #include <sys/pioctl.h> 59 #include <sys/resourcevar.h> 60 #include <sys/jail.h> 61 #include <sys/lockf.h> 62 #include <sys/spinlock.h> 63 64 #include <sys/thread2.h> 65 #include <sys/spinlock2.h> 66 #include <sys/mplock2.h> 67 68 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 69 70 /* 71 * MPALMOSTSAFE 72 */ 73 int 74 sys_getpid(struct getpid_args *uap) 75 { 76 struct proc *p = curproc; 77 78 uap->sysmsg_fds[0] = p->p_pid; 79 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 80 get_mplock(); 81 uap->sysmsg_fds[1] = p->p_pptr->p_pid; 82 rel_mplock(); 83 #endif 84 return (0); 85 } 86 87 /* 88 * MPALMOSTSAFE 89 */ 90 int 91 sys_getppid(struct getppid_args *uap) 92 { 93 struct proc *p = curproc; 94 95 get_mplock(); 96 uap->sysmsg_result = p->p_pptr->p_pid; 97 rel_mplock(); 98 99 return (0); 100 } 101 102 /* 103 * MPSAFE 104 */ 105 int 106 sys_lwp_gettid(struct lwp_gettid_args *uap) 107 { 108 struct lwp *lp = curthread->td_lwp; 109 110 uap->sysmsg_result = lp->lwp_tid; 111 return (0); 112 } 113 114 /* 115 * Get process group ID; note that POSIX getpgrp takes no parameter 116 * 117 * MPSAFE XXX pgrp 118 */ 119 int 120 sys_getpgrp(struct getpgrp_args *uap) 121 { 122 struct proc *p = curproc; 123 124 uap->sysmsg_result = p->p_pgrp->pg_id; 125 return (0); 126 } 127 128 /* 129 * Get an arbitrary pid's process group id 130 * 131 * MPALMOSTSAFE 132 */ 133 int 134 sys_getpgid(struct getpgid_args *uap) 135 { 136 struct proc *p = curproc; 137 struct proc *pt; 138 int error; 139 140 get_mplock(); 141 error = 0; 142 143 if (uap->pid == 0) { 144 pt = p; 145 } else { 146 pt = pfind(uap->pid); 147 if (pt == NULL) 148 error = ESRCH; 149 } 150 if (error == 0) 151 uap->sysmsg_result = pt->p_pgrp->pg_id; 152 rel_mplock(); 153 return (error); 154 } 155 156 /* 157 * Get an arbitrary pid's session id. 158 * 159 * MPALMOSTSAFE 160 */ 161 int 162 sys_getsid(struct getsid_args *uap) 163 { 164 struct proc *p = curproc; 165 struct proc *pt; 166 int error; 167 168 get_mplock(); 169 error = 0; 170 171 if (uap->pid == 0) { 172 pt = p; 173 } else { 174 pt = pfind(uap->pid); 175 if (pt == NULL) 176 error = ESRCH; 177 } 178 if (error == 0) 179 uap->sysmsg_result = pt->p_session->s_sid; 180 rel_mplock(); 181 return (error); 182 } 183 184 185 /* 186 * getuid() 187 * 188 * MPSAFE 189 */ 190 int 191 sys_getuid(struct getuid_args *uap) 192 { 193 struct ucred *cred = curthread->td_ucred; 194 195 uap->sysmsg_fds[0] = cred->cr_ruid; 196 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 197 uap->sysmsg_fds[1] = cred->cr_uid; 198 #endif 199 return (0); 200 } 201 202 /* 203 * geteuid() 204 * 205 * MPSAFE 206 */ 207 int 208 sys_geteuid(struct geteuid_args *uap) 209 { 210 struct ucred *cred = curthread->td_ucred; 211 212 uap->sysmsg_result = cred->cr_uid; 213 return (0); 214 } 215 216 /* 217 * getgid() 218 * 219 * MPSAFE 220 */ 221 int 222 sys_getgid(struct getgid_args *uap) 223 { 224 struct ucred *cred = curthread->td_ucred; 225 226 uap->sysmsg_fds[0] = cred->cr_rgid; 227 #if defined(COMPAT_43) || defined(COMPAT_SUNOS) 228 uap->sysmsg_fds[1] = cred->cr_groups[0]; 229 #endif 230 return (0); 231 } 232 233 /* 234 * Get effective group ID. The "egid" is groups[0], and could be obtained 235 * via getgroups. This syscall exists because it is somewhat painful to do 236 * correctly in a library function. 237 * 238 * MPSAFE 239 */ 240 int 241 sys_getegid(struct getegid_args *uap) 242 { 243 struct ucred *cred = curthread->td_ucred; 244 245 uap->sysmsg_result = cred->cr_groups[0]; 246 return (0); 247 } 248 249 /* 250 * MPSAFE 251 */ 252 int 253 sys_getgroups(struct getgroups_args *uap) 254 { 255 struct ucred *cr; 256 u_int ngrp; 257 int error; 258 259 cr = curthread->td_ucred; 260 if ((ngrp = uap->gidsetsize) == 0) { 261 uap->sysmsg_result = cr->cr_ngroups; 262 return (0); 263 } 264 if (ngrp < cr->cr_ngroups) 265 return (EINVAL); 266 ngrp = cr->cr_ngroups; 267 error = copyout((caddr_t)cr->cr_groups, 268 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)); 269 if (error == 0) 270 uap->sysmsg_result = ngrp; 271 return (error); 272 } 273 274 /* 275 * MPALMOSTSAFE 276 */ 277 int 278 sys_setsid(struct setsid_args *uap) 279 { 280 struct proc *p = curproc; 281 int error; 282 283 get_mplock(); 284 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 285 error = EPERM; 286 } else { 287 enterpgrp(p, p->p_pid, 1); 288 uap->sysmsg_result = p->p_pid; 289 error = 0; 290 } 291 rel_mplock(); 292 return (error); 293 } 294 295 /* 296 * set process group (setpgid/old setpgrp) 297 * 298 * caller does setpgid(targpid, targpgid) 299 * 300 * pid must be caller or child of caller (ESRCH) 301 * if a child 302 * pid must be in same session (EPERM) 303 * pid can't have done an exec (EACCES) 304 * if pgid != pid 305 * there must exist some pid in same session having pgid (EPERM) 306 * pid must not be session leader (EPERM) 307 * 308 * MPALMOSTSAFE 309 */ 310 int 311 sys_setpgid(struct setpgid_args *uap) 312 { 313 struct proc *curp = curproc; 314 struct proc *targp; /* target process */ 315 struct pgrp *pgrp; /* target pgrp */ 316 int error; 317 318 if (uap->pgid < 0) 319 return (EINVAL); 320 321 get_mplock(); 322 if (uap->pid != 0 && uap->pid != curp->p_pid) { 323 if ((targp = pfind(uap->pid)) == 0 || !inferior(targp)) { 324 error = ESRCH; 325 goto done; 326 } 327 if (targp->p_pgrp == NULL || 328 targp->p_session != curp->p_session) { 329 error = EPERM; 330 goto done; 331 } 332 if (targp->p_flag & P_EXEC) { 333 error = EACCES; 334 goto done; 335 } 336 } else { 337 targp = curp; 338 } 339 if (SESS_LEADER(targp)) { 340 error = EPERM; 341 goto done; 342 } 343 if (uap->pgid == 0) { 344 uap->pgid = targp->p_pid; 345 } else if (uap->pgid != targp->p_pid) { 346 if ((pgrp = pgfind(uap->pgid)) == 0 || 347 pgrp->pg_session != curp->p_session) { 348 error = EPERM; 349 goto done; 350 } 351 } 352 error = enterpgrp(targp, uap->pgid, 0); 353 done: 354 rel_mplock(); 355 return (error); 356 } 357 358 /* 359 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 360 * compatible. It says that setting the uid/gid to euid/egid is a special 361 * case of "appropriate privilege". Once the rules are expanded out, this 362 * basically means that setuid(nnn) sets all three id's, in all permitted 363 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 364 * does not set the saved id - this is dangerous for traditional BSD 365 * programs. For this reason, we *really* do not want to set 366 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 367 */ 368 #define POSIX_APPENDIX_B_4_2_2 369 370 /* 371 * MPALMOSTSAFE 372 */ 373 int 374 sys_setuid(struct setuid_args *uap) 375 { 376 struct proc *p = curproc; 377 struct ucred *cr; 378 uid_t uid; 379 int error; 380 381 get_mplock(); 382 cr = p->p_ucred; 383 384 /* 385 * See if we have "permission" by POSIX 1003.1 rules. 386 * 387 * Note that setuid(geteuid()) is a special case of 388 * "appropriate privileges" in appendix B.4.2.2. We need 389 * to use this clause to be compatible with traditional BSD 390 * semantics. Basically, it means that "setuid(xx)" sets all 391 * three id's (assuming you have privs). 392 * 393 * Notes on the logic. We do things in three steps. 394 * 1: We determine if the euid is going to change, and do EPERM 395 * right away. We unconditionally change the euid later if this 396 * test is satisfied, simplifying that part of the logic. 397 * 2: We determine if the real and/or saved uid's are going to 398 * change. Determined by compile options. 399 * 3: Change euid last. (after tests in #2 for "appropriate privs") 400 */ 401 uid = uap->uid; 402 if (uid != cr->cr_ruid && /* allow setuid(getuid()) */ 403 #ifdef _POSIX_SAVED_IDS 404 uid != crc->cr_svuid && /* allow setuid(saved gid) */ 405 #endif 406 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 407 uid != cr->cr_uid && /* allow setuid(geteuid()) */ 408 #endif 409 (error = priv_check_cred(cr, PRIV_CRED_SETUID, 0))) 410 goto done; 411 412 #ifdef _POSIX_SAVED_IDS 413 /* 414 * Do we have "appropriate privileges" (are we root or uid == euid) 415 * If so, we are changing the real uid and/or saved uid. 416 */ 417 if ( 418 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 419 uid == cr->cr_uid || 420 #endif 421 priv_check_cred(cr, PRIV_CRED_SETUID, 0) == 0) /* we are using privs */ 422 #endif 423 { 424 /* 425 * Set the real uid and transfer proc count to new user. 426 */ 427 if (uid != cr->cr_ruid) { 428 cr = change_ruid(uid); 429 setsugid(); 430 } 431 /* 432 * Set saved uid 433 * 434 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 435 * the security of seteuid() depends on it. B.4.2.2 says it 436 * is important that we should do this. 437 */ 438 if (cr->cr_svuid != uid) { 439 cr = cratom(&p->p_ucred); 440 cr->cr_svuid = uid; 441 setsugid(); 442 } 443 } 444 445 /* 446 * In all permitted cases, we are changing the euid. 447 * Copy credentials so other references do not see our changes. 448 */ 449 if (cr->cr_uid != uid) { 450 change_euid(uid); 451 setsugid(); 452 } 453 error = 0; 454 done: 455 rel_mplock(); 456 return (error); 457 } 458 459 /* 460 * MPALMOSTSAFE 461 */ 462 int 463 sys_seteuid(struct seteuid_args *uap) 464 { 465 struct proc *p = curproc; 466 struct ucred *cr; 467 uid_t euid; 468 int error; 469 470 get_mplock(); 471 cr = p->p_ucred; 472 euid = uap->euid; 473 if (euid != cr->cr_ruid && /* allow seteuid(getuid()) */ 474 euid != cr->cr_svuid && /* allow seteuid(saved uid) */ 475 (error = priv_check_cred(cr, PRIV_CRED_SETEUID, 0))) { 476 rel_mplock(); 477 return (error); 478 } 479 480 /* 481 * Everything's okay, do it. Copy credentials so other references do 482 * not see our changes. 483 */ 484 if (cr->cr_uid != euid) { 485 change_euid(euid); 486 setsugid(); 487 } 488 rel_mplock(); 489 return (0); 490 } 491 492 /* 493 * MPALMOSTSAFE 494 */ 495 int 496 sys_setgid(struct setgid_args *uap) 497 { 498 struct proc *p = curproc; 499 struct ucred *cr; 500 gid_t gid; 501 int error; 502 503 get_mplock(); 504 cr = p->p_ucred; 505 506 /* 507 * See if we have "permission" by POSIX 1003.1 rules. 508 * 509 * Note that setgid(getegid()) is a special case of 510 * "appropriate privileges" in appendix B.4.2.2. We need 511 * to use this clause to be compatible with traditional BSD 512 * semantics. Basically, it means that "setgid(xx)" sets all 513 * three id's (assuming you have privs). 514 * 515 * For notes on the logic here, see setuid() above. 516 */ 517 gid = uap->gid; 518 if (gid != cr->cr_rgid && /* allow setgid(getgid()) */ 519 #ifdef _POSIX_SAVED_IDS 520 gid != cr->cr_svgid && /* allow setgid(saved gid) */ 521 #endif 522 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 523 gid != cr->cr_groups[0] && /* allow setgid(getegid()) */ 524 #endif 525 (error = priv_check_cred(cr, PRIV_CRED_SETGID, 0))) { 526 goto done; 527 } 528 529 #ifdef _POSIX_SAVED_IDS 530 /* 531 * Do we have "appropriate privileges" (are we root or gid == egid) 532 * If so, we are changing the real uid and saved gid. 533 */ 534 if ( 535 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 536 gid == cr->cr_groups[0] || 537 #endif 538 priv_check_cred(cr, PRIV_CRED_SETGID, 0) == 0) /* we are using privs */ 539 #endif 540 { 541 /* 542 * Set real gid 543 */ 544 if (cr->cr_rgid != gid) { 545 cr = cratom(&p->p_ucred); 546 cr->cr_rgid = gid; 547 setsugid(); 548 } 549 /* 550 * Set saved gid 551 * 552 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 553 * the security of setegid() depends on it. B.4.2.2 says it 554 * is important that we should do this. 555 */ 556 if (cr->cr_svgid != gid) { 557 cr = cratom(&p->p_ucred); 558 cr->cr_svgid = gid; 559 setsugid(); 560 } 561 } 562 /* 563 * In all cases permitted cases, we are changing the egid. 564 * Copy credentials so other references do not see our changes. 565 */ 566 if (cr->cr_groups[0] != gid) { 567 cr = cratom(&p->p_ucred); 568 cr->cr_groups[0] = gid; 569 setsugid(); 570 } 571 error = 0; 572 done: 573 rel_mplock(); 574 return (error); 575 } 576 577 /* 578 * MPALMOSTSAFE 579 */ 580 int 581 sys_setegid(struct setegid_args *uap) 582 { 583 struct proc *p = curproc; 584 struct ucred *cr; 585 gid_t egid; 586 int error; 587 588 get_mplock(); 589 cr = p->p_ucred; 590 egid = uap->egid; 591 if (egid != cr->cr_rgid && /* allow setegid(getgid()) */ 592 egid != cr->cr_svgid && /* allow setegid(saved gid) */ 593 (error = priv_check_cred(cr, PRIV_CRED_SETEGID, 0))) { 594 goto done; 595 } 596 if (cr->cr_groups[0] != egid) { 597 cr = cratom(&p->p_ucred); 598 cr->cr_groups[0] = egid; 599 setsugid(); 600 } 601 error = 0; 602 done: 603 rel_mplock(); 604 return (error); 605 } 606 607 /* 608 * MPALMOSTSAFE 609 */ 610 int 611 sys_setgroups(struct setgroups_args *uap) 612 { 613 struct proc *p = curproc; 614 struct ucred *cr; 615 u_int ngrp; 616 int error; 617 618 get_mplock(); 619 cr = p->p_ucred; 620 621 if ((error = priv_check_cred(cr, PRIV_CRED_SETGROUPS, 0))) 622 goto done; 623 ngrp = uap->gidsetsize; 624 if (ngrp > NGROUPS) { 625 error = EINVAL; 626 goto done; 627 } 628 /* 629 * XXX A little bit lazy here. We could test if anything has 630 * changed before cratom() and setting P_SUGID. 631 */ 632 cr = cratom(&p->p_ucred); 633 if (ngrp < 1) { 634 /* 635 * setgroups(0, NULL) is a legitimate way of clearing the 636 * groups vector on non-BSD systems (which generally do not 637 * have the egid in the groups[0]). We risk security holes 638 * when running non-BSD software if we do not do the same. 639 */ 640 cr->cr_ngroups = 1; 641 } else { 642 error = copyin(uap->gidset, cr->cr_groups, 643 ngrp * sizeof(gid_t)); 644 if (error) 645 goto done; 646 cr->cr_ngroups = ngrp; 647 } 648 setsugid(); 649 error = 0; 650 done: 651 rel_mplock(); 652 return (error); 653 } 654 655 /* 656 * MPALMOSTSAFE 657 */ 658 int 659 sys_setreuid(struct setreuid_args *uap) 660 { 661 struct proc *p = curproc; 662 struct ucred *cr; 663 uid_t ruid, euid; 664 int error; 665 666 get_mplock(); 667 cr = p->p_ucred; 668 669 ruid = uap->ruid; 670 euid = uap->euid; 671 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid) || 672 (euid != (uid_t)-1 && euid != cr->cr_uid && 673 euid != cr->cr_ruid && euid != cr->cr_svuid)) && 674 (error = priv_check_cred(cr, PRIV_CRED_SETREUID, 0)) != 0) { 675 goto done; 676 } 677 678 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 679 cr = change_euid(euid); 680 setsugid(); 681 } 682 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 683 cr = change_ruid(ruid); 684 setsugid(); 685 } 686 if ((ruid != (uid_t)-1 || cr->cr_uid != cr->cr_ruid) && 687 cr->cr_svuid != cr->cr_uid) { 688 cr = cratom(&p->p_ucred); 689 cr->cr_svuid = cr->cr_uid; 690 setsugid(); 691 } 692 error = 0; 693 done: 694 rel_mplock(); 695 return (error); 696 } 697 698 /* 699 * MPALMOSTSAFE 700 */ 701 int 702 sys_setregid(struct setregid_args *uap) 703 { 704 struct proc *p = curproc; 705 struct ucred *cr; 706 gid_t rgid, egid; 707 int error; 708 709 get_mplock(); 710 cr = p->p_ucred; 711 712 rgid = uap->rgid; 713 egid = uap->egid; 714 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid) || 715 (egid != (gid_t)-1 && egid != cr->cr_groups[0] && 716 egid != cr->cr_rgid && egid != cr->cr_svgid)) && 717 (error = priv_check_cred(cr, PRIV_CRED_SETREGID, 0)) != 0) { 718 goto done; 719 } 720 721 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 722 cr = cratom(&p->p_ucred); 723 cr->cr_groups[0] = egid; 724 setsugid(); 725 } 726 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 727 cr = cratom(&p->p_ucred); 728 cr->cr_rgid = rgid; 729 setsugid(); 730 } 731 if ((rgid != (gid_t)-1 || cr->cr_groups[0] != cr->cr_rgid) && 732 cr->cr_svgid != cr->cr_groups[0]) { 733 cr = cratom(&p->p_ucred); 734 cr->cr_svgid = cr->cr_groups[0]; 735 setsugid(); 736 } 737 error = 0; 738 done: 739 rel_mplock(); 740 return (error); 741 } 742 743 /* 744 * setresuid(ruid, euid, suid) is like setreuid except control over the 745 * saved uid is explicit. 746 * 747 * MPALMOSTSAFE 748 */ 749 int 750 sys_setresuid(struct setresuid_args *uap) 751 { 752 struct proc *p = curproc; 753 struct ucred *cr; 754 uid_t ruid, euid, suid; 755 int error; 756 757 get_mplock(); 758 cr = p->p_ucred; 759 760 ruid = uap->ruid; 761 euid = uap->euid; 762 suid = uap->suid; 763 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid && 764 ruid != cr->cr_uid) || 765 (euid != (uid_t)-1 && euid != cr->cr_ruid && euid != cr->cr_svuid && 766 euid != cr->cr_uid) || 767 (suid != (uid_t)-1 && suid != cr->cr_ruid && suid != cr->cr_svuid && 768 suid != cr->cr_uid)) && 769 (error = priv_check_cred(cr, PRIV_CRED_SETRESUID, 0)) != 0) { 770 goto done; 771 } 772 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 773 cr = change_euid(euid); 774 setsugid(); 775 } 776 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 777 cr = change_ruid(ruid); 778 setsugid(); 779 } 780 if (suid != (uid_t)-1 && cr->cr_svuid != suid) { 781 cr = cratom(&p->p_ucred); 782 cr->cr_svuid = suid; 783 setsugid(); 784 } 785 error = 0; 786 done: 787 rel_mplock(); 788 return (error); 789 } 790 791 /* 792 * setresgid(rgid, egid, sgid) is like setregid except control over the 793 * saved gid is explicit. 794 * 795 * MPALMOSTSAFE 796 */ 797 int 798 sys_setresgid(struct setresgid_args *uap) 799 { 800 struct proc *p = curproc; 801 struct ucred *cr; 802 gid_t rgid, egid, sgid; 803 int error; 804 805 get_mplock(); 806 cr = p->p_ucred; 807 rgid = uap->rgid; 808 egid = uap->egid; 809 sgid = uap->sgid; 810 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid && 811 rgid != cr->cr_groups[0]) || 812 (egid != (gid_t)-1 && egid != cr->cr_rgid && egid != cr->cr_svgid && 813 egid != cr->cr_groups[0]) || 814 (sgid != (gid_t)-1 && sgid != cr->cr_rgid && sgid != cr->cr_svgid && 815 sgid != cr->cr_groups[0])) && 816 (error = priv_check_cred(cr, PRIV_CRED_SETRESGID, 0)) != 0) { 817 goto done; 818 } 819 820 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 821 cr = cratom(&p->p_ucred); 822 cr->cr_groups[0] = egid; 823 setsugid(); 824 } 825 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 826 cr = cratom(&p->p_ucred); 827 cr->cr_rgid = rgid; 828 setsugid(); 829 } 830 if (sgid != (gid_t)-1 && cr->cr_svgid != sgid) { 831 cr = cratom(&p->p_ucred); 832 cr->cr_svgid = sgid; 833 setsugid(); 834 } 835 error = 0; 836 done: 837 rel_mplock(); 838 return (error); 839 } 840 841 /* 842 * MPALMOSTSAFE 843 */ 844 int 845 sys_getresuid(struct getresuid_args *uap) 846 { 847 struct proc *p = curproc; 848 struct ucred *cr; 849 int error1 = 0, error2 = 0, error3 = 0; 850 851 get_mplock(); 852 cr = p->p_ucred; 853 if (uap->ruid) 854 error1 = copyout((caddr_t)&cr->cr_ruid, 855 (caddr_t)uap->ruid, sizeof(cr->cr_ruid)); 856 if (uap->euid) 857 error2 = copyout((caddr_t)&cr->cr_uid, 858 (caddr_t)uap->euid, sizeof(cr->cr_uid)); 859 if (uap->suid) 860 error3 = copyout((caddr_t)&cr->cr_svuid, 861 (caddr_t)uap->suid, sizeof(cr->cr_svuid)); 862 rel_mplock(); 863 return error1 ? error1 : (error2 ? error2 : error3); 864 } 865 866 /* 867 * MPSAFE 868 */ 869 int 870 sys_getresgid(struct getresgid_args *uap) 871 { 872 struct ucred *cr; 873 int error1 = 0, error2 = 0, error3 = 0; 874 875 cr = curthread->td_ucred; 876 if (uap->rgid) 877 error1 = copyout(&cr->cr_rgid, uap->rgid, 878 sizeof(cr->cr_rgid)); 879 if (uap->egid) 880 error2 = copyout(&cr->cr_groups[0], uap->egid, 881 sizeof(cr->cr_groups[0])); 882 if (uap->sgid) 883 error3 = copyout(&cr->cr_svgid, uap->sgid, 884 sizeof(cr->cr_svgid)); 885 return error1 ? error1 : (error2 ? error2 : error3); 886 } 887 888 889 /* 890 * NOTE: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 891 * we use P_SUGID because we consider changing the owners as 892 * "tainting" as well. 893 * This is significant for procs that start as root and "become" 894 * a user without an exec - programs cannot know *everything* 895 * that libc *might* have put in their data segment. 896 * 897 * MPSAFE 898 */ 899 int 900 sys_issetugid(struct issetugid_args *uap) 901 { 902 uap->sysmsg_result = (curproc->p_flag & P_SUGID) ? 1 : 0; 903 return (0); 904 } 905 906 /* 907 * Check if gid is a member of the group set. 908 */ 909 int 910 groupmember(gid_t gid, struct ucred *cred) 911 { 912 gid_t *gp; 913 gid_t *egp; 914 915 egp = &(cred->cr_groups[cred->cr_ngroups]); 916 for (gp = cred->cr_groups; gp < egp; gp++) { 917 if (*gp == gid) 918 return (1); 919 } 920 return (0); 921 } 922 923 /* 924 * Test whether the specified credentials have the privilege 925 * in question. 926 * 927 * A kernel thread without a process context is assumed to have 928 * the privilege in question. In situations where the caller always 929 * expect a cred to exist, the cred should be passed separately and 930 * priv_check_cred() should be used instead of priv_check(). 931 * 932 * Returns 0 or error. 933 * 934 * MPSAFE 935 */ 936 int 937 priv_check(struct thread *td, int priv) 938 { 939 if (td->td_lwp != NULL) 940 return priv_check_cred(td->td_ucred, priv, 0); 941 return (0); 942 } 943 944 /* 945 * Check a credential for privilege. 946 * 947 * A non-null credential is expected unless NULL_CRED_OKAY is set. 948 * 949 * MPSAFE 950 */ 951 int 952 priv_check_cred(struct ucred *cred, int priv, int flags) 953 { 954 int error; 955 956 KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege")); 957 958 KASSERT(cred != NULL || flags & NULL_CRED_OKAY, 959 ("priv_check_cred: NULL cred!")); 960 961 if (cred == NULL) { 962 if (flags & NULL_CRED_OKAY) 963 return (0); 964 else 965 return (EPERM); 966 } 967 if (cred->cr_uid != 0) 968 return (EPERM); 969 970 error = prison_priv_check(cred, priv); 971 if (error) 972 return (error); 973 974 /* NOTE: accounting for suser access (p_acflag/ASU) removed */ 975 return (0); 976 } 977 978 /* 979 * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise. 980 */ 981 int 982 p_trespass(struct ucred *cr1, struct ucred *cr2) 983 { 984 if (cr1 == cr2) 985 return (0); 986 if (!PRISON_CHECK(cr1, cr2)) 987 return (ESRCH); 988 if (cr1->cr_ruid == cr2->cr_ruid) 989 return (0); 990 if (cr1->cr_uid == cr2->cr_ruid) 991 return (0); 992 if (cr1->cr_ruid == cr2->cr_uid) 993 return (0); 994 if (cr1->cr_uid == cr2->cr_uid) 995 return (0); 996 if (priv_check_cred(cr1, PRIV_PROC_TRESPASS, 0) == 0) 997 return (0); 998 return (EPERM); 999 } 1000 1001 /* 1002 * MPSAFE 1003 */ 1004 static __inline void 1005 _crinit(struct ucred *cr) 1006 { 1007 cr->cr_ref = 1; 1008 } 1009 1010 /* 1011 * MPSAFE 1012 */ 1013 void 1014 crinit(struct ucred *cr) 1015 { 1016 bzero(cr, sizeof(*cr)); 1017 _crinit(cr); 1018 } 1019 1020 /* 1021 * Allocate a zeroed cred structure. 1022 * 1023 * MPSAFE 1024 */ 1025 struct ucred * 1026 crget(void) 1027 { 1028 struct ucred *cr; 1029 1030 cr = kmalloc(sizeof(*cr), M_CRED, M_WAITOK|M_ZERO); 1031 _crinit(cr); 1032 return (cr); 1033 } 1034 1035 /* 1036 * Claim another reference to a ucred structure. Can be used with special 1037 * creds. 1038 * 1039 * It must be possible to call this routine with spinlocks held, meaning 1040 * that this routine itself cannot obtain a spinlock. 1041 * 1042 * MPSAFE 1043 */ 1044 struct ucred * 1045 crhold(struct ucred *cr) 1046 { 1047 if (cr != NOCRED && cr != FSCRED) 1048 atomic_add_int(&cr->cr_ref, 1); 1049 return(cr); 1050 } 1051 1052 /* 1053 * Drop a reference from the cred structure, free it if the reference count 1054 * reaches 0. 1055 * 1056 * NOTE: because we used atomic_add_int() above, without a spinlock, we 1057 * must also use atomic_subtract_int() below. A spinlock is required 1058 * in crfree() to handle multiple callers racing the refcount to 0. 1059 * 1060 * MPSAFE 1061 */ 1062 void 1063 crfree(struct ucred *cr) 1064 { 1065 if (cr->cr_ref <= 0) 1066 panic("Freeing already free credential! %p", cr); 1067 if (atomic_fetchadd_int(&cr->cr_ref, -1) == 1) { 1068 /* 1069 * Some callers of crget(), such as nfs_statfs(), 1070 * allocate a temporary credential, but don't 1071 * allocate a uidinfo structure. 1072 */ 1073 if (cr->cr_uidinfo != NULL) { 1074 uidrop(cr->cr_uidinfo); 1075 cr->cr_uidinfo = NULL; 1076 } 1077 if (cr->cr_ruidinfo != NULL) { 1078 uidrop(cr->cr_ruidinfo); 1079 cr->cr_ruidinfo = NULL; 1080 } 1081 1082 /* 1083 * Destroy empty prisons 1084 */ 1085 if (jailed(cr)) 1086 prison_free(cr->cr_prison); 1087 cr->cr_prison = NULL; /* safety */ 1088 1089 FREE((caddr_t)cr, M_CRED); 1090 } 1091 } 1092 1093 /* 1094 * Atomize a cred structure so it can be modified without polluting 1095 * other references to it. 1096 * 1097 * MPSAFE (however, *pcr must be stable) 1098 */ 1099 struct ucred * 1100 cratom(struct ucred **pcr) 1101 { 1102 struct ucred *oldcr; 1103 struct ucred *newcr; 1104 1105 oldcr = *pcr; 1106 if (oldcr->cr_ref == 1) 1107 return (oldcr); 1108 newcr = crget(); 1109 *newcr = *oldcr; 1110 if (newcr->cr_uidinfo) 1111 uihold(newcr->cr_uidinfo); 1112 if (newcr->cr_ruidinfo) 1113 uihold(newcr->cr_ruidinfo); 1114 if (jailed(newcr)) 1115 prison_hold(newcr->cr_prison); 1116 newcr->cr_ref = 1; 1117 crfree(oldcr); 1118 *pcr = newcr; 1119 return (newcr); 1120 } 1121 1122 #if 0 /* no longer used but keep around for a little while */ 1123 /* 1124 * Copy cred structure to a new one and free the old one. 1125 * 1126 * MPSAFE (*cr must be stable) 1127 */ 1128 struct ucred * 1129 crcopy(struct ucred *cr) 1130 { 1131 struct ucred *newcr; 1132 1133 if (cr->cr_ref == 1) 1134 return (cr); 1135 newcr = crget(); 1136 *newcr = *cr; 1137 if (newcr->cr_uidinfo) 1138 uihold(newcr->cr_uidinfo); 1139 if (newcr->cr_ruidinfo) 1140 uihold(newcr->cr_ruidinfo); 1141 if (jailed(newcr)) 1142 prison_hold(newcr->cr_prison); 1143 newcr->cr_ref = 1; 1144 crfree(cr); 1145 return (newcr); 1146 } 1147 #endif 1148 1149 /* 1150 * Dup cred struct to a new held one. 1151 */ 1152 struct ucred * 1153 crdup(struct ucred *cr) 1154 { 1155 struct ucred *newcr; 1156 1157 newcr = crget(); 1158 *newcr = *cr; 1159 if (newcr->cr_uidinfo) 1160 uihold(newcr->cr_uidinfo); 1161 if (newcr->cr_ruidinfo) 1162 uihold(newcr->cr_ruidinfo); 1163 if (jailed(newcr)) 1164 prison_hold(newcr->cr_prison); 1165 newcr->cr_ref = 1; 1166 return (newcr); 1167 } 1168 1169 /* 1170 * Fill in a struct xucred based on a struct ucred. 1171 */ 1172 void 1173 cru2x(struct ucred *cr, struct xucred *xcr) 1174 { 1175 1176 bzero(xcr, sizeof(*xcr)); 1177 xcr->cr_version = XUCRED_VERSION; 1178 xcr->cr_uid = cr->cr_uid; 1179 xcr->cr_ngroups = cr->cr_ngroups; 1180 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1181 } 1182 1183 /* 1184 * Get login name, if available. 1185 * 1186 * MPALMOSTSAFE 1187 */ 1188 int 1189 sys_getlogin(struct getlogin_args *uap) 1190 { 1191 struct proc *p = curproc; 1192 char buf[MAXLOGNAME]; 1193 int error; 1194 1195 if (uap->namelen > MAXLOGNAME) /* namelen is unsigned */ 1196 uap->namelen = MAXLOGNAME; 1197 get_mplock(); 1198 bzero(buf, sizeof(buf)); 1199 bcopy(p->p_pgrp->pg_session->s_login, buf, uap->namelen); 1200 rel_mplock(); 1201 1202 error = copyout(buf, uap->namebuf, uap->namelen); 1203 return (error); 1204 } 1205 1206 /* 1207 * Set login name. 1208 * 1209 * MPALMOSTSAFE 1210 */ 1211 int 1212 sys_setlogin(struct setlogin_args *uap) 1213 { 1214 struct thread *td = curthread; 1215 struct proc *p; 1216 struct ucred *cred; 1217 char buf[MAXLOGNAME]; 1218 int error; 1219 1220 cred = td->td_ucred; 1221 p = td->td_proc; 1222 1223 if ((error = priv_check_cred(cred, PRIV_PROC_SETLOGIN, 0))) 1224 return (error); 1225 bzero(buf, sizeof(buf)); 1226 error = copyinstr(uap->namebuf, buf, sizeof(buf), NULL); 1227 if (error == ENAMETOOLONG) 1228 error = EINVAL; 1229 if (error == 0) { 1230 get_mplock(); 1231 memcpy(p->p_pgrp->pg_session->s_login, buf, sizeof(buf)); 1232 rel_mplock(); 1233 } 1234 return (error); 1235 } 1236 1237 void 1238 setsugid(void) 1239 { 1240 struct proc *p = curproc; 1241 1242 KKASSERT(p != NULL); 1243 p->p_flag |= P_SUGID; 1244 if (!(p->p_pfsflags & PF_ISUGID)) 1245 p->p_stops = 0; 1246 } 1247 1248 /* 1249 * Helper function to change the effective uid of a process 1250 */ 1251 struct ucred * 1252 change_euid(uid_t euid) 1253 { 1254 struct proc *p = curproc; 1255 struct ucred *cr; 1256 1257 KKASSERT(p != NULL); 1258 lf_count_adjust(p, 0); 1259 cr = cratom(&p->p_ucred); 1260 cr->cr_uid = euid; 1261 uireplace(&cr->cr_uidinfo, uifind(euid)); 1262 lf_count_adjust(p, 1); 1263 return (cr); 1264 } 1265 1266 /* 1267 * Helper function to change the real uid of a process 1268 * 1269 * The per-uid process count for this process is transfered from 1270 * the old uid to the new uid. 1271 */ 1272 struct ucred * 1273 change_ruid(uid_t ruid) 1274 { 1275 struct proc *p = curproc; 1276 struct ucred *cr; 1277 1278 KKASSERT(p != NULL); 1279 1280 cr = cratom(&p->p_ucred); 1281 chgproccnt(cr->cr_ruidinfo, -1, 0); 1282 cr->cr_ruid = ruid; 1283 uireplace(&cr->cr_ruidinfo, uifind(ruid)); 1284 chgproccnt(cr->cr_ruidinfo, 1, 0); 1285 return (cr); 1286 } 1287