1 /* $OpenBSD: uidswap.c,v 1.42 2019/06/28 13:35:04 deraadt Exp $ */
2 /*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
6 * Code for uid-swapping.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 */
14
15 #include "includes.h"
16
17 #include <errno.h>
18 #include <pwd.h>
19 #include <string.h>
20 #include <unistd.h>
21 #include <limits.h>
22 #include <stdarg.h>
23 #include <stdlib.h>
24
25 #include <grp.h>
26
27 #include "log.h"
28 #include "uidswap.h"
29 #include "xmalloc.h"
30
31 #if defined(ANDROID)
32 #define AID_GRAPHICS 1003
33 #define AID_INPUT 1004
34 #define AID_LOG 1007
35 #define AID_MOUNT 1009
36 #define AID_SDCARD_RW 1015
37 #define AID_SHELL 2000
38 #define AID_NET_BT_ADMIN 3001
39 #define AID_NET_BT 3002
40 #define AID_INET 3003
41 #define AID_NET_BW_STATS 3006
42 #include <sys/capability.h>
43 #include <sys/prctl.h>
44 #endif
45
46 /*
47 * Note: all these functions must work in all of the following cases:
48 * 1. euid=0, ruid=0
49 * 2. euid=0, ruid!=0
50 * 3. euid!=0, ruid!=0
51 * Additionally, they must work regardless of whether the system has
52 * POSIX saved uids or not.
53 */
54
55 #if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)
56 /* Lets assume that posix saved ids also work with seteuid, even though that
57 is not part of the posix specification. */
58 #define SAVED_IDS_WORK_WITH_SETEUID
59 /* Saved effective uid. */
60 static uid_t saved_euid = 0;
61 static gid_t saved_egid = 0;
62 #endif
63
64 /* Saved effective uid. */
65 static int privileged = 0;
66 static int temporarily_use_uid_effective = 0;
67 static uid_t user_groups_uid;
68 static gid_t *saved_egroups = NULL, *user_groups = NULL;
69 static int saved_egroupslen = -1, user_groupslen = -1;
70
71 /*
72 * Temporarily changes to the given uid. If the effective user
73 * id is not root, this does nothing. This call cannot be nested.
74 */
75 void
temporarily_use_uid(struct passwd * pw)76 temporarily_use_uid(struct passwd *pw)
77 {
78 /* Save the current euid, and egroups. */
79 #ifdef SAVED_IDS_WORK_WITH_SETEUID
80 saved_euid = geteuid();
81 saved_egid = getegid();
82 debug("temporarily_use_uid: %u/%u (e=%u/%u)",
83 (u_int)pw->pw_uid, (u_int)pw->pw_gid,
84 (u_int)saved_euid, (u_int)saved_egid);
85 #ifndef HAVE_CYGWIN
86 if (saved_euid != 0) {
87 privileged = 0;
88 return;
89 }
90 #endif
91 #else
92 if (geteuid() != 0) {
93 privileged = 0;
94 return;
95 }
96 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
97
98 privileged = 1;
99 temporarily_use_uid_effective = 1;
100
101 saved_egroupslen = getgroups(0, NULL);
102 if (saved_egroupslen == -1)
103 fatal("getgroups: %.100s", strerror(errno));
104 if (saved_egroupslen > 0) {
105 saved_egroups = xreallocarray(saved_egroups,
106 saved_egroupslen, sizeof(gid_t));
107 if (getgroups(saved_egroupslen, saved_egroups) == -1)
108 fatal("getgroups: %.100s", strerror(errno));
109 } else { /* saved_egroupslen == 0 */
110 free(saved_egroups);
111 saved_egroups = NULL;
112 }
113
114 /* set and save the user's groups */
115 if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
116 if (initgroups(pw->pw_name, pw->pw_gid) == -1)
117 fatal("initgroups: %s: %.100s", pw->pw_name,
118 strerror(errno));
119
120 user_groupslen = getgroups(0, NULL);
121 if (user_groupslen == -1)
122 fatal("getgroups: %.100s", strerror(errno));
123 if (user_groupslen > 0) {
124 user_groups = xreallocarray(user_groups,
125 user_groupslen, sizeof(gid_t));
126 if (getgroups(user_groupslen, user_groups) == -1)
127 fatal("getgroups: %.100s", strerror(errno));
128 } else { /* user_groupslen == 0 */
129 free(user_groups);
130 user_groups = NULL;
131 }
132 user_groups_uid = pw->pw_uid;
133 }
134 /* Set the effective uid to the given (unprivileged) uid. */
135 if (setgroups(user_groupslen, user_groups) == -1)
136 fatal("setgroups: %.100s", strerror(errno));
137 #ifndef SAVED_IDS_WORK_WITH_SETEUID
138 /* Propagate the privileged gid to all of our gids. */
139 if (setgid(getegid()) == -1)
140 debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
141 /* Propagate the privileged uid to all of our uids. */
142 if (setuid(geteuid()) == -1)
143 debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
144 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
145 if (setegid(pw->pw_gid) == -1)
146 fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
147 strerror(errno));
148 if (seteuid(pw->pw_uid) == -1)
149 fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
150 strerror(errno));
151 }
152
153 /*
154 * Restores to the original (privileged) uid.
155 */
156 void
restore_uid(void)157 restore_uid(void)
158 {
159 /* it's a no-op unless privileged */
160 if (!privileged) {
161 debug("restore_uid: (unprivileged)");
162 return;
163 }
164 if (!temporarily_use_uid_effective)
165 fatal("restore_uid: temporarily_use_uid not effective");
166
167 #ifdef SAVED_IDS_WORK_WITH_SETEUID
168 debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
169 /* Set the effective uid back to the saved privileged uid. */
170 if (seteuid(saved_euid) == -1)
171 fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
172 if (setegid(saved_egid) == -1)
173 fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
174 #else /* SAVED_IDS_WORK_WITH_SETEUID */
175 /*
176 * We are unable to restore the real uid to its unprivileged value.
177 * Propagate the real uid (usually more privileged) to effective uid
178 * as well.
179 */
180 if (setuid(getuid()) == -1)
181 fatal("%s: setuid failed: %s", __func__, strerror(errno));
182 if (setgid(getgid()) == -1)
183 fatal("%s: setgid failed: %s", __func__, strerror(errno));
184 #endif /* SAVED_IDS_WORK_WITH_SETEUID */
185
186 if (setgroups(saved_egroupslen, saved_egroups) == -1)
187 fatal("setgroups: %.100s", strerror(errno));
188 temporarily_use_uid_effective = 0;
189 }
190
191 /*
192 * Permanently sets all uids to the given uid. This cannot be
193 * called while temporarily_use_uid is effective.
194 */
195 void
permanently_set_uid(struct passwd * pw)196 permanently_set_uid(struct passwd *pw)
197 {
198 #ifndef NO_UID_RESTORATION_TEST
199 uid_t old_uid = getuid();
200 gid_t old_gid = getgid();
201 #endif
202 #if defined(ANDROID)
203 struct __user_cap_header_struct header;
204 struct __user_cap_data_struct cap;
205 #endif
206
207 if (pw == NULL)
208 fatal("permanently_set_uid: no user given");
209 if (temporarily_use_uid_effective)
210 fatal("permanently_set_uid: temporarily_use_uid effective");
211 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
212 (u_int)pw->pw_gid);
213
214 #if defined(ANDROID)
215 if (pw->pw_uid == AID_SHELL) {
216 prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
217
218 /* add extra groups needed for shell user:
219 * - AID_LOG to read system logs (adb logcat)
220 * - AID_INPUT to diagnose input issues (getevent)
221 * - AID_INET to diagnose network issues (netcfg, ping)
222 * - AID_GRAPHICS to access the frame buffer
223 * - AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)
224 * - AID_SDCARD_RW to allow writing to the SD card
225 * - AID_MOUNT to allow unmounting the SD card before rebooting
226 * - AID_NET_BW_STATS to read out qtaguid statistics. */
227 gid_t groups[] = {AID_LOG, AID_INPUT, AID_INET,
228 AID_GRAPHICS, AID_NET_BT, AID_NET_BT_ADMIN,
229 AID_SDCARD_RW, AID_MOUNT, AID_NET_BW_STATS};
230 setgroups(sizeof(groups)/sizeof(groups[0]), groups);
231 }
232 #endif
233
234 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
235 fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
236
237 #ifdef __APPLE__
238 /*
239 * OS X requires initgroups after setgid to opt back into
240 * memberd support for >16 supplemental groups.
241 */
242 if (initgroups(pw->pw_name, pw->pw_gid) == -1)
243 fatal("initgroups %.100s %u: %.100s",
244 pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
245 #endif
246
247 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
248 fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
249
250 #ifndef NO_UID_RESTORATION_TEST
251 /* Try restoration of GID if changed (test clearing of saved gid) */
252 if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
253 (setgid(old_gid) != -1 || setegid(old_gid) != -1))
254 fatal("%s: was able to restore old [e]gid", __func__);
255 #endif
256
257 /* Verify GID drop was successful */
258 if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
259 fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
260 __func__, (u_int)getgid(), (u_int)getegid(),
261 (u_int)pw->pw_gid);
262 }
263
264 #ifndef NO_UID_RESTORATION_TEST
265 /* Try restoration of UID if changed (test clearing of saved uid) */
266 if (old_uid != pw->pw_uid &&
267 (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
268 fatal("%s: was able to restore old [e]uid", __func__);
269 #endif
270
271 /* Verify UID drop was successful */
272 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
273 fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
274 __func__, (u_int)getuid(), (u_int)geteuid(),
275 (u_int)pw->pw_uid);
276 }
277
278 #if defined(ANDROID)
279 if (pw->pw_uid == AID_SHELL) {
280 /* set CAP_SYS_BOOT capability, so "adb reboot" will succeed */
281 header.version = _LINUX_CAPABILITY_VERSION;
282 header.pid = 0;
283 cap.effective = cap.permitted = (1 << CAP_SYS_BOOT);
284 cap.inheritable = 0;
285 capset(&header, &cap);
286 }
287 #endif
288
289 }
290