capabilities: Proper error handling when reading groups
[strongswan.git] / src / libstrongswan / utils / capabilities.c
1 /*
2 * Copyright (C) 2012-2013 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 * Copyright (C) 2012 Martin Willi
5 * Copyright (C) 2012 revosec AG
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "capabilities.h"
19
20 #include <errno.h>
21 #include <string.h>
22 #include <sys/types.h>
23 #include <pwd.h>
24 #include <grp.h>
25 #include <unistd.h>
26 #ifdef HAVE_PRCTL
27 # include <sys/prctl.h>
28 #endif /* HAVE_PRCTL */
29
30 #include <utils/debug.h>
31
32 #if !defined(HAVE_GETPWNAM_R) || \
33 !defined(HAVE_GETGRNAM_R) || \
34 !defined(HAVE_GETPWUID_R)
35 # include <threading/mutex.h>
36 # define EMULATE_R_FUNCS
37 #endif
38
39 typedef struct private_capabilities_t private_capabilities_t;
40
41 /**
42 * Private data of an capabilities_t object.
43 */
44 struct private_capabilities_t {
45
46 /**
47 * Public capabilities_t interface.
48 */
49 capabilities_t public;
50
51 /**
52 * user ID to switch during rights dropping
53 */
54 uid_t uid;
55
56 /**
57 * group ID to switch during rights dropping
58 */
59 gid_t gid;
60
61 /**
62 * capabilities to keep
63 */
64 #ifdef CAPABILITIES_LIBCAP
65 cap_t caps;
66 #endif /* CAPABILITIES_LIBCAP */
67 #ifdef CAPABILITIES_NATIVE
68 struct __user_cap_data_struct caps[2];
69 #endif /* CAPABILITIES_NATIVE */
70
71 #ifdef EMULATE_R_FUNCS
72 /**
73 * mutex to emulate get(pw|gr)nam_r functions
74 */
75 mutex_t *mutex;
76 #endif
77 };
78
79 /**
80 * Returns TRUE if the current process/user is member of the given group
81 */
82 static bool has_group(gid_t group)
83 {
84 gid_t *groups;
85 long ngroups, i;
86 bool found = FALSE;
87
88 if (group == getegid())
89 { /* it's unspecified if this is part of the list below or not */
90 return TRUE;
91 }
92 ngroups = sysconf(_SC_NGROUPS_MAX);
93 if (ngroups == -1)
94 {
95 DBG1(DBG_LIB, "getting groups for current process failed: %s",
96 strerror(errno));
97 return FALSE;
98 }
99 groups = calloc(ngroups + 1, sizeof(gid_t));
100 ngroups = getgroups(ngroups, groups);
101 if (ngroups == -1)
102 {
103 DBG1(DBG_LIB, "getting groups for current process failed: %s",
104 strerror(errno));
105 free(groups);
106 return FALSE;
107 }
108 for (i = 0; i < ngroups; i++)
109 {
110 if (group == groups[i])
111 {
112 found = TRUE;
113 break;
114 }
115 }
116 free(groups);
117 return found;
118 }
119
120 /**
121 * Verify that the current process has the given capability
122 */
123 static bool has_capability(private_capabilities_t *this, u_int cap,
124 bool *ignore)
125 {
126 if (cap == CAP_CHOWN)
127 { /* if new files/UNIX sockets are created they should be owned by the
128 * configured user and group. This requires a call to chown(2). But
129 * CAP_CHOWN is not always required. */
130 if (!this->uid || geteuid() == this->uid)
131 { /* if the owner does not change CAP_CHOWN is not needed */
132 if (!this->gid || has_group(this->gid))
133 { /* the same applies if the owner is a member of the group */
134 if (ignore)
135 { /* we don't have to keep this, if requested */
136 *ignore = TRUE;
137 }
138 return TRUE;
139 }
140 }
141 }
142 #ifndef CAPABILITIES
143 /* if we can't check the actual capabilities assume only root has it */
144 return geteuid() == 0;
145 #endif /* !CAPABILITIES */
146 #ifdef CAPABILITIES_LIBCAP
147 cap_flag_value_t val;
148 cap_t caps;
149 bool ok;
150
151 caps = cap_get_proc();
152 if (!caps)
153 {
154 return FALSE;
155 }
156 ok = cap_get_flag(caps, cap, CAP_PERMITTED, &val) == 0 && val == CAP_SET;
157 cap_free(caps);
158 return ok;
159 #endif /* CAPABILITIES_LIBCAP */
160 #ifdef CAPABILITIES_NATIVE
161 struct __user_cap_header_struct header = {
162 #if defined(_LINUX_CAPABILITY_VERSION_3)
163 .version = _LINUX_CAPABILITY_VERSION_3,
164 #elif defined(_LINUX_CAPABILITY_VERSION_2)
165 .version = _LINUX_CAPABILITY_VERSION_2,
166 #elif defined(_LINUX_CAPABILITY_VERSION_1)
167 .version = _LINUX_CAPABILITY_VERSION_1,
168 #else
169 .version = _LINUX_CAPABILITY_VERSION,
170 #endif
171 };
172 struct __user_cap_data_struct caps[2];
173 int i = 0;
174
175 if (cap >= 32)
176 {
177 i++;
178 cap -= 32;
179 }
180 return capget(&header, caps) == 0 && caps[i].permitted & (1 << cap);
181 #endif /* CAPABILITIES_NATIVE */
182 }
183
184 /**
185 * Keep the given capability if it is held by the current process. Returns
186 * FALSE, if this is not the case.
187 */
188 static bool keep_capability(private_capabilities_t *this, u_int cap)
189 {
190 #ifdef CAPABILITIES_LIBCAP
191 cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
192 cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
193 cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
194 #endif /* CAPABILITIES_LIBCAP */
195 #ifdef CAPABILITIES_NATIVE
196 int i = 0;
197
198 if (cap >= 32)
199 {
200 i++;
201 cap -= 32;
202 }
203 this->caps[i].effective |= 1 << cap;
204 this->caps[i].permitted |= 1 << cap;
205 this->caps[i].inheritable |= 1 << cap;
206 #endif /* CAPABILITIES_NATIVE */
207 return TRUE;
208 }
209
210 METHOD(capabilities_t, keep, bool,
211 private_capabilities_t *this, u_int cap)
212 {
213 bool ignore = FALSE;
214
215 if (!has_capability(this, cap, &ignore))
216 {
217 return FALSE;
218 }
219 else if (ignore)
220 { /* don't keep capabilities that are not required */
221 return TRUE;
222 }
223 return keep_capability(this, cap);
224 }
225
226 METHOD(capabilities_t, check, bool,
227 private_capabilities_t *this, u_int cap)
228 {
229 return has_capability(this, cap, NULL);
230 }
231
232 METHOD(capabilities_t, get_uid, uid_t,
233 private_capabilities_t *this)
234 {
235 return this->uid ?: geteuid();
236 }
237
238 METHOD(capabilities_t, get_gid, gid_t,
239 private_capabilities_t *this)
240 {
241 return this->gid ?: getegid();
242 }
243
244 METHOD(capabilities_t, set_uid, void,
245 private_capabilities_t *this, uid_t uid)
246 {
247 this->uid = uid;
248 }
249
250 METHOD(capabilities_t, set_gid, void,
251 private_capabilities_t *this, gid_t gid)
252 {
253 this->gid = gid;
254 }
255
256 METHOD(capabilities_t, resolve_uid, bool,
257 private_capabilities_t *this, char *username)
258 {
259 struct passwd *pwp;
260 int err;
261
262 #ifdef HAVE_GETPWNAM_R
263 struct passwd passwd;
264 char buf[1024];
265
266 err = getpwnam_r(username, &passwd, buf, sizeof(buf), &pwp);
267 if (pwp)
268 {
269 this->uid = pwp->pw_uid;
270 }
271 #else /* HAVE GETPWNAM_R */
272 this->mutex->lock(this->mutex);
273 pwp = getpwnam(username);
274 if (pwp)
275 {
276 this->uid = pwp->pw_uid;
277 }
278 err = errno;
279 this->mutex->unlock(this->mutex);
280 #endif /* HAVE GETPWNAM_R */
281 if (pwp)
282 {
283 return TRUE;
284 }
285 DBG1(DBG_LIB, "resolving user '%s' failed: %s", username,
286 err ? strerror(err) : "user not found");
287 return FALSE;
288 }
289
290 METHOD(capabilities_t, resolve_gid, bool,
291 private_capabilities_t *this, char *groupname)
292 {
293 struct group *grp;
294 int err;
295
296 #ifdef HAVE_GETGRNAM_R
297 struct group group;
298 char buf[1024];
299
300 err = getgrnam_r(groupname, &group, buf, sizeof(buf), &grp);
301 if (grp)
302 {
303 this->gid = grp->gr_gid;
304 }
305 #else /* HAVE_GETGRNAM_R */
306 this->mutex->lock(this->mutex);
307 grp = getgrnam(groupname);
308 if (grp)
309 {
310 this->gid = grp->gr_gid;
311 }
312 err = errno;
313 this->mutex->unlock(this->mutex);
314 #endif /* HAVE_GETGRNAM_R */
315 if (grp)
316 {
317 return TRUE;
318 }
319 DBG1(DBG_LIB, "resolving user '%s' failed: %s", groupname,
320 err ? strerror(err) : "group not found");
321 return FALSE;
322 }
323
324 /**
325 * Initialize supplementary groups for unprivileged user
326 */
327 static bool init_supplementary_groups(private_capabilities_t *this)
328 {
329 struct passwd *pwp;
330 int res = -1;
331
332 #ifdef HAVE_GETPWUID_R
333 struct passwd pwd;
334 char buf[1024];
335
336 if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp)
337 {
338 res = initgroups(pwp->pw_name, this->gid);
339 }
340 #else /* HAVE_GETPWUID_R */
341 this->mutex->lock(this->mutex);
342 pwp = getpwuid(this->uid);
343 if (pwp)
344 {
345 res = initgroups(pwp->pw_name, this->gid);
346 }
347 this->mutex->unlock(this->mutex);
348 #endif /* HAVE_GETPWUID_R */
349 return res == 0;
350 }
351
352 METHOD(capabilities_t, drop, bool,
353 private_capabilities_t *this)
354 {
355 #ifdef HAVE_PRCTL
356 prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
357 #endif
358
359 if (this->uid && !init_supplementary_groups(this))
360 {
361 DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
362 this->uid);
363 return FALSE;
364 }
365 if (this->gid && setgid(this->gid) != 0)
366 {
367 DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
368 this->gid, strerror(errno));
369 return FALSE;
370 }
371 if (this->uid && setuid(this->uid) != 0)
372 {
373 DBG1(DBG_LIB, "change to unprivileged user %u failed: %s",
374 this->uid, strerror(errno));
375 return FALSE;
376 }
377
378 #ifdef CAPABILITIES_LIBCAP
379 if (cap_set_proc(this->caps) != 0)
380 {
381 DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno));
382 return FALSE;
383 }
384 #endif /* CAPABILITIES_LIBCAP */
385 #ifdef CAPABILITIES_NATIVE
386 struct __user_cap_header_struct header = {
387 #if defined(_LINUX_CAPABILITY_VERSION_3)
388 .version = _LINUX_CAPABILITY_VERSION_3,
389 #elif defined(_LINUX_CAPABILITY_VERSION_2)
390 .version = _LINUX_CAPABILITY_VERSION_2,
391 #elif defined(_LINUX_CAPABILITY_VERSION_1)
392 .version = _LINUX_CAPABILITY_VERSION_1,
393 #else
394 .version = _LINUX_CAPABILITY_VERSION,
395 #endif
396 };
397 if (capset(&header, this->caps) != 0)
398 {
399 DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno));
400 return FALSE;
401 }
402 #endif /* CAPABILITIES_NATIVE */
403 #ifdef CAPABILITIES
404 DBG1(DBG_LIB, "dropped capabilities, running as uid %u, gid %u",
405 geteuid(), getegid());
406 #endif /* CAPABILITIES */
407 return TRUE;
408 }
409
410 METHOD(capabilities_t, destroy, void,
411 private_capabilities_t *this)
412 {
413 #ifdef EMULATE_R_FUNCS
414 this->mutex->destroy(this->mutex);
415 #endif /* EMULATE_R_FUNCS */
416 #ifdef CAPABILITIES_LIBCAP
417 cap_free(this->caps);
418 #endif /* CAPABILITIES_LIBCAP */
419 free(this);
420 }
421
422 /**
423 * See header
424 */
425 capabilities_t *capabilities_create()
426 {
427 private_capabilities_t *this;
428
429 INIT(this,
430 .public = {
431 .keep = _keep,
432 .check = _check,
433 .get_uid = _get_uid,
434 .get_gid = _get_gid,
435 .set_uid = _set_uid,
436 .set_gid = _set_gid,
437 .resolve_uid = _resolve_uid,
438 .resolve_gid = _resolve_gid,
439 .drop = _drop,
440 .destroy = _destroy,
441 },
442 );
443
444 #ifdef CAPABILITIES_LIBCAP
445 this->caps = cap_init();
446 #endif /* CAPABILITIES_LIBCAP */
447
448 #ifdef EMULATE_R_FUNCS
449 this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
450 #endif /* EMULATE_R_FUNCS */
451
452 return &this->public;
453 }