|
|
390a82 |
From e6dea148252c9d8cb3de0965f2e558ac13e12f06 Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: Daniel Shahaf <danielsh@apache.org>
|
|
|
390a82 |
Date: Thu, 26 Dec 2019 11:49:45 +0000
|
|
|
390a82 |
Subject: [PATCH 1/7] internal: Allow %L in zerrmsg() in non-debug builds, too.
|
|
|
390a82 |
|
|
|
390a82 |
This will let error messages include long integers.
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: 81185f4c6106d7ea2f7beaabbec7360c08e400d2
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Src/utils.c | 2 --
|
|
|
390a82 |
1 file changed, 2 deletions(-)
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Src/utils.c b/Src/utils.c
|
|
|
390a82 |
index 32f6008..2ddc596 100644
|
|
|
390a82 |
--- a/Src/utils.c
|
|
|
390a82 |
+++ b/Src/utils.c
|
|
|
390a82 |
@@ -325,12 +325,10 @@ zerrmsg(FILE *file, const char *fmt, va_list ap)
|
|
|
390a82 |
nicezputs(s, file);
|
|
|
390a82 |
break;
|
|
|
390a82 |
}
|
|
|
390a82 |
-#ifdef DEBUG
|
|
|
390a82 |
case 'L':
|
|
|
390a82 |
lnum = va_arg(ap, long);
|
|
|
390a82 |
fprintf(file, "%ld", lnum);
|
|
|
390a82 |
break;
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
case 'd':
|
|
|
390a82 |
num = va_arg(ap, int);
|
|
|
390a82 |
fprintf(file, "%d", num);
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|
|
|
390a82 |
|
|
|
390a82 |
From 4907caaf15e5a054088e05534c5500679c15b105 Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: dana <dana@dana.is>
|
|
|
390a82 |
Date: Thu, 26 Dec 2019 14:57:07 -0600
|
|
|
390a82 |
Subject: [PATCH 2/7] unposted: zerrmsg(): Fix macro guard missed in previous
|
|
|
390a82 |
commit
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: ed21a7b70068b4250a25dcdc5b7213a789b0d0ca
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Src/utils.c | 2 --
|
|
|
390a82 |
1 file changed, 2 deletions(-)
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Src/utils.c b/Src/utils.c
|
|
|
390a82 |
index 2ddc596..4a1dcc4 100644
|
|
|
390a82 |
--- a/Src/utils.c
|
|
|
390a82 |
+++ b/Src/utils.c
|
|
|
390a82 |
@@ -287,9 +287,7 @@ zerrmsg(FILE *file, const char *fmt, va_list ap)
|
|
|
390a82 |
{
|
|
|
390a82 |
const char *str;
|
|
|
390a82 |
int num;
|
|
|
390a82 |
-#ifdef DEBUG
|
|
|
390a82 |
long lnum;
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
#ifdef HAVE_STRERROR_R
|
|
|
390a82 |
#define ERRBUFSIZE (80)
|
|
|
390a82 |
int olderrno;
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|
|
|
390a82 |
|
|
|
390a82 |
From a6763e5de6eebc5994097fc4d778094e7254589c Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: Sam Foxman <samfoxman320@gmail.com>
|
|
|
390a82 |
Date: Sun, 22 Dec 2019 17:30:28 -0500
|
|
|
390a82 |
Subject: [PATCH 3/7] Drop privileges securely
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: 24e993db62cf146fb76ebcf677a4a7aa3766fc74
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Src/options.c | 146 +++++++++++++++++++++++++++++++++++++++++---------
|
|
|
390a82 |
configure.ac | 4 +-
|
|
|
390a82 |
2 files changed, 125 insertions(+), 25 deletions(-)
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Src/options.c b/Src/options.c
|
|
|
390a82 |
index 590652e..c9608af 100644
|
|
|
390a82 |
--- a/Src/options.c
|
|
|
390a82 |
+++ b/Src/options.c
|
|
|
390a82 |
@@ -576,6 +576,7 @@ int
|
|
|
390a82 |
bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
{
|
|
|
390a82 |
int action, optno, match = 0;
|
|
|
390a82 |
+ int retval = 0;
|
|
|
390a82 |
|
|
|
390a82 |
/* With no arguments or options, display options. */
|
|
|
390a82 |
if (!*args) {
|
|
|
390a82 |
@@ -603,18 +604,28 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
inittyptab();
|
|
|
390a82 |
return 1;
|
|
|
390a82 |
}
|
|
|
390a82 |
- if(!(optno = optlookup(*args)))
|
|
|
390a82 |
+ if(!(optno = optlookup(*args))) {
|
|
|
390a82 |
zwarnnam(nam, "no such option: %s", *args);
|
|
|
390a82 |
- else if(dosetopt(optno, action, 0, opts))
|
|
|
390a82 |
- zwarnnam(nam, "can't change option: %s", *args);
|
|
|
390a82 |
+ retval = 1;
|
|
|
390a82 |
+ } else {
|
|
|
390a82 |
+ retval = !!dosetopt(optno, action, 0, opts);
|
|
|
390a82 |
+ if (retval) {
|
|
|
390a82 |
+ zwarnnam(nam, "can't change option: %s", *args);
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ }
|
|
|
390a82 |
break;
|
|
|
390a82 |
} else if(**args == 'm') {
|
|
|
390a82 |
match = 1;
|
|
|
390a82 |
} else {
|
|
|
390a82 |
- if (!(optno = optlookupc(**args)))
|
|
|
390a82 |
+ if (!(optno = optlookupc(**args))) {
|
|
|
390a82 |
zwarnnam(nam, "bad option: -%c", **args);
|
|
|
390a82 |
- else if(dosetopt(optno, action, 0, opts))
|
|
|
390a82 |
- zwarnnam(nam, "can't change option: -%c", **args);
|
|
|
390a82 |
+ retval = 1;
|
|
|
390a82 |
+ } else {
|
|
|
390a82 |
+ retval = !!dosetopt(optno, action, 0, opts);
|
|
|
390a82 |
+ if (retval) {
|
|
|
390a82 |
+ zwarnnam(nam, "can't change option: -%c", **args);
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ }
|
|
|
390a82 |
}
|
|
|
390a82 |
}
|
|
|
390a82 |
args++;
|
|
|
390a82 |
@@ -624,10 +635,15 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
if (!match) {
|
|
|
390a82 |
/* Not globbing the arguments -- arguments are simply option names. */
|
|
|
390a82 |
while (*args) {
|
|
|
390a82 |
- if(!(optno = optlookup(*args++)))
|
|
|
390a82 |
+ if(!(optno = optlookup(*args++))) {
|
|
|
390a82 |
zwarnnam(nam, "no such option: %s", args[-1]);
|
|
|
390a82 |
- else if(dosetopt(optno, !isun, 0, opts))
|
|
|
390a82 |
- zwarnnam(nam, "can't change option: %s", args[-1]);
|
|
|
390a82 |
+ retval = 1;
|
|
|
390a82 |
+ } else {
|
|
|
390a82 |
+ retval = !!dosetopt(optno, !isun, 0, opts);
|
|
|
390a82 |
+ if (retval) {
|
|
|
390a82 |
+ zwarnnam(nam, "can't change option: %s", args[-1]);
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ }
|
|
|
390a82 |
}
|
|
|
390a82 |
} else {
|
|
|
390a82 |
/* Globbing option (-m) set. */
|
|
|
390a82 |
@@ -650,7 +666,8 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
tokenize(s);
|
|
|
390a82 |
if (!(pprog = patcompile(s, PAT_HEAPDUP, NULL))) {
|
|
|
390a82 |
zwarnnam(nam, "bad pattern: %s", *args);
|
|
|
390a82 |
- continue;
|
|
|
390a82 |
+ retval = 1;
|
|
|
390a82 |
+ break;
|
|
|
390a82 |
}
|
|
|
390a82 |
/* Loop over expansions. */
|
|
|
390a82 |
scanmatchtable(optiontab, pprog, 0, 0, OPT_ALIAS,
|
|
|
390a82 |
@@ -659,7 +676,7 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
}
|
|
|
390a82 |
}
|
|
|
390a82 |
inittyptab();
|
|
|
390a82 |
- return 0;
|
|
|
390a82 |
+ return retval;
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
/* Identify an option name */
|
|
|
390a82 |
@@ -768,20 +785,101 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
} else if(optno == PRIVILEGED && !value) {
|
|
|
390a82 |
/* unsetting PRIVILEGED causes the shell to make itself unprivileged */
|
|
|
390a82 |
-#ifdef HAVE_SETUID
|
|
|
390a82 |
- setuid(getuid());
|
|
|
390a82 |
- setgid(getgid());
|
|
|
390a82 |
- if (setuid(getuid())) {
|
|
|
390a82 |
- zwarn("failed to change user ID: %e", errno);
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- } else if (setgid(getgid())) {
|
|
|
390a82 |
- zwarn("failed to change group ID: %e", errno);
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
+
|
|
|
390a82 |
+ int skip_setuid = 0;
|
|
|
390a82 |
+ int skip_setgid = 0;
|
|
|
390a82 |
+
|
|
|
390a82 |
+#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
|
|
|
390a82 |
+ int orig_egid = getegid();
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+#if defined(HAVE_GETEUID) && defined(HAVE_GETUID)
|
|
|
390a82 |
+ if (geteuid() == getuid()) {
|
|
|
390a82 |
+ skip_setuid = 1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+#if defined(HAVE_GETEGID) && defined(HAVE_GETGID)
|
|
|
390a82 |
+ if (getegid() == getgid()) {
|
|
|
390a82 |
+ skip_setgid = 1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+ if (!skip_setgid) {
|
|
|
390a82 |
+ int setgid_err;
|
|
|
390a82 |
+#ifdef HAVE_SETRESGID
|
|
|
390a82 |
+ setgid_err = setresgid(getgid(), getgid(), getgid());
|
|
|
390a82 |
+#elif defined(HAVE_SETREGID)
|
|
|
390a82 |
+#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
|
|
|
390a82 |
+ setgid_err = setregid(getgid(), getgid());
|
|
|
390a82 |
+#else
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; setregid available, but cannot check if saved gid changed");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+#else
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid and setregid not available");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+ if (setgid_err) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+
|
|
|
390a82 |
+ if (!skip_setuid) {
|
|
|
390a82 |
+#if defined(HAVE_GETEUID) && defined(HAVE_SETUID)
|
|
|
390a82 |
+ int orig_euid = geteuid();
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+ int setuid_err;
|
|
|
390a82 |
+#if defined(HAVE_GETEUID) && defined(HAVE_INITGROUPS) && defined(HAVE_GETPWUID)
|
|
|
390a82 |
+ if (geteuid() == 0) {
|
|
|
390a82 |
+ struct passwd *pw = getpwuid(getuid());
|
|
|
390a82 |
+ if (pw == NULL) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %d: %e",
|
|
|
390a82 |
+ getuid(), errno);
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ if (initgroups(pw->pw_name, pw->pw_gid)) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+#ifdef HAVE_SETRESUID
|
|
|
390a82 |
+ setuid_err = setresuid(getuid(), getuid(), getuid());
|
|
|
390a82 |
+#elif defined(HAVE_SETREUID)
|
|
|
390a82 |
+#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
|
|
|
390a82 |
+ setuid_err = setreuid(getuid(), getuid());
|
|
|
390a82 |
+#else
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; setreuid available, but cannot check if saved uid changed");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
#else
|
|
|
390a82 |
- zwarn("setuid not available");
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
-#endif /* not HAVE_SETUID */
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid and setreuid not available");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+ if (setuid_err) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
|
|
|
390a82 |
+ if (getuid() != 0 && !setuid(orig_euid)) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+
|
|
|
390a82 |
+#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
|
|
|
390a82 |
+ if (getuid() != 0 && !skip_setgid && !setgid(orig_egid)) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
#ifdef JOB_CONTROL
|
|
|
390a82 |
} else if (!force && optno == MONITOR && value) {
|
|
|
390a82 |
if (new_opts[optno] == value)
|
|
|
390a82 |
diff --git a/configure.ac b/configure.ac
|
|
|
390a82 |
index d15a6cd..51cdf89 100644
|
|
|
390a82 |
--- a/configure.ac
|
|
|
390a82 |
+++ b/configure.ac
|
|
|
390a82 |
@@ -1300,7 +1300,9 @@ AC_CHECK_FUNCS(strftime strptime mktime timelocal \
|
|
|
390a82 |
inet_aton inet_pton inet_ntop \
|
|
|
390a82 |
getlogin getpwent getpwnam getpwuid getgrgid getgrnam \
|
|
|
390a82 |
initgroups nis_list \
|
|
|
390a82 |
- setuid seteuid setreuid setresuid setsid \
|
|
|
390a82 |
+ getuid setuid seteuid setreuid setresuid setsid \
|
|
|
390a82 |
+ getgid setgid setegid setregid setresgid \
|
|
|
390a82 |
+ geteuid getegid \
|
|
|
390a82 |
memcpy memmove strstr strerror strtoul \
|
|
|
390a82 |
getrlimit getrusage \
|
|
|
390a82 |
setlocale \
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|
|
|
390a82 |
|
|
|
390a82 |
From 07ec3e46db743ff37fd2bfeafbb4a44ddc7b4aaa Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: Daniel Shahaf <danielsh@apache.org>
|
|
|
390a82 |
Date: Thu, 26 Dec 2019 09:16:19 +0000
|
|
|
390a82 |
Subject: [PATCH 4/7] Improve PRIVILEGED fixes
|
|
|
390a82 |
MIME-Version: 1.0
|
|
|
390a82 |
Content-Type: text/plain; charset=UTF-8
|
|
|
390a82 |
Content-Transfer-Encoding: 8bit
|
|
|
390a82 |
|
|
|
390a82 |
- Fix retval handling in bin_setopt()
|
|
|
390a82 |
|
|
|
390a82 |
- Don't skip_setuid / skip_setgid. It's not our place to optimize away noops
|
|
|
390a82 |
(that might not even _be_ noops; they might change the saved uid…).
|
|
|
390a82 |
|
|
|
390a82 |
- Remove HAVE_* guard checks around functions that are used unguarded elsewhere.
|
|
|
390a82 |
|
|
|
390a82 |
- Use bsd-setres_id.c from OpenSSH to provide setresuid() / setresgid()
|
|
|
390a82 |
everywhere, and thus simplify the ifdef soup. Fix some preëxisting
|
|
|
390a82 |
bugs in the macro definitions of setuid() (do we still need that one?).
|
|
|
390a82 |
|
|
|
390a82 |
- Fix zwarning() format codes for variadic arguments type safety
|
|
|
390a82 |
|
|
|
390a82 |
- Restored a comment from HEAD
|
|
|
390a82 |
|
|
|
390a82 |
- Fix failure modes around initgroups()
|
|
|
390a82 |
|
|
|
390a82 |
- Compared privilege restoration code with OpenSSH's permanently_drop_uid() and
|
|
|
390a82 |
updated as needed
|
|
|
390a82 |
|
|
|
390a82 |
- Add E01 PRIVILEGED sanity checks
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: 8250c5c168f07549ed646e6848e6dda118271e23
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Src/openssh_bsd_setres_id.c | 129 +++++++++++++++++++++++++++++++
|
|
|
390a82 |
Src/options.c | 148 ++++++++++++++++--------------------
|
|
|
390a82 |
Src/zsh.mdd | 3 +-
|
|
|
390a82 |
Src/zsh_system.h | 94 ++++++++++++++++++-----
|
|
|
390a82 |
Test/E01options.ztst | 15 ++++
|
|
|
390a82 |
configure.ac | 5 +-
|
|
|
390a82 |
6 files changed, 292 insertions(+), 102 deletions(-)
|
|
|
390a82 |
create mode 100644 Src/openssh_bsd_setres_id.c
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Src/openssh_bsd_setres_id.c b/Src/openssh_bsd_setres_id.c
|
|
|
390a82 |
new file mode 100644
|
|
|
390a82 |
index 0000000..65e91a4
|
|
|
390a82 |
--- /dev/null
|
|
|
390a82 |
+++ b/Src/openssh_bsd_setres_id.c
|
|
|
390a82 |
@@ -0,0 +1,129 @@
|
|
|
390a82 |
+/*
|
|
|
390a82 |
+ * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * Permission to use, copy, modify, and distribute this software for any
|
|
|
390a82 |
+ * purpose with or without fee is hereby granted, provided that the above
|
|
|
390a82 |
+ * copyright notice and this permission notice appear in all copies.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
390a82 |
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
390a82 |
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
390a82 |
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
390a82 |
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
390a82 |
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
390a82 |
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
390a82 |
+ */
|
|
|
390a82 |
+/*
|
|
|
390a82 |
+ * openssh_bsd_setres_id.c - setresuid() and setresgid() wrappers
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * This file is part of zsh, the Z shell.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * It is based on the file openbsd-compat/bsd-setres_id.c in OpenSSH 7.9p1,
|
|
|
390a82 |
+ * which is subject to the copyright notice above. The zsh modifications are
|
|
|
390a82 |
+ * licensed as follows:
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * Copyright (c) 2019 Daniel Shahaf
|
|
|
390a82 |
+ * All rights reserved.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * Permission is hereby granted, without written agreement and without
|
|
|
390a82 |
+ * license or royalty fees, to use, copy, modify, and distribute this
|
|
|
390a82 |
+ * software and to distribute modified versions of this software for any
|
|
|
390a82 |
+ * purpose, provided that the above copyright notice and the following
|
|
|
390a82 |
+ * two paragraphs appear in all copies of this software.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * In no event shall Daniel Shahaf or the Zsh Development Group be liable
|
|
|
390a82 |
+ * to any party for direct, indirect, special, incidental, or consequential
|
|
|
390a82 |
+ * damages arising out of the use of this software and its documentation,
|
|
|
390a82 |
+ * even if Daniel Shahaf and the Zsh Development Group have been advised of
|
|
|
390a82 |
+ * the possibility of such damage.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * Daniel Shahaf and the Zsh Development Group specifically disclaim any
|
|
|
390a82 |
+ * warranties, including, but not limited to, the implied warranties of
|
|
|
390a82 |
+ * merchantability and fitness for a particular purpose. The software
|
|
|
390a82 |
+ * provided hereunder is on an "as is" basis, and Daniel Shahaf and the
|
|
|
390a82 |
+ * Zsh Development Group have no obligation to provide maintenance,
|
|
|
390a82 |
+ * support, updates, enhancements, or modifications.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ */
|
|
|
390a82 |
+
|
|
|
390a82 |
+
|
|
|
390a82 |
+#include <sys/types.h>
|
|
|
390a82 |
+
|
|
|
390a82 |
+#include <stdarg.h>
|
|
|
390a82 |
+#include <unistd.h>
|
|
|
390a82 |
+#include <string.h>
|
|
|
390a82 |
+
|
|
|
390a82 |
+#include "zsh.mdh"
|
|
|
390a82 |
+
|
|
|
390a82 |
+#if defined(ZSH_IMPLEMENT_SETRESGID) || defined(BROKEN_SETRESGID)
|
|
|
390a82 |
+int
|
|
|
390a82 |
+setresgid(gid_t rgid, gid_t egid, gid_t sgid)
|
|
|
390a82 |
+{
|
|
|
390a82 |
+ int ret = 0, saved_errno;
|
|
|
390a82 |
+
|
|
|
390a82 |
+ if (rgid != sgid) {
|
|
|
390a82 |
+ errno = ENOSYS;
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#if defined(ZSH_HAVE_NATIVE_SETREGID) && !defined(BROKEN_SETREGID)
|
|
|
390a82 |
+ if (setregid(rgid, egid) < 0) {
|
|
|
390a82 |
+ saved_errno = errno;
|
|
|
390a82 |
+ zwarnnam("setregid", "to gid %L: %e", (long)rgid, errno);
|
|
|
390a82 |
+ errno = saved_errno;
|
|
|
390a82 |
+ ret = -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#else
|
|
|
390a82 |
+ if (setegid(egid) < 0) {
|
|
|
390a82 |
+ saved_errno = errno;
|
|
|
390a82 |
+ zwarnnam("setegid", "to gid %L: %e", (long)(unsigned int)egid, errno);
|
|
|
390a82 |
+ errno = saved_errno;
|
|
|
390a82 |
+ ret = -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ if (setgid(rgid) < 0) {
|
|
|
390a82 |
+ saved_errno = errno;
|
|
|
390a82 |
+ zwarnnam("setgid", "to gid %L: %e", (long)rgid, errno);
|
|
|
390a82 |
+ errno = saved_errno;
|
|
|
390a82 |
+ ret = -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+ return ret;
|
|
|
390a82 |
+}
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+#if defined(ZSH_IMPLEMENT_SETRESUID) || defined(BROKEN_SETRESUID)
|
|
|
390a82 |
+int
|
|
|
390a82 |
+setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
|
390a82 |
+{
|
|
|
390a82 |
+ int ret = 0, saved_errno;
|
|
|
390a82 |
+
|
|
|
390a82 |
+ if (ruid != suid) {
|
|
|
390a82 |
+ errno = ENOSYS;
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#if defined(ZSH_HAVE_NATIVE_SETREUID) && !defined(BROKEN_SETREUID)
|
|
|
390a82 |
+ if (setreuid(ruid, euid) < 0) {
|
|
|
390a82 |
+ saved_errno = errno;
|
|
|
390a82 |
+ zwarnnam("setreuid", "to uid %L: %e", (long)ruid, errno);
|
|
|
390a82 |
+ errno = saved_errno;
|
|
|
390a82 |
+ ret = -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#else
|
|
|
390a82 |
+
|
|
|
390a82 |
+# ifndef SETEUID_BREAKS_SETUID
|
|
|
390a82 |
+ if (seteuid(euid) < 0) {
|
|
|
390a82 |
+ saved_errno = errno;
|
|
|
390a82 |
+ zwarnnam("seteuid", "to uid %L: %e", (long)euid, errno);
|
|
|
390a82 |
+ errno = saved_errno;
|
|
|
390a82 |
+ ret = -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+# endif
|
|
|
390a82 |
+ if (setuid(ruid) < 0) {
|
|
|
390a82 |
+ saved_errno = errno;
|
|
|
390a82 |
+ zwarnnam("setuid", "to uid %L: %e", (long)ruid, errno);
|
|
|
390a82 |
+ errno = saved_errno;
|
|
|
390a82 |
+ ret = -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+ return ret;
|
|
|
390a82 |
+}
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
diff --git a/Src/options.c b/Src/options.c
|
|
|
390a82 |
index c9608af..deec560 100644
|
|
|
390a82 |
--- a/Src/options.c
|
|
|
390a82 |
+++ b/Src/options.c
|
|
|
390a82 |
@@ -606,25 +606,21 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
}
|
|
|
390a82 |
if(!(optno = optlookup(*args))) {
|
|
|
390a82 |
zwarnnam(nam, "no such option: %s", *args);
|
|
|
390a82 |
- retval = 1;
|
|
|
390a82 |
- } else {
|
|
|
390a82 |
- retval = !!dosetopt(optno, action, 0, opts);
|
|
|
390a82 |
- if (retval) {
|
|
|
390a82 |
- zwarnnam(nam, "can't change option: %s", *args);
|
|
|
390a82 |
- }
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
+ } else if (dosetopt(optno, action, 0, opts)) {
|
|
|
390a82 |
+ zwarnnam(nam, "can't change option: %s", *args);
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
}
|
|
|
390a82 |
break;
|
|
|
390a82 |
} else if(**args == 'm') {
|
|
|
390a82 |
match = 1;
|
|
|
390a82 |
} else {
|
|
|
390a82 |
- if (!(optno = optlookupc(**args))) {
|
|
|
390a82 |
+ if (!(optno = optlookupc(**args))) {
|
|
|
390a82 |
zwarnnam(nam, "bad option: -%c", **args);
|
|
|
390a82 |
- retval = 1;
|
|
|
390a82 |
- } else {
|
|
|
390a82 |
- retval = !!dosetopt(optno, action, 0, opts);
|
|
|
390a82 |
- if (retval) {
|
|
|
390a82 |
- zwarnnam(nam, "can't change option: -%c", **args);
|
|
|
390a82 |
- }
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
+ } else if (dosetopt(optno, action, 0, opts)) {
|
|
|
390a82 |
+ zwarnnam(nam, "can't change option: -%c", **args);
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
}
|
|
|
390a82 |
}
|
|
|
390a82 |
}
|
|
|
390a82 |
@@ -637,12 +633,10 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
while (*args) {
|
|
|
390a82 |
if(!(optno = optlookup(*args++))) {
|
|
|
390a82 |
zwarnnam(nam, "no such option: %s", args[-1]);
|
|
|
390a82 |
- retval = 1;
|
|
|
390a82 |
- } else {
|
|
|
390a82 |
- retval = !!dosetopt(optno, !isun, 0, opts);
|
|
|
390a82 |
- if (retval) {
|
|
|
390a82 |
- zwarnnam(nam, "can't change option: %s", args[-1]);
|
|
|
390a82 |
- }
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
+ } else if (dosetopt(optno, !isun, 0, opts)) {
|
|
|
390a82 |
+ zwarnnam(nam, "can't change option: %s", args[-1]);
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
}
|
|
|
390a82 |
}
|
|
|
390a82 |
} else {
|
|
|
390a82 |
@@ -666,7 +660,7 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
|
|
|
390a82 |
tokenize(s);
|
|
|
390a82 |
if (!(pprog = patcompile(s, PAT_HEAPDUP, NULL))) {
|
|
|
390a82 |
zwarnnam(nam, "bad pattern: %s", *args);
|
|
|
390a82 |
- retval = 1;
|
|
|
390a82 |
+ retval |= 1;
|
|
|
390a82 |
break;
|
|
|
390a82 |
}
|
|
|
390a82 |
/* Loop over expansions. */
|
|
|
390a82 |
@@ -786,100 +780,92 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
} else if(optno == PRIVILEGED && !value) {
|
|
|
390a82 |
/* unsetting PRIVILEGED causes the shell to make itself unprivileged */
|
|
|
390a82 |
|
|
|
390a82 |
- int skip_setuid = 0;
|
|
|
390a82 |
- int skip_setgid = 0;
|
|
|
390a82 |
-
|
|
|
390a82 |
-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
|
|
|
390a82 |
- int orig_egid = getegid();
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
+ /* If set, return -1 so lastval will be non-zero. */
|
|
|
390a82 |
+ int failed = 0;
|
|
|
390a82 |
|
|
|
390a82 |
-#if defined(HAVE_GETEUID) && defined(HAVE_GETUID)
|
|
|
390a82 |
- if (geteuid() == getuid()) {
|
|
|
390a82 |
- skip_setuid = 1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
+#ifdef HAVE_SETUID
|
|
|
390a82 |
+ const int orig_euid = geteuid();
|
|
|
390a82 |
#endif
|
|
|
390a82 |
+ const int orig_egid = getegid();
|
|
|
390a82 |
|
|
|
390a82 |
-#if defined(HAVE_GETEGID) && defined(HAVE_GETGID)
|
|
|
390a82 |
- if (getegid() == getgid()) {
|
|
|
390a82 |
- skip_setgid = 1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
-
|
|
|
390a82 |
- if (!skip_setgid) {
|
|
|
390a82 |
- int setgid_err;
|
|
|
390a82 |
-#ifdef HAVE_SETRESGID
|
|
|
390a82 |
- setgid_err = setresgid(getgid(), getgid(), getgid());
|
|
|
390a82 |
-#elif defined(HAVE_SETREGID)
|
|
|
390a82 |
-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
|
|
|
390a82 |
- setgid_err = setregid(getgid(), getgid());
|
|
|
390a82 |
-#else
|
|
|
390a82 |
- zwarnnam("unsetopt",
|
|
|
390a82 |
- "PRIVILEGED: can't drop privileges; setregid available, but cannot check if saved gid changed");
|
|
|
390a82 |
+ /*
|
|
|
390a82 |
+ * Set the GID first as if we set the UID to non-privileged it
|
|
|
390a82 |
+ * might be impossible to restore the GID.
|
|
|
390a82 |
+ */
|
|
|
390a82 |
+ {
|
|
|
390a82 |
+#ifndef HAVE_SETRESGID
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
#else
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid and setregid not available");
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
+ int setgid_err;
|
|
|
390a82 |
+ setgid_err = setresgid(getgid(), getgid(), getgid());
|
|
|
390a82 |
if (setgid_err) {
|
|
|
390a82 |
zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
- if (!skip_setuid) {
|
|
|
390a82 |
-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID)
|
|
|
390a82 |
- int orig_euid = geteuid();
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
+ /* Set the UID second. */
|
|
|
390a82 |
+ {
|
|
|
390a82 |
+#ifndef HAVE_SETRESUID
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#else
|
|
|
390a82 |
int setuid_err;
|
|
|
390a82 |
-#if defined(HAVE_GETEUID) && defined(HAVE_INITGROUPS) && defined(HAVE_GETPWUID)
|
|
|
390a82 |
+
|
|
|
390a82 |
+# ifdef HAVE_INITGROUPS
|
|
|
390a82 |
+ /* Set the supplementary groups list. */
|
|
|
390a82 |
if (geteuid() == 0) {
|
|
|
390a82 |
struct passwd *pw = getpwuid(getuid());
|
|
|
390a82 |
if (pw == NULL) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %d: %e",
|
|
|
390a82 |
- getuid(), errno);
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
- if (initgroups(pw->pw_name, pw->pw_gid)) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
|
|
|
390a82 |
+ (long)getuid(), errno);
|
|
|
390a82 |
+ failed = 1;
|
|
|
390a82 |
+ } else if (initgroups(pw->pw_name, pw->pw_gid)) {
|
|
|
390a82 |
zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
+ } else if (getuid() != 0 &&
|
|
|
390a82 |
+ (geteuid() != getuid() || orig_egid != getegid())) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
|
|
|
390a82 |
+ (long)geteuid());
|
|
|
390a82 |
+ failed = 1;
|
|
|
390a82 |
}
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
+# else
|
|
|
390a82 |
+ /* initgroups() isn't in POSIX. If it's not available on the system,
|
|
|
390a82 |
+ * we silently skip it. */
|
|
|
390a82 |
+# endif
|
|
|
390a82 |
|
|
|
390a82 |
-#ifdef HAVE_SETRESUID
|
|
|
390a82 |
setuid_err = setresuid(getuid(), getuid(), getuid());
|
|
|
390a82 |
-#elif defined(HAVE_SETREUID)
|
|
|
390a82 |
-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
|
|
|
390a82 |
- setuid_err = setreuid(getuid(), getuid());
|
|
|
390a82 |
-#else
|
|
|
390a82 |
- zwarnnam("unsetopt",
|
|
|
390a82 |
- "PRIVILEGED: can't drop privileges; setreuid available, but cannot check if saved uid changed");
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
-#else
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid and setreuid not available");
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
if (setuid_err) {
|
|
|
390a82 |
zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
|
|
|
390a82 |
- if (getuid() != 0 && !setuid(orig_euid)) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
#endif
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
|
|
|
390a82 |
- if (getuid() != 0 && !skip_setgid && !setgid(orig_egid)) {
|
|
|
390a82 |
+#ifdef HAVE_SETGID
|
|
|
390a82 |
+ if (getuid() != 0 && orig_egid != getegid() &&
|
|
|
390a82 |
+ (setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) {
|
|
|
390a82 |
zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
#endif
|
|
|
390a82 |
|
|
|
390a82 |
+#ifdef HAVE_SETUID
|
|
|
390a82 |
+ if (getuid() != 0 && orig_euid != geteuid() &&
|
|
|
390a82 |
+ (setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+ if (failed) {
|
|
|
390a82 |
+ /* A warning message has been printed. */
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+
|
|
|
390a82 |
#ifdef JOB_CONTROL
|
|
|
390a82 |
} else if (!force && optno == MONITOR && value) {
|
|
|
390a82 |
if (new_opts[optno] == value)
|
|
|
390a82 |
diff --git a/Src/zsh.mdd b/Src/zsh.mdd
|
|
|
390a82 |
index 324435d..a2590dc 100644
|
|
|
390a82 |
--- a/Src/zsh.mdd
|
|
|
390a82 |
+++ b/Src/zsh.mdd
|
|
|
390a82 |
@@ -13,7 +13,8 @@ objects="builtin.o compat.o cond.o context.o \
|
|
|
390a82 |
exec.o glob.o hashtable.o hashnameddir.o \
|
|
|
390a82 |
hist.o init.o input.o jobs.o lex.o linklist.o loop.o math.o \
|
|
|
390a82 |
mem.o module.o options.o params.o parse.o pattern.o prompt.o signals.o \
|
|
|
390a82 |
-signames.o sort.o string.o subst.o text.o utils.o watch.o"
|
|
|
390a82 |
+signames.o sort.o string.o subst.o text.o utils.o watch.o \
|
|
|
390a82 |
+openssh_bsd_setres_id.o"
|
|
|
390a82 |
|
|
|
390a82 |
headers="../config.h zsh_system.h zsh.h sigcount.h signals.h \
|
|
|
390a82 |
prototypes.h hashtable.h ztype.h"
|
|
|
390a82 |
diff --git a/Src/zsh_system.h b/Src/zsh_system.h
|
|
|
390a82 |
index 5339b49..18fe09b 100644
|
|
|
390a82 |
--- a/Src/zsh_system.h
|
|
|
390a82 |
+++ b/Src/zsh_system.h
|
|
|
390a82 |
@@ -456,30 +456,90 @@ struct timezone {
|
|
|
390a82 |
# define setpgrp setpgid
|
|
|
390a82 |
#endif
|
|
|
390a82 |
|
|
|
390a82 |
-/* can we set the user/group id of a process */
|
|
|
390a82 |
+/* compatibility wrappers */
|
|
|
390a82 |
|
|
|
390a82 |
-#ifndef HAVE_SETUID
|
|
|
390a82 |
+/* Our strategy is as follows:
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * - Ensure that either setre[ug]id() or set{e,}[ug]id() is available.
|
|
|
390a82 |
+ * - If setres[ug]id() are missing, provide them in terms of either
|
|
|
390a82 |
+ * setre[ug]id() or set{e,}[ug]id(), whichever is available.
|
|
|
390a82 |
+ * - Provide replacement setre[ug]id() or set{e,}[ug]id() if they are not
|
|
|
390a82 |
+ * available natively.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * There isn't a circular dependency because, right off the bat, we check that
|
|
|
390a82 |
+ * there's an end condition, and #error out otherwise.
|
|
|
390a82 |
+ */
|
|
|
390a82 |
+#if !defined(HAVE_SETREUID) && !(defined(HAVE_SETEUID) && defined(HAVE_SETUID))
|
|
|
390a82 |
+ /*
|
|
|
390a82 |
+ * If you run into this error, you have two options:
|
|
|
390a82 |
+ * - Teach zsh how to do the equivalent of setreuid() on your system
|
|
|
390a82 |
+ * - Remove support for PRIVILEGED option, and then remove the #error.
|
|
|
390a82 |
+ */
|
|
|
390a82 |
+# error "Don't know how to change UID"
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+#if !defined(HAVE_SETREGID) && !(defined(HAVE_SETEGID) && defined(HAVE_SETGID))
|
|
|
390a82 |
+ /* See above comment. */
|
|
|
390a82 |
+# error "Don't know how to change GID"
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+/* Provide setresuid(). */
|
|
|
390a82 |
+#ifndef HAVE_SETRESUID
|
|
|
390a82 |
+int setresuid(uid_t, uid_t, uid_t);
|
|
|
390a82 |
+# define HAVE_SETRESUID
|
|
|
390a82 |
+# define ZSH_IMPLEMENT_SETRESUID
|
|
|
390a82 |
# ifdef HAVE_SETREUID
|
|
|
390a82 |
-# define setuid(X) setreuid(X,X)
|
|
|
390a82 |
-# define setgid(X) setregid(X,X)
|
|
|
390a82 |
-# define HAVE_SETUID
|
|
|
390a82 |
+# define ZSH_HAVE_NATIVE_SETREUID
|
|
|
390a82 |
# endif
|
|
|
390a82 |
#endif
|
|
|
390a82 |
|
|
|
390a82 |
-/* can we set the effective user/group id of a process */
|
|
|
390a82 |
+/* Provide setresgid(). */
|
|
|
390a82 |
+#ifndef HAVE_SETRESGID
|
|
|
390a82 |
+int setresgid(gid_t, gid_t, gid_t);
|
|
|
390a82 |
+# define HAVE_SETRESGID
|
|
|
390a82 |
+# define ZSH_IMPLEMENT_SETRESGID
|
|
|
390a82 |
+# ifdef HAVE_SETREGID
|
|
|
390a82 |
+# define ZSH_HAVE_NATIVE_SETREGID
|
|
|
390a82 |
+# endif
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
|
|
|
390a82 |
+/* Provide setreuid(). */
|
|
|
390a82 |
+#ifndef HAVE_SETREUID
|
|
|
390a82 |
+# define setreuid(X, Y) setresuid((X), (Y), -1)
|
|
|
390a82 |
+# define HAVE_SETREUID
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+/* Provide setregid(). */
|
|
|
390a82 |
+#ifndef HAVE_SETREGID
|
|
|
390a82 |
+# define setregid(X, Y) setresgid((X), (Y), -1)
|
|
|
390a82 |
+# define HAVE_SETREGID
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+/* Provide setuid(). */
|
|
|
390a82 |
+/* ### TODO: Either remove this (this function has been standard since 1985),
|
|
|
390a82 |
+ * ### or rewrite this without multiply-evaluating the argument */
|
|
|
390a82 |
+#ifndef HAVE_SETUID
|
|
|
390a82 |
+# define setuid(X) setreuid((X), (X))
|
|
|
390a82 |
+# define HAVE_SETUID
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+/* Provide setgid(). */
|
|
|
390a82 |
+#ifndef HAVE_SETGID
|
|
|
390a82 |
+/* ### TODO: Either remove this (this function has been standard since 1985),
|
|
|
390a82 |
+ * ### or rewrite this without multiply-evaluating the argument */
|
|
|
390a82 |
+# define setgid(X) setregid((X), (X))
|
|
|
390a82 |
+# define HAVE_SETGID
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+/* Provide seteuid(). */
|
|
|
390a82 |
#ifndef HAVE_SETEUID
|
|
|
390a82 |
-# ifdef HAVE_SETREUID
|
|
|
390a82 |
-# define seteuid(X) setreuid(-1,X)
|
|
|
390a82 |
-# define setegid(X) setregid(-1,X)
|
|
|
390a82 |
-# define HAVE_SETEUID
|
|
|
390a82 |
-# else
|
|
|
390a82 |
-# ifdef HAVE_SETRESUID
|
|
|
390a82 |
-# define seteuid(X) setresuid(-1,X,-1)
|
|
|
390a82 |
-# define setegid(X) setresgid(-1,X,-1)
|
|
|
390a82 |
-# define HAVE_SETEUID
|
|
|
390a82 |
-# endif
|
|
|
390a82 |
-# endif
|
|
|
390a82 |
+# define seteuid(X) setreuid(-1, (X))
|
|
|
390a82 |
+# define HAVE_SETEUID
|
|
|
390a82 |
+#endif
|
|
|
390a82 |
+
|
|
|
390a82 |
+/* Provide setegid(). */
|
|
|
390a82 |
+#ifndef HAVE_SETEGID
|
|
|
390a82 |
+# define setegid(X) setregid(-1, (X))
|
|
|
390a82 |
+# define HAVE_SETEGID
|
|
|
390a82 |
#endif
|
|
|
390a82 |
|
|
|
390a82 |
#ifdef HAVE_SYS_RESOURCE_H
|
|
|
390a82 |
diff --git a/Test/E01options.ztst b/Test/E01options.ztst
|
|
|
390a82 |
index 0f6bb34..c4c3d67 100644
|
|
|
390a82 |
--- a/Test/E01options.ztst
|
|
|
390a82 |
+++ b/Test/E01options.ztst
|
|
|
390a82 |
@@ -1391,3 +1391,18 @@ F:Regression test for workers/41811
|
|
|
390a82 |
?(anon):4: `break' active at end of function scope
|
|
|
390a82 |
?(anon):4: `break' active at end of function scope
|
|
|
390a82 |
?(anon):4: `break' active at end of function scope
|
|
|
390a82 |
+
|
|
|
390a82 |
+# There are further tests for PRIVILEGED in P01privileged.ztst.
|
|
|
390a82 |
+ if [[ -o privileged ]]; then
|
|
|
390a82 |
+ unsetopt privileged
|
|
|
390a82 |
+ fi
|
|
|
390a82 |
+ unsetopt privileged
|
|
|
390a82 |
+0:PRIVILEGED sanity check: unsetting is idempotent
|
|
|
390a82 |
+F:If this test fails at the first unsetopt, refer to P01privileged.ztst.
|
|
|
390a82 |
+
|
|
|
390a82 |
+ if [[ -o privileged ]]; then
|
|
|
390a82 |
+ (( UID != EUID ))
|
|
|
390a82 |
+ else
|
|
|
390a82 |
+ (( UID == EUID ))
|
|
|
390a82 |
+ fi
|
|
|
390a82 |
+0:PRIVILEGED sanity check: default value is correct
|
|
|
390a82 |
diff --git a/configure.ac b/configure.ac
|
|
|
390a82 |
index 51cdf89..4e30ad1 100644
|
|
|
390a82 |
--- a/configure.ac
|
|
|
390a82 |
+++ b/configure.ac
|
|
|
390a82 |
@@ -1300,9 +1300,8 @@ AC_CHECK_FUNCS(strftime strptime mktime timelocal \
|
|
|
390a82 |
inet_aton inet_pton inet_ntop \
|
|
|
390a82 |
getlogin getpwent getpwnam getpwuid getgrgid getgrnam \
|
|
|
390a82 |
initgroups nis_list \
|
|
|
390a82 |
- getuid setuid seteuid setreuid setresuid setsid \
|
|
|
390a82 |
- getgid setgid setegid setregid setresgid \
|
|
|
390a82 |
- geteuid getegid \
|
|
|
390a82 |
+ setuid seteuid setreuid setresuid setsid \
|
|
|
390a82 |
+ setgid setegid setregid setresgid \
|
|
|
390a82 |
memcpy memmove strstr strerror strtoul \
|
|
|
390a82 |
getrlimit getrusage \
|
|
|
390a82 |
setlocale \
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|
|
|
390a82 |
|
|
|
390a82 |
From 6caecc2efb2fa4c708fd27858962ace55d957dce Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: dana <dana@dana.is>
|
|
|
390a82 |
Date: Sun, 29 Dec 2019 02:41:11 +0000
|
|
|
390a82 |
Subject: [PATCH 5/7] Improve PRIVILEGED fixes (again)
|
|
|
390a82 |
|
|
|
390a82 |
* Pass RGID instead of passwd GID to initgroups()
|
|
|
390a82 |
|
|
|
390a82 |
* Clean up #ifdefs, avoid unnecessary checks
|
|
|
390a82 |
|
|
|
390a82 |
* Flatten conditions
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: 26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Src/options.c | 92 ++++++++++++++++++++++++---------------------------
|
|
|
390a82 |
1 file changed, 43 insertions(+), 49 deletions(-)
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Src/options.c b/Src/options.c
|
|
|
390a82 |
index deec560..8599ed3 100644
|
|
|
390a82 |
--- a/Src/options.c
|
|
|
390a82 |
+++ b/Src/options.c
|
|
|
390a82 |
@@ -780,91 +780,85 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
} else if(optno == PRIVILEGED && !value) {
|
|
|
390a82 |
/* unsetting PRIVILEGED causes the shell to make itself unprivileged */
|
|
|
390a82 |
|
|
|
390a82 |
+/* For simplicity's sake, require both setresgid() and setresuid() up-front. */
|
|
|
390a82 |
+#if !defined(HAVE_SETRESGID)
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#elif !defined(HAVE_SETRESUID)
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
+#else
|
|
|
390a82 |
/* If set, return -1 so lastval will be non-zero. */
|
|
|
390a82 |
int failed = 0;
|
|
|
390a82 |
-
|
|
|
390a82 |
-#ifdef HAVE_SETUID
|
|
|
390a82 |
const int orig_euid = geteuid();
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
const int orig_egid = getegid();
|
|
|
390a82 |
|
|
|
390a82 |
/*
|
|
|
390a82 |
* Set the GID first as if we set the UID to non-privileged it
|
|
|
390a82 |
* might be impossible to restore the GID.
|
|
|
390a82 |
*/
|
|
|
390a82 |
- {
|
|
|
390a82 |
-#ifndef HAVE_SETRESGID
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
|
|
|
390a82 |
+ if (setresgid(getgid(), getgid(), getgid())) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
-#else
|
|
|
390a82 |
- int setgid_err;
|
|
|
390a82 |
- setgid_err = setresgid(getgid(), getgid(), getgid());
|
|
|
390a82 |
- if (setgid_err) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
- /* Set the UID second. */
|
|
|
390a82 |
- {
|
|
|
390a82 |
-#ifndef HAVE_SETRESUID
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
-#else
|
|
|
390a82 |
- int setuid_err;
|
|
|
390a82 |
-
|
|
|
390a82 |
# ifdef HAVE_INITGROUPS
|
|
|
390a82 |
- /* Set the supplementary groups list. */
|
|
|
390a82 |
- if (geteuid() == 0) {
|
|
|
390a82 |
- struct passwd *pw = getpwuid(getuid());
|
|
|
390a82 |
- if (pw == NULL) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
|
|
|
390a82 |
- (long)getuid(), errno);
|
|
|
390a82 |
- failed = 1;
|
|
|
390a82 |
- } else if (initgroups(pw->pw_name, pw->pw_gid)) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
- } else if (getuid() != 0 &&
|
|
|
390a82 |
- (geteuid() != getuid() || orig_egid != getegid())) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
|
|
|
390a82 |
- (long)geteuid());
|
|
|
390a82 |
+ /* Set the supplementary groups list.
|
|
|
390a82 |
+ *
|
|
|
390a82 |
+ * Note that on macOS, FreeBSD, and possibly some other platforms,
|
|
|
390a82 |
+ * initgroups() resets the EGID to its second argument (see setgroups(2) for
|
|
|
390a82 |
+ * details). This has the potential to leave the EGID in an unexpected
|
|
|
390a82 |
+ * state. However, it seems common in other projects that do this dance to
|
|
|
390a82 |
+ * simply re-use the same GID that's going to become the EGID anyway, in
|
|
|
390a82 |
+ * which case it doesn't matter. That's what we do here. It's therefore
|
|
|
390a82 |
+ * possible, in some probably uncommon cases, that the shell ends up not
|
|
|
390a82 |
+ * having the privileges of the RUID user's primary/passwd group. */
|
|
|
390a82 |
+ if (geteuid() == 0) {
|
|
|
390a82 |
+ struct passwd *pw = getpwuid(getuid());
|
|
|
390a82 |
+ if (pw == NULL) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
|
|
|
390a82 |
+ (long)getuid(), errno);
|
|
|
390a82 |
failed = 1;
|
|
|
390a82 |
+ /* This may behave strangely in the unlikely event that the same user
|
|
|
390a82 |
+ * name appears with multiple UIDs in the passwd database */
|
|
|
390a82 |
+ } else if (initgroups(pw->pw_name, getgid())) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
+ } else if (getuid() != 0 &&
|
|
|
390a82 |
+ (geteuid() != getuid() || orig_egid != getegid())) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
|
|
|
390a82 |
+ (long)geteuid());
|
|
|
390a82 |
+ failed = 1;
|
|
|
390a82 |
+ }
|
|
|
390a82 |
# else
|
|
|
390a82 |
- /* initgroups() isn't in POSIX. If it's not available on the system,
|
|
|
390a82 |
- * we silently skip it. */
|
|
|
390a82 |
+ /* initgroups() isn't in POSIX. If it's not available on the system,
|
|
|
390a82 |
+ * we silently skip it. */
|
|
|
390a82 |
# endif
|
|
|
390a82 |
|
|
|
390a82 |
- setuid_err = setresuid(getuid(), getuid(), getuid());
|
|
|
390a82 |
- if (setuid_err) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
|
|
|
390a82 |
- return -1;
|
|
|
390a82 |
- }
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
+ /* Set the UID second. */
|
|
|
390a82 |
+ if (setresuid(getuid(), getuid(), getuid())) {
|
|
|
390a82 |
+ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
|
|
|
390a82 |
+ return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
-#ifdef HAVE_SETGID
|
|
|
390a82 |
if (getuid() != 0 && orig_egid != getegid() &&
|
|
|
390a82 |
(setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) {
|
|
|
390a82 |
zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
|
|
|
390a82 |
-#ifdef HAVE_SETUID
|
|
|
390a82 |
if (getuid() != 0 && orig_euid != geteuid() &&
|
|
|
390a82 |
(setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) {
|
|
|
390a82 |
zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
-#endif
|
|
|
390a82 |
|
|
|
390a82 |
if (failed) {
|
|
|
390a82 |
/* A warning message has been printed. */
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
+#endif /* HAVE_SETRESGID && HAVE_SETRESUID */
|
|
|
390a82 |
|
|
|
390a82 |
#ifdef JOB_CONTROL
|
|
|
390a82 |
} else if (!force && optno == MONITOR && value) {
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|
|
|
390a82 |
|
|
|
390a82 |
From 7d224cc6d93933db596ecb4ec78ba5bf48ef2d32 Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: dana <dana@dana.is>
|
|
|
390a82 |
Date: Sun, 29 Dec 2019 02:43:14 +0000
|
|
|
390a82 |
Subject: [PATCH 6/7] Clean up error-message white space
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: 4ce66857b71b40a0661df3780ff557f2b0f4cb13
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Src/options.c | 30 +++++++++++++++++++++---------
|
|
|
390a82 |
1 file changed, 21 insertions(+), 9 deletions(-)
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Src/options.c b/Src/options.c
|
|
|
390a82 |
index 8599ed3..5b972d4 100644
|
|
|
390a82 |
--- a/Src/options.c
|
|
|
390a82 |
+++ b/Src/options.c
|
|
|
390a82 |
@@ -782,10 +782,12 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
|
|
|
390a82 |
/* For simplicity's sake, require both setresgid() and setresuid() up-front. */
|
|
|
390a82 |
#if !defined(HAVE_SETRESGID)
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
#elif !defined(HAVE_SETRESUID)
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
#else
|
|
|
390a82 |
/* If set, return -1 so lastval will be non-zero. */
|
|
|
390a82 |
@@ -798,7 +800,9 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
* might be impossible to restore the GID.
|
|
|
390a82 |
*/
|
|
|
390a82 |
if (setresgid(getgid(), getgid(), getgid())) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; failed to change group ID: %e",
|
|
|
390a82 |
+ errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
@@ -816,18 +820,22 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
if (geteuid() == 0) {
|
|
|
390a82 |
struct passwd *pw = getpwuid(getuid());
|
|
|
390a82 |
if (pw == NULL) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "can't drop privileges; failed to get user information for uid %L: %e",
|
|
|
390a82 |
(long)getuid(), errno);
|
|
|
390a82 |
failed = 1;
|
|
|
390a82 |
/* This may behave strangely in the unlikely event that the same user
|
|
|
390a82 |
* name appears with multiple UIDs in the passwd database */
|
|
|
390a82 |
} else if (initgroups(pw->pw_name, getgid())) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "can't drop privileges; failed to set supplementary group list: %e",
|
|
|
390a82 |
+ errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
} else if (getuid() != 0 &&
|
|
|
390a82 |
(geteuid() != getuid() || orig_egid != getegid())) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
|
|
|
390a82 |
(long)geteuid());
|
|
|
390a82 |
failed = 1;
|
|
|
390a82 |
}
|
|
|
390a82 |
@@ -838,19 +846,23 @@ dosetopt(int optno, int value, int force, char *new_opts)
|
|
|
390a82 |
|
|
|
390a82 |
/* Set the UID second. */
|
|
|
390a82 |
if (setresuid(getuid(), getuid(), getuid())) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; failed to change user ID: %e",
|
|
|
390a82 |
+ errno);
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
if (getuid() != 0 && orig_egid != getegid() &&
|
|
|
390a82 |
(setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; was able to restore the egid");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
if (getuid() != 0 && orig_euid != geteuid() &&
|
|
|
390a82 |
(setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) {
|
|
|
390a82 |
- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
|
|
|
390a82 |
+ zwarnnam("unsetopt",
|
|
|
390a82 |
+ "PRIVILEGED: can't drop privileges; was able to restore the euid");
|
|
|
390a82 |
return -1;
|
|
|
390a82 |
}
|
|
|
390a82 |
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|
|
|
390a82 |
|
|
|
390a82 |
From a86d3b201352f14bc17c9521baeb5eaa2ad60f1a Mon Sep 17 00:00:00 2001
|
|
|
390a82 |
From: dana <dana@dana.is>
|
|
|
390a82 |
Date: Sat, 28 Dec 2019 20:45:55 -0600
|
|
|
390a82 |
Subject: [PATCH 7/7] Add unsetopt/PRIVILEGED tests
|
|
|
390a82 |
|
|
|
390a82 |
Upstream-commit: b15bd4aa590db8087d1e8f2eb1af2874f5db814d
|
|
|
390a82 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
390a82 |
---
|
|
|
390a82 |
Test/E01options.ztst | 10 +-
|
|
|
390a82 |
Test/P01privileged.ztst | 197 ++++++++++++++++++++++++++++++++++++++++
|
|
|
390a82 |
Test/README | 1 +
|
|
|
390a82 |
3 files changed, 207 insertions(+), 1 deletion(-)
|
|
|
390a82 |
create mode 100644 Test/P01privileged.ztst
|
|
|
390a82 |
|
|
|
390a82 |
diff --git a/Test/E01options.ztst b/Test/E01options.ztst
|
|
|
390a82 |
index c4c3d67..767879a 100644
|
|
|
390a82 |
--- a/Test/E01options.ztst
|
|
|
390a82 |
+++ b/Test/E01options.ztst
|
|
|
390a82 |
@@ -74,7 +74,6 @@
|
|
|
390a82 |
# HASH_LIST_ALL )
|
|
|
390a82 |
# PRINT_EXIT_STATUS haven't worked out what this does yet, although
|
|
|
390a82 |
# Bart suggested a fix.
|
|
|
390a82 |
-# PRIVILEGED (similar to GLOBAL_RCS)
|
|
|
390a82 |
# RCS ( " " " " )
|
|
|
390a82 |
# SH_OPTION_LETTERS even I found this too dull to set up a test for
|
|
|
390a82 |
# SINGLE_COMMAND kills shell
|
|
|
390a82 |
@@ -95,6 +94,15 @@
|
|
|
390a82 |
|
|
|
390a82 |
%test
|
|
|
390a82 |
|
|
|
390a82 |
+ # setopt should move on to the next operation in the face of an error, but
|
|
|
390a82 |
+ # preserve the >0 return code
|
|
|
390a82 |
+ unsetopt aliases
|
|
|
390a82 |
+ setopt not_a_real_option aliases && return 2
|
|
|
390a82 |
+ print -r - $options[aliases]
|
|
|
390a82 |
+0:setopt error handling
|
|
|
390a82 |
+?(eval):setopt:4: no such option: not_a_real_option
|
|
|
390a82 |
+>on
|
|
|
390a82 |
+
|
|
|
390a82 |
alias echo='print foo'
|
|
|
390a82 |
unsetopt aliases
|
|
|
390a82 |
# use eval else aliases are all parsed at start
|
|
|
390a82 |
diff --git a/Test/P01privileged.ztst b/Test/P01privileged.ztst
|
|
|
390a82 |
new file mode 100644
|
|
|
390a82 |
index 0000000..c54112b
|
|
|
390a82 |
--- /dev/null
|
|
|
390a82 |
+++ b/Test/P01privileged.ztst
|
|
|
390a82 |
@@ -0,0 +1,197 @@
|
|
|
390a82 |
+# This file contains tests related to the PRIVILEGED option. In order to run,
|
|
|
390a82 |
+# it requires that the test process itself have super-user privileges (or that
|
|
|
390a82 |
+# one of the environment variables described below be set). This can be achieved
|
|
|
390a82 |
+# via, e.g., `sudo make check TESTNUM=P`.
|
|
|
390a82 |
+#
|
|
|
390a82 |
+# Optionally, the environment variables ZSH_TEST_UNPRIVILEGED_UID and/or
|
|
|
390a82 |
+# ZSH_TEST_UNPRIVILEGED_GID may be set to UID:EUID or GID:EGID pairs, where the
|
|
|
390a82 |
+# two IDs in each pair are different, non-0 IDs valid on the system being used
|
|
|
390a82 |
+# to run the tests. (The UIDs must both be non-0 to effectively test downgrading
|
|
|
390a82 |
+# of privileges, and they must be non-matching to test auto-enabling of
|
|
|
390a82 |
+# PRIVILEGED and to ensure that disabling PRIVILEGED correctly resets the saved
|
|
|
390a82 |
+# UID. Technically GID 0 is not special, but for simplicity's sake we apply the
|
|
|
390a82 |
+# same requirements here.)
|
|
|
390a82 |
+#
|
|
|
390a82 |
+# If either of the aforementioned environment variables is not set, the test
|
|
|
390a82 |
+# script will try to pick the first two >0 IDs from the passwd/group databases
|
|
|
390a82 |
+# on the current system.
|
|
|
390a82 |
+#
|
|
|
390a82 |
+# If either variable is set, the tests will run, but they will likely fail
|
|
|
390a82 |
+# without super-user privileges.
|
|
|
390a82 |
+
|
|
|
390a82 |
+%prep
|
|
|
390a82 |
+
|
|
|
390a82 |
+ # Mind your empty lines here. The logic in this %prep section is somewhat
|
|
|
390a82 |
+ # complex compared to most others; to avoid lots of nested/duplicated
|
|
|
390a82 |
+ # conditions we need to make sure that this all gets executed as a single
|
|
|
390a82 |
+ # function from which we can return early
|
|
|
390a82 |
+ [[ $EUID == 0 || -n $ZSH_TEST_UNPRIVILEGED_UID$ZSH_TEST_UNPRIVILEGED_GID ]] || {
|
|
|
390a82 |
+ ZTST_unimplemented='PRIVILEGED tests require super-user privileges (or env var)'
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ (( $+commands[perl] )) || { # @todo Eliminate this dependency with a C wrapper?
|
|
|
390a82 |
+ ZTST_unimplemented='PRIVILEGED tests require Perl'
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ grep -qE '#define HAVE_SETRES?UID' $ZTST_testdir/../config.h || {
|
|
|
390a82 |
+ ZTST_unimplemented='PRIVILEGED tests require setreuid()/setresuid()'
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ ruid= euid= rgid= egid=
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ if [[ -n $ZSH_TEST_UNPRIVILEGED_UID ]]; then
|
|
|
390a82 |
+ ruid=${ZSH_TEST_UNPRIVILEGED_UID%%:*}
|
|
|
390a82 |
+ euid=${ZSH_TEST_UNPRIVILEGED_UID##*:}
|
|
|
390a82 |
+ else
|
|
|
390a82 |
+ print -ru$ZTST_fd 'Selecting unprivileged UID:EUID pair automatically'
|
|
|
390a82 |
+ local tmp=$( getent passwd 2> /dev/null || < /etc/passwd )
|
|
|
390a82 |
+ # Note: Some awks require -v and its argument to be separate
|
|
|
390a82 |
+ ruid=$( awk -F: '$3 > 0 { print $3; exit; }' <<< $tmp )
|
|
|
390a82 |
+ euid=$( awk -F: -v u=$ruid '$3 > u { print $3; exit; }' <<< $tmp )
|
|
|
390a82 |
+ fi
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ if [[ -n $ZSH_TEST_UNPRIVILEGED_GID ]]; then
|
|
|
390a82 |
+ rgid=${ZSH_TEST_UNPRIVILEGED_GID%%:*}
|
|
|
390a82 |
+ egid=${ZSH_TEST_UNPRIVILEGED_GID##*:}
|
|
|
390a82 |
+ else
|
|
|
390a82 |
+ print -ru$ZTST_fd 'Selecting unprivileged GID:EGID pair automatically'
|
|
|
390a82 |
+ local tmp=$( getent group 2> /dev/null || < /etc/group )
|
|
|
390a82 |
+ # Note: Some awks require -v and its argument to be separate
|
|
|
390a82 |
+ rgid=$( awk -F: '$3 > 0 { print $3; exit; }' <<< $tmp )
|
|
|
390a82 |
+ egid=$( awk -F: -v g=$rgid '$3 > g { print $3; exit; }' <<< $tmp )
|
|
|
390a82 |
+ fi
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ [[ $ruid/$euid == <1->/<1-> && $ruid != $euid ]] || ruid= euid=
|
|
|
390a82 |
+ [[ $rgid/$egid == <1->/<1-> && $rgid != $egid ]] || rgid= egid=
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ [[ -n $ruid && -n $euid ]] || {
|
|
|
390a82 |
+ ZTST_unimplemented='PRIVILEGED tests require unprivileged UID:EUID'
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ [[ -n $rgid || -n $egid ]] || {
|
|
|
390a82 |
+ ZTST_unimplemented='PRIVILEGED tests require unprivileged GID:EGID'
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ print -ru$ZTST_fd \
|
|
|
390a82 |
+ "Using unprivileged UID $ruid, EUID $euid, GID $rgid, EGID $egid"
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ # Execute process with specified UID and EUID
|
|
|
390a82 |
+ # $1 => Real UID
|
|
|
390a82 |
+ # $2 => Effective UID
|
|
|
390a82 |
+ # $3 => Real GID
|
|
|
390a82 |
+ # $4 => Effective GID
|
|
|
390a82 |
+ # $5 ... => Command + args to execute (must NOT be a shell command string)
|
|
|
390a82 |
+ re_exec() {
|
|
|
390a82 |
+ perl -e '
|
|
|
390a82 |
+ die("re_exec: not enough arguments") unless (@ARGV >= 5);
|
|
|
390a82 |
+ my ($ruid, $euid, $rgid, $egid, @cmd) = @ARGV;
|
|
|
390a82 |
+ foreach my $id ($ruid, $euid, $rgid, $egid) {
|
|
|
390a82 |
+ die("re_exec: invalid ID: $id") unless ($id =~ /^(-1|\d+)$/a);
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ $< = 0 + $ruid if ($ruid >= 0);
|
|
|
390a82 |
+ $> = 0 + $euid if ($euid >= 0);
|
|
|
390a82 |
+ $( = 0 + $rgid if ($rgid >= 0);
|
|
|
390a82 |
+ $) = 0 + $egid if ($egid >= 0);
|
|
|
390a82 |
+ exec(@cmd);
|
|
|
390a82 |
+ die("re_exec: exec failed: $!");
|
|
|
390a82 |
+ ' -- "$@"
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ # Convenience wrapper for re_exec to call `zsh -c`
|
|
|
390a82 |
+ # -* ... => (optional) Command-line options to zsh
|
|
|
390a82 |
+ # $1 => Real UID
|
|
|
390a82 |
+ # $2 => Effective UID
|
|
|
390a82 |
+ # $3 => Real GID
|
|
|
390a82 |
+ # $4 => Effective GID
|
|
|
390a82 |
+ # $5 ... => zsh command string; multiple strings are joined by \n
|
|
|
390a82 |
+ re_zsh() {
|
|
|
390a82 |
+ local -a opts
|
|
|
390a82 |
+ while [[ $1 == -[A-Za-z-]* ]]; do
|
|
|
390a82 |
+ opts+=( $1 )
|
|
|
390a82 |
+ shift
|
|
|
390a82 |
+ done
|
|
|
390a82 |
+ re_exec "$1" "$2" "$3" "$4" $ZTST_exe $opts -fc \
|
|
|
390a82 |
+ "MODULE_PATH=${(q)MODULE_PATH}; ${(F)@[5,-1]}"
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ #
|
|
|
390a82 |
+ # Return one or more random unused UIDs
|
|
|
390a82 |
+ # $1 ... => Names of parameters to store UIDs in
|
|
|
390a82 |
+ get_unused_uid() {
|
|
|
390a82 |
+ while (( $# )); do
|
|
|
390a82 |
+ local i_=0 uid_=
|
|
|
390a82 |
+ until [[ -n $uid_ ]]; do
|
|
|
390a82 |
+ (( ++i_ > 99 )) && return 1
|
|
|
390a82 |
+ uid_=$RANDOM
|
|
|
390a82 |
+ id $uid_ &> /dev/null || break
|
|
|
390a82 |
+ uid_=
|
|
|
390a82 |
+ done
|
|
|
390a82 |
+ : ${(P)1::=$uid_}
|
|
|
390a82 |
+ shift
|
|
|
390a82 |
+ done
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+
|
|
|
390a82 |
+%test
|
|
|
390a82 |
+
|
|
|
390a82 |
+ re_zsh $ruid $ruid -1 -1 'echo $UID/$EUID $options[privileged]'
|
|
|
390a82 |
+ re_zsh $euid $euid -1 -1 'echo $UID/$EUID $options[privileged]'
|
|
|
390a82 |
+ re_zsh $ruid $euid -1 -1 'echo $UID/$EUID $options[privileged]'
|
|
|
390a82 |
+0q:PRIVILEGED automatically enabled when RUID != EUID
|
|
|
390a82 |
+>$ruid/$ruid off
|
|
|
390a82 |
+>$euid/$euid off
|
|
|
390a82 |
+>$ruid/$euid on
|
|
|
390a82 |
+
|
|
|
390a82 |
+ re_zsh -1 -1 $rgid $rgid 'echo $GID/$EGID $options[privileged]'
|
|
|
390a82 |
+ re_zsh -1 -1 $egid $egid 'echo $GID/$EGID $options[privileged]'
|
|
|
390a82 |
+ re_zsh -1 -1 $rgid $egid 'echo $GID/$EGID $options[privileged]'
|
|
|
390a82 |
+0q:PRIVILEGED automatically enabled when RGID != EGID
|
|
|
390a82 |
+>$rgid/$rgid off
|
|
|
390a82 |
+>$egid/$egid off
|
|
|
390a82 |
+>$rgid/$egid on
|
|
|
390a82 |
+
|
|
|
390a82 |
+ re_zsh $ruid $euid -1 -1 'unsetopt privileged; echo $UID/$EUID'
|
|
|
390a82 |
+0q:EUID set to RUID after disabling PRIVILEGED
|
|
|
390a82 |
+*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed *
|
|
|
390a82 |
+*?zsh:unsetopt:1: can't change option: privileged
|
|
|
390a82 |
+>$ruid/$ruid
|
|
|
390a82 |
+
|
|
|
390a82 |
+ re_zsh 0 $euid -1 -1 'unsetopt privileged && echo $UID/$EUID'
|
|
|
390a82 |
+0:RUID/EUID set to 0/0 when privileged after disabling PRIVILEGED
|
|
|
390a82 |
+>0/0
|
|
|
390a82 |
+
|
|
|
390a82 |
+ re_zsh $ruid $euid -1 -1 "unsetopt privileged; UID=$euid" ||
|
|
|
390a82 |
+ re_zsh $ruid $euid -1 -1 "unsetopt privileged; EUID=$euid"
|
|
|
390a82 |
+1:not possible to regain EUID when unprivileged after disabling PRIVILEGED
|
|
|
390a82 |
+*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed *
|
|
|
390a82 |
+*?zsh:unsetopt:1: can't change option: privileged
|
|
|
390a82 |
+*?zsh:1: failed to change user ID: *
|
|
|
390a82 |
+*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed *
|
|
|
390a82 |
+*?zsh:unsetopt:1: can't change option: privileged
|
|
|
390a82 |
+*?zsh:1: failed to change effective user ID: *
|
|
|
390a82 |
+
|
|
|
390a82 |
+ re_zsh -1 -1 $rgid $egid 'unsetopt privileged && echo $GID/$EGID'
|
|
|
390a82 |
+0q:EGID set to RGID after disabling PRIVILEGED
|
|
|
390a82 |
+>$rgid/$rgid
|
|
|
390a82 |
+
|
|
|
390a82 |
+# This test also confirms that we can't revert to the original EUID's primary
|
|
|
390a82 |
+# GID, which initgroups() may reset the EGID to on some systems
|
|
|
390a82 |
+ re_zsh $ruid 0 $rgid 0 'unsetopt privileged; GID=0' ||
|
|
|
390a82 |
+ re_zsh $ruid 0 $rgid 0 'unsetopt privileged; EGID=0'
|
|
|
390a82 |
+1:not possible to regain EGID when unprivileged after disabling PRIVILEGED
|
|
|
390a82 |
+*?zsh:1: failed to change group ID: *
|
|
|
390a82 |
+*?zsh:1: failed to change effective group ID: *
|
|
|
390a82 |
+
|
|
|
390a82 |
+ local rruid
|
|
|
390a82 |
+ grep -qF '#define HAVE_INITGROUPS' $ZTST_testdir/../config.h || {
|
|
|
390a82 |
+ ZTST_skip='initgroups() not available'
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ get_unused_uid rruid || {
|
|
|
390a82 |
+ ZTST_skip="Can't get unused UID"
|
|
|
390a82 |
+ return 1
|
|
|
390a82 |
+ }
|
|
|
390a82 |
+ re_zsh $rruid 0 -1 -1 'unsetopt privileged'
|
|
|
390a82 |
+1:getpwuid() fails with non-existent RUID and 0 EUID
|
|
|
390a82 |
+*?zsh:unsetopt:1: can't drop privileges; failed to get user information *
|
|
|
390a82 |
+*?zsh:unsetopt:1: can't change option: privileged
|
|
|
390a82 |
diff --git a/Test/README b/Test/README
|
|
|
390a82 |
index d012277..726d68e 100644
|
|
|
390a82 |
--- a/Test/README
|
|
|
390a82 |
+++ b/Test/README
|
|
|
390a82 |
@@ -6,6 +6,7 @@ scripts names:
|
|
|
390a82 |
C: shell commands with special syntax
|
|
|
390a82 |
D: substititution
|
|
|
390a82 |
E: options
|
|
|
390a82 |
+ P: privileged (needs super-user privileges)
|
|
|
390a82 |
V: modules
|
|
|
390a82 |
W: builtin interactive commands and constructs
|
|
|
390a82 |
X: line editing
|
|
|
390a82 |
--
|
|
|
390a82 |
2.21.1
|
|
|
390a82 |
|