250d04
From e6dea148252c9d8cb3de0965f2e558ac13e12f06 Mon Sep 17 00:00:00 2001
250d04
From: Daniel Shahaf <danielsh@apache.org>
250d04
Date: Thu, 26 Dec 2019 11:49:45 +0000
250d04
Subject: [PATCH 1/7] internal: Allow %L in zerrmsg() in non-debug builds, too.
250d04
250d04
This will let error messages include long integers.
250d04
250d04
Upstream-commit: 81185f4c6106d7ea2f7beaabbec7360c08e400d2
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Src/utils.c | 2 --
250d04
 1 file changed, 2 deletions(-)
250d04
250d04
diff --git a/Src/utils.c b/Src/utils.c
250d04
index 32f6008..2ddc596 100644
250d04
--- a/Src/utils.c
250d04
+++ b/Src/utils.c
250d04
@@ -304,12 +304,10 @@ zerrmsg(FILE *file, const char *fmt, va_list ap)
250d04
 		nicezputs(s, file);
250d04
 		break;
250d04
 	    }
250d04
-#ifdef DEBUG
250d04
 	    case 'L':
250d04
 		lnum = va_arg(ap, long);
250d04
 		fprintf(file, "%ld", lnum);
250d04
 		break;
250d04
-#endif
250d04
 	    case 'd':
250d04
 		num = va_arg(ap, int);
250d04
 		fprintf(file, "%d", num);
250d04
-- 
250d04
2.21.1
250d04
250d04
250d04
From 4907caaf15e5a054088e05534c5500679c15b105 Mon Sep 17 00:00:00 2001
250d04
From: dana <dana@dana.is>
250d04
Date: Thu, 26 Dec 2019 14:57:07 -0600
250d04
Subject: [PATCH 2/7] unposted: zerrmsg(): Fix macro guard missed in previous
250d04
 commit
250d04
250d04
Upstream-commit: ed21a7b70068b4250a25dcdc5b7213a789b0d0ca
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Src/utils.c | 2 --
250d04
 1 file changed, 2 deletions(-)
250d04
250d04
diff --git a/Src/utils.c b/Src/utils.c
250d04
index 2ddc596..4a1dcc4 100644
250d04
--- a/Src/utils.c
250d04
+++ b/Src/utils.c
250d04
@@ -266,9 +266,7 @@ zerrmsg(FILE *file, const char *fmt, va_list ap)
250d04
 {
250d04
     const char *str;
250d04
     int num;
250d04
-#ifdef DEBUG
250d04
     long lnum;
250d04
-#endif
250d04
 #ifdef HAVE_STRERROR_R
250d04
 #define ERRBUFSIZE (80)
250d04
     int olderrno;
250d04
-- 
250d04
2.21.1
250d04
250d04
250d04
From 6b5d2276f9a8a30e7a62d542f092793575f0ae97 Mon Sep 17 00:00:00 2001
250d04
From: Sam Foxman <samfoxman320@gmail.com>
250d04
Date: Sun, 22 Dec 2019 17:30:28 -0500
250d04
Subject: [PATCH 3/7] Drop privileges securely
250d04
250d04
Upstream-commit: 24e993db62cf146fb76ebcf677a4a7aa3766fc74
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Src/options.c | 138 ++++++++++++++++++++++++++++++++++++++++++++------
250d04
 configure.ac  |   4 +-
250d04
 2 files changed, 126 insertions(+), 16 deletions(-)
250d04
250d04
diff --git a/Src/options.c b/Src/options.c
250d04
index b36bd99..3a0edab 100644
250d04
--- a/Src/options.c
250d04
+++ b/Src/options.c
250d04
@@ -565,6 +565,7 @@ int
250d04
 bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 {
250d04
     int action, optno, match = 0;
250d04
+    int retval = 0;
250d04
 
250d04
     /* With no arguments or options, display options. */
250d04
     if (!*args) {
250d04
@@ -592,18 +593,28 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 		    inittyptab();
250d04
 		    return 1;
250d04
 		}
250d04
-		if(!(optno = optlookup(*args)))
250d04
+		if(!(optno = optlookup(*args))) {
250d04
 		    zwarnnam(nam, "no such option: %s", *args);
250d04
-		else if(dosetopt(optno, action, 0, opts))
250d04
-		    zwarnnam(nam, "can't change option: %s", *args);
250d04
+		    retval = 1;
250d04
+		} else {
250d04
+		    retval = !!dosetopt(optno, action, 0, opts);
250d04
+		    if (retval) {
250d04
+			zwarnnam(nam, "can't change option: %s", *args);
250d04
+		    }
250d04
+		}
250d04
 		break;
250d04
 	    } else if(**args == 'm') {
250d04
 		match = 1;
250d04
 	    } else {
250d04
-	    	if (!(optno = optlookupc(**args)))
250d04
+	    	if (!(optno = optlookupc(**args))) {
250d04
 		    zwarnnam(nam, "bad option: -%c", **args);
250d04
-		else if(dosetopt(optno, action, 0, opts))
250d04
-		    zwarnnam(nam, "can't change option: -%c", **args);
250d04
+		    retval = 1;
250d04
+		} else {
250d04
+		    retval = !!dosetopt(optno, action, 0, opts);
250d04
+		    if (retval) {
250d04
+			zwarnnam(nam, "can't change option: -%c", **args);
250d04
+		    }
250d04
+		}
250d04
 	    }
250d04
 	}
250d04
 	args++;
250d04
@@ -613,10 +624,15 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
     if (!match) {
250d04
 	/* Not globbing the arguments -- arguments are simply option names. */
250d04
 	while (*args) {
250d04
-	    if(!(optno = optlookup(*args++)))
250d04
+	    if(!(optno = optlookup(*args++))) {
250d04
 		zwarnnam(nam, "no such option: %s", args[-1]);
250d04
-	    else if(dosetopt(optno, !isun, 0, opts))
250d04
-		zwarnnam(nam, "can't change option: %s", args[-1]);
250d04
+		retval = 1;
250d04
+	    } else {
250d04
+		retval = !!dosetopt(optno, !isun, 0, opts);
250d04
+		if (retval) {
250d04
+		    zwarnnam(nam, "can't change option: %s", args[-1]);
250d04
+		}
250d04
+	    }
250d04
 	}
250d04
     } else {
250d04
 	/* Globbing option (-m) set. */
250d04
@@ -639,7 +655,8 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 	    tokenize(s);
250d04
 	    if (!(pprog = patcompile(s, PAT_STATIC, NULL))) {
250d04
 		zwarnnam(nam, "bad pattern: %s", *args);
250d04
-		continue;
250d04
+		retval = 1;
250d04
+		break;
250d04
 	    }
250d04
 	    /* Loop over expansions. */
250d04
 	    scanmatchtable(optiontab, pprog, 0, 0, OPT_ALIAS,
250d04
@@ -648,7 +665,7 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 	}
250d04
     }
250d04
     inittyptab();
250d04
-    return 0;
250d04
+    return retval;
250d04
 }
250d04
 
250d04
 /* Identify an option name */
250d04
@@ -757,10 +774,101 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
 	    return -1;
250d04
     } else if(optno == PRIVILEGED && !value) {
250d04
 	/* unsetting PRIVILEGED causes the shell to make itself unprivileged */
250d04
-#ifdef HAVE_SETUID
250d04
-	setuid(getuid());
250d04
-	setgid(getgid());
250d04
-#endif /* HAVE_SETUID */
250d04
+
250d04
+	int skip_setuid = 0;
250d04
+	int skip_setgid = 0;
250d04
+
250d04
+#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
250d04
+	int orig_egid = getegid();
250d04
+#endif
250d04
+
250d04
+#if defined(HAVE_GETEUID) && defined(HAVE_GETUID)
250d04
+	if (geteuid() == getuid()) {
250d04
+	    skip_setuid = 1;
250d04
+	}
250d04
+#endif
250d04
+
250d04
+#if defined(HAVE_GETEGID) && defined(HAVE_GETGID)
250d04
+	if (getegid() == getgid()) {
250d04
+	    skip_setgid = 1;
250d04
+	}
250d04
+#endif
250d04
+
250d04
+	if (!skip_setgid) {
250d04
+	    int setgid_err;
250d04
+#ifdef HAVE_SETRESGID
250d04
+	    setgid_err = setresgid(getgid(), getgid(), getgid());
250d04
+#elif defined(HAVE_SETREGID)
250d04
+#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
250d04
+	    setgid_err = setregid(getgid(), getgid());
250d04
+#else
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: can't drop privileges; setregid available, but cannot check if saved gid changed");
250d04
+	    return -1;
250d04
+#endif
250d04
+#else
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid and setregid not available");
250d04
+	    return -1;
250d04
+#endif
250d04
+	    if (setgid_err) {
250d04
+		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
250d04
+		return -1;
250d04
+	    }
250d04
+	}
250d04
+
250d04
+	if (!skip_setuid) {
250d04
+#if defined(HAVE_GETEUID) && defined(HAVE_SETUID)
250d04
+	    int orig_euid = geteuid();
250d04
+#endif
250d04
+	    int setuid_err;
250d04
+#if defined(HAVE_GETEUID) && defined(HAVE_INITGROUPS) && defined(HAVE_GETPWUID)
250d04
+	    if (geteuid() == 0) {
250d04
+		struct passwd *pw = getpwuid(getuid());
250d04
+		if (pw == NULL) {
250d04
+		    zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %d: %e",
250d04
+			    getuid(), errno);
250d04
+		    return -1;
250d04
+		}
250d04
+		if (initgroups(pw->pw_name, pw->pw_gid)) {
250d04
+		    zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
250d04
+		    return -1;
250d04
+		}
250d04
+	    }
250d04
+#endif
250d04
+
250d04
+#ifdef HAVE_SETRESUID
250d04
+	    setuid_err = setresuid(getuid(), getuid(), getuid());
250d04
+#elif defined(HAVE_SETREUID)
250d04
+#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
250d04
+	    setuid_err = setreuid(getuid(), getuid());
250d04
+#else
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: can't drop privileges; setreuid available, but cannot check if saved uid changed");
250d04
+	    return -1;
250d04
+#endif
250d04
+#else
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid and setreuid not available");
250d04
+	    return -1;
250d04
+#endif
250d04
+	    if (setuid_err) {
250d04
+		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
250d04
+		return -1;
250d04
+	    }
250d04
+#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
250d04
+	    if (getuid() != 0 && !setuid(orig_euid)) {
250d04
+		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
250d04
+		return -1;
250d04
+	    }
250d04
+#endif
250d04
+	}
250d04
+
250d04
+#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
250d04
+	if (getuid() != 0 && !skip_setgid && !setgid(orig_egid)) {
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
250d04
+	    return -1;
250d04
+	}
250d04
+#endif
250d04
+
250d04
 #ifdef JOB_CONTROL
250d04
     } else if (!force && optno == MONITOR && value) {
250d04
 	if (new_opts[optno] == value)
250d04
diff --git a/configure.ac b/configure.ac
250d04
index 5528597..47f174e 100644
250d04
--- a/configure.ac
250d04
+++ b/configure.ac
250d04
@@ -1217,7 +1217,9 @@ AC_CHECK_FUNCS(strftime strptime mktime timelocal \
250d04
 	       inet_aton inet_pton inet_ntop \
250d04
 	       getlogin getpwent getpwnam getpwuid getgrgid getgrnam \
250d04
 	       initgroups nis_list \
250d04
-	       setuid seteuid setreuid setresuid setsid \
250d04
+	       getuid setuid seteuid setreuid setresuid setsid \
250d04
+	       getgid setgid setegid setregid setresgid \
250d04
+	       geteuid getegid \
250d04
 	       memcpy memmove strstr strerror strtoul \
250d04
 	       getrlimit getrusage \
250d04
 	       setlocale \
250d04
-- 
250d04
2.21.1
250d04
250d04
250d04
From 2544b32ecbb2493aa99e65599176be43d6064a78 Mon Sep 17 00:00:00 2001
250d04
From: Daniel Shahaf <danielsh@apache.org>
250d04
Date: Thu, 26 Dec 2019 09:16:19 +0000
250d04
Subject: [PATCH 4/7] Improve PRIVILEGED fixes
250d04
MIME-Version: 1.0
250d04
Content-Type: text/plain; charset=UTF-8
250d04
Content-Transfer-Encoding: 8bit
250d04
250d04
- Fix retval handling in bin_setopt()
250d04
250d04
- Don't skip_setuid / skip_setgid.  It's not our place to optimize away noops
250d04
  (that might not even _be_ noops; they might change the saved uid…).
250d04
250d04
- Remove HAVE_* guard checks around functions that are used unguarded elsewhere.
250d04
250d04
- Use bsd-setres_id.c from OpenSSH to provide setresuid() / setresgid()
250d04
  everywhere, and thus simplify the ifdef soup.  Fix some preëxisting
250d04
  bugs in the macro definitions of setuid() (do we still need that one?).
250d04
250d04
- Fix zwarning() format codes for variadic arguments type safety
250d04
250d04
- Restored a comment from HEAD
250d04
250d04
- Fix failure modes around initgroups()
250d04
250d04
- Compared privilege restoration code with OpenSSH's permanently_drop_uid() and
250d04
  updated as needed
250d04
250d04
- Add E01 PRIVILEGED sanity checks
250d04
250d04
Upstream-commit: 8250c5c168f07549ed646e6848e6dda118271e23
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Src/openssh_bsd_setres_id.c | 129 +++++++++++++++++++++++++++++++
250d04
 Src/options.c               | 148 ++++++++++++++++--------------------
250d04
 Src/zsh.mdd                 |   3 +-
250d04
 Src/zsh_system.h            |  94 ++++++++++++++++++-----
250d04
 Test/E01options.ztst        |  15 ++++
250d04
 configure.ac                |   5 +-
250d04
 6 files changed, 292 insertions(+), 102 deletions(-)
250d04
 create mode 100644 Src/openssh_bsd_setres_id.c
250d04
250d04
diff --git a/Src/openssh_bsd_setres_id.c b/Src/openssh_bsd_setres_id.c
250d04
new file mode 100644
250d04
index 0000000..65e91a4
250d04
--- /dev/null
250d04
+++ b/Src/openssh_bsd_setres_id.c
250d04
@@ -0,0 +1,129 @@
250d04
+/*
250d04
+ * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
250d04
+ *
250d04
+ * Permission to use, copy, modify, and distribute this software for any
250d04
+ * purpose with or without fee is hereby granted, provided that the above
250d04
+ * copyright notice and this permission notice appear in all copies.
250d04
+ *
250d04
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
250d04
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
250d04
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
250d04
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
250d04
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
250d04
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
250d04
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
250d04
+ */
250d04
+/*
250d04
+ * openssh_bsd_setres_id.c - setresuid() and setresgid() wrappers
250d04
+ *
250d04
+ * This file is part of zsh, the Z shell.
250d04
+ *
250d04
+ * It is based on the file openbsd-compat/bsd-setres_id.c in OpenSSH 7.9p1,
250d04
+ * which is subject to the copyright notice above.  The zsh modifications are
250d04
+ * licensed as follows:
250d04
+ *
250d04
+ * Copyright (c) 2019 Daniel Shahaf
250d04
+ * All rights reserved.
250d04
+ *
250d04
+ * Permission is hereby granted, without written agreement and without
250d04
+ * license or royalty fees, to use, copy, modify, and distribute this
250d04
+ * software and to distribute modified versions of this software for any
250d04
+ * purpose, provided that the above copyright notice and the following
250d04
+ * two paragraphs appear in all copies of this software.
250d04
+ *
250d04
+ * In no event shall Daniel Shahaf or the Zsh Development Group be liable
250d04
+ * to any party for direct, indirect, special, incidental, or consequential
250d04
+ * damages arising out of the use of this software and its documentation,
250d04
+ * even if Daniel Shahaf and the Zsh Development Group have been advised of
250d04
+ * the possibility of such damage.
250d04
+ *
250d04
+ * Daniel Shahaf and the Zsh Development Group specifically disclaim any
250d04
+ * warranties, including, but not limited to, the implied warranties of
250d04
+ * merchantability and fitness for a particular purpose.  The software
250d04
+ * provided hereunder is on an "as is" basis, and Daniel Shahaf and the
250d04
+ * Zsh Development Group have no obligation to provide maintenance,
250d04
+ * support, updates, enhancements, or modifications.
250d04
+ *
250d04
+ */
250d04
+
250d04
+
250d04
+#include <sys/types.h>
250d04
+
250d04
+#include <stdarg.h>
250d04
+#include <unistd.h>
250d04
+#include <string.h>
250d04
+
250d04
+#include "zsh.mdh"
250d04
+
250d04
+#if defined(ZSH_IMPLEMENT_SETRESGID) || defined(BROKEN_SETRESGID)
250d04
+int
250d04
+setresgid(gid_t rgid, gid_t egid, gid_t sgid)
250d04
+{
250d04
+	int ret = 0, saved_errno;
250d04
+
250d04
+	if (rgid != sgid) {
250d04
+		errno = ENOSYS;
250d04
+		return -1;
250d04
+	}
250d04
+#if defined(ZSH_HAVE_NATIVE_SETREGID) && !defined(BROKEN_SETREGID)
250d04
+	if (setregid(rgid, egid) < 0) {
250d04
+		saved_errno = errno;
250d04
+		zwarnnam("setregid", "to gid %L: %e", (long)rgid, errno);
250d04
+		errno = saved_errno;
250d04
+		ret = -1;
250d04
+	}
250d04
+#else
250d04
+	if (setegid(egid) < 0) {
250d04
+		saved_errno = errno;
250d04
+		zwarnnam("setegid", "to gid %L: %e", (long)(unsigned int)egid, errno);
250d04
+		errno = saved_errno;
250d04
+		ret = -1;
250d04
+	}
250d04
+	if (setgid(rgid) < 0) {
250d04
+		saved_errno = errno;
250d04
+		zwarnnam("setgid", "to gid %L: %e", (long)rgid, errno);
250d04
+		errno = saved_errno;
250d04
+		ret = -1;
250d04
+	}
250d04
+#endif
250d04
+	return ret;
250d04
+}
250d04
+#endif
250d04
+
250d04
+#if defined(ZSH_IMPLEMENT_SETRESUID) || defined(BROKEN_SETRESUID)
250d04
+int
250d04
+setresuid(uid_t ruid, uid_t euid, uid_t suid)
250d04
+{
250d04
+	int ret = 0, saved_errno;
250d04
+
250d04
+	if (ruid != suid) {
250d04
+		errno = ENOSYS;
250d04
+		return -1;
250d04
+	}
250d04
+#if defined(ZSH_HAVE_NATIVE_SETREUID) && !defined(BROKEN_SETREUID)
250d04
+	if (setreuid(ruid, euid) < 0) {
250d04
+		saved_errno = errno;
250d04
+		zwarnnam("setreuid", "to uid %L: %e", (long)ruid, errno);
250d04
+		errno = saved_errno;
250d04
+		ret = -1;
250d04
+	}
250d04
+#else
250d04
+
250d04
+# ifndef SETEUID_BREAKS_SETUID
250d04
+	if (seteuid(euid) < 0) {
250d04
+		saved_errno = errno;
250d04
+		zwarnnam("seteuid", "to uid %L: %e", (long)euid, errno);
250d04
+		errno = saved_errno;
250d04
+		ret = -1;
250d04
+	}
250d04
+# endif
250d04
+	if (setuid(ruid) < 0) {
250d04
+		saved_errno = errno;
250d04
+		zwarnnam("setuid", "to uid %L: %e", (long)ruid, errno);
250d04
+		errno = saved_errno;
250d04
+		ret = -1;
250d04
+	}
250d04
+#endif
250d04
+	return ret;
250d04
+}
250d04
+#endif
250d04
diff --git a/Src/options.c b/Src/options.c
250d04
index 3a0edab..b10a53e 100644
250d04
--- a/Src/options.c
250d04
+++ b/Src/options.c
250d04
@@ -595,25 +595,21 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 		}
250d04
 		if(!(optno = optlookup(*args))) {
250d04
 		    zwarnnam(nam, "no such option: %s", *args);
250d04
-		    retval = 1;
250d04
-		} else {
250d04
-		    retval = !!dosetopt(optno, action, 0, opts);
250d04
-		    if (retval) {
250d04
-			zwarnnam(nam, "can't change option: %s", *args);
250d04
-		    }
250d04
+		    retval |= 1;
250d04
+		} else if (dosetopt(optno, action, 0, opts)) {
250d04
+		    zwarnnam(nam, "can't change option: %s", *args);
250d04
+		    retval |= 1;
250d04
 		}
250d04
 		break;
250d04
 	    } else if(**args == 'm') {
250d04
 		match = 1;
250d04
 	    } else {
250d04
-	    	if (!(optno = optlookupc(**args))) {
250d04
+		if (!(optno = optlookupc(**args))) {
250d04
 		    zwarnnam(nam, "bad option: -%c", **args);
250d04
-		    retval = 1;
250d04
-		} else {
250d04
-		    retval = !!dosetopt(optno, action, 0, opts);
250d04
-		    if (retval) {
250d04
-			zwarnnam(nam, "can't change option: -%c", **args);
250d04
-		    }
250d04
+		    retval |= 1;
250d04
+		} else if (dosetopt(optno, action, 0, opts)) {
250d04
+		    zwarnnam(nam, "can't change option: -%c", **args);
250d04
+		    retval |= 1;
250d04
 		}
250d04
 	    }
250d04
 	}
250d04
@@ -626,12 +622,10 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 	while (*args) {
250d04
 	    if(!(optno = optlookup(*args++))) {
250d04
 		zwarnnam(nam, "no such option: %s", args[-1]);
250d04
-		retval = 1;
250d04
-	    } else {
250d04
-		retval = !!dosetopt(optno, !isun, 0, opts);
250d04
-		if (retval) {
250d04
-		    zwarnnam(nam, "can't change option: %s", args[-1]);
250d04
-		}
250d04
+		retval |= 1;
250d04
+	    } else if (dosetopt(optno, !isun, 0, opts)) {
250d04
+		zwarnnam(nam, "can't change option: %s", args[-1]);
250d04
+		retval |= 1;
250d04
 	    }
250d04
 	}
250d04
     } else {
250d04
@@ -655,7 +649,7 @@ bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun)
250d04
 	    tokenize(s);
250d04
 	    if (!(pprog = patcompile(s, PAT_STATIC, NULL))) {
250d04
 		zwarnnam(nam, "bad pattern: %s", *args);
250d04
-		retval = 1;
250d04
+		retval |= 1;
250d04
 		break;
250d04
 	    }
250d04
 	    /* Loop over expansions. */
250d04
@@ -775,100 +769,92 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
     } else if(optno == PRIVILEGED && !value) {
250d04
 	/* unsetting PRIVILEGED causes the shell to make itself unprivileged */
250d04
 
250d04
-	int skip_setuid = 0;
250d04
-	int skip_setgid = 0;
250d04
-
250d04
-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
250d04
-	int orig_egid = getegid();
250d04
-#endif
250d04
+	/* If set, return -1 so lastval will be non-zero. */
250d04
+	int failed = 0;
250d04
 
250d04
-#if defined(HAVE_GETEUID) && defined(HAVE_GETUID)
250d04
-	if (geteuid() == getuid()) {
250d04
-	    skip_setuid = 1;
250d04
-	}
250d04
+#ifdef HAVE_SETUID
250d04
+	const int orig_euid = geteuid();
250d04
 #endif
250d04
+	const int orig_egid = getegid();
250d04
 
250d04
-#if defined(HAVE_GETEGID) && defined(HAVE_GETGID)
250d04
-	if (getegid() == getgid()) {
250d04
-	    skip_setgid = 1;
250d04
-	}
250d04
-#endif
250d04
-
250d04
-	if (!skip_setgid) {
250d04
-	    int setgid_err;
250d04
-#ifdef HAVE_SETRESGID
250d04
-	    setgid_err = setresgid(getgid(), getgid(), getgid());
250d04
-#elif defined(HAVE_SETREGID)
250d04
-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
250d04
-	    setgid_err = setregid(getgid(), getgid());
250d04
-#else
250d04
-	    zwarnnam("unsetopt",
250d04
-		"PRIVILEGED: can't drop privileges; setregid available, but cannot check if saved gid changed");
250d04
+	/*
250d04
+	 * Set the GID first as if we set the UID to non-privileged it
250d04
+	 * might be impossible to restore the GID.
250d04
+	 */
250d04
+	{
250d04
+#ifndef HAVE_SETRESGID
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
250d04
 	    return -1;
250d04
-#endif
250d04
 #else
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid and setregid not available");
250d04
-	    return -1;
250d04
-#endif
250d04
+	    int setgid_err;
250d04
+	    setgid_err = setresgid(getgid(), getgid(), getgid());
250d04
 	    if (setgid_err) {
250d04
 		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
250d04
 		return -1;
250d04
 	    }
250d04
+#endif
250d04
 	}
250d04
 
250d04
-	if (!skip_setuid) {
250d04
-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID)
250d04
-	    int orig_euid = geteuid();
250d04
-#endif
250d04
+	/* Set the UID second. */
250d04
+	{
250d04
+#ifndef HAVE_SETRESUID
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
250d04
+	    return -1;
250d04
+#else
250d04
 	    int setuid_err;
250d04
-#if defined(HAVE_GETEUID) && defined(HAVE_INITGROUPS) && defined(HAVE_GETPWUID)
250d04
+
250d04
+# ifdef HAVE_INITGROUPS
250d04
+	    /* Set the supplementary groups list. */
250d04
 	    if (geteuid() == 0) {
250d04
 		struct passwd *pw = getpwuid(getuid());
250d04
 		if (pw == NULL) {
250d04
-		    zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %d: %e",
250d04
-			    getuid(), errno);
250d04
-		    return -1;
250d04
-		}
250d04
-		if (initgroups(pw->pw_name, pw->pw_gid)) {
250d04
+		    zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
250d04
+			    (long)getuid(), errno);
250d04
+		    failed = 1;
250d04
+		} else if (initgroups(pw->pw_name, pw->pw_gid)) {
250d04
 		    zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
250d04
 		    return -1;
250d04
 		}
250d04
+	    } else if (getuid() != 0 &&
250d04
+		    (geteuid() != getuid() || orig_egid != getegid())) {
250d04
+		zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
250d04
+			(long)geteuid());
250d04
+		failed = 1;
250d04
 	    }
250d04
-#endif
250d04
+# else
250d04
+	    /* initgroups() isn't in POSIX.  If it's not available on the system,
250d04
+	     * we silently skip it. */
250d04
+# endif
250d04
 
250d04
-#ifdef HAVE_SETRESUID
250d04
 	    setuid_err = setresuid(getuid(), getuid(), getuid());
250d04
-#elif defined(HAVE_SETREUID)
250d04
-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
250d04
-	    setuid_err = setreuid(getuid(), getuid());
250d04
-#else
250d04
-	    zwarnnam("unsetopt",
250d04
-		"PRIVILEGED: can't drop privileges; setreuid available, but cannot check if saved uid changed");
250d04
-	    return -1;
250d04
-#endif
250d04
-#else
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid and setreuid not available");
250d04
-	    return -1;
250d04
-#endif
250d04
 	    if (setuid_err) {
250d04
 		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
250d04
 		return -1;
250d04
 	    }
250d04
-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID)
250d04
-	    if (getuid() != 0 && !setuid(orig_euid)) {
250d04
-		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
250d04
-		return -1;
250d04
-	    }
250d04
 #endif
250d04
 	}
250d04
 
250d04
-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID)
250d04
-	if (getuid() != 0 && !skip_setgid && !setgid(orig_egid)) {
250d04
+#ifdef HAVE_SETGID
250d04
+	if (getuid() != 0 && orig_egid != getegid() &&
250d04
+		(setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) {
250d04
 	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
250d04
 	    return -1;
250d04
 	}
250d04
 #endif
250d04
 
250d04
+#ifdef HAVE_SETUID
250d04
+	if (getuid() != 0 && orig_euid != geteuid() &&
250d04
+		(setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) {
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
250d04
+	    return -1;
250d04
+	}
250d04
+#endif
250d04
+
250d04
+	if (failed) {
250d04
+	    /* A warning message has been printed. */
250d04
+	    return -1;
250d04
+	}
250d04
+
250d04
 #ifdef JOB_CONTROL
250d04
     } else if (!force && optno == MONITOR && value) {
250d04
 	if (new_opts[optno] == value)
250d04
diff --git a/Src/zsh.mdd b/Src/zsh.mdd
250d04
index 6e90776..292821a 100644
250d04
--- a/Src/zsh.mdd
250d04
+++ b/Src/zsh.mdd
250d04
@@ -12,7 +12,8 @@ alwayslink=1
250d04
 objects="builtin.o compat.o cond.o exec.o glob.o hashtable.o hashnameddir.o \
250d04
 hist.o init.o input.o jobs.o lex.o linklist.o loop.o math.o \
250d04
 mem.o module.o options.o params.o parse.o pattern.o prompt.o signals.o \
250d04
-signames.o sort.o string.o subst.o text.o utils.o watch.o"
250d04
+signames.o sort.o string.o subst.o text.o utils.o watch.o \
250d04
+openssh_bsd_setres_id.o"
250d04
 
250d04
 headers="../config.h zsh_system.h zsh.h sigcount.h signals.h \
250d04
 prototypes.h hashtable.h ztype.h"
250d04
diff --git a/Src/zsh_system.h b/Src/zsh_system.h
250d04
index 427c25f..4a95d0a 100644
250d04
--- a/Src/zsh_system.h
250d04
+++ b/Src/zsh_system.h
250d04
@@ -457,30 +457,90 @@ struct timezone {
250d04
 # define setpgrp setpgid
250d04
 #endif
250d04
 
250d04
-/* can we set the user/group id of a process */
250d04
+/* compatibility wrappers */
250d04
 
250d04
-#ifndef HAVE_SETUID
250d04
+/* Our strategy is as follows:
250d04
+ *
250d04
+ * - Ensure that either setre[ug]id() or set{e,}[ug]id() is available.
250d04
+ * - If setres[ug]id() are missing, provide them in terms of either
250d04
+ *   setre[ug]id() or set{e,}[ug]id(), whichever is available.
250d04
+ * - Provide replacement setre[ug]id() or set{e,}[ug]id() if they are not
250d04
+ *   available natively.
250d04
+ *
250d04
+ * There isn't a circular dependency because, right off the bat, we check that
250d04
+ * there's an end condition, and #error out otherwise.
250d04
+ */
250d04
+#if !defined(HAVE_SETREUID) && !(defined(HAVE_SETEUID) && defined(HAVE_SETUID))
250d04
+  /*
250d04
+   * If you run into this error, you have two options:
250d04
+   * - Teach zsh how to do the equivalent of setreuid() on your system
250d04
+   * - Remove support for PRIVILEGED option, and then remove the #error.
250d04
+   */
250d04
+# error "Don't know how to change UID"
250d04
+#endif
250d04
+#if !defined(HAVE_SETREGID) && !(defined(HAVE_SETEGID) && defined(HAVE_SETGID))
250d04
+  /* See above comment. */
250d04
+# error "Don't know how to change GID"
250d04
+#endif
250d04
+
250d04
+/* Provide setresuid(). */
250d04
+#ifndef HAVE_SETRESUID
250d04
+int	setresuid(uid_t, uid_t, uid_t);
250d04
+# define HAVE_SETRESUID
250d04
+# define ZSH_IMPLEMENT_SETRESUID
250d04
 # ifdef HAVE_SETREUID
250d04
-#  define setuid(X) setreuid(X,X)
250d04
-#  define setgid(X) setregid(X,X)
250d04
-#  define HAVE_SETUID
250d04
+#  define ZSH_HAVE_NATIVE_SETREUID
250d04
 # endif
250d04
 #endif
250d04
 
250d04
-/* can we set the effective user/group id of a process */
250d04
+/* Provide setresgid(). */
250d04
+#ifndef HAVE_SETRESGID
250d04
+int	setresgid(gid_t, gid_t, gid_t);
250d04
+# define HAVE_SETRESGID
250d04
+# define ZSH_IMPLEMENT_SETRESGID
250d04
+# ifdef HAVE_SETREGID
250d04
+#  define ZSH_HAVE_NATIVE_SETREGID
250d04
+# endif
250d04
+#endif
250d04
 
250d04
+/* Provide setreuid(). */
250d04
+#ifndef HAVE_SETREUID
250d04
+# define setreuid(X, Y) setresuid((X), (Y), -1)
250d04
+# define HAVE_SETREUID
250d04
+#endif
250d04
+
250d04
+/* Provide setregid(). */
250d04
+#ifndef HAVE_SETREGID
250d04
+# define setregid(X, Y) setresgid((X), (Y), -1)
250d04
+# define HAVE_SETREGID
250d04
+#endif
250d04
+
250d04
+/* Provide setuid(). */
250d04
+/* ### TODO: Either remove this (this function has been standard since 1985),
250d04
+ * ###       or rewrite this without multiply-evaluating the argument */
250d04
+#ifndef HAVE_SETUID
250d04
+# define setuid(X) setreuid((X), (X))
250d04
+# define HAVE_SETUID
250d04
+#endif
250d04
+
250d04
+/* Provide setgid(). */
250d04
+#ifndef HAVE_SETGID
250d04
+/* ### TODO: Either remove this (this function has been standard since 1985),
250d04
+ * ###       or rewrite this without multiply-evaluating the argument */
250d04
+#  define setgid(X) setregid((X), (X))
250d04
+#  define HAVE_SETGID
250d04
+#endif
250d04
+
250d04
+/* Provide seteuid(). */
250d04
 #ifndef HAVE_SETEUID
250d04
-# ifdef HAVE_SETREUID
250d04
-#  define seteuid(X) setreuid(-1,X)
250d04
-#  define setegid(X) setregid(-1,X)
250d04
-#  define HAVE_SETEUID
250d04
-# else
250d04
-#  ifdef HAVE_SETRESUID
250d04
-#   define seteuid(X) setresuid(-1,X,-1)
250d04
-#   define setegid(X) setresgid(-1,X,-1)
250d04
-#   define HAVE_SETEUID
250d04
-#  endif
250d04
-# endif
250d04
+# define seteuid(X) setreuid(-1, (X))
250d04
+# define HAVE_SETEUID
250d04
+#endif
250d04
+
250d04
+/* Provide setegid(). */
250d04
+#ifndef HAVE_SETEGID
250d04
+# define setegid(X) setregid(-1, (X))
250d04
+# define HAVE_SETEGID
250d04
 #endif
250d04
 
250d04
 #ifdef HAVE_SYS_RESOURCE_H
250d04
diff --git a/Test/E01options.ztst b/Test/E01options.ztst
250d04
index bcb34c3..38ae17e 100644
250d04
--- a/Test/E01options.ztst
250d04
+++ b/Test/E01options.ztst
250d04
@@ -1096,3 +1096,18 @@
250d04
 0:IGNORE_CLOSE_BRACES option
250d04
 >this is OK
250d04
 >6
250d04
+
250d04
+# There are further tests for PRIVILEGED in P01privileged.ztst.
250d04
+ if [[ -o privileged ]]; then
250d04
+   unsetopt privileged
250d04
+ fi
250d04
+ unsetopt privileged
250d04
+0:PRIVILEGED sanity check: unsetting is idempotent
250d04
+F:If this test fails at the first unsetopt, refer to P01privileged.ztst.
250d04
+
250d04
+  if [[ -o privileged ]]; then
250d04
+    (( UID != EUID ))
250d04
+  else
250d04
+    (( UID == EUID ))
250d04
+  fi
250d04
+0:PRIVILEGED sanity check: default value is correct
250d04
diff --git a/configure.ac b/configure.ac
250d04
index 47f174e..cc050a9 100644
250d04
--- a/configure.ac
250d04
+++ b/configure.ac
250d04
@@ -1217,9 +1217,8 @@ AC_CHECK_FUNCS(strftime strptime mktime timelocal \
250d04
 	       inet_aton inet_pton inet_ntop \
250d04
 	       getlogin getpwent getpwnam getpwuid getgrgid getgrnam \
250d04
 	       initgroups nis_list \
250d04
-	       getuid setuid seteuid setreuid setresuid setsid \
250d04
-	       getgid setgid setegid setregid setresgid \
250d04
-	       geteuid getegid \
250d04
+	       setuid seteuid setreuid setresuid setsid \
250d04
+	       setgid setegid setregid setresgid \
250d04
 	       memcpy memmove strstr strerror strtoul \
250d04
 	       getrlimit getrusage \
250d04
 	       setlocale \
250d04
-- 
250d04
2.21.1
250d04
250d04
250d04
From 1754f070a8ac6953eb27f13e4df4a95b90bfe6a1 Mon Sep 17 00:00:00 2001
250d04
From: dana <dana@dana.is>
250d04
Date: Sun, 29 Dec 2019 02:41:11 +0000
250d04
Subject: [PATCH 5/7] Improve PRIVILEGED fixes (again)
250d04
250d04
* Pass RGID instead of passwd GID to initgroups()
250d04
250d04
* Clean up #ifdefs, avoid unnecessary checks
250d04
250d04
* Flatten conditions
250d04
250d04
Upstream-commit: 26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Src/options.c | 92 ++++++++++++++++++++++++---------------------------
250d04
 1 file changed, 43 insertions(+), 49 deletions(-)
250d04
250d04
diff --git a/Src/options.c b/Src/options.c
250d04
index b10a53e..223cc24 100644
250d04
--- a/Src/options.c
250d04
+++ b/Src/options.c
250d04
@@ -769,91 +769,85 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
     } else if(optno == PRIVILEGED && !value) {
250d04
 	/* unsetting PRIVILEGED causes the shell to make itself unprivileged */
250d04
 
250d04
+/* For simplicity's sake, require both setresgid() and setresuid() up-front. */
250d04
+#if !defined(HAVE_SETRESGID)
250d04
+	zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
250d04
+	return -1;
250d04
+#elif !defined(HAVE_SETRESUID)
250d04
+	zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
250d04
+	return -1;
250d04
+#else
250d04
 	/* If set, return -1 so lastval will be non-zero. */
250d04
 	int failed = 0;
250d04
-
250d04
-#ifdef HAVE_SETUID
250d04
 	const int orig_euid = geteuid();
250d04
-#endif
250d04
 	const int orig_egid = getegid();
250d04
 
250d04
 	/*
250d04
 	 * Set the GID first as if we set the UID to non-privileged it
250d04
 	 * might be impossible to restore the GID.
250d04
 	 */
250d04
-	{
250d04
-#ifndef HAVE_SETRESGID
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
250d04
+	if (setresgid(getgid(), getgid(), getgid())) {
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
250d04
 	    return -1;
250d04
-#else
250d04
-	    int setgid_err;
250d04
-	    setgid_err = setresgid(getgid(), getgid(), getgid());
250d04
-	    if (setgid_err) {
250d04
-		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
250d04
-		return -1;
250d04
-	    }
250d04
-#endif
250d04
 	}
250d04
 
250d04
-	/* Set the UID second. */
250d04
-	{
250d04
-#ifndef HAVE_SETRESUID
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
250d04
-	    return -1;
250d04
-#else
250d04
-	    int setuid_err;
250d04
-
250d04
 # ifdef HAVE_INITGROUPS
250d04
-	    /* Set the supplementary groups list. */
250d04
-	    if (geteuid() == 0) {
250d04
-		struct passwd *pw = getpwuid(getuid());
250d04
-		if (pw == NULL) {
250d04
-		    zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
250d04
-			    (long)getuid(), errno);
250d04
-		    failed = 1;
250d04
-		} else if (initgroups(pw->pw_name, pw->pw_gid)) {
250d04
-		    zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
250d04
-		    return -1;
250d04
-		}
250d04
-	    } else if (getuid() != 0 &&
250d04
-		    (geteuid() != getuid() || orig_egid != getegid())) {
250d04
-		zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
250d04
-			(long)geteuid());
250d04
+	/* Set the supplementary groups list.
250d04
+	 *
250d04
+	 * Note that on macOS, FreeBSD, and possibly some other platforms,
250d04
+	 * initgroups() resets the EGID to its second argument (see setgroups(2) for
250d04
+	 * details). This has the potential to leave the EGID in an unexpected
250d04
+	 * state. However, it seems common in other projects that do this dance to
250d04
+	 * simply re-use the same GID that's going to become the EGID anyway, in
250d04
+	 * which case it doesn't matter. That's what we do here. It's therefore
250d04
+	 * possible, in some probably uncommon cases, that the shell ends up not
250d04
+	 * having the privileges of the RUID user's primary/passwd group. */
250d04
+	if (geteuid() == 0) {
250d04
+	    struct passwd *pw = getpwuid(getuid());
250d04
+	    if (pw == NULL) {
250d04
+		zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
250d04
+		    (long)getuid(), errno);
250d04
 		failed = 1;
250d04
+	    /* This may behave strangely in the unlikely event that the same user
250d04
+	     * name appears with multiple UIDs in the passwd database */
250d04
+	    } else if (initgroups(pw->pw_name, getgid())) {
250d04
+		zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
250d04
+		return -1;
250d04
 	    }
250d04
+	} else if (getuid() != 0 &&
250d04
+	    (geteuid() != getuid() || orig_egid != getegid())) {
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
250d04
+		(long)geteuid());
250d04
+	    failed = 1;
250d04
+	}
250d04
 # else
250d04
-	    /* initgroups() isn't in POSIX.  If it's not available on the system,
250d04
-	     * we silently skip it. */
250d04
+	/* initgroups() isn't in POSIX.  If it's not available on the system,
250d04
+	 * we silently skip it. */
250d04
 # endif
250d04
 
250d04
-	    setuid_err = setresuid(getuid(), getuid(), getuid());
250d04
-	    if (setuid_err) {
250d04
-		zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
250d04
-		return -1;
250d04
-	    }
250d04
-#endif
250d04
+	/* Set the UID second. */
250d04
+	if (setresuid(getuid(), getuid(), getuid())) {
250d04
+	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
250d04
+	    return -1;
250d04
 	}
250d04
 
250d04
-#ifdef HAVE_SETGID
250d04
 	if (getuid() != 0 && orig_egid != getegid() &&
250d04
 		(setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) {
250d04
 	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
250d04
 	    return -1;
250d04
 	}
250d04
-#endif
250d04
 
250d04
-#ifdef HAVE_SETUID
250d04
 	if (getuid() != 0 && orig_euid != geteuid() &&
250d04
 		(setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) {
250d04
 	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
250d04
 	    return -1;
250d04
 	}
250d04
-#endif
250d04
 
250d04
 	if (failed) {
250d04
 	    /* A warning message has been printed. */
250d04
 	    return -1;
250d04
 	}
250d04
+#endif /* HAVE_SETRESGID && HAVE_SETRESUID */
250d04
 
250d04
 #ifdef JOB_CONTROL
250d04
     } else if (!force && optno == MONITOR && value) {
250d04
-- 
250d04
2.21.1
250d04
250d04
250d04
From dc66d410f09ff1db86f774f273fee14a3feb4ffd Mon Sep 17 00:00:00 2001
250d04
From: dana <dana@dana.is>
250d04
Date: Sun, 29 Dec 2019 02:43:14 +0000
250d04
Subject: [PATCH 6/7] Clean up error-message white space
250d04
250d04
Upstream-commit: 4ce66857b71b40a0661df3780ff557f2b0f4cb13
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Src/options.c | 30 +++++++++++++++++++++---------
250d04
 1 file changed, 21 insertions(+), 9 deletions(-)
250d04
250d04
diff --git a/Src/options.c b/Src/options.c
250d04
index 223cc24..a2e629f 100644
250d04
--- a/Src/options.c
250d04
+++ b/Src/options.c
250d04
@@ -771,10 +771,12 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
 
250d04
 /* For simplicity's sake, require both setresgid() and setresuid() up-front. */
250d04
 #if !defined(HAVE_SETRESGID)
250d04
-	zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
250d04
+	zwarnnam("unsetopt",
250d04
+	    "PRIVILEGED: can't drop privileges; setresgid() and friends not available");
250d04
 	return -1;
250d04
 #elif !defined(HAVE_SETRESUID)
250d04
-	zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
250d04
+	zwarnnam("unsetopt",
250d04
+	    "PRIVILEGED: can't drop privileges; setresuid() and friends not available");
250d04
 	return -1;
250d04
 #else
250d04
 	/* If set, return -1 so lastval will be non-zero. */
250d04
@@ -787,7 +789,9 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
 	 * might be impossible to restore the GID.
250d04
 	 */
250d04
 	if (setresgid(getgid(), getgid(), getgid())) {
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno);
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: can't drop privileges; failed to change group ID: %e",
250d04
+		errno);
250d04
 	    return -1;
250d04
 	}
250d04
 
250d04
@@ -805,18 +809,22 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
 	if (geteuid() == 0) {
250d04
 	    struct passwd *pw = getpwuid(getuid());
250d04
 	    if (pw == NULL) {
250d04
-		zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e",
250d04
+		zwarnnam("unsetopt",
250d04
+		    "can't drop privileges; failed to get user information for uid %L: %e",
250d04
 		    (long)getuid(), errno);
250d04
 		failed = 1;
250d04
 	    /* This may behave strangely in the unlikely event that the same user
250d04
 	     * name appears with multiple UIDs in the passwd database */
250d04
 	    } else if (initgroups(pw->pw_name, getgid())) {
250d04
-		zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno);
250d04
+		zwarnnam("unsetopt",
250d04
+		    "can't drop privileges; failed to set supplementary group list: %e",
250d04
+		    errno);
250d04
 		return -1;
250d04
 	    }
250d04
 	} else if (getuid() != 0 &&
250d04
 	    (geteuid() != getuid() || orig_egid != getegid())) {
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L",
250d04
 		(long)geteuid());
250d04
 	    failed = 1;
250d04
 	}
250d04
@@ -827,19 +835,23 @@ dosetopt(int optno, int value, int force, char *new_opts)
250d04
 
250d04
 	/* Set the UID second. */
250d04
 	if (setresuid(getuid(), getuid(), getuid())) {
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno);
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: can't drop privileges; failed to change user ID: %e",
250d04
+		errno);
250d04
 	    return -1;
250d04
 	}
250d04
 
250d04
 	if (getuid() != 0 && orig_egid != getegid() &&
250d04
 		(setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) {
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid");
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: can't drop privileges; was able to restore the egid");
250d04
 	    return -1;
250d04
 	}
250d04
 
250d04
 	if (getuid() != 0 && orig_euid != geteuid() &&
250d04
 		(setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) {
250d04
-	    zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid");
250d04
+	    zwarnnam("unsetopt",
250d04
+		"PRIVILEGED: can't drop privileges; was able to restore the euid");
250d04
 	    return -1;
250d04
 	}
250d04
 
250d04
-- 
250d04
2.21.1
250d04
250d04
250d04
From ec2a5a5fa71103e20d62afa843a953863a2e1f97 Mon Sep 17 00:00:00 2001
250d04
From: dana <dana@dana.is>
250d04
Date: Sat, 28 Dec 2019 20:45:55 -0600
250d04
Subject: [PATCH 7/7] Add unsetopt/PRIVILEGED tests
250d04
250d04
Upstream-commit: b15bd4aa590db8087d1e8f2eb1af2874f5db814d
250d04
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
250d04
---
250d04
 Test/E01options.ztst    |  10 +-
250d04
 Test/P01privileged.ztst | 197 ++++++++++++++++++++++++++++++++++++++++
250d04
 Test/README             |   1 +
250d04
 3 files changed, 207 insertions(+), 1 deletion(-)
250d04
 create mode 100644 Test/P01privileged.ztst
250d04
250d04
diff --git a/Test/E01options.ztst b/Test/E01options.ztst
250d04
index 38ae17e..4dcae2c 100644
250d04
--- a/Test/E01options.ztst
250d04
+++ b/Test/E01options.ztst
250d04
@@ -74,7 +74,6 @@
250d04
 #    HASH_LIST_ALL )
250d04
 #    PRINT_EXIT_STATUS   haven't worked out what this does yet, although
250d04
 #                        Bart suggested a fix.
250d04
-#    PRIVILEGED (similar to GLOBAL_RCS)
250d04
 #    RCS        (  "      "    "    " )
250d04
 #    SH_OPTION_LETTERS   even I found this too dull to set up a test for
250d04
 #    SINGLE_COMMAND      kills shell
250d04
@@ -94,6 +93,15 @@
250d04
 
250d04
 %test
250d04
 
250d04
+  # setopt should move on to the next operation in the face of an error, but
250d04
+  # preserve the >0 return code
250d04
+  unsetopt aliases
250d04
+  setopt not_a_real_option aliases && return 2
250d04
+  print -r - $options[aliases]
250d04
+0:setopt error handling
250d04
+?(eval):setopt:4: no such option: not_a_real_option
250d04
+>on
250d04
+
250d04
   alias echo='print foo'
250d04
   unsetopt aliases
250d04
   # use eval else aliases are all parsed at start
250d04
diff --git a/Test/P01privileged.ztst b/Test/P01privileged.ztst
250d04
new file mode 100644
250d04
index 0000000..c54112b
250d04
--- /dev/null
250d04
+++ b/Test/P01privileged.ztst
250d04
@@ -0,0 +1,197 @@
250d04
+# This file contains tests related to the PRIVILEGED option. In order to run,
250d04
+# it requires that the test process itself have super-user privileges (or that
250d04
+# one of the environment variables described below be set). This can be achieved
250d04
+# via, e.g., `sudo make check TESTNUM=P`.
250d04
+#
250d04
+# Optionally, the environment variables ZSH_TEST_UNPRIVILEGED_UID and/or
250d04
+# ZSH_TEST_UNPRIVILEGED_GID may be set to UID:EUID or GID:EGID pairs, where the
250d04
+# two IDs in each pair are different, non-0 IDs valid on the system being used
250d04
+# to run the tests. (The UIDs must both be non-0 to effectively test downgrading
250d04
+# of privileges, and they must be non-matching to test auto-enabling of
250d04
+# PRIVILEGED and to ensure that disabling PRIVILEGED correctly resets the saved
250d04
+# UID. Technically GID 0 is not special, but for simplicity's sake we apply the
250d04
+# same requirements here.)
250d04
+#
250d04
+# If either of the aforementioned environment variables is not set, the test
250d04
+# script will try to pick the first two >0 IDs from the passwd/group databases
250d04
+# on the current system.
250d04
+#
250d04
+# If either variable is set, the tests will run, but they will likely fail
250d04
+# without super-user privileges.
250d04
+
250d04
+%prep
250d04
+
250d04
+  # Mind your empty lines here. The logic in this %prep section is somewhat
250d04
+  # complex compared to most others; to avoid lots of nested/duplicated
250d04
+  # conditions we need to make sure that this all gets executed as a single
250d04
+  # function from which we can return early
250d04
+  [[ $EUID == 0 || -n $ZSH_TEST_UNPRIVILEGED_UID$ZSH_TEST_UNPRIVILEGED_GID ]] || {
250d04
+    ZTST_unimplemented='PRIVILEGED tests require super-user privileges (or env var)'
250d04
+    return 1
250d04
+  }
250d04
+  (( $+commands[perl] )) || { # @todo Eliminate this dependency with a C wrapper?
250d04
+    ZTST_unimplemented='PRIVILEGED tests require Perl'
250d04
+    return 1
250d04
+  }
250d04
+  grep -qE '#define HAVE_SETRES?UID' $ZTST_testdir/../config.h || {
250d04
+    ZTST_unimplemented='PRIVILEGED tests require setreuid()/setresuid()'
250d04
+    return 1
250d04
+  }
250d04
+  #
250d04
+  ruid= euid= rgid= egid=
250d04
+  #
250d04
+  if [[ -n $ZSH_TEST_UNPRIVILEGED_UID ]]; then
250d04
+    ruid=${ZSH_TEST_UNPRIVILEGED_UID%%:*}
250d04
+    euid=${ZSH_TEST_UNPRIVILEGED_UID##*:}
250d04
+  else
250d04
+    print -ru$ZTST_fd 'Selecting unprivileged UID:EUID pair automatically'
250d04
+    local tmp=$( getent passwd 2> /dev/null || < /etc/passwd )
250d04
+    # Note: Some awks require -v and its argument to be separate
250d04
+    ruid=$( awk -F:            '$3 > 0 { print $3; exit; }' <<< $tmp )
250d04
+    euid=$( awk -F: -v u=$ruid '$3 > u { print $3; exit; }' <<< $tmp )
250d04
+  fi
250d04
+  #
250d04
+  if [[ -n $ZSH_TEST_UNPRIVILEGED_GID ]]; then
250d04
+    rgid=${ZSH_TEST_UNPRIVILEGED_GID%%:*}
250d04
+    egid=${ZSH_TEST_UNPRIVILEGED_GID##*:}
250d04
+  else
250d04
+    print -ru$ZTST_fd 'Selecting unprivileged GID:EGID pair automatically'
250d04
+    local tmp=$( getent group 2> /dev/null || < /etc/group )
250d04
+    # Note: Some awks require -v and its argument to be separate
250d04
+    rgid=$( awk -F:            '$3 > 0 { print $3; exit; }' <<< $tmp )
250d04
+    egid=$( awk -F: -v g=$rgid '$3 > g { print $3; exit; }' <<< $tmp )
250d04
+  fi
250d04
+  #
250d04
+  [[ $ruid/$euid == <1->/<1-> && $ruid != $euid ]] || ruid= euid=
250d04
+  [[ $rgid/$egid == <1->/<1-> && $rgid != $egid ]] || rgid= egid=
250d04
+  #
250d04
+  [[ -n $ruid && -n $euid ]] || {
250d04
+    ZTST_unimplemented='PRIVILEGED tests require unprivileged UID:EUID'
250d04
+    return 1
250d04
+  }
250d04
+  [[ -n $rgid || -n $egid ]] || {
250d04
+    ZTST_unimplemented='PRIVILEGED tests require unprivileged GID:EGID'
250d04
+    return 1
250d04
+  }
250d04
+  #
250d04
+  print -ru$ZTST_fd \
250d04
+    "Using unprivileged UID $ruid, EUID $euid, GID $rgid, EGID $egid"
250d04
+  #
250d04
+  # Execute process with specified UID and EUID
250d04
+  # $1     => Real UID
250d04
+  # $2     => Effective UID
250d04
+  # $3     => Real GID
250d04
+  # $4     => Effective GID
250d04
+  # $5 ... => Command + args to execute (must NOT be a shell command string)
250d04
+  re_exec() {
250d04
+    perl -e '
250d04
+      die("re_exec: not enough arguments") unless (@ARGV >= 5);
250d04
+      my ($ruid, $euid, $rgid, $egid, @cmd) = @ARGV;
250d04
+      foreach my $id ($ruid, $euid, $rgid, $egid) {
250d04
+        die("re_exec: invalid ID: $id") unless ($id =~ /^(-1|\d+)$/a);
250d04
+      }
250d04
+      $< = 0 + $ruid if ($ruid >= 0);
250d04
+      $> = 0 + $euid if ($euid >= 0);
250d04
+      $( = 0 + $rgid if ($rgid >= 0);
250d04
+      $) = 0 + $egid if ($egid >= 0);
250d04
+      exec(@cmd);
250d04
+      die("re_exec: exec failed: $!");
250d04
+    ' -- "$@"
250d04
+  }
250d04
+  #
250d04
+  # Convenience wrapper for re_exec to call `zsh -c`
250d04
+  # -* ... => (optional) Command-line options to zsh
250d04
+  # $1     => Real UID
250d04
+  # $2     => Effective UID
250d04
+  # $3     => Real GID
250d04
+  # $4     => Effective GID
250d04
+  # $5 ... => zsh command string; multiple strings are joined by \n
250d04
+  re_zsh() {
250d04
+    local -a opts
250d04
+    while [[ $1 == -[A-Za-z-]* ]]; do
250d04
+      opts+=( $1 )
250d04
+      shift
250d04
+    done
250d04
+    re_exec "$1" "$2" "$3" "$4" $ZTST_exe $opts -fc \
250d04
+      "MODULE_PATH=${(q)MODULE_PATH}; ${(F)@[5,-1]}"
250d04
+  }
250d04
+  #
250d04
+  # Return one or more random unused UIDs
250d04
+  # $1 ... => Names of parameters to store UIDs in
250d04
+  get_unused_uid() {
250d04
+    while (( $# )); do
250d04
+      local i_=0 uid_=
250d04
+      until [[ -n $uid_ ]]; do
250d04
+        (( ++i_ > 99 )) && return 1
250d04
+        uid_=$RANDOM
250d04
+        id $uid_ &> /dev/null || break
250d04
+        uid_=
250d04
+      done
250d04
+      : ${(P)1::=$uid_}
250d04
+      shift
250d04
+    done
250d04
+  }
250d04
+
250d04
+%test
250d04
+
250d04
+  re_zsh $ruid $ruid -1 -1 'echo $UID/$EUID $options[privileged]'
250d04
+  re_zsh $euid $euid -1 -1 'echo $UID/$EUID $options[privileged]'
250d04
+  re_zsh $ruid $euid -1 -1 'echo $UID/$EUID $options[privileged]'
250d04
+0q:PRIVILEGED automatically enabled when RUID != EUID
250d04
+>$ruid/$ruid off
250d04
+>$euid/$euid off
250d04
+>$ruid/$euid on
250d04
+
250d04
+  re_zsh -1 -1 $rgid $rgid 'echo $GID/$EGID $options[privileged]'
250d04
+  re_zsh -1 -1 $egid $egid 'echo $GID/$EGID $options[privileged]'
250d04
+  re_zsh -1 -1 $rgid $egid 'echo $GID/$EGID $options[privileged]'
250d04
+0q:PRIVILEGED automatically enabled when RGID != EGID
250d04
+>$rgid/$rgid off
250d04
+>$egid/$egid off
250d04
+>$rgid/$egid on
250d04
+
250d04
+  re_zsh $ruid $euid -1 -1 'unsetopt privileged; echo $UID/$EUID'
250d04
+0q:EUID set to RUID after disabling PRIVILEGED
250d04
+*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed *
250d04
+*?zsh:unsetopt:1: can't change option: privileged
250d04
+>$ruid/$ruid
250d04
+
250d04
+  re_zsh 0 $euid -1 -1 'unsetopt privileged && echo $UID/$EUID'
250d04
+0:RUID/EUID set to 0/0 when privileged after disabling PRIVILEGED
250d04
+>0/0
250d04
+
250d04
+  re_zsh $ruid $euid -1 -1 "unsetopt privileged; UID=$euid" ||
250d04
+  re_zsh $ruid $euid -1 -1 "unsetopt privileged; EUID=$euid"
250d04
+1:not possible to regain EUID when unprivileged after disabling PRIVILEGED
250d04
+*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed *
250d04
+*?zsh:unsetopt:1: can't change option: privileged
250d04
+*?zsh:1: failed to change user ID: *
250d04
+*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed *
250d04
+*?zsh:unsetopt:1: can't change option: privileged
250d04
+*?zsh:1: failed to change effective user ID: *
250d04
+
250d04
+  re_zsh -1 -1 $rgid $egid 'unsetopt privileged && echo $GID/$EGID'
250d04
+0q:EGID set to RGID after disabling PRIVILEGED
250d04
+>$rgid/$rgid
250d04
+
250d04
+# This test also confirms that we can't revert to the original EUID's primary
250d04
+# GID, which initgroups() may reset the EGID to on some systems
250d04
+  re_zsh $ruid 0 $rgid 0 'unsetopt privileged; GID=0' ||
250d04
+  re_zsh $ruid 0 $rgid 0 'unsetopt privileged; EGID=0'
250d04
+1:not possible to regain EGID when unprivileged after disabling PRIVILEGED
250d04
+*?zsh:1: failed to change group ID: *
250d04
+*?zsh:1: failed to change effective group ID: *
250d04
+
250d04
+  local rruid
250d04
+  grep -qF '#define HAVE_INITGROUPS' $ZTST_testdir/../config.h || {
250d04
+    ZTST_skip='initgroups() not available'
250d04
+    return 1
250d04
+  }
250d04
+  get_unused_uid rruid || {
250d04
+    ZTST_skip="Can't get unused UID"
250d04
+    return 1
250d04
+  }
250d04
+  re_zsh $rruid 0 -1 -1 'unsetopt privileged'
250d04
+1:getpwuid() fails with non-existent RUID and 0 EUID
250d04
+*?zsh:unsetopt:1: can't drop privileges; failed to get user information *
250d04
+*?zsh:unsetopt:1: can't change option: privileged
250d04
diff --git a/Test/README b/Test/README
250d04
index d012277..726d68e 100644
250d04
--- a/Test/README
250d04
+++ b/Test/README
250d04
@@ -6,6 +6,7 @@ scripts names:
250d04
  C: shell commands with special syntax
250d04
  D: substititution
250d04
  E: options
250d04
+ P: privileged (needs super-user privileges)
250d04
  V: modules
250d04
  W: builtin interactive commands and constructs
250d04
  X: line editing
250d04
-- 
250d04
2.21.1
250d04