summaryrefslogtreecommitdiff
path: root/src/runas.c
blob: 8ebe51ae02eeab0c541de286628d0c17fd6d9226 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
#include "fileserv.h"
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <grp.h>

static void
addgid(gid_t **pgv, size_t *pgc, size_t *pgi, gid_t gid)
{
	gid_t *gv = *pgv;
	size_t gc = *pgc;
	size_t gi = *pgi;

	if (gi == gc) {
		if (gc == 0) {
			gc = 16;
			gv = calloc(gc, sizeof(*gv));
		} else if (gc <= SIZE_T_MAX / 2 / sizeof(*gv)) {
			gc *= 2;
			gv = realloc(gv, gc * sizeof(*gv));
		} else 
			xmalloc_fail();
		if (!gv)
			xmalloc_fail();
	}
	gv[gi++] = gid;
	*pgv = gv;
	*pgc = gc;
	*pgi = gi;
}

static int
member(gid_t *gv, size_t gc, gid_t gid)
{
	size_t i;

	for (i = 0; i < gc; i++)
		if (gv[i] == gid)
			return 1;
	return 0;
}

static size_t
get_user_groups(const char *user, gid_t **pgv, size_t *pgc)
{
	struct group *gr;
	size_t gi = 0;
	
	setgrent();
	while ((gr = getgrent())) {
		char **p;
		for (p = gr->gr_mem; *p; p++)
			if (strcmp(*p, user) == 0)
				addgid(pgv, pgc, &gi, gr->gr_gid);
	}
	endgrent();
	return gi;
}

void
runas(char const *runas_user, char const *runas_group)
{
	struct passwd *pw;
	struct group *gr;
	uid_t uid;
	gid_t gid;
	char const *user_name;
	gid_t *gv;
	size_t gc, gn;
	
	if (!(runas_user || runas_group))
		return;
	if (getuid() != 0) {
		error("not root: can't switch to user privileges");
		exit(1);
	}

	user_name = runas_user;
	if (!user_name) {
		pw = getpwuid(0);
		user_name = "root";
	} else if (user_name[0] == '+') {
		char *end;
		unsigned long n;

		errno = 0;
		n = strtoul(user_name + 1, &end, 10);
		if (errno || *end) {
			error("invalid user name %s", user_name);
			exit(1);
		}

		pw = getpwuid(n);
	} else
		pw = getpwnam(user_name);

	if (!pw) {
		error("%s: no such user", runas_user);
		exit(1);
	}
	user_name = pw->pw_name;
		
	uid = pw->pw_uid;
	gid = pw->pw_gid;
	
	if (runas_group) {
		if (runas_group[0] == '+') {
			char *end;
			unsigned long n;

			errno = 0;
			n = strtoul(runas_group + 1, &end, 10);
			if (errno || *end) {
				error("invalid group name %s", runas_group);
				exit(1);
			}

			gr = getgrgid(n);
		} else
			gr = getgrnam(runas_group);

		if (!gr) {
			error("%s: no such group", runas_user);
			exit(1);
		}

		gid = gr->gr_gid;
	}

	gv = NULL;
	gc = 0;
	gn = get_user_groups(user_name, &gv, &gc);
	if (!member(gv, gn, gid))
		addgid(&gv, &gc, &gn, gid);

	/* Reset group permissions */
	if (setgroups(gn, gv)) {
		error("setgroups failed: %s", strerror(errno));
		exit(1);
	}
	free(gv);
	
	if (gid) {
		/* Switch to the user's gid. */
		if (setgid(gid)) {
			error("setgid(%lu) failed: %s",
			      (unsigned long) gid, strerror(errno));
			exit(1);
		}
	}
	
	/* Now reset uid */
	if (uid) {
		if (setuid(uid)) {
			error("setuid(%lu) failed: %s",
			      (unsigned long) uid, strerror(errno));
			exit(1);
		}
	}
}	

Return to:

Send suggestions and report system problems to the System administrator.