--- embedaddon/sudo/plugins/sudoers/set_perms.c 2012/10/09 09:29:52 1.1.1.3 +++ embedaddon/sudo/plugins/sudoers/set_perms.c 2014/06/15 16:12:54 1.1.1.6 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994-1996,1998-2011 Todd C. Miller + * Copyright (c) 1994-1996,1998-2013 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,7 +21,6 @@ #include #include -#include #include #include #ifdef STDC_HEADERS @@ -80,18 +79,20 @@ static struct perm_state perm_stack[PERM_STACK_MAX]; static int perm_stack_depth = 0; #undef ID -#define ID(x) (state->x == ostate->x ? -1 : state->x) +#define ID(x) (state->x == ostate->x ? (uid_t)-1 : state->x) #undef OID -#define OID(x) (ostate->x == state->x ? -1 : ostate->x) +#define OID(x) (ostate->x == state->x ? (uid_t)-1 : ostate->x) void rewind_perms(void) { debug_decl(rewind_perms, SUDO_DEBUG_PERMS) - while (perm_stack_depth > 1) - restore_perms(); - sudo_grlist_delref(perm_stack[0].grlist); + if (perm_stack_depth != 0) { + while (perm_stack_depth > 1) + restore_perms(); + sudo_grlist_delref(perm_stack[0].grlist); + } debug_return; } @@ -112,6 +113,7 @@ set_perms(int perm) { struct perm_state *state, *ostate = NULL; char errbuf[1024]; + const char *errstr = errbuf; int noexit; debug_decl(set_perms, SUDO_DEBUG_PERMS) @@ -119,7 +121,7 @@ set_perms(int perm) CLR(perm, PERM_MASK); if (perm_stack_depth == PERM_STACK_MAX) { - strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf)); + errstr = N_("perm stack overflow"); errno = EINVAL; goto bad; } @@ -127,7 +129,7 @@ set_perms(int perm) state = &perm_stack[perm_stack_depth]; if (perm != PERM_INITIAL) { if (perm_stack_depth == 0) { - strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf)); + errstr = N_("perm stack underflow"); errno = EINVAL; goto bad; } @@ -139,12 +141,12 @@ set_perms(int perm) /* Stash initial state */ #ifdef HAVE_GETRESUID if (getresuid(&state->ruid, &state->euid, &state->suid)) { - strlcpy(errbuf, "PERM_INITIAL: getresuid", sizeof(errbuf)); + errstr = "PERM_INITIAL: getresuid"; goto bad; } if (getresgid(&state->rgid, &state->egid, &state->sgid)) { - strlcpy(errbuf, "PERM_INITIAL: getresgid", sizeof(errbuf)); + errstr = "PERM_INITIAL: getresgid"; goto bad; } #else @@ -179,8 +181,16 @@ set_perms(int perm) goto bad; } state->rgid = ostate->rgid; - state->egid = ostate->egid; + state->egid = ROOT_GID; state->sgid = ostate->sgid; + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: " + "[%d, %d, %d] -> [%d, %d, %d]", __func__, + (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid, + (int)state->rgid, (int)state->egid, (int)state->sgid); + if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) { + errstr = N_("unable to change to root gid"); + goto bad; + } state->grlist = ostate->grlist; sudo_grlist_addref(state->grlist); break; @@ -202,7 +212,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_USER: setgroups"; goto bad; } } @@ -239,7 +249,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_FULL_USER: setgroups"; goto bad; } } @@ -267,7 +277,7 @@ set_perms(int perm) (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid, (int)state->rgid, (int)state->egid, (int)state->sgid); if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) { - strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf)); + errstr = N_("unable to change to runas gid"); goto bad; } state->grlist = runas_setgroups(); @@ -279,7 +289,7 @@ set_perms(int perm) (int)ostate->ruid, (int)ostate->euid, (int)ostate->suid, (int)state->ruid, (int)state->euid, (int)state->suid); if (UID_CHANGED && setresuid(ID(ruid), ID(euid), ID(suid))) { - strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf)); + errstr = N_("unable to change to runas uid"); goto bad; } break; @@ -297,7 +307,7 @@ set_perms(int perm) (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid, (int)state->rgid, (int)state->egid, (int)state->sgid); if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) { - strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf)); + errstr = N_("unable to change to sudoers gid"); goto bad; } @@ -349,8 +359,10 @@ set_perms(int perm) perm_stack_depth++; debug_return_bool(1); bad: - warningx("%s: %s", errbuf, - errno == EAGAIN ? _("too many processes") : strerror(errno)); + if (errno == EAGAIN) + warningx(U_("%s: %s"), U_(errstr), U_("too many processes")); + else + warning("%s", U_(errstr)); if (noexit) debug_return_bool(0); exit(1); @@ -426,6 +438,7 @@ set_perms(int perm) { struct perm_state *state, *ostate = NULL; char errbuf[1024]; + const char *errstr = errbuf; int noexit; debug_decl(set_perms, SUDO_DEBUG_PERMS) @@ -433,7 +446,7 @@ set_perms(int perm) CLR(perm, PERM_MASK); if (perm_stack_depth == PERM_STACK_MAX) { - strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf)); + errstr = N_("perm stack overflow"); errno = EINVAL; goto bad; } @@ -441,7 +454,7 @@ set_perms(int perm) state = &perm_stack[perm_stack_depth]; if (perm != PERM_INITIAL) { if (perm_stack_depth == 0) { - strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf)); + errstr = N_("perm stack underflow"); errno = EINVAL; goto bad; } @@ -481,8 +494,16 @@ set_perms(int perm) goto bad; } state->rgid = ostate->rgid; - state->egid = ostate->egid; + state->egid = ROOT_GID; state->sgid = ostate->sgid; + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: " + "[%d, %d, %d] -> [%d, %d, %d]", __func__, + (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid, + (int)state->rgid, (int)state->egid, (int)state->sgid); + if (GID_CHANGED && setgidx(ID_EFFECTIVE, ROOT_GID)) { + errstr = N_("unable to change to root gid"); + goto bad; + } state->grlist = ostate->grlist; sudo_grlist_addref(state->grlist); break; @@ -504,7 +525,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_USER: setgroups"; goto bad; } } @@ -549,7 +570,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_FULL_USER: setgroups"; goto bad; } } @@ -577,7 +598,7 @@ set_perms(int perm) (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid, (int)state->rgid, (int)state->egid, (int)state->sgid); if (GID_CHANGED && setgidx(ID_EFFECTIVE, state->egid)) { - strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf)); + errstr = N_("unable to change to runas gid"); goto bad; } state->grlist = runas_setgroups(); @@ -589,7 +610,7 @@ set_perms(int perm) (int)ostate->ruid, (int)ostate->euid, (int)ostate->suid, (int)state->ruid, (int)state->euid, (int)state->suid); if (UID_CHANGED && setuidx(ID_EFFECTIVE, state->euid)) { - strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf)); + errstr = N_("unable to change to runas uid"); goto bad; } break; @@ -607,7 +628,7 @@ set_perms(int perm) (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid, (int)state->rgid, (int)state->egid, (int)state->sgid); if (GID_CHANGED && setgidx(ID_EFFECTIVE, sudoers_gid)) { - strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf)); + errstr = N_("unable to change to sudoers gid"); goto bad; } @@ -677,8 +698,10 @@ set_perms(int perm) perm_stack_depth++; debug_return_bool(1); bad: - warningx("%s: %s", errbuf, - errno == EAGAIN ? _("too many processes") : strerror(errno)); + if (errno == EAGAIN) + warningx(U_("%s: %s"), U_(errstr), U_("too many processes")); + else + warning("%s", U_(errstr)); if (noexit) debug_return_bool(0); exit(1); @@ -818,6 +841,7 @@ set_perms(int perm) { struct perm_state *state, *ostate = NULL; char errbuf[1024]; + const char *errstr = errbuf; int noexit; debug_decl(set_perms, SUDO_DEBUG_PERMS) @@ -825,7 +849,7 @@ set_perms(int perm) CLR(perm, PERM_MASK); if (perm_stack_depth == PERM_STACK_MAX) { - strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf)); + errstr = N_("perm stack overflow"); errno = EINVAL; goto bad; } @@ -833,7 +857,7 @@ set_perms(int perm) state = &perm_stack[perm_stack_depth]; if (perm != PERM_INITIAL) { if (perm_stack_depth == 0) { - strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf)); + errstr = N_("perm stack underflow"); errno = EINVAL; goto bad; } @@ -867,7 +891,7 @@ set_perms(int perm) if (ostate->euid != ROOT_UID) { if (setreuid(-1, ROOT_UID)) { snprintf(errbuf, sizeof(errbuf), - "PERM_ROOT: setreuid(-1, %d)", PERM_ROOT); + "PERM_ROOT: setreuid(-1, %d)", ROOT_UID); goto bad; } } @@ -879,7 +903,15 @@ set_perms(int perm) } } state->rgid = ostate->rgid; - state->egid = ostate->rgid; + state->egid = ROOT_GID; + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: " + "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid, + (int)ostate->egid, (int)state->rgid, (int)state->egid); + if (GID_CHANGED && setregid(ID(rgid), ID(egid))) { + snprintf(errbuf, sizeof(errbuf), + "PERM_ROOT: setregid(%d, %d)", ID(rgid), ID(egid)); + goto bad; + } state->grlist = ostate->grlist; sudo_grlist_addref(state->grlist); break; @@ -899,7 +931,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_USER: setgroups"; goto bad; } } @@ -931,7 +963,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_FULL_USER: setgroups"; goto bad; } } @@ -954,7 +986,7 @@ set_perms(int perm) "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid, (int)ostate->egid, (int)state->rgid, (int)state->egid); if (GID_CHANGED && setregid(ID(rgid), ID(egid))) { - strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf)); + errstr = N_("unable to change to runas gid"); goto bad; } state->grlist = runas_setgroups(); @@ -964,7 +996,7 @@ set_perms(int perm) "[%d, %d] -> [%d, %d]", __func__, (int)ostate->ruid, (int)ostate->euid, (int)state->ruid, (int)state->euid); if (UID_CHANGED && setreuid(ID(ruid), ID(euid))) { - strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf)); + errstr = N_("unable to change to runas uid"); goto bad; } break; @@ -980,7 +1012,7 @@ set_perms(int perm) "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid, (int)ostate->egid, (int)state->rgid, (int)state->egid); if (GID_CHANGED && setregid(ID(rgid), ID(egid))) { - strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf)); + errstr = N_("unable to change to sudoers gid"); goto bad; } @@ -1025,8 +1057,10 @@ set_perms(int perm) perm_stack_depth++; debug_return_bool(1); bad: - warningx("%s: %s", errbuf, - errno == EAGAIN ? _("too many processes") : strerror(errno)); + if (errno == EAGAIN) + warningx(U_("%s: %s"), U_(errstr), U_("too many processes")); + else + warning("%s", U_(errstr)); if (noexit) debug_return_bool(0); exit(1); @@ -1059,7 +1093,7 @@ restore_perms(void) if (OID(euid) == ROOT_UID) { /* setuid() may not set the saved ID unless the euid is ROOT_UID */ if (ID(euid) != ROOT_UID) - (void)setreuid(-1, ROOT_UID); + ignore_result(setreuid(-1, ROOT_UID)); if (setuid(ROOT_UID)) { warning("setuid() [%d, %d] -> %d)", (int)state->ruid, (int)state->euid, ROOT_UID); @@ -1104,6 +1138,7 @@ set_perms(int perm) { struct perm_state *state, *ostate = NULL; char errbuf[1024]; + const char *errstr = errbuf; int noexit; debug_decl(set_perms, SUDO_DEBUG_PERMS) @@ -1111,7 +1146,7 @@ set_perms(int perm) CLR(perm, PERM_MASK); if (perm_stack_depth == PERM_STACK_MAX) { - strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf)); + errstr = N_("perm stack overflow"); errno = EINVAL; goto bad; } @@ -1119,7 +1154,7 @@ set_perms(int perm) state = &perm_stack[perm_stack_depth]; if (perm != PERM_INITIAL) { if (perm_stack_depth == 0) { - strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf)); + errstr = N_("perm stack underflow"); errno = EINVAL; goto bad; } @@ -1165,7 +1200,14 @@ set_perms(int perm) state->ruid = ROOT_UID; state->euid = ROOT_UID; state->rgid = ostate->rgid; - state->egid = ostate->egid; + state->egid = ROOT_GID; + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: " + "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid, + (int)ostate->egid, ROOT_GID, ROOT_GID); + if (GID_CHANGED && setegid(ROOT_GID)) { + errstr = N_("unable to change to root gid"); + goto bad; + } state->grlist = ostate->grlist; sudo_grlist_addref(state->grlist); break; @@ -1185,7 +1227,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_USER: setgroups"; goto bad; } } @@ -1217,7 +1259,7 @@ set_perms(int perm) sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_FULL_USER: setgroups"; goto bad; } } @@ -1240,7 +1282,7 @@ set_perms(int perm) "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid, (int)ostate->egid, (int)state->rgid, (int)state->egid); if (GID_CHANGED && setegid(state->egid)) { - strlcpy(errbuf, _("unable to change to runas gid"), sizeof(errbuf)); + errstr = N_("unable to change to runas gid"); goto bad; } state->grlist = runas_setgroups(); @@ -1250,7 +1292,7 @@ set_perms(int perm) "[%d, %d] -> [%d, %d]", __func__, (int)ostate->ruid, (int)ostate->euid, (int)state->ruid, (int)state->euid); if (seteuid(state->euid)) { - strlcpy(errbuf, _("unable to change to runas uid"), sizeof(errbuf)); + errstr = N_("unable to change to runas uid"); goto bad; } break; @@ -1266,7 +1308,7 @@ set_perms(int perm) "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid, (int)ostate->egid, (int)state->rgid, (int)state->egid); if (GID_CHANGED && setegid(sudoers_gid)) { - strlcpy(errbuf, _("unable to change to sudoers gid"), sizeof(errbuf)); + errstr = N_("unable to change to sudoers gid"); goto bad; } @@ -1311,8 +1353,10 @@ set_perms(int perm) perm_stack_depth++; debug_return_bool(1); bad: - warningx("%s: %s", errbuf, - errno == EAGAIN ? _("too many processes") : strerror(errno)); + if (errno == EAGAIN) + warningx(U_("%s: %s"), U_(errstr), U_("too many processes")); + else + warning("%s", U_(errstr)); if (noexit) debug_return_bool(0); exit(1); @@ -1386,6 +1430,7 @@ set_perms(int perm) { struct perm_state *state, *ostate = NULL; char errbuf[1024]; + const char *errstr = errbuf; int noexit; debug_decl(set_perms, SUDO_DEBUG_PERMS) @@ -1393,7 +1438,7 @@ set_perms(int perm) CLR(perm, PERM_MASK); if (perm_stack_depth == PERM_STACK_MAX) { - strlcpy(errbuf, _("perm stack overflow"), sizeof(errbuf)); + errstr = N_("perm stack overflow"); errno = EINVAL; goto bad; } @@ -1401,7 +1446,7 @@ set_perms(int perm) state = &perm_stack[perm_stack_depth]; if (perm != PERM_INITIAL) { if (perm_stack_depth == 0) { - strlcpy(errbuf, _("perm stack underflow"), sizeof(errbuf)); + errstr = N_("perm stack underflow"); errno = EINVAL; goto bad; } @@ -1421,7 +1466,7 @@ set_perms(int perm) case PERM_ROOT: state->ruid = ROOT_UID; - state->rgid = ostate->rgid; + state->rgid = ROOT_GID; state->grlist = ostate->grlist; sudo_grlist_addref(state->grlist); sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: " @@ -1430,23 +1475,29 @@ set_perms(int perm) snprintf(errbuf, sizeof(errbuf), "PERM_ROOT: setuid(%d)", ROOT_UID); goto bad; } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: " + "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid); + if (setgid(ROOT_GID)) { + errstr = N_("unable to change to root gid"); + goto bad; + } break; case PERM_FULL_USER: state->rgid = user_gid; - sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: " + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: gid: " "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid); (void) setgid(user_gid); state->grlist = user_group_list; sudo_grlist_addref(state->grlist); if (state->grlist != ostate->grlist) { if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) { - strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf)); + errstr = "PERM_FULL_USER: setgroups"; goto bad; } } state->ruid = user_uid; - sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: " + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: uid: " "[%d] -> [%d]", __func__, (int)ostate->ruid, (int)state->ruid); if (setuid(user_uid)) { snprintf(errbuf, sizeof(errbuf), @@ -1470,8 +1521,10 @@ set_perms(int perm) perm_stack_depth++; debug_return_bool(1); bad: - warningx("%s: %s", errbuf, - errno == EAGAIN ? _("too many processes") : strerror(errno)); + if (errno == EAGAIN) + warningx(U_("%s: %s"), U_(errstr), U_("too many processes")); + else + warning("%s", U_(errstr)); if (noexit) debug_return_bool(0); exit(1); @@ -1539,7 +1592,7 @@ runas_setgroups(void) aix_restoreauthdb(); #endif if (sudo_setgroups(grlist->ngids, grlist->gids) < 0) - log_fatal(USE_ERRNO|MSG_ONLY, _("unable to set runas group vector")); + log_fatal(USE_ERRNO|MSG_ONLY, N_("unable to set runas group vector")); debug_return_ptr(grlist); } #endif /* HAVE_SETRESUID || HAVE_SETREUID || HAVE_SETEUID */