2 * Copyright (c) 2006 nCircle Network Security, Inc.
5 * This software was developed by Robert N. M. Watson for the TrustedBSD
6 * Project under contract to nCircle Network Security, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
21 * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
23 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
24 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
25 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
26 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 * There are three cases in which the file system will clear the setuid or
34 * setgid bits on a file when running as !root:
36 * - When the file is chown()'d and either of the uid or the gid is changed.
38 * - The file is written to succeesfully.
40 * - An extended attribute of the file is written to successfully.
42 * Test each case first as root (that flags aren't cleared), and then as
43 * !root, to check they are cleared.
46 #include <sys/types.h>
47 #include <sys/extattr.h>
58 static const gid_t gidset[] = {GID_WHEEL, GID_OWNER, GID_OTHER};
61 * Confirm that the setuid bit is set on a file. Don't return on failure.
64 confirm_setuid(char *fpathp, char *test_case)
68 if (stat(fpathp, &sb) < 0) {
69 warn("%s stat(%s)", test_case, fpathp);
70 (void)seteuid(UID_ROOT);
74 if (!(sb.st_mode & S_ISUID)) {
75 warnx("case %s stat(%s) not setuid", test_case, fpathp);
76 (void)seteuid(UID_ROOT);
83 * Confirm that the setuid bit is not set on a file. Don't return on failure.
86 confirm_notsetuid(char *fpathp, char *test_case)
90 if (stat(fpathp, &sb) < 0) {
91 warn("%s stat(%s)", test_case, fpathp);
92 (void)seteuid(UID_ROOT);
96 if (sb.st_mode & S_ISUID) {
97 warnx("case %s stat(%s) is setuid", test_case, fpathp);
98 (void)seteuid(UID_ROOT);
104 #define EA_NAMESPACE EXTATTR_NAMESPACE_USER
105 #define EA_NAME "clearsugid"
106 #define EA_DATA "test"
107 #define EA_SIZE (strlen(EA_DATA))
109 priv_vfs_clearsugid(void)
111 char ch, fpath[1024];
117 * Before starting on work, set up group IDs so that the process can
118 * change the group ID of the file without privilege, in order to see
119 * the effects. That way privilege is only required to maintain the
120 * setuid bit. For the chown() test, we change only the group id, as
121 * that can be done with or without privilege.
123 if (setgroups(3, gidset) < 0)
124 err(-1, "setgroups(2, {%d, %d})", GID_WHEEL, GID_OWNER);
127 * chown() with privilege.
129 setup_file(fpath, UID_ROOT, GID_WHEEL, 0600 | S_ISUID);
130 if (chown(fpath, -1, GID_OTHER) < 0)
131 warn("chown(%s, -1, %d) as root", fpath, GID_OTHER);
132 confirm_setuid(fpath, "chown as root");
136 * write() with privilege.
138 setup_file(fpath, UID_ROOT, GID_WHEEL, 0600 | S_ISUID);
139 fd = open(fpath, O_RDWR);
141 warn("open(%s) as root", fpath);
145 if (write(fd, &ch, sizeof(ch)) < 0) {
146 warn("write(%s) as root", fpath);
150 confirm_setuid(fpath, "write as root");
154 * extwrite() with privilege.
156 setup_file(fpath, UID_ROOT, GID_WHEEL, 0600 | S_ISUID);
157 if (extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA, EA_SIZE)
159 warn("extattr_set_file(%s, user, %s, %s, %d) as root",
160 fpath, EA_NAME, EA_DATA, EA_SIZE);
163 confirm_setuid(fpath, "extwrite as root");
167 * chown() without privilege.
169 setup_file(fpath, UID_OWNER, GID_OWNER, 0600 | S_ISUID);
171 if (chown(fpath, -1, GID_OTHER) < 0)
172 warn("chown(%s, -1, %d) as !root", fpath, GID_OTHER);
174 confirm_notsetuid(fpath, "chown as !root");
178 * write() without privilege.
180 setup_file(fpath, UID_OWNER, GID_OWNER, 0600 | S_ISUID);
182 fd = open(fpath, O_RDWR);
184 warn("open(%s) as !root", fpath);
188 if (write(fd, &ch, sizeof(ch)) < 0) {
189 warn("write(%s) as !root", fpath);
194 confirm_notsetuid(fpath, "write as !root");
198 * extwrite() without privilege.
200 setup_file(fpath, UID_OWNER, GID_OWNER, 0600 | S_ISUID);
202 if (extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA, EA_SIZE)
204 warn("extattr_set_file(%s, user, %s, %s, %d) as !root",
205 fpath, EA_NAME, EA_DATA, EA_SIZE);
209 confirm_notsetuid(fpath, "extwrite as !root");
213 (void)seteuid(UID_ROOT);