2 * privs.h - header for privileged operations
4 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
6 * Copyright (C) 1993 Thomas Koenig
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. The name of the author(s) may not be used to endorse or promote
14 * products derived from this software without specific prior written
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 /* Relinquish privileges temporarily for a setuid or setgid program
37 * with the option of getting them back later. This is done by
38 * utilizing POSIX saved user and group IDs. Call RELINQUISH_PRIVS once
39 * at the beginning of the main program. This will cause all operations
40 * to be executed with the real userid. When you need the privileges
41 * of the setuid/setgid invocation, call PRIV_START; when you no longer
42 * need it, call PRIV_END. Note that it is an error to call PRIV_START
43 * and not PRIV_END within the same function.
45 * Use RELINQUISH_PRIVS_ROOT(a,b) if your program started out running
46 * as root, and you want to drop back the effective userid to a
47 * and the effective group id to b, with the option to get them back
50 * If you no longer need root privileges, but those of some other
51 * userid/groupid, you can call REDUCE_PRIV(a,b) when your effective
54 * Problems: Do not use return between PRIV_START and PRIV_END; this
55 * will cause the program to continue running in an unprivileged
58 * It is NOT safe to call exec(), system() or popen() with a user-
59 * supplied program (i.e. without carefully checking PATH and any
60 * library load paths) with relinquished privileges; the called program
61 * can acquire them just as easily. Set both effective and real userid
62 * to the real userid before calling any of them.
65 extern uid_t real_uid, effective_uid;
66 extern gid_t real_gid, effective_gid;
69 uid_t real_uid, effective_uid;
70 gid_t real_gid, effective_gid;
73 #define RELINQUISH_PRIVS { \
74 real_uid = getuid(); \
75 effective_uid = geteuid(); \
76 real_gid = getgid(); \
77 effective_gid = getegid(); \
78 if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \
79 if (setegid(real_gid) != 0) err(1, "setegid failed"); \
82 #define RELINQUISH_PRIVS_ROOT(a, b) { \
84 effective_uid = geteuid(); \
86 effective_gid = getegid(); \
87 if (setegid(real_gid) != 0) err(1, "setegid failed"); \
88 if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \
91 #define PRIV_START { \
92 if (seteuid(effective_uid) != 0) err(1, "seteuid failed"); \
93 if (setegid(effective_gid) != 0) err(1, "setegid failed"); \
97 if (setegid(real_gid) != 0) err(1, "setegid failed"); \
98 if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \
101 #define REDUCE_PRIV(a, b) { \
103 effective_uid = (a); \
104 effective_gid = (b); \
105 if (setregid((gid_t)-1, effective_gid) != 0) err(1, "setregid failed"); \
106 if (setreuid((uid_t)-1, effective_uid) != 0) err(1, "setreuid failed"); \