src/lib/restrict-access.c

	restrict-access.c revision 2692e6870c98132727f0f6800fabf2e6df571781
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody/* Copyright (c) 2002-2008 Dovecot authors, see the included COPYING file */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#define _GNU_SOURCE /* setresgid() */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include <sys/types.h>
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include <unistd.h>
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include "lib.h"
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include "restrict-access.h"
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include "env-util.h"
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include <stdlib.h>
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include <time.h>
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#include <grp.h>
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmodystatic gid_t primary_gid = (gid_t)-1, privileged_gid = (gid_t)-1;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmodystatic bool using_priv_gid = FALSE;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
1d9053f57383a2382c70f76b0790a7bf192aa891Sergey Kitovvoid restrict_access_set_env(const char *user, uid_t uid,
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                 gid_t gid, gid_t privileged_gid,
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                 const char *chroot_dir,
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                 gid_t first_valid_gid, gid_t last_valid_gid,
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                 const char *extra_groups)
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody{
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (user != NULL && *user != '\0')
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        env_put(t_strconcat("RESTRICT_USER=", user, NULL));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (chroot_dir != NULL && *chroot_dir != '\0')
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        env_put(t_strconcat("RESTRICT_CHROOT=", chroot_dir, NULL));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    env_put(t_strdup_printf("RESTRICT_SETUID=%s", dec2str(uid)));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    env_put(t_strdup_printf("RESTRICT_SETGID=%s", dec2str(gid)));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (privileged_gid != (gid_t)-1) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        env_put(t_strdup_printf("RESTRICT_SETGID_PRIV=%s",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                    dec2str(privileged_gid)));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (extra_groups != NULL && *extra_groups != '\0') {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        env_put(t_strconcat("RESTRICT_SETEXTRAGROUPS=",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                    extra_groups, NULL));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (first_valid_gid != 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        env_put(t_strdup_printf("RESTRICT_GID_FIRST=%s",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                    dec2str(first_valid_gid)));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (last_valid_gid != 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        env_put(t_strdup_printf("RESTRICT_GID_LAST=%s",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                    dec2str(last_valid_gid)));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody}
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmodystatic void restrict_init_groups(gid_t primary_gid, gid_t privileged_gid)
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody{
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (privileged_gid == (gid_t)-1) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        if (primary_gid == getgid() && primary_gid == getegid()) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            /* everything is already set */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            return;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        if (setgid(primary_gid) != 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            i_fatal("setgid(%s) failed with euid=%s, "
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                "gid=%s, egid=%s: %m",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                dec2str(primary_gid), dec2str(geteuid()),
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                dec2str(getgid()), dec2str(getegid()));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        return;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (getegid() != 0 && primary_gid == getgid() &&
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        primary_gid == getegid()) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        /* privileged_gid is hopefully in saved ID. if not,
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody           there's nothing we can do about it. */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        return;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#ifdef HAVE_SETRESGID
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (setresgid(primary_gid, primary_gid, privileged_gid) != 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        i_fatal("setresgid(%s,%s,%s) failed with euid=%s: %m",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            dec2str(primary_gid), dec2str(primary_gid),
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            dec2str(privileged_gid), dec2str(geteuid()));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#else
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (geteuid() == 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        /* real, effective, saved -> privileged_gid */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        if (setgid(privileged_gid) < 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            i_fatal("setgid(%s) failed: %m",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody                dec2str(privileged_gid));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    /* real, effective -> primary_gid
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody       saved -> keep */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if (setregid(primary_gid, primary_gid) != 0) {
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        i_fatal("setregid(%s,%s) failed with euid=%s: %m",
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            dec2str(primary_gid), dec2str(privileged_gid),
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody            dec2str(geteuid()));
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    }
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody#endif
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody}
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmodystatic gid_t *get_groups_list(unsigned int *gid_count_r)
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody{
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    gid_t *gid_list;
c75fd96004b89df8ef2d2c40fc2ce8bc1e46f26aTimo Sirainen    int ret, gid_count;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if ((gid_count = getgroups(0, NULL)) < 0)
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        i_fatal("getgroups() failed: %m");
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    /* @UNSAFE */
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    gid_list = t_new(gid_t, gid_count);
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    if ((ret = getgroups(gid_count, gid_list)) < 0)
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody        i_fatal("getgroups() failed: %m");
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    *gid_count_r = ret;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody    return gid_list;
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody}
78717e55d8c4b6528d1afe70505a19e4fcc0a56fPhil Carmody
static bool drop_restricted_groups(gid_t *gid_list, unsigned int *gid_count,
                   bool *have_root_group)
{
    /* @UNSAFE */
    gid_t first_valid, last_valid;
    const char *env;
    unsigned int i, used;

    env = getenv("RESTRICT_GID_FIRST");
    first_valid = env == NULL ? 0 : (gid_t)strtoul(env, NULL, 10);
    env = getenv("RESTRICT_GID_LAST");
    last_valid = env == NULL ? (gid_t)-1 : (gid_t)strtoul(env, NULL, 10);

    for (i = 0, used = 0; i < *gid_count; i++) {
        if (gid_list[i] >= first_valid &&
            (last_valid == (gid_t)-1 || gid_list[i] <= last_valid)) {
            if (gid_list[i] == 0)
                *have_root_group = TRUE;
            gid_list[used++] = gid_list[i];
        }
    }
    if (*gid_count == used)
        return FALSE;
    *gid_count = used;
    return TRUE;
}

static gid_t get_group_id(const char *name)
{
    struct group *group;

    if (is_numeric(name, '\0'))
        return (gid_t)strtoul(name, NULL, 10);

    group = getgrnam(name);
    if (group == NULL)
        i_fatal("unknown group name in extra_groups: %s", name);
    return group->gr_gid;
}

static void fix_groups_list(const char *extra_groups, gid_t egid,
                bool preserve_existing, bool *have_root_group)
{
    gid_t *gid_list, *gid_list2;
    const char *const *tmp, *empty = NULL;
    unsigned int gid_count;

    tmp = extra_groups == NULL ? &empty :
        t_strsplit_spaces(extra_groups, ", ");

    if (preserve_existing) {
        gid_list = get_groups_list(&gid_count);
        if (!drop_restricted_groups(gid_list, &gid_count,
                        have_root_group) &&
            *tmp == NULL) {
            /* nothing dropped, no extra groups to grant. */
            return;
        }
    } else {
        if (egid == (gid_t)-1 && *tmp == NULL) {
            /* nothing to do */
            return;
        }
        /* Some OSes don't like an empty groups list,
           so use the effective GID as the only one. */
        gid_list = t_new(gid_t, 2);
        gid_list[0] = egid != (gid_t)-1 ? egid : getegid();
        gid_count = 1;
    }

    if (*tmp != NULL) {
        /* @UNSAFE: add extra groups to gids list */
        gid_list2 = t_new(gid_t, gid_count + str_array_length(tmp));
        memcpy(gid_list2, gid_list, gid_count * sizeof(gid_t));
        for (; *tmp != NULL; tmp++)
            gid_list2[gid_count++] = get_group_id(*tmp);
        gid_list = gid_list2;
    }

    if (setgroups(gid_count, gid_list) < 0) {
        if (errno == EINVAL) {
            i_fatal("setgroups(%s) failed: Too many extra groups",
                extra_groups == NULL ? "" : extra_groups);
        } else {
            i_fatal("setgroups() failed: %m");
        }
    }
}

void restrict_access_by_env(bool disallow_root)
{
    const char *env;
    uid_t uid;
    bool is_root, have_root_group, preserve_groups = FALSE;
    bool allow_root_gid;

    is_root = geteuid() == 0;

    /* set the primary/privileged group */
    env = getenv("RESTRICT_SETGID");
    primary_gid = env == NULL || *env == '\0' ? (gid_t)-1 :
        (gid_t)strtoul(env, NULL, 10);
    env = getenv("RESTRICT_SETGID_PRIV");
    privileged_gid = env == NULL || *env == '\0' ? (gid_t)-1 :
        (gid_t)strtoul(env, NULL, 10);

    have_root_group = primary_gid == 0;
    if (primary_gid != (gid_t)-1 || privileged_gid != (gid_t)-1) {
        if (primary_gid == (gid_t)-1)
            primary_gid = getegid();
        restrict_init_groups(primary_gid, privileged_gid);
    }

    /* set system user's groups */
    env = getenv("RESTRICT_USER");
    if (env != NULL && *env != '\0' && is_root) {
        if (initgroups(env, primary_gid) < 0) {
            i_fatal("initgroups(%s, %s) failed: %m",
                env, dec2str(primary_gid));
        }
        preserve_groups = TRUE;
    }

    /* add extra groups. if we set system user's groups, drop the
       restricted groups at the same time. */
    env = getenv("RESTRICT_SETEXTRAGROUPS");
    if (is_root) {
        T_BEGIN {
            fix_groups_list(env, primary_gid, preserve_groups,
                    &have_root_group);
        } T_END;
    }

    /* chrooting */
    env = getenv("RESTRICT_CHROOT");
    if (env != NULL && *env != '\0') {
        /* kludge: localtime() must be called before chroot(),
           or the timezone isn't known */
        const char *home = getenv("HOME");
        time_t t = 0;
        (void)localtime(&t);

        if (chroot(env) != 0)
            i_fatal("chroot(%s) failed: %m", env);

        if (home != NULL) {
            if (chdir(home) < 0) {
                i_error("chdir(%s) failed: %m", home);
                home = NULL;
            }
        }
        if (home == NULL) {
            if (chdir("/") != 0)
                i_fatal("chdir(/) failed: %m");
        }
    }

    /* uid last */
    env = getenv("RESTRICT_SETUID");
    uid = env == NULL || *env == '\0' ? 0 : (uid_t)strtoul(env, NULL, 10);
    if (uid != 0) {
        if (setuid(uid) != 0) {
            i_fatal("setuid(%s) failed with euid=%s: %m",
                dec2str(uid), dec2str(geteuid()));
        }
    }

    /* verify that we actually dropped the privileges */
    if (uid != 0 || disallow_root) {
        if (setuid(0) == 0) {
            if (uid == 0)
                i_fatal("Running as root isn't permitted");
            i_fatal("We couldn't drop root privileges");
        }
    }

    env = getenv("RESTRICT_GID_FIRST");
    if (env != NULL && atoi(env) != 0)
        allow_root_gid = FALSE;
    else if (primary_gid == 0 || privileged_gid == 0)
        allow_root_gid = TRUE;
    else
        allow_root_gid = FALSE;

    if (!allow_root_gid && uid != 0) {
        if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
            if (primary_gid == 0)
                i_fatal("GID 0 isn't permitted");
            i_fatal("We couldn't drop root group privileges "
                "(wanted=%s, gid=%s, egid=%s)",
                dec2str(primary_gid),
                dec2str(getgid()), dec2str(getegid()));
        }
    }

    /* clear the environment, so we don't fail if we get back here */
    env_put("RESTRICT_USER=");
    env_put("RESTRICT_CHROOT=");
    env_put("RESTRICT_SETUID=");
    if (privileged_gid == (gid_t)-1) {
        /* if we're dropping privileges before executing and
           a privileged group is set, the groups must be fixed
           after exec */
        env_put("RESTRICT_SETGID=");
        env_put("RESTRICT_SETGID_PRIV=");
    }
    env_put("RESTRICT_SETEXTRAGROUPS=");
    env_put("RESTRICT_GID_FIRST=");
    env_put("RESTRICT_GID_LAST=");
}

int restrict_access_use_priv_gid(void)
{
    i_assert(!using_priv_gid);

    if (privileged_gid == (gid_t)-1)
        return 0;
    if (setegid(privileged_gid) < 0) {
        i_error("setegid(privileged) failed: %m");
        return -1;
    }
    using_priv_gid = TRUE;
    return 0;
}

void restrict_access_drop_priv_gid(void)
{
    if (!using_priv_gid)
        return;

    if (setegid(primary_gid) < 0)
        i_fatal("setegid(primary) failed: %m");
    using_priv_gid = FALSE;
}

bool restrict_access_have_priv_gid(void)
{
    return privileged_gid != (gid_t)-1;
}