summaryrefslogtreecommitdiffstats
path: root/src/lib/restrict-access.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
commitf7548d6d28c313cf80e6f3ef89aed16a19815df1 (patch)
treea3f6f2a3f247293bee59ecd28e8cd8ceb6ca064a /src/lib/restrict-access.c
parentInitial commit. (diff)
downloaddovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.tar.xz
dovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.zip
Adding upstream version 1:2.3.19.1+dfsg1.upstream/1%2.3.19.1+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/lib/restrict-access.c')
-rw-r--r--src/lib/restrict-access.c531
1 files changed, 531 insertions, 0 deletions
diff --git a/src/lib/restrict-access.c b/src/lib/restrict-access.c
new file mode 100644
index 0000000..a8fc47d
--- /dev/null
+++ b/src/lib/restrict-access.c
@@ -0,0 +1,531 @@
+/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */
+
+#define _GNU_SOURCE /* setresgid() */
+#include <stdio.h> /* for AIX */
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "lib.h"
+#include "str.h"
+#include "restrict-access.h"
+#include "env-util.h"
+#include "ipwd.h"
+
+#include <time.h>
+#ifdef HAVE_PR_SET_DUMPABLE
+# include <sys/prctl.h>
+#endif
+
+static gid_t process_primary_gid = (gid_t)-1;
+static gid_t process_privileged_gid = (gid_t)-1;
+static bool process_using_priv_gid = FALSE;
+static char *chroot_dir = NULL;
+
+void restrict_access_init(struct restrict_access_settings *set)
+{
+ i_zero(set);
+
+ set->uid = (uid_t)-1;
+ set->gid = (gid_t)-1;
+ set->privileged_gid = (gid_t)-1;
+}
+
+static const char *get_uid_str(uid_t uid)
+{
+ struct passwd pw;
+ const char *ret;
+ int old_errno = errno;
+
+ if (i_getpwuid(uid, &pw) <= 0)
+ ret = dec2str(uid);
+ else
+ ret = t_strdup_printf("%s(%s)", dec2str(uid), pw.pw_name);
+ errno = old_errno;
+ return ret;
+}
+
+static const char *get_gid_str(gid_t gid)
+{
+ struct group group;
+ const char *ret;
+ int old_errno = errno;
+
+ if (i_getgrgid(gid, &group) <= 0)
+ ret = dec2str(gid);
+ else
+ ret = t_strdup_printf("%s(%s)", dec2str(gid), group.gr_name);
+ errno = old_errno;
+ return ret;
+}
+
+static void restrict_init_groups(gid_t primary_gid, gid_t privileged_gid,
+ const char *gid_source)
+{
+ string_t *str;
+
+ if (privileged_gid == (gid_t)-1) {
+ if (primary_gid == getgid() && primary_gid == getegid()) {
+ /* everything is already set */
+ return;
+ }
+
+ if (setgid(primary_gid) == 0)
+ return;
+
+ str = t_str_new(128);
+ str_printfa(str, "setgid(%s", get_gid_str(primary_gid));
+ if (gid_source != NULL)
+ str_printfa(str, " from %s", gid_source);
+ str_printfa(str, ") failed with euid=%s, gid=%s, egid=%s: %m "
+ "(This binary should probably be called with "
+ "process group set to %s instead of %s)",
+ get_uid_str(geteuid()),
+ get_gid_str(getgid()), get_gid_str(getegid()),
+ get_gid_str(primary_gid), get_gid_str(getegid()));
+ i_fatal("%s", str_c(str));
+ }
+
+ if (getegid() != 0 && primary_gid == getgid() &&
+ primary_gid == getegid()) {
+ /* privileged_gid is hopefully in saved ID. if not,
+ there's nothing we can do about it. */
+ return;
+ }
+
+#ifdef HAVE_SETRESGID
+ if (setresgid(primary_gid, primary_gid, privileged_gid) != 0) {
+ i_fatal("setresgid(%s,%s,%s) failed with euid=%s: %m",
+ get_gid_str(primary_gid), get_gid_str(primary_gid),
+ get_gid_str(privileged_gid), get_uid_str(geteuid()));
+ }
+#else
+ if (geteuid() == 0) {
+ /* real, effective, saved -> privileged_gid */
+ if (setgid(privileged_gid) < 0) {
+ i_fatal("setgid(%s) failed: %m",
+ get_gid_str(privileged_gid));
+ }
+ }
+ /* real, effective -> primary_gid
+ saved -> keep */
+ if (setregid(primary_gid, primary_gid) != 0) {
+ i_fatal("setregid(%s,%s) failed with euid=%s: %m",
+ get_gid_str(primary_gid), get_gid_str(privileged_gid),
+ get_uid_str(geteuid()));
+ }
+#endif
+}
+
+gid_t *restrict_get_groups_list(unsigned int *gid_count_r)
+{
+ gid_t *gid_list;
+ int ret, gid_count;
+
+ if ((gid_count = getgroups(0, NULL)) < 0)
+ i_fatal("getgroups() failed: %m");
+
+ /* @UNSAFE */
+ gid_list = t_new(gid_t, gid_count+1); /* +1 in case gid_count=0 */
+ if ((ret = getgroups(gid_count, gid_list)) < 0)
+ i_fatal("getgroups() failed: %m");
+
+ *gid_count_r = ret;
+ return gid_list;
+}
+
+static void drop_restricted_groups(const struct restrict_access_settings *set,
+ gid_t *gid_list, unsigned int *gid_count,
+ bool *have_root_group)
+{
+ /* @UNSAFE */
+ unsigned int i, used;
+
+ for (i = 0, used = 0; i < *gid_count; i++) {
+ if (gid_list[i] >= set->first_valid_gid &&
+ (set->last_valid_gid == 0 ||
+ gid_list[i] <= set->last_valid_gid)) {
+ if (gid_list[i] == 0)
+ *have_root_group = TRUE;
+ gid_list[used++] = gid_list[i];
+ }
+ }
+ *gid_count = used;
+}
+
+static gid_t get_group_id(const char *name)
+{
+ struct group group;
+ gid_t gid;
+
+ if (str_to_gid(name, &gid) == 0)
+ return gid;
+
+ switch (i_getgrnam(name, &group)) {
+ case -1:
+ i_fatal("getgrnam(%s) failed: %m", name);
+ case 0:
+ i_fatal("unknown group name in extra_groups: %s", name);
+ default:
+ return group.gr_gid;
+ }
+}
+
+static void fix_groups_list(const struct restrict_access_settings *set,
+ bool preserve_existing, bool *have_root_group)
+{
+ gid_t gid, *gid_list, *gid_list2;
+ const char *const *tmp, *empty = NULL;
+ unsigned int i, gid_count;
+ bool add_primary_gid;
+
+ /* if we're using a privileged GID, we can temporarily drop our
+ effective GID. we still want to be able to use its privileges,
+ so add it to supplementary groups. */
+ add_primary_gid = process_privileged_gid != (gid_t)-1;
+
+ tmp = set->extra_groups == NULL ? &empty :
+ t_strsplit_spaces(set->extra_groups, ", ");
+
+ if (preserve_existing) {
+ gid_list = restrict_get_groups_list(&gid_count);
+ drop_restricted_groups(set, gid_list, &gid_count,
+ have_root_group);
+ /* see if the list already contains the primary GID */
+ for (i = 0; i < gid_count; i++) {
+ if (gid_list[i] == process_primary_gid) {
+ add_primary_gid = FALSE;
+ break;
+ }
+ }
+ } else {
+ gid_list = NULL;
+ gid_count = 0;
+ }
+ if (gid_count == 0) {
+ /* Some OSes don't like an empty groups list,
+ so use the primary GID as the only one. */
+ gid_list = t_new(gid_t, 2);
+ gid_list[0] = process_primary_gid;
+ gid_count = 1;
+ add_primary_gid = FALSE;
+ }
+
+ if (*tmp != NULL || add_primary_gid) {
+ /* @UNSAFE: add extra groups and/or primary GID to gids list */
+ gid_list2 = t_new(gid_t, gid_count + str_array_length(tmp) + 1);
+ memcpy(gid_list2, gid_list, gid_count * sizeof(gid_t));
+ for (; *tmp != NULL; tmp++) {
+ gid = get_group_id(*tmp);
+ if (gid != process_primary_gid)
+ gid_list2[gid_count++] = gid;
+ }
+ if (add_primary_gid)
+ gid_list2[gid_count++] = process_primary_gid;
+ gid_list = gid_list2;
+ }
+
+ if (setgroups(gid_count, gid_list) < 0) {
+ if (errno == EINVAL) {
+ i_fatal("setgroups(%s) failed: Too many extra groups",
+ set->extra_groups == NULL ? "" :
+ set->extra_groups);
+ } else {
+ i_fatal("setgroups() failed: %m");
+ }
+ }
+}
+
+static const char *
+get_setuid_error_str(const struct restrict_access_settings *set, uid_t target_uid)
+{
+ string_t *str = t_str_new(128);
+
+ str_printfa(str, "setuid(%s", get_uid_str(target_uid));
+ if (set->uid_source != NULL)
+ str_printfa(str, " from %s", set->uid_source);
+ str_printfa(str, ") failed with euid=%s: %m ",
+ get_uid_str(geteuid()));
+ if (errno == EAGAIN) {
+ str_append(str, "(ulimit -u reached)");
+ } else {
+ str_printfa(str, "(This binary should probably be called with "
+ "process user set to %s instead of %s)",
+ get_uid_str(target_uid), get_uid_str(geteuid()));
+ }
+ return str_c(str);
+}
+
+void restrict_access(const struct restrict_access_settings *set,
+ enum restrict_access_flags flags, const char *home)
+{
+ bool is_root, have_root_group, preserve_groups = FALSE;
+ bool allow_root_gid;
+ bool allow_root = (flags & RESTRICT_ACCESS_FLAG_ALLOW_ROOT) != 0;
+ uid_t target_uid = set->uid;
+
+ is_root = geteuid() == 0;
+
+ if (!is_root &&
+ !set->allow_setuid_root &&
+ getuid() == 0) {
+ /* recover current effective UID */
+ if (target_uid == (uid_t)-1)
+ target_uid = geteuid();
+ else
+ i_assert(target_uid > 0);
+ /* try to elevate to root */
+ if (seteuid(0) < 0)
+ i_fatal("seteuid(0) failed: %m");
+ is_root = TRUE;
+ }
+
+ /* set the primary/privileged group */
+ process_primary_gid = set->gid;
+ process_privileged_gid = set->privileged_gid;
+ if (process_privileged_gid == process_primary_gid) {
+ /* a pointless configuration, ignore it */
+ process_privileged_gid = (gid_t)-1;
+ }
+
+ have_root_group = process_primary_gid == 0;
+ if (process_primary_gid != (gid_t)-1 ||
+ process_privileged_gid != (gid_t)-1) {
+ if (process_primary_gid == (gid_t)-1)
+ process_primary_gid = getegid();
+ restrict_init_groups(process_primary_gid,
+ process_privileged_gid, set->gid_source);
+ } else {
+ if (process_primary_gid == (gid_t)-1)
+ process_primary_gid = getegid();
+ }
+
+ /* set system user's groups */
+ if (set->system_groups_user != NULL && is_root) {
+ if (initgroups(set->system_groups_user,
+ process_primary_gid) < 0) {
+ i_fatal("initgroups(%s, %s) failed: %m",
+ set->system_groups_user,
+ get_gid_str(process_primary_gid));
+ }
+ preserve_groups = TRUE;
+ }
+
+ /* add extra groups. if we set system user's groups, drop the
+ restricted groups at the same time. */
+ if (is_root) T_BEGIN {
+ fix_groups_list(set, preserve_groups,
+ &have_root_group);
+ } T_END;
+
+ /* chrooting */
+ if (set->chroot_dir != NULL) {
+ /* kludge: localtime() must be called before chroot(),
+ or the timezone isn't known */
+ time_t t = 0;
+ (void)localtime(&t);
+
+ if (chroot(set->chroot_dir) != 0)
+ i_fatal("chroot(%s) failed: %m", set->chroot_dir);
+ /* makes static analyzers happy, and is more secure */
+ if (chdir("/") != 0)
+ i_fatal("chdir(/) failed: %m");
+
+ chroot_dir = i_strdup(set->chroot_dir);
+
+ if (home != NULL) {
+ if (chdir(home) < 0) {
+ i_error("chdir(%s) failed: %m", home);
+ }
+ }
+ }
+
+ /* uid last */
+ if (target_uid != (uid_t)-1) {
+ if (setuid(target_uid) != 0)
+ i_fatal("%s", get_setuid_error_str(set, target_uid));
+ }
+
+ /* verify that we actually dropped the privileges */
+ if ((target_uid != (uid_t)-1 && target_uid != 0) || !allow_root) {
+ if (setuid(0) == 0) {
+ if (!allow_root &&
+ (target_uid == 0 || target_uid == (uid_t)-1))
+ i_fatal("This process must not be run as root");
+
+ i_fatal("We couldn't drop root privileges");
+ }
+ }
+
+ if (set->first_valid_gid != 0)
+ allow_root_gid = FALSE;
+ else if (process_primary_gid == 0 || process_privileged_gid == 0)
+ allow_root_gid = TRUE;
+ else
+ allow_root_gid = FALSE;
+
+ if (!allow_root_gid && target_uid != 0 &&
+ (target_uid != (uid_t)-1 || !is_root)) {
+ if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
+ if (process_primary_gid == 0)
+ i_fatal("GID 0 isn't permitted");
+ i_fatal("We couldn't drop root group privileges "
+ "(wanted=%s, gid=%s, egid=%s)",
+ get_gid_str(process_primary_gid),
+ get_gid_str(getgid()), get_gid_str(getegid()));
+ }
+ }
+}
+
+void restrict_access_set_env(const struct restrict_access_settings *set)
+{
+ if (set->system_groups_user != NULL &&
+ *set->system_groups_user != '\0')
+ env_put("RESTRICT_USER", set->system_groups_user);
+ if (set->chroot_dir != NULL && *set->chroot_dir != '\0')
+ env_put("RESTRICT_CHROOT", set->chroot_dir);
+
+ if (set->uid != (uid_t)-1)
+ env_put("RESTRICT_SETUID", dec2str(set->uid));
+ if (set->gid != (gid_t)-1)
+ env_put("RESTRICT_SETGID", dec2str(set->gid));
+ if (set->privileged_gid != (gid_t)-1)
+ env_put("RESTRICT_SETGID_PRIV", dec2str(set->privileged_gid));
+ if (set->extra_groups != NULL && *set->extra_groups != '\0')
+ env_put("RESTRICT_SETEXTRAGROUPS", set->extra_groups);
+
+ if (set->first_valid_gid != 0)
+ env_put("RESTRICT_GID_FIRST", dec2str(set->first_valid_gid));
+ if (set->last_valid_gid != 0)
+ env_put("RESTRICT_GID_LAST", dec2str(set->last_valid_gid));
+}
+
+static const char *null_if_empty(const char *str)
+{
+ return str == NULL || *str == '\0' ? NULL : str;
+}
+
+void restrict_access_get_env(struct restrict_access_settings *set_r)
+{
+ const char *value;
+
+ restrict_access_init(set_r);
+ if ((value = getenv("RESTRICT_SETUID")) != NULL) {
+ if (str_to_uid(value, &set_r->uid) < 0)
+ i_fatal("Invalid uid: %s", value);
+ }
+ if ((value = getenv("RESTRICT_SETGID")) != NULL) {
+ if (str_to_gid(value, &set_r->gid) < 0)
+ i_fatal("Invalid gid: %s", value);
+ }
+ if ((value = getenv("RESTRICT_SETGID_PRIV")) != NULL) {
+ if (str_to_gid(value, &set_r->privileged_gid) < 0)
+ i_fatal("Invalid privileged_gid: %s", value);
+ }
+ if ((value = getenv("RESTRICT_GID_FIRST")) != NULL) {
+ if (str_to_gid(value, &set_r->first_valid_gid) < 0)
+ i_fatal("Invalid first_valid_gid: %s", value);
+ }
+ if ((value = getenv("RESTRICT_GID_LAST")) != NULL) {
+ if (str_to_gid(value, &set_r->last_valid_gid) < 0)
+ i_fatal("Invalid last_value_gid: %s", value);
+ }
+
+ set_r->extra_groups = null_if_empty(getenv("RESTRICT_SETEXTRAGROUPS"));
+ set_r->system_groups_user = null_if_empty(getenv("RESTRICT_USER"));
+ set_r->chroot_dir = null_if_empty(getenv("RESTRICT_CHROOT"));
+}
+
+void restrict_access_by_env(enum restrict_access_flags flags, const char *home)
+{
+ struct restrict_access_settings set;
+
+ restrict_access_get_env(&set);
+ restrict_access(&set, flags, home);
+
+ /* clear the environment, so we don't fail if we get back here */
+ env_remove("RESTRICT_SETUID");
+ if (process_privileged_gid == (gid_t)-1) {
+ /* if we're dropping privileges before executing and
+ a privileged group is set, the groups must be fixed
+ after exec */
+ env_remove("RESTRICT_SETGID");
+ env_remove("RESTRICT_SETGID_PRIV");
+ }
+ env_remove("RESTRICT_GID_FIRST");
+ env_remove("RESTRICT_GID_LAST");
+ if (getuid() != 0)
+ env_remove("RESTRICT_SETEXTRAGROUPS");
+ else {
+ /* Preserve RESTRICT_SETEXTRAGROUPS, so if we're again dropping
+ more privileges we'll still preserve the extra groups. This
+ mainly means preserving service { extra_groups } for lmtp
+ and doveadm accesses. */
+ }
+ env_remove("RESTRICT_USER");
+ env_remove("RESTRICT_CHROOT");
+}
+
+const char *restrict_access_get_current_chroot(void)
+{
+ return chroot_dir;
+}
+
+void restrict_access_set_dumpable(bool allow ATTR_UNUSED)
+{
+#ifdef HAVE_PR_SET_DUMPABLE
+ if (prctl(PR_SET_DUMPABLE, allow ? 1 : 0, 0, 0, 0) < 0)
+ i_error("prctl(PR_SET_DUMPABLE) failed: %m");
+#endif
+}
+
+bool restrict_access_get_dumpable(void)
+{
+#ifdef HAVE_PR_SET_DUMPABLE
+ bool allow = FALSE;
+ if (prctl(PR_GET_DUMPABLE, &allow, 0, 0, 0) < 0)
+ i_error("prctl(PR_GET_DUMPABLE) failed: %m");
+ return allow;
+#endif
+ return TRUE;
+}
+
+void restrict_access_allow_coredumps(bool allow)
+{
+ if (getenv("PR_SET_DUMPABLE") != NULL) {
+ restrict_access_set_dumpable(allow);
+ }
+}
+
+int restrict_access_use_priv_gid(void)
+{
+ i_assert(!process_using_priv_gid);
+
+ if (process_privileged_gid == (gid_t)-1)
+ return 0;
+ if (setegid(process_privileged_gid) < 0) {
+ i_error("setegid(privileged) failed: %m");
+ return -1;
+ }
+ process_using_priv_gid = TRUE;
+ return 0;
+}
+
+void restrict_access_drop_priv_gid(void)
+{
+ if (!process_using_priv_gid)
+ return;
+
+ if (setegid(process_primary_gid) < 0)
+ i_fatal("setegid(primary) failed: %m");
+ process_using_priv_gid = FALSE;
+}
+
+bool restrict_access_have_priv_gid(void)
+{
+ return process_privileged_gid != (gid_t)-1;
+}
+
+void restrict_access_deinit(void)
+{
+ i_free(chroot_dir);
+}