#ifndef RESTRICT_ACCESS_H
#define RESTRICT_ACCESS_H

/* Flags accepted by restrict_access() and restrict_access_by_env(). */
enum restrict_access_flags {
	/* If the flags given to restrict_access() include
	 * RESTRICT_ACCESS_FLAG_ALLOW_ROOT, the process may keep running even
	 * though it still has root privileges. Without the flag, still
	 * holding root privileges after restricting access is fatal ("we kill
	 * ourself") - a safety net so a misconfiguration can't silently leave
	 * a service running as root. */
	RESTRICT_ACCESS_FLAG_ALLOW_ROOT = 1,
};

/* Describes the privileges a process should be restricted to.
   restrict_access_init() fills it with values that change nothing; set
   only the fields you need afterwards. */
struct restrict_access_settings {
	/* UID to use, or (uid_t)-1 if you don't want to change it */
	uid_t uid;
	/* Effective GID to use, or (gid_t)-1 if you don't want to change it */
	gid_t gid;
	/* If not (gid_t)-1, the privileged GID can be temporarily
	   enabled/disabled with restrict_access_use_priv_gid() and
	   restrict_access_drop_priv_gid(). */
	gid_t privileged_gid;

	/* Add access to these space or comma -separated extra groups */
	const char *extra_groups;
	/* Add access to groups this system user belongs to */
	const char *system_groups_user;

	/* All specified GIDs must be in this range. If extra_groups or system
	   group user contains other GIDs, they're silently dropped - no error
	   is reported, so an overly narrow range only shows up as missing
	   group access. */
	gid_t first_valid_gid, last_valid_gid;

	/* Human readable "source" of UID and GID values. If non-NULL,
	   displayed on error messages about failing to change uid/gid. */
	const char *uid_source, *gid_source;

	/* Chroot directory. After chrooting, restrict_access() chdir()s to /
	   of the chroot (or to the given home); the directory is reported
	   afterwards by restrict_access_get_current_chroot(). */
	const char *chroot_dir;

	/* Allow running in setuid-root mode, where real UID is root and
	 * effective UID is non-root. By default the real UID is changed
	 * to be the same as the effective UID. */
	bool allow_setuid_root;
};

/* Initialize settings with values that don't change anything. */
void restrict_access_init(struct restrict_access_settings *set);
/* Restrict access as specified by the settings. If home is not NULL,
   it's chdir()ed after chrooting, otherwise it chdirs to / (the chroot).
   Unless flags include RESTRICT_ACCESS_FLAG_ALLOW_ROOT, still having root
   privileges afterwards is fatal (see enum restrict_access_flags). */
void restrict_access(const struct restrict_access_settings *set,
		     enum restrict_access_flags flags, const char *home)
		     ATTR_NULL(3);
/* Set environment variables so they can be read with
   restrict_access_by_env(). NOTE(review): presumably used to hand the
   settings over to a process that restricts itself later - confirm
   against the callers. */
void restrict_access_set_env(const struct restrict_access_settings *set);
/* Read restrict_access_set_env() environments back into struct. */
void restrict_access_get_env(struct restrict_access_settings *set_r);
/* Read restrictions from environment and call restrict_access().
   If flags do not include RESTRICT_ACCESS_FLAG_ALLOW_ROOT, we'll kill ourself
   unless the RESTRICT_* environments caused root privileges to be dropped */
void restrict_access_by_env(enum restrict_access_flags flags,
			    const char *home) ATTR_NULL(2);

/* Return the chrooted directory if restrict_access*() chrooted,
   otherwise NULL. */
const char *restrict_access_get_current_chroot(void);

/* Checks if PR_SET_DUMPABLE environment variable is set, and if it is,
   calls restrict_access_set_dumpable(allow). */
void restrict_access_allow_coredumps(bool allow);

/* Sets process dumpable true or false. Setting this true allows core dumping,
   reading /proc/self/io, attaching with PTRACE_ATTACH, and also changes
   ownership of /proc/[pid] directory - i.e. it widens what other processes
   can observe of a privilege-restricted process, so enable it only when
   core dumps are actually wanted.
   NOTE(review): on Linux a UID/GID change normally clears the dumpable
   flag, so this is expected to be called after restrict_access() - confirm. */
void restrict_access_set_dumpable(bool allow);

/* Gets process dumpability, returns TRUE if not supported, because
   we then assume that constraint is not present. */
bool restrict_access_get_dumpable(void);

/* If privileged_gid was set, these functions can be used to temporarily
   gain access to the group. Pair each use with a drop so the extra group
   isn't held longer than needed.
   NOTE(review): the int returned by restrict_access_use_priv_gid() is
   presumably 0 on success / -1 on failure - confirm in restrict-access.c. */
int restrict_access_use_priv_gid(void);
void restrict_access_drop_priv_gid(void);
/* Returns TRUE if privileged GID exists for this process. */
bool restrict_access_have_priv_gid(void);

/* Presumably returns the process's supplementary group list, storing the
   entry count in *gid_count_r. NOTE(review): ownership of the returned
   array isn't stated here - confirm before freeing it. */
gid_t *restrict_get_groups_list(unsigned int *gid_count_r);

/* Release state held by this module (presumably the remembered chroot and
   privileged GID bookkeeping - confirm in restrict-access.c). */
void restrict_access_deinit(void);

#endif