privs.h revision 54158
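/*
 * privs.h - header for privileged operations
 * Copyright (C) 1993 Thomas Koenig
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. The name of the author(s) may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $FreeBSD: head/usr.bin/at/privs.h 54158 1999-12-05 19:57:14Z charnier $
 */

#ifndef _PRIVS_H
#define _PRIVS_H

#ifndef _USE_BSD
#define _USE_BSD 1
#include <unistd.h>
#undef _USE_BSD
#else
#include <unistd.h>
#endif
#include <stdio.h>	/* perror() */
#include <stdlib.h>	/* exit(), EXIT_FAILURE */

/* Relinquish privileges temporarily for a setuid or setgid program
 * with the option of getting them back later. This is done by swapping
 * the real and effective userid BSD style. Call RELINQUISH_PRIVS once
 * at the beginning of the main program. This will cause all operations
 * to be executed with the real userid. When you need the privileges
 * of the setuid/setgid invocation, call PRIV_START; when you no longer
 * need them, call PRIV_END. PRIV_START opens a brace that PRIV_END
 * closes, so it is an error to call PRIV_START and not PRIV_END within
 * the same function (and the same block).
 *
 * Use RELINQUISH_PRIVS_ROOT(a,b) if your program started out running
 * as root, and you want to drop back the effective userid to a
 * and the effective group id to b, with the option to get them back
 * later.
 *
 * If you no longer need root privileges, but those of some other
 * userid/groupid, you can call REDUCE_PRIV(a,b) when your effective
 * id is the user's.
 *
 * Problems: Do not use return between PRIV_START and PRIV_END; this
 * will cause the program to continue running in a privileged state
 * (and leaves the brace opened by PRIV_START unbalanced).
 *
 * It is NOT safe to call exec(), system() or popen() with a user-
 * supplied program (i.e. without carefully checking PATH and any
 * library load paths) with relinquished privileges; the called program
 * can acquire them just as easily. Set both effective and real userid
 * to the real userid before calling any of them.
 *
 * Every credential switch below is checked: a setuid/setgid program
 * that carries on after a failed setreuid()/setregid() keeps running
 * with whichever privileges it happened to hold at that moment, so a
 * failure is reported on stderr and terminates the program instead of
 * being silently ignored. When privileges are dropped, the group ids
 * are switched before the user ids (once the effective uid is no longer
 * privileged, a later group switch may not be permitted); when they are
 * regained, the order is reversed.
 */

/* Defined once in the translation unit that defines MAIN; declared
 * extern everywhere else. */
#ifndef MAIN
extern
#endif
uid_t real_uid, effective_uid;

#ifndef MAIN
extern
#endif
gid_t real_gid, effective_gid;

/* Run a setreuid()/setregid() call and abort the program if it fails.
 * The stringified call is used as the perror() prefix. */
#define PRIVS_CHECK(call) \
	do { \
		if ((call) != 0) { \
			perror(#call); \
			exit(EXIT_FAILURE); \
		} \
	} while (0)

/* Record the invoking (real) and setuid/setgid (effective) ids, then
 * swap them so the program keeps running with the real ids. Group
 * first, then user, matching RELINQUISH_PRIVS_ROOT and PRIV_END. */
#define RELINQUISH_PRIVS { \
	real_uid = getuid(); \
	effective_uid = geteuid(); \
	real_gid = getgid(); \
	effective_gid = getegid(); \
	PRIVS_CHECK(setregid(effective_gid, real_gid)); \
	PRIVS_CHECK(setreuid(effective_uid, real_uid)); \
}

/* Same as RELINQUISH_PRIVS for a program that started as root: the
 * ids to run under are given explicitly as (a, b) instead of being
 * read with getuid()/getgid(). */
#define RELINQUISH_PRIVS_ROOT(a,b) { \
	real_uid = (a); \
	effective_uid = geteuid(); \
	real_gid = (b); \
	effective_gid = getegid(); \
	PRIVS_CHECK(setregid(effective_gid, real_gid)); \
	PRIVS_CHECK(setreuid(effective_uid, real_uid)); \
}

/* Regain the setuid/setgid ids: user first so that the group switch is
 * performed with the privileged effective uid. Opens a block that
 * PRIV_END closes. */
#define PRIV_START { \
	PRIVS_CHECK(setreuid(real_uid, effective_uid)); \
	PRIVS_CHECK(setregid(real_gid, effective_gid));

/* Drop back to the real ids (group first) and close the PRIV_START
 * block. */
#define PRIV_END \
	PRIVS_CHECK(setregid(effective_gid, real_gid)); \
	PRIVS_CHECK(setreuid(effective_uid, real_uid)); \
}

/* Regain the privileged ids, replace the remembered effective ids by
 * (a, b), and drop back to the real ids again. From then on PRIV_START
 * yields the ids (a, b) rather than the original setuid/setgid ones. */
#define REDUCE_PRIV(a,b) { \
	PRIVS_CHECK(setreuid(real_uid, effective_uid)); \
	PRIVS_CHECK(setregid(real_gid, effective_gid)); \
	effective_uid = (a); \
	effective_gid = (b); \
	PRIVS_CHECK(setregid(effective_gid, real_gid)); \
	PRIVS_CHECK(setreuid(effective_uid, real_uid)); \
}

#endif /* !_PRIVS_H */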