194209Sdes/*-
2115619Sdes * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3228690Sdes * Copyright (c) 2004-2011 Dag-Erling Sm��rgrav
494209Sdes * All rights reserved.
594209Sdes *
694209Sdes * This software was developed for the FreeBSD Project by ThinkSec AS and
799158Sdes * Network Associates Laboratories, the Security Research Division of
899158Sdes * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
999158Sdes * ("CBOSS"), as part of the DARPA CHATS research program.
1094209Sdes *
1194209Sdes * Redistribution and use in source and binary forms, with or without
1294209Sdes * modification, are permitted provided that the following conditions
1394209Sdes * are met:
1494209Sdes * 1. Redistributions of source code must retain the above copyright
1594209Sdes *    notice, this list of conditions and the following disclaimer.
1694209Sdes * 2. Redistributions in binary form must reproduce the above copyright
1794209Sdes *    notice, this list of conditions and the following disclaimer in the
1894209Sdes *    documentation and/or other materials provided with the distribution.
1994209Sdes * 3. The name of the author may not be used to endorse or promote
2094209Sdes *    products derived from this software without specific prior written
2194209Sdes *    permission.
2294209Sdes *
2394209Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
2494209Sdes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2594209Sdes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2694209Sdes * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2794209Sdes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2894209Sdes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2994209Sdes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3094209Sdes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3194209Sdes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3294209Sdes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3394209Sdes * SUCH DAMAGE.
3494209Sdes *
35348980Sdes * $OpenPAM: openpam_restore_cred.c 938 2017-04-30 21:34:42Z des $
3694209Sdes */
3794209Sdes
38228690Sdes#ifdef HAVE_CONFIG_H
39228690Sdes# include "config.h"
40228690Sdes#endif
41228690Sdes
4294209Sdes#include <sys/param.h>
4394209Sdes
44115619Sdes#include <grp.h>
45117610Sdes#include <limits.h>
4694209Sdes#include <pwd.h>
4794209Sdes#include <stdlib.h>
4894209Sdes#include <unistd.h>
4994209Sdes
5094209Sdes#include <security/pam_appl.h>
5194209Sdes
5294209Sdes#include "openpam_impl.h"
53255376Sdes#include "openpam_cred.h"
5494209Sdes
5594209Sdes/*
5694209Sdes * OpenPAM extension
5794209Sdes *
5894209Sdes * Restore credentials
5994209Sdes */
6094209Sdes
6194209Sdesint
6294209Sdesopenpam_restore_cred(pam_handle_t *pamh)
6394209Sdes{
64174832Sdes	const struct pam_saved_cred *scred;
65174832Sdes	const void *scredp;
6694209Sdes	int r;
6794209Sdes
68107937Sdes	ENTER();
69125647Sdes	r = pam_get_data(pamh, PAM_SAVED_CRED, &scredp);
7094209Sdes	if (r != PAM_SUCCESS)
71107937Sdes		RETURNC(r);
72125647Sdes	if (scredp == NULL)
73107937Sdes		RETURNC(PAM_SYSTEM_ERR);
74125647Sdes	scred = scredp;
75110503Sdes	if (scred->euid != geteuid()) {
76115619Sdes		if (seteuid(scred->euid) < 0 ||
77115619Sdes		    setgroups(scred->ngroups, scred->groups) < 0 ||
78115619Sdes		    setegid(scred->egid) < 0)
79110503Sdes			RETURNC(PAM_SYSTEM_ERR);
80110503Sdes	}
8194209Sdes	pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
82107937Sdes	RETURNC(PAM_SUCCESS);
8394209Sdes}
8494209Sdes
8594209Sdes/*
8694209Sdes * Error codes:
8794209Sdes *
8894209Sdes *	=pam_get_data
8994209Sdes *	PAM_SYSTEM_ERR
9094209Sdes */
9194209Sdes
9294209Sdes/**
9394209Sdes * The =openpam_restore_cred function restores the credentials saved by
9494209Sdes * =openpam_borrow_cred.
9594209Sdes *
96141098Sdes * >setegid 2
97141098Sdes * >seteuid 2
98141098Sdes * >setgroups 2
9994209Sdes */
100