/*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
 * Copyright (c) 2004-2011 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
 * Network Associates Laboratories, the Security Research Division of
 * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $OpenPAM: openpam_restore_cred.c 938 2017-04-30 21:34:42Z des $
 */

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <sys/param.h>

#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

#include <security/pam_appl.h>

#include "openpam_impl.h"
#include "openpam_cred.h"

/*
 * OpenPAM extension
 *
 * Restore credentials
 */

/*
 * Undo a previous openpam_borrow_cred(): put the effective uid, the
 * supplementary group list and the effective gid back to the values that
 * were stashed in the PAM handle under PAM_SAVED_CRED, then drop the stash.
 *
 * Returns PAM_SUCCESS when the credentials are back in place, the error
 * from pam_get_data() when the stash cannot be looked up, and
 * PAM_SYSTEM_ERR when there is no stash or one of the set*id calls fails.
 *
 * On a set*id failure the stash is left in the handle, so the caller may
 * call this function again; note however that the process may then be in
 * a partially restored state (e.g. saved euid but borrowed groups).
 */
int
openpam_restore_cred(pam_handle_t *pamh)
{
	const struct pam_saved_cred *saved;
	const void *data;
	int ret;

	ENTER();
	ret = pam_get_data(pamh, PAM_SAVED_CRED, &data);
	if (ret != PAM_SUCCESS)
		RETURNC(ret);
	/* Nothing was borrowed (or it was already restored). */
	if (data == NULL)
		RETURNC(PAM_SYSTEM_ERR);
	saved = data;

	/*
	 * Only touch the process credentials if the effective uid actually
	 * moved.  NOTE(review): this assumes openpam_borrow_cred() likewise
	 * left groups and egid untouched when the euid did not change --
	 * confirm against that function.
	 */
	if (geteuid() != saved->euid) {
		/*
		 * Order matters: the saved euid is regained first because,
		 * when it is the privileged uid, it is what allows the
		 * following setgroups()/setegid() calls to succeed at all.
		 * Each step is checked individually; a failure stops here
		 * and leaves the stash in place (see header comment).
		 */
		if (seteuid(saved->euid) < 0)
			RETURNC(PAM_SYSTEM_ERR);
		if (setgroups(saved->ngroups, saved->groups) < 0)
			RETURNC(PAM_SYSTEM_ERR);
		if (setegid(saved->egid) < 0)
			RETURNC(PAM_SYSTEM_ERR);
	}

	/*
	 * Discard the stash so a later openpam_borrow_cred() is allowed
	 * again.  The return value is deliberately not checked: the
	 * credentials are already restored, and there is nothing more this
	 * function could do about a failure to release the saved copy.
	 */
	pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
	RETURNC(PAM_SUCCESS);
}

/*
 * Error codes:
 *
 *	=pam_get_data
 *	PAM_SYSTEM_ERR
 */

/**
 * The =openpam_restore_cred function restores the credentials saved by
 * =openpam_borrow_cred.
 *
 * >setegid 2
 * >seteuid 2
 * >setgroups 2
 */