From 98e1c93a21612537733b52036a425b043bbf37b3 Mon Sep 17 00:00:00 2001 From: Roland McGrath Date: Mon, 13 May 2002 01:27:28 +0000 Subject: 2002-05-12 Roland McGrath * hurd/hurdexec.c (_hurd_exec): Reauthenticate ports/dtable used in file_exec to effect svuid=euid, svgid=egid if that is not a no-op. --- hurd/hurdexec.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 190 insertions(+), 39 deletions(-) (limited to 'hurd') diff --git a/hurd/hurdexec.c b/hurd/hurdexec.c index 510eca8..beae869 100644 --- a/hurd/hurdexec.c +++ b/hurd/hurdexec.c @@ -1,4 +1,5 @@ -/* Copyright (C) 1991,92,93,94,95,96,97,99,2001 Free Software Foundation, Inc. +/* Copyright (C) 1991,92,93,94,95,96,97,99,2001,02 + Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -25,6 +26,7 @@ #include #include #include +#include #include #include @@ -41,12 +43,17 @@ _hurd_exec (task_t task, file_t file, int ints[INIT_INT_MAX]; mach_port_t ports[_hurd_nports]; struct hurd_userlink ulink_ports[_hurd_nports]; + inline void free_port (unsigned int i) + { + _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]); + } file_t *dtable; unsigned int dtablesize, i; struct hurd_port **dtable_cells; struct hurd_userlink *ulink_dtable; struct hurd_sigstate *ss; mach_port_t *please_dealloc, *pdp; + int reauth = 0; /* XXX needs to be hurdmalloc XXX */ if (argv == NULL) @@ -67,7 +74,7 @@ _hurd_exec (task_t task, file_t file, if (err = __USEPORT (PROC, __proc_task2proc (port, task, &ports[i]))) { while (--i > 0) - _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]); + free_port (i); goto outenv; } } @@ -132,7 +139,7 @@ _hurd_exec (task_t task, file_t file, them, the new program would have duplicate user references for them. But we cannot deallocate them ourselves, because we must still have them after a failed exec call. */ - please_dealloc = __alloca ((_hurd_nports + (2 * dtablesize)) + please_dealloc = __alloca ((_hurd_nports + 3 + (3 * dtablesize)) * sizeof (mach_port_t)); else please_dealloc = NULL; @@ -190,55 +197,199 @@ _hurd_exec (task_t task, file_t file, while (dtablesize > 0 && dtable[dtablesize - 1] == MACH_PORT_NULL) --dtablesize; - /* The information is all set up now. Try to exec the file. */ + /* See if we need to diddle the auth port of the new program. + The purpose of this is to get the effect setting the saved-set UID and + GID to the respective effective IDs after the exec, as POSIX.1 requires. + Note that we don't reauthenticate with the proc server; that would be a + no-op since it only keeps track of the effective UIDs, and if it did + keep track of the available IDs we would have the problem that we'd be + changing the IDs before the exec and have to change them back after a + failure. Arguably we could skip all the reauthentications because the + available IDs have no bearing on any filesystem. But the conservative + approach is to reauthenticate all the io ports so that no state anywhere + reflects that our whole ID set differs from what we've set it to. */ + __mutex_lock (&_hurd_id.lock); + err = _hurd_check_ids (); + if (err == 0 && ((_hurd_id.aux.nuids >= 2 && _hurd_id.gen.nuids >= 1 + && _hurd_id.aux.uids[1] != _hurd_id.gen.uids[0]) + || (_hurd_id.aux.ngids >= 2 && _hurd_id.gen.ngids >= 1 + && _hurd_id.aux.gids[1] != _hurd_id.gen.gids[0]))) + { + /* We have euid != svuid or egid != svgid. POSIX.1 says that exec + sets svuid = euid and svgid = egid. So we must get a new auth + port and reauthenticate everything with it. We'll pass the new + ports in file_exec instead of our own ports. */ - { - int flags; + auth_t newauth; - if (pdp) - { - /* Request the exec server to deallocate some ports from us if the exec - succeeds. The init ports and descriptor ports will arrive in the - new program's exec_startup message. If we failed to deallocate - them, the new program would have duplicate user references for them. - But we cannot deallocate them ourselves, because we must still have - them after a failed exec call. */ - - for (i = 0; i < _hurd_nports; ++i) - *pdp++ = ports[i]; - for (i = 0; i < dtablesize; ++i) - *pdp++ = dtable[i]; - } + _hurd_id.aux.uids[1] = _hurd_id.gen.uids[0]; + _hurd_id.aux.gids[1] = _hurd_id.gen.gids[0]; + _hurd_id.valid = 0; + if (_hurd_id.rid_auth != MACH_PORT_NULL) + { + __mach_port_deallocate (__mach_task_self (), _hurd_id.rid_auth); + _hurd_id.rid_auth = MACH_PORT_NULL; + } + + err = __auth_makeauth (ports[INIT_PORT_AUTH], + NULL, MACH_MSG_TYPE_COPY_SEND, 0, + _hurd_id.gen.uids, _hurd_id.gen.nuids, + _hurd_id.aux.uids, _hurd_id.aux.nuids, + _hurd_id.gen.gids, _hurd_id.gen.ngids, + _hurd_id.aux.gids, _hurd_id.aux.ngids, + &newauth); + if (err == 0) + { + /* Now we have to reauthenticate the ports with this new ID. + */ + + inline error_t reauth_io (io_t port, io_t *newport) + { + mach_port_t ref = __mach_reply_port (); + *newport = MACH_PORT_NULL; + error_t err = __io_reauthenticate (port, + ref, MACH_MSG_TYPE_MAKE_SEND); + if (!err) + err = __auth_user_authenticate (newauth, + ref, MACH_MSG_TYPE_MAKE_SEND, + newport); + __mach_port_destroy (__mach_task_self (), ref); + return err; + } + inline void reauth_port (unsigned int idx) + { + io_t newport; + err = reauth_io (ports[idx], &newport) ?: err; + if (pdp) + *pdp++ = ports[idx]; /* XXX presumed still in _hurd_ports */ + free_port (idx); + ports[idx] = newport; + } + + if (pdp) + *pdp++ = ports[INIT_PORT_AUTH]; + free_port (INIT_PORT_AUTH); + ports[INIT_PORT_AUTH] = newauth; + + reauth_port (INIT_PORT_CRDIR); + reauth_port (INIT_PORT_CWDIR); + + if (!err) + { + /* Now we'll reauthenticate each file descriptor. */ + if (ulink_dtable == NULL) + { + assert (dtable == _hurd_init_dtable); + dtable = __alloca (dtablesize * sizeof (dtable[0])); + for (i = 0; i < dtablesize; ++i) + if (_hurd_init_dtable[i] != MACH_PORT_NULL) + { + if (pdp) + *pdp++ = _hurd_init_dtable[i]; + err = reauth_io (_hurd_init_dtable[i], &dtable[i]); + if (err) + { + while (++i < dtablesize) + dtable[i] = MACH_PORT_NULL; + break; + } + } + else + dtable[i] = MACH_PORT_NULL; + } + else + { + if (pdp) + { + /* Ask to deallocate all the old fd ports, + since we will have new ones in DTABLE. */ + memcpy (pdp, dtable, dtablesize * sizeof pdp[0]); + pdp += dtablesize; + } + for (i = 0; i < dtablesize; ++i) + if (dtable[i] != MACH_PORT_NULL) + { + io_t newport; + err = reauth_io (dtable[i], &newport); + _hurd_port_free (dtable_cells[i], &ulink_dtable[i], + dtable[i]); + dtable[i] = newport; + if (err) + { + while (++i < dtablesize) + _hurd_port_free (dtable_cells[i], + &ulink_dtable[i], dtable[i]); + break; + } + } + ulink_dtable = NULL; + dtable_cells = NULL; + } + } + } + + reauth = 1; + } + __mutex_unlock (&_hurd_id.lock); + + /* The information is all set up now. Try to exec the file. */ + if (!err) + { + int flags; - flags = 0; + if (pdp) + { + /* Request the exec server to deallocate some ports from us if + the exec succeeds. The init ports and descriptor ports will + arrive in the new program's exec_startup message. If we + failed to deallocate them, the new program would have + duplicate user references for them. But we cannot deallocate + them ourselves, because we must still have them after a failed + exec call. */ + + for (i = 0; i < _hurd_nports; ++i) + *pdp++ = ports[i]; + for (i = 0; i < dtablesize; ++i) + *pdp++ = dtable[i]; + } + + flags = 0; #ifdef EXEC_SIGTRAP - /* PTRACE_TRACEME sets all bits in _hurdsig_traced, which is propagated - through exec by INIT_TRACEMASK, so this checks if PTRACE_TRACEME has - been called in this process in any of its current or prior lives. */ - if (__sigismember (&_hurdsig_traced, SIGKILL)) - flags |= EXEC_SIGTRAP; + /* PTRACE_TRACEME sets all bits in _hurdsig_traced, which is + propagated through exec by INIT_TRACEMASK, so this checks if + PTRACE_TRACEME has been called in this process in any of its + current or prior lives. */ + if (__sigismember (&_hurdsig_traced, SIGKILL)) + flags |= EXEC_SIGTRAP; #endif - err = __file_exec (file, task, flags, - args, argslen, env, envlen, - dtable, MACH_MSG_TYPE_COPY_SEND, dtablesize, - ports, MACH_MSG_TYPE_COPY_SEND, _hurd_nports, - ints, INIT_INT_MAX, - please_dealloc, pdp - please_dealloc, - &_hurd_msgport, task == __mach_task_self () ? 1 : 0); - } + err = __file_exec (file, task, flags, + args, argslen, env, envlen, + dtable, MACH_MSG_TYPE_COPY_SEND, dtablesize, + ports, MACH_MSG_TYPE_COPY_SEND, _hurd_nports, + ints, INIT_INT_MAX, + please_dealloc, pdp - please_dealloc, + &_hurd_msgport, task == __mach_task_self () ? 1 : 0); + } /* Release references to the standard ports. */ for (i = 0; i < _hurd_nports; ++i) - if (i == INIT_PORT_PROC && task != __mach_task_self ()) + if ((i == INIT_PORT_PROC && task != __mach_task_self ()) + || (reauth && (i == INIT_PORT_AUTH + || i == INIT_PORT_CRDIR || i == INIT_PORT_CWDIR))) __mach_port_deallocate (__mach_task_self (), ports[i]); else - _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]); + free_port (i); + /* Release references to the file descriptor ports. */ if (ulink_dtable != NULL) - /* Release references to the file descriptor ports. */ + { + for (i = 0; i < dtablesize; ++i) + if (dtable[i] != MACH_PORT_NULL) + _hurd_port_free (dtable_cells[i], &ulink_dtable[i], dtable[i]); + } + else if (dtable && dtable != _hurd_init_dtable) for (i = 0; i < dtablesize; ++i) - if (dtable[i] != MACH_PORT_NULL) - _hurd_port_free (dtable_cells[i], &ulink_dtable[i], dtable[i]); + __mach_port_deallocate (__mach_task_self (), dtable[i]); /* Release lock on the file descriptor table. */ __mutex_unlock (&_hurd_dtable_lock); -- cgit v1.1