1 /* Dropping uid/gid privileges of the current process temporarily.
2 Copyright (C) 2009-2023 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
23 #include <sys/types.h>
26 /* The privileged uid and gid that the process had earlier. */
28 static int saved_uid
= -1;
31 static int saved_gid
= -1;
35 idpriv_temp_drop (void)
37 #if HAVE_GETEUID && HAVE_GETEGID && (HAVE_SETRESUID || HAVE_SETREUID) && (HAVE_SETRESGID || HAVE_SETREGID)
41 /* Find out about the privileged uid and gid at the first call. */
43 saved_uid
= geteuid ();
45 saved_gid
= getegid ();
47 /* Drop the gid privilege first, because in some cases the gid privilege
48 cannot be dropped after the uid privilege has been dropped. */
50 /* This is for executables that have the setgid bit set. */
51 # if HAVE_SETRESGID /* glibc, FreeBSD, OpenBSD, HP-UX */
52 if (setresgid (-1, gid
, saved_gid
) < 0)
54 # else /* Mac OS X, NetBSD, AIX, IRIX, Solaris >= 2.5, OSF/1, Cygwin */
55 if (setregid (-1, gid
) < 0)
59 /* This is for executables that have the setuid bit set. */
60 # if HAVE_SETRESUID /* glibc, FreeBSD, OpenBSD, HP-UX */
62 Hao Chen, David Wagner, Drew Dean: Setuid Demystified
63 <https://www.usenix.org/legacy/publications/library/proceedings/sec02/full_papers/chen/chen.pdf>
65 if (setresuid (-1, uid
, saved_uid
) < 0)
67 # else /* Mac OS X, NetBSD, AIX, IRIX, Solaris >= 2.5, OSF/1, Cygwin */
68 if (setreuid (-1, uid
) < 0)
72 /* Verify that the privileges have really been dropped.
73 This verification is here for security reasons. Doesn't matter if it
74 takes a couple of system calls.
75 When the verification fails, it indicates that we need to use different
76 API in the code above. Therefore 'abort ()', not 'return -1'. */
77 # if HAVE_GETRESUID /* glibc, FreeBSD, OpenBSD, HP-UX */
82 if (getresuid (&real
, &effective
, &saved
) < 0
85 || saved
!= saved_uid
)
90 if (geteuid () != uid
)
96 # if HAVE_GETRESGID /* glibc, FreeBSD, OpenBSD, HP-UX */
101 if (getresgid (&real
, &effective
, &saved
) < 0
104 || saved
!= saved_gid
)
109 if (getegid () != gid
)
112 if (getgid () != gid
)
124 idpriv_temp_restore (void)
126 #if HAVE_GETEUID && HAVE_GETEGID && (HAVE_SETRESUID || HAVE_SETREUID) && (HAVE_SETRESGID || HAVE_SETREGID)
130 if (saved_uid
== -1 || saved_gid
== -1)
131 /* Caller error: idpriv_temp_drop was never invoked. */
134 /* Acquire the gid privilege last, because in some cases the gid privilege
135 cannot be acquired before the uid privilege has been acquired. */
137 /* This is for executables that have the setuid bit set. */
138 # if HAVE_SETRESUID /* glibc, FreeBSD, OpenBSD, HP-UX */
140 Hao Chen, David Wagner, Drew Dean: Setuid Demystified
141 <https://www.usenix.org/legacy/publications/library/proceedings/sec02/full_papers/chen/chen.pdf>
143 if (setresuid (-1, saved_uid
, -1) < 0)
145 # else /* Mac OS X, NetBSD, AIX, IRIX, Solaris >= 2.5, OSF/1, Cygwin */
146 if (setreuid (-1, saved_uid
) < 0)
150 /* This is for executables that have the setgid bit set. */
151 # if HAVE_SETRESGID /* glibc, FreeBSD, OpenBSD, HP-UX */
152 if (setresgid (-1, saved_gid
, -1) < 0)
154 # else /* Mac OS X, NetBSD, AIX, IRIX, Solaris >= 2.5, OSF/1, Cygwin */
155 if (setregid (-1, saved_gid
) < 0)
159 /* Verify that the privileges have really been acquired.
160 This verification is here for security reasons. Doesn't matter if it
161 takes a couple of system calls.
162 When the verification fails, it indicates that we need to use different
163 API in the code above. Therefore 'abort ()', not 'return -1'. */
164 # if HAVE_GETRESUID /* glibc, FreeBSD, OpenBSD, HP-UX */
169 if (getresuid (&real
, &effective
, &saved
) < 0
171 || effective
!= saved_uid
172 || saved
!= saved_uid
)
177 if (geteuid () != saved_uid
)
180 if (getuid () != uid
)
183 # if HAVE_GETRESGID /* glibc, FreeBSD, OpenBSD, HP-UX */
188 if (getresgid (&real
, &effective
, &saved
) < 0
190 || effective
!= saved_gid
191 || saved
!= saved_gid
)
196 if (getegid () != saved_gid
)
199 if (getgid () != gid
)