+static int get_user_infos_from_uid(
+ uid_t uid, char **username, gid_t *primary_gid)
+{
+ int ret;
+ char *buf = NULL;
+ long raw_get_pw_buf_size;
+ size_t get_pw_buf_size;
+ struct passwd pwd;
+ struct passwd *result = NULL;
+
+ /* Fetch the max size for the temporary buffer. */
+ errno = 0;
+ raw_get_pw_buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (raw_get_pw_buf_size < 0) {
+ if (errno != 0) {
+ PERROR("Failed to query _SC_GETPW_R_SIZE_MAX");
+ goto error;
+ }
+
+ /* Limit is indeterminate. */
+ WARN("Failed to query _SC_GETPW_R_SIZE_MAX as it is "
+ "indeterminate; falling back to default buffer size");
+ raw_get_pw_buf_size = GETPW_BUFFER_FALLBACK_SIZE;
+ }
+
+ get_pw_buf_size = (size_t) raw_get_pw_buf_size;
+
+ buf = zmalloc(get_pw_buf_size);
+ if (buf == NULL) {
+ PERROR("Failed to allocate buffer to get password file entries");
+ goto error;
+ }
+
+ ret = getpwuid_r(uid, &pwd, buf, get_pw_buf_size, &result);
+ if (ret < 0) {
+ PERROR("Failed to get user information for user: uid = %d",
+ (int) uid);
+ goto error;
+ }
+
+ if (result == NULL) {
+ ERR("Failed to find user information in password entries: uid = %d",
+ (int) uid);
+ ret = -1;
+ goto error;
+ }
+
+ *username = strdup(result->pw_name);
+ if (*username == NULL) {
+ PERROR("Failed to copy user name");
+ goto error;
+ }
+
+ *primary_gid = result->pw_gid;
+
+end:
+ free(buf);
+ return ret;
+error:
+ *username = NULL;
+ *primary_gid = -1;
+ ret = -1;
+ goto end;
+}
+
+static int demote_creds(
+ uid_t prev_uid, gid_t prev_gid, uid_t new_uid, gid_t new_gid)
+{
+ int ret = 0;
+ gid_t primary_gid;
+ char *username = NULL;
+
+ /* Change the group id. */
+ if (prev_gid != new_gid) {
+ ret = setegid(new_gid);
+ if (ret < 0) {
+ PERROR("Failed to set effective group id: new_gid = %d",
+ (int) new_gid);
+ goto end;
+ }
+ }
+
+ /* Change the user id. */
+ if (prev_uid != new_uid) {
+ ret = get_user_infos_from_uid(new_uid, &username, &primary_gid);
+ if (ret < 0) {
+ goto end;
+ }
+
+ /*
+ * Initialize the supplementary group access list.
+ *
+ * This is needed to handle cases where the supplementary groups
+ * of the user the process is demoting-to would give it access
+ * to a given file/folder, but not it's primary group.
+ *
+ * e.g
+ * username: User1
+ * Primary Group: User1
+ * Secondary group: Disk, Network
+ *
+ * mkdir inside the following directory must work since User1
+ * is part of the Network group.
+ *
+ * drwxrwx--- 2 root Network 4096 Jul 23 17:17 /tmp/my_folder/
+ *
+ *
+ * The order of the following initgroups and seteuid calls is
+ * important here;
+ * Only a root process or one with CAP_SETGID capability can
+ * call the the initgroups() function. We must initialize the
+ * supplementary groups before we change the effective
+ * UID to a less-privileged user.
+ */
+ ret = initgroups(username, primary_gid);
+ if (ret < 0) {
+ PERROR("Failed to init the supplementary group access list: "
+ "username = `%s`, primary gid = %d", username,
+ (int) primary_gid);
+ goto end;
+ }
+
+ ret = seteuid(new_uid);
+ if (ret < 0) {
+ PERROR("Failed to set effective user id: new_uid = %d",
+ (int) new_uid);
+ goto end;
+ }
+ }
+end:
+ free(username);
+ return ret;
+}
+
+static int promote_creds(
+ uid_t prev_uid, gid_t prev_gid, uid_t new_uid, gid_t new_gid)
+{
+ int ret = 0;
+ gid_t primary_gid;
+ char *username = NULL;
+
+ /* Change the group id. */
+ if (prev_gid != new_gid) {
+ ret = setegid(new_gid);
+ if (ret < 0) {
+ PERROR("Failed to set effective group id: new_gid = %d",
+ (int) new_gid);
+ goto end;
+ }
+ }
+
+ /* Change the user id. */
+ if (prev_uid != new_uid) {
+ ret = get_user_infos_from_uid(new_uid, &username, &primary_gid);
+ if (ret < 0) {
+ goto end;
+ }
+
+ /*
+ * seteuid call must be done before the initgroups call because
+ * we need to be privileged (CAP_SETGID) to call initgroups().
+ */
+ ret = seteuid(new_uid);
+ if (ret < 0) {
+ PERROR("Failed to set effective user id: new_uid = %d",
+ (int) new_uid);
+ goto end;
+ }
+
+ /*
+ * Initialize the supplementary group access list.
+ *
+ * There is a possibility the groups we set in the following
+ * initgroups() call are not exactly the same as the ones we
+ * had when we originally demoted. This can happen if the
+ * /etc/group file is modified after the runas process is
+ * forked. This is very unlikely.
+ */
+ ret = initgroups(username, primary_gid);
+ if (ret < 0) {
+ PERROR("Failed to init the supplementary group access "
+ "list: username = `%s`, primary gid = %d",
+ username, (int) primary_gid)
+ goto end;
+ }
+ }
+end:
+ free(username);
+ return ret;
+}
+