*/
#define _LGPL_SOURCE
+#include <assert.h>
+#include <fcntl.h>
+#include <grp.h>
#include <limits.h>
+#include <pwd.h>
+#include <sched.h>
+#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <sys/wait.h>
-#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
#include <unistd.h>
-#include <fcntl.h>
-#include <sched.h>
-#include <signal.h>
-#include <assert.h>
-#include <signal.h>
+#include <common/bytecode/bytecode.h>
#include <common/lttng-kernel.h>
#include <common/common.h>
#include <common/utils.h>
#include <common/sessiond-comm/sessiond-comm.h>
#include <common/filter/filter-ast.h>
-#include <common/filter/filter-bytecode.h>
#include "runas.h"
+#define GETPW_BUFFER_FALLBACK_SIZE 4096
+
struct run_as_data;
struct run_as_ret;
typedef int (*run_as_fct)(struct run_as_data *data, struct run_as_ret *ret_value);
struct run_as_extract_sdt_probe_offsets_ret {
uint32_t num_offset;
- uint64_t offsets[LTTNG_KERNEL_MAX_UPROBE_NUM];
+ uint64_t offsets[LTTNG_KERNEL_ABI_MAX_UPROBE_NUM];
} LTTNG_PACKED;
struct run_as_generate_filter_bytecode_ret {
goto end;
}
- if (num_offset <= 0 || num_offset > LTTNG_KERNEL_MAX_UPROBE_NUM) {
+ if (num_offset <= 0 || num_offset > LTTNG_KERNEL_ABI_MAX_UPROBE_NUM) {
DBG("Wrong number of probes.");
ret = -1;
ret_value->_error = true;
for (i = 0; i < fd_count; i++) {
if (fds[i] < 0) {
- ERR("Attempt to send invalid file descriptor to master (fd = %i)",
+ DBG("Attempt to send invalid file descriptor (fd = %i)",
fds[i]);
/* Return 0 as this is not a fatal error. */
return 0;
}
for (i = 0; i < COMMAND_OUT_FD_COUNT(cmd); i++) {
- int ret_close = close(COMMAND_OUT_FDS(cmd, run_as_ret)[i]);
+ int fd = COMMAND_OUT_FDS(cmd, run_as_ret)[i];
+ if (fd >= 0) {
+ int ret_close = close(fd);
- if (ret_close < 0) {
- PERROR("Failed to close result file descriptor");
+ if (ret_close < 0) {
+ PERROR("Failed to close result file descriptor (fd = %i)",
+ fd);
+ }
}
}
end:
return ret;
}
+static int get_user_infos_from_uid(
+ uid_t uid, char **username, gid_t *primary_gid)
+{
+ int ret;
+ char *buf = NULL;
+ long raw_get_pw_buf_size;
+ size_t get_pw_buf_size;
+ struct passwd pwd;
+ struct passwd *result = NULL;
+
+ /* Fetch the max size for the temporary buffer. */
+ errno = 0;
+ raw_get_pw_buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (raw_get_pw_buf_size < 0) {
+ if (errno != 0) {
+ PERROR("Failed to query _SC_GETPW_R_SIZE_MAX");
+ goto error;
+ }
+
+ /* Limit is indeterminate. */
+ WARN("Failed to query _SC_GETPW_R_SIZE_MAX as it is "
+ "indeterminate; falling back to default buffer size");
+ raw_get_pw_buf_size = GETPW_BUFFER_FALLBACK_SIZE;
+ }
+
+ get_pw_buf_size = (size_t) raw_get_pw_buf_size;
+
+ buf = zmalloc(get_pw_buf_size);
+ if (buf == NULL) {
+ PERROR("Failed to allocate buffer to get password file entries");
+ goto error;
+ }
+
+ ret = getpwuid_r(uid, &pwd, buf, get_pw_buf_size, &result);
+ if (ret < 0) {
+ PERROR("Failed to get user information for user: uid = %d",
+ (int) uid);
+ goto error;
+ }
+
+ if (result == NULL) {
+ ERR("Failed to find user information in password entries: uid = %d",
+ (int) uid);
+ ret = -1;
+ goto error;
+ }
+
+ *username = strdup(result->pw_name);
+ if (*username == NULL) {
+ PERROR("Failed to copy user name");
+ goto error;
+ }
+
+ *primary_gid = result->pw_gid;
+
+end:
+ free(buf);
+ return ret;
+error:
+ *username = NULL;
+ *primary_gid = -1;
+ ret = -1;
+ goto end;
+}
+
+static int demote_creds(
+ uid_t prev_uid, gid_t prev_gid, uid_t new_uid, gid_t new_gid)
+{
+ int ret = 0;
+ gid_t primary_gid;
+ char *username = NULL;
+
+ /* Change the group id. */
+ if (prev_gid != new_gid) {
+ ret = setegid(new_gid);
+ if (ret < 0) {
+ PERROR("Failed to set effective group id: new_gid = %d",
+ (int) new_gid);
+ goto end;
+ }
+ }
+
+ /* Change the user id. */
+ if (prev_uid != new_uid) {
+ ret = get_user_infos_from_uid(new_uid, &username, &primary_gid);
+ if (ret < 0) {
+ goto end;
+ }
+
+ /*
+ * Initialize the supplementary group access list.
+ *
+ * This is needed to handle cases where the supplementary groups
+ * of the user the process is demoting-to would give it access
+ * to a given file/folder, but not it's primary group.
+ *
+ * e.g
+ * username: User1
+ * Primary Group: User1
+ * Secondary group: Disk, Network
+ *
+ * mkdir inside the following directory must work since User1
+ * is part of the Network group.
+ *
+ * drwxrwx--- 2 root Network 4096 Jul 23 17:17 /tmp/my_folder/
+ *
+ *
+ * The order of the following initgroups and seteuid calls is
+ * important here;
+ * Only a root process or one with CAP_SETGID capability can
+ * call the the initgroups() function. We must initialize the
+ * supplementary groups before we change the effective
+ * UID to a less-privileged user.
+ */
+ ret = initgroups(username, primary_gid);
+ if (ret < 0) {
+ PERROR("Failed to init the supplementary group access list: "
+ "username = `%s`, primary gid = %d", username,
+ (int) primary_gid);
+ goto end;
+ }
+
+ ret = seteuid(new_uid);
+ if (ret < 0) {
+ PERROR("Failed to set effective user id: new_uid = %d",
+ (int) new_uid);
+ goto end;
+ }
+ }
+end:
+ free(username);
+ return ret;
+}
+
+static int promote_creds(
+ uid_t prev_uid, gid_t prev_gid, uid_t new_uid, gid_t new_gid)
+{
+ int ret = 0;
+ gid_t primary_gid;
+ char *username = NULL;
+
+ /* Change the group id. */
+ if (prev_gid != new_gid) {
+ ret = setegid(new_gid);
+ if (ret < 0) {
+ PERROR("Failed to set effective group id: new_gid = %d",
+ (int) new_gid);
+ goto end;
+ }
+ }
+
+ /* Change the user id. */
+ if (prev_uid != new_uid) {
+ ret = get_user_infos_from_uid(new_uid, &username, &primary_gid);
+ if (ret < 0) {
+ goto end;
+ }
+
+ /*
+ * seteuid call must be done before the initgroups call because
+ * we need to be privileged (CAP_SETGID) to call initgroups().
+ */
+ ret = seteuid(new_uid);
+ if (ret < 0) {
+ PERROR("Failed to set effective user id: new_uid = %d",
+ (int) new_uid);
+ goto end;
+ }
+
+ /*
+ * Initialize the supplementary group access list.
+ *
+ * There is a possibility the groups we set in the following
+ * initgroups() call are not exactly the same as the ones we
+ * had when we originally demoted. This can happen if the
+ * /etc/group file is modified after the runas process is
+ * forked. This is very unlikely.
+ */
+ ret = initgroups(username, primary_gid);
+ if (ret < 0) {
+ PERROR("Failed to init the supplementary group access "
+ "list: username = `%s`, primary gid = %d",
+ username, (int) primary_gid)
+ goto end;
+ }
+ }
+end:
+ free(username);
+ return ret;
+}
+
/*
* Return < 0 on error, 0 if OK, 1 on hangup.
*/
static
int handle_one_cmd(struct run_as_worker *worker)
{
- int ret = 0;
+ int ret = 0, promote_ret;
struct run_as_data data = {};
ssize_t readlen, writelen;
struct run_as_ret sendret = {};
run_as_fct cmd;
- uid_t prev_euid;
+ const uid_t prev_ruid = getuid();
+ const gid_t prev_rgid = getgid();
/*
* Stage 1: Receive run_as_data struct from the master.
goto end;
}
- prev_euid = getuid();
- if (data.gid != getegid()) {
- ret = setegid(data.gid);
- if (ret < 0) {
- sendret._error = true;
- sendret._errno = errno;
- PERROR("setegid");
- goto write_return;
- }
- }
- if (data.uid != prev_euid) {
- ret = seteuid(data.uid);
- if (ret < 0) {
- sendret._error = true;
- sendret._errno = errno;
- PERROR("seteuid");
- goto write_return;
- }
+ ret = demote_creds(prev_ruid, prev_rgid, data.uid, data.gid);
+ if (ret < 0) {
+ goto write_return;
}
/*
ret = cleanup_received_fds(&data);
if (ret < 0) {
ERR("Error cleaning up FD");
- goto end;
+ goto promote_back;
}
/*
if (writelen < sizeof(sendret)) {
PERROR("lttcomm_send_unix_sock error");
ret = -1;
- goto end;
+ goto promote_back;
}
/*
ret = send_fds_to_master(worker, data.cmd, &sendret);
if (ret < 0) {
DBG("Sending FD to master returned an error");
- goto end;
}
- if (seteuid(prev_euid) < 0) {
- PERROR("seteuid");
- ret = -1;
- goto end;
- }
ret = 0;
+
+promote_back:
+ /* Return to previous uid/gid. */
+ promote_ret = promote_creds(data.uid, data.gid, prev_ruid, prev_rgid);
+ if (promote_ret < 0) {
+ ERR("Failed to promote back to the initial credentials");
+ }
+
end:
return ret;
}
reset_sighandler();
set_worker_sighandlers();
+
+ logger_set_thread_name("Run-as worker", true);
+
if (clean_up_func) {
if (clean_up_func(clean_up_user_data) < 0) {
ERR("Run-as post-fork clean-up failed, exiting.");
LTTNG_HIDDEN
int run_as_generate_filter_bytecode(const char *filter_expression,
- uid_t uid,
- gid_t gid,
- struct lttng_filter_bytecode **bytecode)
+ const struct lttng_credentials *creds,
+ struct lttng_bytecode **bytecode)
{
int ret;
struct run_as_data data = {};
struct run_as_ret run_as_ret = {};
- const struct lttng_filter_bytecode *view_bytecode = NULL;
- struct lttng_filter_bytecode *local_bytecode = NULL;
+ const struct lttng_bytecode *view_bytecode = NULL;
+ struct lttng_bytecode *local_bytecode = NULL;
+ const uid_t uid = lttng_credentials_get_uid(creds);
+ const gid_t gid = lttng_credentials_get_gid(creds);
DBG3("generate_filter_bytecode() from expression=\"%s\" for uid %d and gid %d",
filter_expression, (int) uid, (int) gid);
goto error;
}
- view_bytecode = (const struct lttng_filter_bytecode *) run_as_ret.u.generate_filter_bytecode.bytecode;
+ view_bytecode = (const struct lttng_bytecode *) run_as_ret.u.generate_filter_bytecode.bytecode;
local_bytecode = zmalloc(sizeof(*local_bytecode) + view_bytecode->len);
if (!local_bytecode) {