summaryrefslogtreecommitdiff
path: root/hurd
diff options
context:
space:
mode:
authorRoland McGrath <roland@gnu.org>2002-05-13 01:27:28 +0000
committerRoland McGrath <roland@gnu.org>2002-05-13 01:27:28 +0000
commit98e1c93a21612537733b52036a425b043bbf37b3 (patch)
tree4a2f0b9e20e9dfa2c662b6a8afb2fc957424fc51 /hurd
parent8f7500ba69f151f9bca511456bb361d2a5621322 (diff)
downloadglibc-98e1c93a21612537733b52036a425b043bbf37b3.tar.gz
2002-05-12 Roland McGrath <roland@frob.com>
* hurd/hurdexec.c (_hurd_exec): Reauthenticate ports/dtable used in file_exec to effect svuid=euid, svgid=egid if that is not a no-op.
Diffstat (limited to 'hurd')
-rw-r--r--hurd/hurdexec.c229
1 files changed, 190 insertions, 39 deletions
diff --git a/hurd/hurdexec.c b/hurd/hurdexec.c
index 510eca83e5..beae869cf1 100644
--- a/hurd/hurdexec.c
+++ b/hurd/hurdexec.c
@@ -1,4 +1,5 @@
-/* Copyright (C) 1991,92,93,94,95,96,97,99,2001 Free Software Foundation, Inc.
+/* Copyright (C) 1991,92,93,94,95,96,97,99,2001,02
+ Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@@ -25,6 +26,7 @@
#include <hurd.h>
#include <hurd/fd.h>
#include <hurd/signal.h>
+#include <hurd/id.h>
#include <assert.h>
#include <argz.h>
@@ -41,12 +43,17 @@ _hurd_exec (task_t task, file_t file,
int ints[INIT_INT_MAX];
mach_port_t ports[_hurd_nports];
struct hurd_userlink ulink_ports[_hurd_nports];
+ inline void free_port (unsigned int i)
+ {
+ _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]);
+ }
file_t *dtable;
unsigned int dtablesize, i;
struct hurd_port **dtable_cells;
struct hurd_userlink *ulink_dtable;
struct hurd_sigstate *ss;
mach_port_t *please_dealloc, *pdp;
+ int reauth = 0;
/* XXX needs to be hurdmalloc XXX */
if (argv == NULL)
@@ -67,7 +74,7 @@ _hurd_exec (task_t task, file_t file,
if (err = __USEPORT (PROC, __proc_task2proc (port, task, &ports[i])))
{
while (--i > 0)
- _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]);
+ free_port (i);
goto outenv;
}
}
@@ -132,7 +139,7 @@ _hurd_exec (task_t task, file_t file,
them, the new program would have duplicate user references for them.
But we cannot deallocate them ourselves, because we must still have
them after a failed exec call. */
- please_dealloc = __alloca ((_hurd_nports + (2 * dtablesize))
+ please_dealloc = __alloca ((_hurd_nports + 3 + (3 * dtablesize))
* sizeof (mach_port_t));
else
please_dealloc = NULL;
@@ -190,55 +197,199 @@ _hurd_exec (task_t task, file_t file,
while (dtablesize > 0 && dtable[dtablesize - 1] == MACH_PORT_NULL)
--dtablesize;
- /* The information is all set up now. Try to exec the file. */
+ /* See if we need to diddle the auth port of the new program.
+ The purpose of this is to get the effect setting the saved-set UID and
+ GID to the respective effective IDs after the exec, as POSIX.1 requires.
+ Note that we don't reauthenticate with the proc server; that would be a
+ no-op since it only keeps track of the effective UIDs, and if it did
+ keep track of the available IDs we would have the problem that we'd be
+ changing the IDs before the exec and have to change them back after a
+ failure. Arguably we could skip all the reauthentications because the
+ available IDs have no bearing on any filesystem. But the conservative
+ approach is to reauthenticate all the io ports so that no state anywhere
+ reflects that our whole ID set differs from what we've set it to. */
+ __mutex_lock (&_hurd_id.lock);
+ err = _hurd_check_ids ();
+ if (err == 0 && ((_hurd_id.aux.nuids >= 2 && _hurd_id.gen.nuids >= 1
+ && _hurd_id.aux.uids[1] != _hurd_id.gen.uids[0])
+ || (_hurd_id.aux.ngids >= 2 && _hurd_id.gen.ngids >= 1
+ && _hurd_id.aux.gids[1] != _hurd_id.gen.gids[0])))
+ {
+ /* We have euid != svuid or egid != svgid. POSIX.1 says that exec
+ sets svuid = euid and svgid = egid. So we must get a new auth
+ port and reauthenticate everything with it. We'll pass the new
+ ports in file_exec instead of our own ports. */
- {
- int flags;
+ auth_t newauth;
- if (pdp)
- {
- /* Request the exec server to deallocate some ports from us if the exec
- succeeds. The init ports and descriptor ports will arrive in the
- new program's exec_startup message. If we failed to deallocate
- them, the new program would have duplicate user references for them.
- But we cannot deallocate them ourselves, because we must still have
- them after a failed exec call. */
-
- for (i = 0; i < _hurd_nports; ++i)
- *pdp++ = ports[i];
- for (i = 0; i < dtablesize; ++i)
- *pdp++ = dtable[i];
- }
+ _hurd_id.aux.uids[1] = _hurd_id.gen.uids[0];
+ _hurd_id.aux.gids[1] = _hurd_id.gen.gids[0];
+ _hurd_id.valid = 0;
+ if (_hurd_id.rid_auth != MACH_PORT_NULL)
+ {
+ __mach_port_deallocate (__mach_task_self (), _hurd_id.rid_auth);
+ _hurd_id.rid_auth = MACH_PORT_NULL;
+ }
+
+ err = __auth_makeauth (ports[INIT_PORT_AUTH],
+ NULL, MACH_MSG_TYPE_COPY_SEND, 0,
+ _hurd_id.gen.uids, _hurd_id.gen.nuids,
+ _hurd_id.aux.uids, _hurd_id.aux.nuids,
+ _hurd_id.gen.gids, _hurd_id.gen.ngids,
+ _hurd_id.aux.gids, _hurd_id.aux.ngids,
+ &newauth);
+ if (err == 0)
+ {
+ /* Now we have to reauthenticate the ports with this new ID.
+ */
+
+ inline error_t reauth_io (io_t port, io_t *newport)
+ {
+ mach_port_t ref = __mach_reply_port ();
+ *newport = MACH_PORT_NULL;
+ error_t err = __io_reauthenticate (port,
+ ref, MACH_MSG_TYPE_MAKE_SEND);
+ if (!err)
+ err = __auth_user_authenticate (newauth,
+ ref, MACH_MSG_TYPE_MAKE_SEND,
+ newport);
+ __mach_port_destroy (__mach_task_self (), ref);
+ return err;
+ }
+ inline void reauth_port (unsigned int idx)
+ {
+ io_t newport;
+ err = reauth_io (ports[idx], &newport) ?: err;
+ if (pdp)
+ *pdp++ = ports[idx]; /* XXX presumed still in _hurd_ports */
+ free_port (idx);
+ ports[idx] = newport;
+ }
+
+ if (pdp)
+ *pdp++ = ports[INIT_PORT_AUTH];
+ free_port (INIT_PORT_AUTH);
+ ports[INIT_PORT_AUTH] = newauth;
+
+ reauth_port (INIT_PORT_CRDIR);
+ reauth_port (INIT_PORT_CWDIR);
+
+ if (!err)
+ {
+ /* Now we'll reauthenticate each file descriptor. */
+ if (ulink_dtable == NULL)
+ {
+ assert (dtable == _hurd_init_dtable);
+ dtable = __alloca (dtablesize * sizeof (dtable[0]));
+ for (i = 0; i < dtablesize; ++i)
+ if (_hurd_init_dtable[i] != MACH_PORT_NULL)
+ {
+ if (pdp)
+ *pdp++ = _hurd_init_dtable[i];
+ err = reauth_io (_hurd_init_dtable[i], &dtable[i]);
+ if (err)
+ {
+ while (++i < dtablesize)
+ dtable[i] = MACH_PORT_NULL;
+ break;
+ }
+ }
+ else
+ dtable[i] = MACH_PORT_NULL;
+ }
+ else
+ {
+ if (pdp)
+ {
+ /* Ask to deallocate all the old fd ports,
+ since we will have new ones in DTABLE. */
+ memcpy (pdp, dtable, dtablesize * sizeof pdp[0]);
+ pdp += dtablesize;
+ }
+ for (i = 0; i < dtablesize; ++i)
+ if (dtable[i] != MACH_PORT_NULL)
+ {
+ io_t newport;
+ err = reauth_io (dtable[i], &newport);
+ _hurd_port_free (dtable_cells[i], &ulink_dtable[i],
+ dtable[i]);
+ dtable[i] = newport;
+ if (err)
+ {
+ while (++i < dtablesize)
+ _hurd_port_free (dtable_cells[i],
+ &ulink_dtable[i], dtable[i]);
+ break;
+ }
+ }
+ ulink_dtable = NULL;
+ dtable_cells = NULL;
+ }
+ }
+ }
+
+ reauth = 1;
+ }
+ __mutex_unlock (&_hurd_id.lock);
+
+ /* The information is all set up now. Try to exec the file. */
+ if (!err)
+ {
+ int flags;
- flags = 0;
+ if (pdp)
+ {
+ /* Request the exec server to deallocate some ports from us if
+ the exec succeeds. The init ports and descriptor ports will
+ arrive in the new program's exec_startup message. If we
+ failed to deallocate them, the new program would have
+ duplicate user references for them. But we cannot deallocate
+ them ourselves, because we must still have them after a failed
+ exec call. */
+
+ for (i = 0; i < _hurd_nports; ++i)
+ *pdp++ = ports[i];
+ for (i = 0; i < dtablesize; ++i)
+ *pdp++ = dtable[i];
+ }
+
+ flags = 0;
#ifdef EXEC_SIGTRAP
- /* PTRACE_TRACEME sets all bits in _hurdsig_traced, which is propagated
- through exec by INIT_TRACEMASK, so this checks if PTRACE_TRACEME has
- been called in this process in any of its current or prior lives. */
- if (__sigismember (&_hurdsig_traced, SIGKILL))
- flags |= EXEC_SIGTRAP;
+ /* PTRACE_TRACEME sets all bits in _hurdsig_traced, which is
+ propagated through exec by INIT_TRACEMASK, so this checks if
+ PTRACE_TRACEME has been called in this process in any of its
+ current or prior lives. */
+ if (__sigismember (&_hurdsig_traced, SIGKILL))
+ flags |= EXEC_SIGTRAP;
#endif
- err = __file_exec (file, task, flags,
- args, argslen, env, envlen,
- dtable, MACH_MSG_TYPE_COPY_SEND, dtablesize,
- ports, MACH_MSG_TYPE_COPY_SEND, _hurd_nports,
- ints, INIT_INT_MAX,
- please_dealloc, pdp - please_dealloc,
- &_hurd_msgport, task == __mach_task_self () ? 1 : 0);
- }
+ err = __file_exec (file, task, flags,
+ args, argslen, env, envlen,
+ dtable, MACH_MSG_TYPE_COPY_SEND, dtablesize,
+ ports, MACH_MSG_TYPE_COPY_SEND, _hurd_nports,
+ ints, INIT_INT_MAX,
+ please_dealloc, pdp - please_dealloc,
+ &_hurd_msgport, task == __mach_task_self () ? 1 : 0);
+ }
/* Release references to the standard ports. */
for (i = 0; i < _hurd_nports; ++i)
- if (i == INIT_PORT_PROC && task != __mach_task_self ())
+ if ((i == INIT_PORT_PROC && task != __mach_task_self ())
+ || (reauth && (i == INIT_PORT_AUTH
+ || i == INIT_PORT_CRDIR || i == INIT_PORT_CWDIR)))
__mach_port_deallocate (__mach_task_self (), ports[i]);
else
- _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]);
+ free_port (i);
+ /* Release references to the file descriptor ports. */
if (ulink_dtable != NULL)
- /* Release references to the file descriptor ports. */
+ {
+ for (i = 0; i < dtablesize; ++i)
+ if (dtable[i] != MACH_PORT_NULL)
+ _hurd_port_free (dtable_cells[i], &ulink_dtable[i], dtable[i]);
+ }
+ else if (dtable && dtable != _hurd_init_dtable)
for (i = 0; i < dtablesize; ++i)
- if (dtable[i] != MACH_PORT_NULL)
- _hurd_port_free (dtable_cells[i], &ulink_dtable[i], dtable[i]);
+ __mach_port_deallocate (__mach_task_self (), dtable[i]);
/* Release lock on the file descriptor table. */
__mutex_unlock (&_hurd_dtable_lock);