X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/eed65c79322c3c79facdea44ce39033b21972e36..68ba0b7f4e1c03edfb6f621e7e7314ea610af96b:/apt-pkg/contrib/fileutl.cc?ds=sidebyside diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 8e7313e8f..f6351b7b5 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -857,11 +857,7 @@ bool ExecWait(pid_t Pid,const char *Name,bool Reap) return true; } /*}}}*/ - - -// StartsWithGPGClearTextSignature - Check if a file is Pgp/GPG clearsigned /*{{{*/ -// --------------------------------------------------------------------- -/* */ +// StartsWithGPGClearTextSignature - Check if a file is Pgp/GPG clearsigned /*{{{*/ bool StartsWithGPGClearTextSignature(string const &FileName) { static const char* SIGMSG = "-----BEGIN PGP SIGNED MESSAGE-----\n"; @@ -877,7 +873,7 @@ bool StartsWithGPGClearTextSignature(string const &FileName) return true; } - + /*}}}*/ class FileFdPrivate { /*{{{*/ public: @@ -896,7 +892,7 @@ class FileFdPrivate { /*{{{*/ bool eof; bool compressing; - LZMAFILE() : file(NULL), eof(false), compressing(false) {} + LZMAFILE() : file(NULL), eof(false), compressing(false) { buffer[0] = '\0'; } ~LZMAFILE() { if (compressing == true) { @@ -1525,7 +1521,7 @@ bool FileFd::Read(void *To,unsigned long long Size,unsigned long long *Actual) int err; char const * const errmsg = BZ2_bzerror(d->bz2, &err); if (err != BZ_IO_ERROR) - return FileFdError("BZ2_bzread: %s (%d: %s)", _("Read error"), err, errmsg); + return FileFdError("BZ2_bzread: %s %s (%d: %s)", FileName.c_str(), _("Read error"), err, errmsg); } #endif #ifdef HAVE_LZMA @@ -2035,10 +2031,7 @@ APT_DEPRECATED gzFile FileFd::gzFd() { #endif } - -// Glob - wrapper around "glob()" /*{{{*/ -// --------------------------------------------------------------------- -/* */ +// Glob - wrapper around "glob()" /*{{{*/ std::vector Glob(std::string const &pattern, int flags) { std::vector result; @@ -2064,8 +2057,7 @@ std::vector Glob(std::string const &pattern, int flags) return result; } /*}}}*/ - -std::string GetTempDir() +std::string GetTempDir() /*{{{*/ { const char *tmpdir = getenv("TMPDIR"); @@ -2081,8 +2073,8 @@ std::string GetTempDir() return string(tmpdir); } - -FileFd* GetTempFile(std::string const &Prefix, bool ImmediateUnlink) + /*}}}*/ +FileFd* GetTempFile(std::string const &Prefix, bool ImmediateUnlink) /*{{{*/ { char fn[512]; FileFd *Fd = new FileFd(); @@ -2106,19 +2098,19 @@ FileFd* GetTempFile(std::string const &Prefix, bool ImmediateUnlink) return Fd; } - -bool Rename(std::string From, std::string To) + /*}}}*/ +bool Rename(std::string From, std::string To) /*{{{*/ { if (rename(From.c_str(),To.c_str()) != 0) { _error->Error(_("rename failed, %s (%s -> %s)."),strerror(errno), From.c_str(),To.c_str()); return false; - } + } return true; } - -bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode) + /*}}}*/ +bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode)/*{{{*/ { int fd; if (Mode != FileFd::ReadOnly && Mode != FileFd::WriteOnly) @@ -2126,10 +2118,8 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode) int Pipe[2] = {-1, -1}; if(pipe(Pipe) != 0) - { return _error->Errno("pipe", _("Failed to create subprocess IPC")); - return NULL; - } + std::set keep_fds; keep_fds.insert(Pipe[0]); keep_fds.insert(Pipe[1]); @@ -2172,31 +2162,42 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode) return true; } - -bool DropPrivs() + /*}}}*/ +bool DropPrivileges() /*{{{*/ { - /* uid will be 0 in the end, but gid might be different anyway */ - uid_t old_uid = getuid(); - gid_t old_gid = getgid(); - - if (old_uid != 0) - return true; if(_config->FindB("Debug::NoDropPrivs", false) == true) return true; - const std::string nobody = _config->Find("APT::User::Nobody", "_apt"); - struct passwd *pw = getpwnam(nobody.c_str()); - if (pw == NULL) - return _error->Warning("No user %s, can not drop rights", nobody.c_str()); + // empty setting disables DropPrivilidges - this also ensures + // backward compatibility, see bug #764506 + const std::string toUser = _config->Find("APT::Sandbox::User"); + if (toUser.empty()) + return true; #if __gnu_linux__ - // see prctl(2), needs linux3.5 - int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0,0, 0); - if(ret < 0) +#if defined(PR_SET_NO_NEW_PRIVS) && ( PR_SET_NO_NEW_PRIVS != 38 ) +#error "PR_SET_NO_NEW_PRIVS is defined, but with a different value than expected!" +#endif + // see prctl(2), needs linux3.5 at runtime - magic constant to avoid it at buildtime + int ret = prctl(38, 1, 0, 0, 0); + // ignore EINVAL - kernel is too old to understand the option + if(ret < 0 && errno != EINVAL) _error->Warning("PR_SET_NO_NEW_PRIVS failed with %i", ret); #endif - if (setgroups(1, &pw->pw_gid) != 1) + // uid will be 0 in the end, but gid might be different anyway + uid_t const old_uid = getuid(); + gid_t const old_gid = getgid(); + + if (old_uid != 0) + return true; + + struct passwd *pw = getpwnam(toUser.c_str()); + if (pw == NULL) + return _error->Error("No user %s, can not drop rights", toUser.c_str()); + + // Do not change the order here, it might break things + if (setgroups(1, &pw->pw_gid)) return _error->Errno("setgroups", "Failed to setgroups"); if (setegid(pw->pw_gid) != 0) @@ -2207,27 +2208,20 @@ bool DropPrivs() if (setuid(pw->pw_uid) != 0) return _error->Errno("setuid", "Failed to setuid"); + // the seteuid() is probably uneeded (at least thats what the linux // man-page says about setuid(2)) but we cargo culted it anyway - - if (seteuid(pw->pw_uid) != 0) return _error->Errno("seteuid", "Failed to seteuid"); - /* Try changing GID/EGID */ - if (pw->pw_gid != old_gid && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) - return _error->Error("Could restore a gid to root, privilege dropping did not work"); - - if (pw->pw_uid != old_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) - return _error->Error("Could restore a uid to root, privilege dropping did not work"); - - /* Verify the list of supplementary groups is what we expected */ + // Verify that the user has only a single group, and the correct one gid_t groups[1]; if (getgroups(1, groups) != 1) return _error->Errno("getgroups", "Could not get new groups"); if (groups[0] != pw->pw_gid) return _error->Error("Could not switch group"); - /* Verify gid, egid, uid, and euid */ + + // Verify that gid, egid, uid, and euid changed if (getgid() != pw->pw_gid) return _error->Error("Could not switch group"); if (getegid() != pw->pw_gid) @@ -2237,6 +2231,35 @@ bool DropPrivs() if (geteuid() != pw->pw_uid) return _error->Error("Could not switch effective user"); - /* TODO: Check saved uid/saved gid as well */ +#ifdef HAVE_GETRESUID + // verify that the saved set-user-id was changed as well + uid_t ruid = 0; + uid_t euid = 0; + uid_t suid = 0; + if (getresuid(&ruid, &euid, &suid)) + return _error->Errno("getresuid", "Could not get saved set-user-ID"); + if (suid != pw->pw_uid) + return _error->Error("Could not switch saved set-user-ID"); +#endif + +#ifdef HAVE_GETRESGID + // verify that the saved set-group-id was changed as well + gid_t rgid = 0; + gid_t egid = 0; + gid_t sgid = 0; + if (getresgid(&rgid, &egid, &sgid)) + return _error->Errno("getresuid", "Could not get saved set-group-ID"); + if (sgid != pw->pw_gid) + return _error->Error("Could not switch saved set-group-ID"); +#endif + + // Check that uid and gid changes do not work anymore + if (pw->pw_gid != old_gid && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) + return _error->Error("Could restore a gid to root, privilege dropping did not work"); + + if (pw->pw_uid != old_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) + return _error->Error("Could restore a uid to root, privilege dropping did not work"); + return true; } + /*}}}*/