From evanc@cello.synapse.net Sun Nov 23 01:04:59 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id BAA22682 for ; Sun, 23 Nov 1997 01:04:58 -0500
Received: from cello.synapse.net by MIT.EDU with SMTP id AA21169; Sun, 23 Nov 97 01:04:57 EST
Received: (qmail 10658 invoked by uid 1001); 23 Nov 1997 06:04:49 -0000
Message-Id: <19971123060449.10657.qmail@cello.synapse.net>
Date: 23 Nov 1997 06:04:49 -0000
From: evanc@synapse.net
To: krb5-bugs@MIT.EDU
Cc: evanc@synapse.net
Subject: patch to make krb5 consistently use one set-effective-uid function
X-Send-Pr-Version: 3.99

>Number: 505
>Category: krb5-libs
>Synopsis: patch to make krb5 consistently use one set-effective-uid fn
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Sun Nov 23 01:05:01 EST 1997
>Last-Modified: Sun Feb 22 20:19:05 EST 1998
>Originator: Evan Champion
>Organization:
>Release: krb5-1.0.3
>Environment:
System: FreeBSD cello.synapse.net 3.0-CURRENT FreeBSD 3.0-CURRENT #0: Fri Nov 21 11:09:40 EST 1997 evanc@cello.synapse.net:/usr/src/sys/compile/CELLO i386
>Description:
Kerberos is a little indiscriminate in which set-effective-uid function it uses. Sometimes it is seteuid(), sometimes setreuid(). On platforms where one of the two is broken, this can cause some grief as some things work and others don't... Even in the best case, it means you're using two functions where one could have done the job.

Of the 3 set-effective-uid choices, seteuid() is the only one that is POSIX-approved, so I chose to implement everything in terms of seteuid. From Kerberos' perspective, seteuid() is completely sufficient in all cases.

Portability to platforms that do not contain seteuid() and setegid() is maintained through the inclusion of src/include/seteuid.h. This header includes almost verbatim code that was already in existing modules to redefine seteuid() based on the most appropriate alternate function. Placing the redefinitions in a separate header file ensures consistent implementation.

It would probably be a good idea to include these #defines in k5-int.h instead, but you will have to wrap the whole thing with something like:

#if defined(HAVE_SETEUID) || defined(HAVE_SETREUID) || defined(HAVE_SETRESUID)

as very few makefiles actually define HAVE_SET*UID.

krb5_seteuid() is now unused and was removed.

These patches have been tested on FreeBSD 3.0 and BSD/OS 3.1. As they only standardise the use of definitions already in Kerberos, I do not expect problems with other platforms beyond what may already exist.
>How-To-Repeat:
>Fix:
Diffs plus a new header file, src/include/seteuid.h. The diffs also include a minor patch to do shared libraries on FreeBSD the same way as on NetBSD.

----------------- krb5-seteuid.diff ----------------- diff -r -c 1/krb5-1.0.3/src/appl/bsd/krcp.c krb5-1.0.3/src/appl/bsd/krcp.c *** 1/krb5-1.0.3/src/appl/bsd/krcp.c Mon Nov 17 22:45:37 1997 --- krb5-1.0.3/src/appl/bsd/krcp.c Sat Nov 22 23:48:32 1997 *************** *** 66,77 **** #include #endif ! #ifdef HAVE_SETRESUID ! #ifndef HAVE_SETREUID ! #define HAVE_SETREUID ! #define setreuid(r,e) setresuid(r,e,-1) ! #endif ! #endif #ifndef roundup #define roundup(x,y) ((((x)+(y)-1)/(y))*(y)) #endif --- 66,73 ---- #include #endif ! #include "seteuid.h" !
#ifndef roundup #define roundup(x,y) ((((x)+(y)-1)/(y))*(y)) #endif *************** *** 546,558 **** } euid = geteuid(); - #ifdef HAVE_SETREUID - if (euid == 0) - (void) setreuid(0, userid); - sink(1, argv+argc-1); - if (euid == 0) - (void) setreuid(userid, 0); - #else if (euid == 0) { (void) setuid(0); if(seteuid(userid)) { --- 542,547 ---- *************** *** 565,581 **** perror("rcp seteuid 0"); errs++; exit(errs); } } - #endif #else rem = rcmd(&host, port, pwd->pw_name, suser, buf, 0); if (rem < 0) continue; - #ifdef HAVE_SETREUID - (void) setreuid(0, userid); - sink(1, argv+argc-1); - (void) setreuid(userid, 0); - #else (void) setuid(0); if(seteuid(userid)) { perror("rcp seteuid user"); errs++; exit(errs); --- 554,564 ---- *************** *** 584,590 **** if(seteuid(0)) { perror("rcp seteuid 0"); errs++; exit(errs); } - #endif #endif /* KERBEROS */ (void) close(rem); rem = -1; --- 567,572 ---- diff -r -c 1/krb5-1.0.3/src/appl/bsd/v4rcp.c krb5-1.0.3/src/appl/bsd/v4rcp.c *** 1/krb5-1.0.3/src/appl/bsd/v4rcp.c Mon Nov 17 22:45:38 1997 --- krb5-1.0.3/src/appl/bsd/v4rcp.c Sat Nov 22 22:40:20 1997 *************** *** 265,276 **** #define vfork fork #endif - #ifdef hpux - #define setreuid(r,e) setresuid(r,e,-1) - #endif - #ifdef __svr4__ - #define setreuid(r,e) setuid(r) - #endif #ifndef roundup #define roundup(x,y) ((((x)+(y)-1)/(y))*(y)) #endif --- 265,270 ---- diff -r -c 1/krb5-1.0.3/src/appl/gssftp/ftpd/ftpd.c krb5-1.0.3/src/appl/gssftp/ftpd/ftpd.c *** 1/krb5-1.0.3/src/appl/gssftp/ftpd/ftpd.c Mon Nov 17 22:45:46 1997 --- krb5-1.0.3/src/appl/gssftp/ftpd/ftpd.c Sat Nov 22 23:50:28 1997 *************** *** 101,112 **** extern char *mktemp (); ! #ifndef HAVE_SETEUID ! #ifdef HAVE_SETRESUID ! #define seteuid(e) setresuid(-1,e,-1) ! #define setegid(e) setresgid(-1,e,-1) ! #endif ! #endif #ifdef STDARG extern reply(int, char *, ...); --- 101,107 ---- extern char *mktemp (); ! 
#include "seteuid.h" #ifdef STDARG extern reply(int, char *, ...); diff -r -c 1/krb5-1.0.3/src/clients/ksu/ccache.c krb5-1.0.3/src/clients/ksu/ccache.c *** 1/krb5-1.0.3/src/clients/ksu/ccache.c Mon Nov 17 22:46:18 1997 --- krb5-1.0.3/src/clients/ksu/ccache.c Sat Nov 22 22:57:28 1997 *************** *** 28,33 **** --- 28,35 ---- #include "ksu.h" #include "adm_proto.h" + #include "seteuid.h" + /****************************************************************** krb5_cache_copy *************** *** 93,99 **** return EINVAL; } ! if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { return errno; } --- 95,101 ---- return EINVAL; } ! if (seteuid(0)||seteuid(target_uid)) { return errno; } *************** *** 681,687 **** return EINVAL; } ! if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { return errno; } --- 683,689 ---- return EINVAL; } ! if (seteuid(0)||seteuid(target_uid)) { return errno; } diff -r -c 1/krb5-1.0.3/src/clients/ksu/configure krb5-1.0.3/src/clients/ksu/configure *** 1/krb5-1.0.3/src/clients/ksu/configure Mon Nov 17 22:52:52 1997 --- krb5-1.0.3/src/clients/ksu/configure Sat Nov 22 23:24:43 1997 *************** *** 531,537 **** fi ! ac_reltopdir=../../. case "$ac_reltopdir" in /*) echo "Configure script built with absolute localdir pathname" --- 531,537 ---- fi ! ac_reltopdir=./../.. case "$ac_reltopdir" in /*) echo "Configure script built with absolute localdir pathname" *************** *** 1181,1187 **** fi ! for ac_func in getusershell lstat do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then --- 1181,1187 ---- fi ! for ac_func in getusershell lstat seteuid setreuid setresuid do echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then *************** *** 1328,1336 **** done - kutil_deplib="\$(TOPLIBD)/libkrb5util.a" - kutil_lib=-lkrb5util - save_LIBS="$LIBS" LIBS=-lgen for ac_func in compile step --- 1328,1333 ---- *************** *** 1340,1346 **** echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; }; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else --- 1361,1367 ---- ; return 0; } EOF ! if { (eval echo configure:1365: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else diff -r -c 1/krb5-1.0.3/src/clients/ksu/configure.in krb5-1.0.3/src/clients/ksu/configure.in *** 1/krb5-1.0.3/src/clients/ksu/configure.in Mon Nov 17 22:46:18 1997 --- krb5-1.0.3/src/clients/ksu/configure.in Sat Nov 22 23:16:16 1997 *************** *** 3,11 **** AC_PROG_INSTALL USE_ANAME AC_HEADER_STDARG ! AC_CHECK_FUNCS(getusershell lstat ) AC_CHECK_HEADERS(unistd.h) - USE_KRB5UTIL_LIBRARY KRB5_LIBRARIES V5_USE_SHARED_LIB V5_AC_OUTPUT_MAKEFILE --- 3,10 ---- AC_PROG_INSTALL USE_ANAME AC_HEADER_STDARG ! AC_CHECK_FUNCS(getusershell lstat seteuid setreuid setresuid) AC_CHECK_HEADERS(unistd.h) KRB5_LIBRARIES V5_USE_SHARED_LIB V5_AC_OUTPUT_MAKEFILE diff -r -c 1/krb5-1.0.3/src/clients/ksu/heuristic.c krb5-1.0.3/src/clients/ksu/heuristic.c *** 1/krb5-1.0.3/src/clients/ksu/heuristic.c Mon Nov 17 22:46:18 1997 --- krb5-1.0.3/src/clients/ksu/heuristic.c Sat Nov 22 23:55:44 1997 *************** *** 27,37 **** #include "ksu.h" #ifdef HAVE_UNISTD_H #include #endif - /******************************************************************* get_all_princ_from_file - retrieves all principal names from file pointed to by fp. 
--- 27,38 ---- #include "ksu.h" + #include "seteuid.h" + #ifdef HAVE_UNISTD_H #include #endif /******************************************************************* get_all_princ_from_file - retrieves all principal names from file pointed to by fp. *************** *** 596,602 **** } /* Become root, then target for looking at .k5login.*/ ! if (krb5_seteuid(0) || krb5_seteuid(target_uid) ) { return errno; } --- 597,603 ---- } /* Become root, then target for looking at .k5login.*/ ! if (seteuid(0) || seteuid(target_uid) ) { return errno; } diff -r -c 1/krb5-1.0.3/src/clients/ksu/krb_auth_su.c krb5-1.0.3/src/clients/ksu/krb_auth_su.c *** 1/krb5-1.0.3/src/clients/ksu/krb_auth_su.c Mon Nov 17 22:46:19 1997 --- krb5-1.0.3/src/clients/ksu/krb_auth_su.c Sat Nov 22 22:57:46 1997 *************** *** 26,31 **** --- 26,33 ---- */ #include "ksu.h" + + #include "seteuid.h" static krb5_error_code krb5_verify_tkt_def PROTOTYPE((krb5_context, *************** *** 144,150 **** if (! got_it){ #ifdef GET_TGT_VIA_PASSWD ! if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { com_err("ksu", errno, "while switching to target uid"); return FALSE; } --- 146,152 ---- if (! got_it){ #ifdef GET_TGT_VIA_PASSWD ! if (seteuid(0)||seteuid(target_uid)) { com_err("ksu", errno, "while switching to target uid"); return FALSE; } *************** *** 156,167 **** /*get the ticket granting ticket, via passwd(promt for passwd)*/ if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server, options, & zero_password) == FALSE){ ! krb5_seteuid(0); return FALSE; } *path_passwd = 1; ! if (krb5_seteuid(0)) { com_err("ksu", errno, "while reclaiming root uid"); return FALSE; } --- 158,169 ---- /*get the ticket granting ticket, via passwd(promt for passwd)*/ if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server, options, & zero_password) == FALSE){ ! seteuid(0); return FALSE; } *path_passwd = 1; ! 
if (seteuid(0)) { com_err("ksu", errno, "while reclaiming root uid"); return FALSE; } diff -r -c 1/krb5-1.0.3/src/clients/ksu/main.c krb5-1.0.3/src/clients/ksu/main.c *** 1/krb5-1.0.3/src/clients/ksu/main.c Mon Nov 17 22:46:19 1997 --- krb5-1.0.3/src/clients/ksu/main.c Sat Nov 22 22:58:03 1997 *************** *** 26,31 **** --- 26,34 ---- */ #include "ksu.h" + + #include "seteuid.h" + #include "adm_proto.h" #include #include *************** *** 382,388 **** if (cc_source_tag_tmp == (char *) 1) cc_source_tag_tmp = cc_source_tag; } ! if (krb5_seteuid(source_uid)) { com_err ( prog_name, errno, "while setting euid to source user"); exit(1); } --- 385,391 ---- if (cc_source_tag_tmp == (char *) 1) cc_source_tag_tmp = cc_source_tag; } ! if (seteuid(source_uid)) { com_err ( prog_name, errno, "while setting euid to source user"); exit(1); } *************** *** 410,416 **** /* We may be running as either source or target, depending on what happened; become source.*/ if ( geteuid() != source_uid) { ! if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) { com_err(prog_name, errno, "while returning to source uid after finding best principal"); exit(1); } --- 413,419 ---- /* We may be running as either source or target, depending on what happened; become source.*/ if ( geteuid() != source_uid) { ! if (seteuid(0) || seteuid(source_uid) ) { com_err(prog_name, errno, "while returning to source uid after finding best principal"); exit(1); } *************** *** 542,548 **** } /* Become root for authentication*/ ! if (krb5_seteuid(0)) { com_err(prog_name, errno, "while reclaiming root uid"); exit(1); } --- 545,551 ---- } /* Become root for authentication*/ ! if (seteuid(0)) { com_err(prog_name, errno, "while reclaiming root uid"); exit(1); } *************** *** 641,647 **** source_user,ontty()); /* Run authorization as target.*/ ! 
if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, "whiel switching to target for authorization check"); sweep_up(ksu_context, use_source_cache, cc_target); exit(1); --- 644,650 ---- source_user,ontty()); /* Run authorization as target.*/ ! if (seteuid(target_uid)) { com_err(prog_name, errno, "whiel switching to target for authorization check"); sweep_up(ksu_context, use_source_cache, cc_target); exit(1); *************** *** 650,661 **** if ((retval = krb5_authorization(ksu_context, client,target_user, cmd, &authorization_val, &exec_cmd))){ com_err(prog_name,retval,"while checking authorization"); ! krb5_seteuid(0); /*So we have some chance of sweeping up*/ sweep_up(ksu_context, use_source_cache, cc_target); exit(1); } ! if (krb5_seteuid(0)) { com_err(prog_name, errno, "while switching back from target after authorization check"); sweep_up(ksu_context, use_source_cache, cc_target); exit(1); --- 653,664 ---- if ((retval = krb5_authorization(ksu_context, client,target_user, cmd, &authorization_val, &exec_cmd))){ com_err(prog_name,retval,"while checking authorization"); ! seteuid(0); /*So we have some chance of sweeping up*/ sweep_up(ksu_context, use_source_cache, cc_target); exit(1); } ! if (seteuid(0)) { com_err(prog_name, errno, "while switching back from target after authorization check"); sweep_up(ksu_context, use_source_cache, cc_target); exit(1); *************** *** 935,942 **** char * cc_name; struct stat st_temp; ! krb5_seteuid(0); ! krb5_seteuid(target_uid); if (! use_source_cache){ cc_name = krb5_cc_get_name(context, cc); --- 938,945 ---- char * cc_name; struct stat st_temp; ! seteuid(0); ! seteuid(target_uid); if (! use_source_cache){ cc_name = krb5_cc_get_name(context, cc); diff -r -c 1/krb5-1.0.3/src/configure krb5-1.0.3/src/configure *** 1/krb5-1.0.3/src/configure Mon Nov 17 22:51:57 1997 --- krb5-1.0.3/src/configure Sat Nov 22 22:49:16 1997 *************** *** 1156,1163 **** enableval="$enable_shared" case $krb5_cv_host in ! *-*-netbsd*) ! 
echo "Enabling shared libraries for NetBSD...." krb5_cv_shlibs_cflags=-fpic krb5_cv_shlibs_ext=so krb5_cv_noshlibs_ext=a --- 1156,1163 ---- enableval="$enable_shared" case $krb5_cv_host in ! *-*-netbsd*|*-*-freebsd*) ! echo "Enabling shared libraries for NetBSD/FreeBSD...." krb5_cv_shlibs_cflags=-fpic krb5_cv_shlibs_ext=so krb5_cv_noshlibs_ext=a diff -r -c 1/krb5-1.0.3/src/include/k5-int.h krb5-1.0.3/src/include/k5-int.h *** 1/krb5-1.0.3/src/include/k5-int.h Mon Nov 17 22:46:27 1997 --- krb5-1.0.3/src/include/k5-int.h Sat Nov 22 22:54:05 1997 *************** *** 1358,1365 **** #define KRB5_VERIFY_MAGIC(structure,magic_number) \ if ((structure)->magic != (magic_number)) return (magic_number); - int krb5_seteuid KRB5_PROTOTYPE((int)); - int krb5_setenv KRB5_PROTOTYPE((const char *, const char *, int)); void krb5_unsetenv KRB5_PROTOTYPE((const char *)); --- 1358,1363 ---- diff -r -c 1/krb5-1.0.3/src/lib/krb4/in_tkt.c krb5-1.0.3/src/lib/krb4/in_tkt.c *** 1/krb5-1.0.3/src/lib/krb4/in_tkt.c Mon Nov 17 22:48:49 1997 --- krb5-1.0.3/src/lib/krb4/in_tkt.c Sat Nov 22 23:51:36 1997 *************** *** 28,42 **** * success, or KFAILURE if something goes wrong. */ ! #ifndef HAVE_SETREUID ! #ifdef HAVE_SETRESUID ! /* for hpux */ ! #define setreuid(r,e) setresuid(r,e,-1) ! #else ! /* for svr4 */ ! #define setreuid(r,e) setuid(r) ! #endif ! #endif #ifndef O_SYNC #define O_SYNC 0 --- 28,34 ---- * success, or KFAILURE if something goes wrong. */ ! #include "seteuid.h" #ifndef O_SYNC #define O_SYNC 0 *************** *** 98,107 **** This isn't a security problem, since the ticket file, if it already exists, has the right uid (== ruid) and mode. */ if (me != metoo) { ! if (setreuid(metoo, me) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("in_tkt: setreuid"); return(KFAILURE); } else if (krb_debug) --- 90,99 ---- This isn't a security problem, since the ticket file, if it already exists, has the right uid (== ruid) and mode. */ if (me != metoo) { ! 
if (seteuid(me) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("in_tkt: seteuid"); return(KFAILURE); } else if (krb_debug) *************** *** 118,127 **** } umask(mask); if (me != metoo) { ! if (setreuid(me, metoo) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("in_tkt: setreuid2"); return(KFAILURE); } else if (krb_debug) --- 110,119 ---- } umask(mask); if (me != metoo) { ! if (seteuid(metoo) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("in_tkt: seteuid2"); return(KFAILURE); } else if (krb_debug) diff -r -c 1/krb5-1.0.3/src/lib/krb4/kuserok.c krb5-1.0.3/src/lib/krb4/kuserok.c *** 1/krb5-1.0.3/src/lib/krb4/kuserok.c Mon Nov 17 22:48:50 1997 --- krb5-1.0.3/src/lib/krb4/kuserok.c Sat Nov 22 22:58:20 1997 *************** *** 27,38 **** #include #endif ! #ifndef HAVE_SETEUID ! #ifdef HAVE_SETRESUID ! #define seteuid(e) setresuid(-1,e,-1) ! #define setegid(e) setresgid(-1,e,-1) ! #endif ! #endif #define OK 0 #define NOTOK 1 --- 27,33 ---- #include #endif ! #include "seteuid.h" #define OK 0 #define NOTOK 1 diff -r -c 1/krb5-1.0.3/src/lib/krb4/tf_shm.c krb5-1.0.3/src/lib/krb4/tf_shm.c *** 1/krb5-1.0.3/src/lib/krb4/tf_shm.c Mon Nov 17 22:48:54 1997 --- krb5-1.0.3/src/lib/krb4/tf_shm.c Sat Nov 22 22:58:24 1997 *************** *** 22,27 **** --- 22,29 ---- #define MAX_BUFF sizeof(des_cblock)*1000 /* room for 1k keys */ + #include "seteuid.h" + extern int krb_debug; /* *************** *** 71,80 **** /* arrange so the file is owned by the ruid (swap real & effective uid if necessary). */ if (me != metoo) { ! if (setreuid(metoo, me) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("krb_shm_create: setreuid"); (void) shmctl(shmid, IPC_RMID, 0); return(KFAILURE); } else --- 73,82 ---- /* arrange so the file is owned by the ruid (swap real & effective uid if necessary). */ if (me != metoo) { ! if (seteuid(me) < 0) { /* can't switch??? barf! */ if (krb_debug) ! 
perror("krb_shm_create: seteuid"); (void) shmctl(shmid, IPC_RMID, 0); return(KFAILURE); } else *************** *** 94,103 **** return(KFAILURE); /* XXX */ } if (me != metoo) { ! if (setreuid(me, metoo) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("krb_shm_create: setreuid2"); (void) shmctl(shmid, IPC_RMID, 0); return(KFAILURE); } else --- 96,105 ---- return(KFAILURE); /* XXX */ } if (me != metoo) { ! if (seteuid(metoo) < 0) { /* can't switch??? barf! */ if (krb_debug) ! perror("krb_shm_create: seteuid2"); (void) shmctl(shmid, IPC_RMID, 0); return(KFAILURE); } else diff -r -c 1/krb5-1.0.3/src/lib/krb5util/Makefile.in krb5-1.0.3/src/lib/krb5util/Makefile.in *** 1/krb5-1.0.3/src/lib/krb5util/Makefile.in Mon Nov 17 22:49:40 1997 --- krb5-1.0.3/src/lib/krb5util/Makefile.in Sat Nov 22 22:42:06 1997 *************** *** 6,14 **** .c.o: $(CC) $(CFLAGS) -c $(srcdir)/$*.c ! OBJS= compat_recv.$(OBJEXT) seteuid.$(OBJEXT) ! SRCS= $(srcdir)/compat_recv.c $(srcdir)/seteuid.c LIB_SUBDIRS= . LIBDONE= DONE --- 6,14 ---- .c.o: $(CC) $(CFLAGS) -c $(srcdir)/$*.c ! OBJS= compat_recv.$(OBJEXT) ! SRCS= $(srcdir)/compat_recv.c LIB_SUBDIRS= . LIBDONE= DONE diff -r -c 1/krb5-1.0.3/src/util/makeshlib.sh krb5-1.0.3/src/util/makeshlib.sh *** 1/krb5-1.0.3/src/util/makeshlib.sh Mon Nov 17 22:50:24 1997 --- krb5-1.0.3/src/util/makeshlib.sh Sat Nov 22 22:49:30 1997 *************** *** 17,23 **** VERSION="$1" ; shift case $host in ! *-*-netbsd*) FILES=`for i do sed -e "s;^;$i/shared/;" -e "s; ; $i/shared/;g" -e "s;^$i/shared/\$;;" $i/DONE --- 17,23 ---- VERSION="$1" ; shift case $host in ! *-*-netbsd*|*-*-freebsd*) FILES=`for i do sed -e "s;^;$i/shared/;" -e "s; ; $i/shared/;g" -e "s;^$i/shared/\$;;" $i/DONE ----------------- seteuid.h ----------------- /* * if seteuid()/setegid() are not available, emulate them using * setreuid() or setresuid(). 
*/ #ifndef __SETEUID__ #define __SETEUID__ #ifndef HAVE_SETEUID #define HAVE_SETEUID #if defined(HAVE_SETREUID) #define seteuid(e) setreuid(-1,e) #define setegid(e) setregid(-1,e) #elif defined(HAVE_SETRESUID) #define seteuid(e) setresuid(-1,e,-1) #define seteuid(e) setresgid(-1,e,-1) #else /* * You are running a very wierd OS and will have to * code your own seteuid() and setegid() functions. */ #endif /* HAVE_SETREUID */ #endif /* HAVE_SETEUID */ #endif /* __SETEUID__ */
>Audit-Trail:

From: tytso@MIT.EDU
To: krb5-bugs@MIT.EDU, evanc@synapse.net
Cc: gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/505: patch to make krb5 consistently use one set-effective-uid function
Date: Thu, 4 Dec 1997 14:32:09 -0500

   Date: 23 Nov 1997 06:04:49 -0000
   From: evanc@synapse.net

   Of the 3 set-effective-uid choices, seteuid() is the only one that is POSIX-approved, so I chose to implement everything in terms of seteuid. From Kerberos' perspective, seteuid() is completely sufficient in all cases.

Actually, no, seteuid() is not POSIX-approved. The only function which is defined by POSIX is setuid().

Seteuid() is also not enough, for those platforms which don't implement the POSIX saved-setuid functionality (which is OPTIONAL to implement). For example, if you simply use seteuid() to temporarily drop root privileges, and you're on a system which doesn't implement saved-setuid, there's no way to get root privileges back.

Obviously, seteuid() is also not sufficient when you actually want to set the real-userid.

Was there a specific problem you were trying to solve with these patches?

- Ted

From: Evan Champion
To: tytso@MIT.EDU
Cc: krb5-bugs@MIT.EDU, gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/505: patch to make krb5 consistently use one set-effective-uid function
Date: Thu, 4 Dec 1997 15:24:36 -0500 (EST)

On Thu, 4 Dec 1997 tytso@MIT.EDU wrote:

> Actually, no, seteuid() is not POSIX-approved. The only function which
> is defined by POSIX is setuid().

Ack, sorry I misread the manpage. It says:

   The seteuid() and setegid() functions are extensions based on the POSIX concept of _POSIX_SAVED_IDS, and have been proposed for a future revision of the standard.

> Seteuid() is also not enough, for those platforms which don't implement
> the POSIX saved-setuid functionality (which is OPTIONAL to implement).
> For example, if you simply use seteuid() to temporarily drop root
> privileges, and you're on a system which doesn't implement saved-setuid,
> there's no way to get root privileges back.

Hum. I think one could define seteuid() to be setuid(0); seteuid(X) in this case. Or, the reverse of my patch could be used; always implement things in terms of setreuid(). But I suspect seteuid() is the more progressive of the two functions.

It looks like having a properly-defined HAVE_SAVED_IDS would be useful here. You can't rely on _POSIX_SAVED_IDS; this is not set on 4.4BSD, because setuid() does not implement saved ids, while seteuid() does. In this respect, krb5_seteuid() is broken, because seteuid() is a perfectly viable function for it to use on 4.4BSD, but it will never choose it because _POSIX_SAVED_IDS is not defined.

I'm not exactly sure though how one can reliably find out if the seteuid() is saved-id.

> Obviously, seteuid() is also not sufficient when you actually want to set
> the real-userid.

... which never happens, or at least if it does do it it uses setuid() directly. You can see from my patches every single occurrence of seteuid()/setreuid() in Kerberos, and except in one function where setreuid() was used to swap the real and effective uids, the real uid was never changed.

> Was there a specific problem you were trying to solve with these
> patches?

Yes; setreuid() doesn't work on BSD/OS. In particular, you can use it to switch to root, but from there you can't switch to any non-root user using setreuid().
I noticed this in particular with ksu, but it may be a problem elsewhere too. Once I forced seteuid() everywhere, everything worked just peachy.

While I was running through the code to find all the setreuid()'s (to change them to seteuid() so I could be sure they'd work), I found that there was no consistency in how either seteuid() or setreuid() was being redefined if it was not available, nor was there any consistency in the order in which each function would be used (for example, some preferred setreuid() to seteuid(), and some the opposite). That was when I decided to change them to all use the same #define's, and in doing so fix the preference order.

I have since thought about my solution, and decided that it would be better to not use seteuid() as the set-effective function, but rather krb5_seteuid(), and have krb5_seteuid() be defined to whatever is required to get set-effective to work on that platform. This is because you might get bizarre behaviour if you start on some new code and forget to #include the seteuid() redefinitions; by using something with a totally different name, there should be no confusion. The idea is still the same, however, and when the next drop is released, I'll work something up.

Evan

From: "Theodore Y. Ts'o"
To: Evan Champion
Cc: krb5-bugs@MIT.EDU, gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/505: patch to make krb5 consistently use one set-effective-uid function
Date: Thu, 4 Dec 1997 16:17:44 -0500

   Date: Thu, 4 Dec 1997 15:24:36 -0500 (EST)
   From: Evan Champion

   Yes; setreuid() doesn't work on BSD/OS. In particular, you can use it to switch to root, but from there you can't switch to any non-root user using setreuid(). I noticed this in particular with ksu, but it may be a problem elsewhere too. Once I forced seteuid() everywhere, everything worked just peachy.

So the following doesn't work under BSD/OS?

	setreuid(0, myid);
	...
	setreuid(myid, 0);

I find that highly ironic, since that's the original BSD 4.x approved way to temporarily drop root privileges, and indeed it was BSD that originally came up with the setreuid() interface in the first place.

And you're telling us that BSD/OS has gratuitously broken this? I'd submit a bug report to BSDI.....

(And this is the last time I'm going to let a BSD bigot complain about how Linux doesn't follow "the BSD API" ---- the BSD API is not defined anywhere, and obviously means whatever the BSD folks want it to mean. :-)

- Ted

From: Evan Champion
To: "Theodore Y. Ts'o"
Cc: krb5-bugs@MIT.EDU, gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/505: patch to make krb5 consistently use one set-effective-uid function
Date: Thu, 4 Dec 1997 18:29:34 -0500 (EST)

On Thu, 4 Dec 1997, Theodore Y. Ts'o wrote:

> And you're telling us that BSD/OS has gratuitously broken this? I'd
> submit a bug report to BSDI.....

Most of the 4.4BSDs didn't work with the set* functions, or at least not in a way that other programs expected them to work. FreeBSD fixed most of theirs; it seems that BSDI still hasn't fixed setreuid().

Evan

From: "Theodore Y. Ts'o"
To: Evan Champion
Cc: "Theodore Y. Ts'o" , krb5-bugs@MIT.EDU, gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: krb5-libs/505: patch to make krb5 consistently use one set-effective-uid function
Date: Thu, 4 Dec 1997 21:14:39 -0500

   Date: Thu, 4 Dec 1997 18:29:34 -0500 (EST)
   From: Evan Champion

   On Thu, 4 Dec 1997, Theodore Y. Ts'o wrote:

   > And you're telling us that BSD/OS has gratuitously broken this? I'd
   > submit a bug report to BSDI.....

   Most of the 4.4BSDs didn't work with the set* functions, or at least not in a way that other programs expected them to work. FreeBSD fixed most of theirs; it seems that BSDI still hasn't fixed setreuid().

Many commercial operating systems are based on BSD 4.2 and BSD 4.3, and setreuid() is the "least common denominator interface". For CSRG to remove setreuid() (as I am told they did) was (a) arrogant, and (b) stupid. For BSDI to put it back, but implement it incorrectly, is even worse....

I'd call this a BSD/OS bug, and BSDI should fix it.

- Ted

From: "Evan Champion"
To: "Theodore Y. Ts'o"
Cc: , ,
Subject: Re: krb5-libs/505: patch to make krb5 consistently use one set-effective-uid function
Date: Thu, 4 Dec 1997 21:50:41 -0500

>Many commercial operating systems are based on BSD 4.2 and BSD 4.3, and
>setreuid() is the "least common denominator interface". For CSRG to
>remove setreuid() (as I am told they did) was (a) arrogant, and (b)
>stupid. For BSDI to put it back, but implement it incorrectly, is
>even worse....

It may have been arrogant and stupid, but that was what they did. From their perspective, setreuid() is a deprecated function which has been superseded by more sane ways of doing things (likewise for setruid(), which was also dropped).

Yes, they should have at least provided it as a compat library, but they didn't, and now we have to live with the fallout.

>I'd call this a BSD/OS bug, and BSDI should fix it.

I'd call it a 4.4BSD bug, and yes BSDI should fix it, but there is more to 4.4BSD than BSDI. As I said, these functions are commonly broken up until the more recent versions of _all_ the 4.4BSD's. For example, I think they were only all working in FreeBSD 2.2, which can't be much more than a year old.

There must be an acceptable programmatic solution to this problem.

Evan

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Sun Feb 22 20:15:12 1998
State-Changed-Why:
Fixed, except using krb5_seteuid() as a function in case it is necessary to do something more sophisticated later.

src/include/k5-int.h 1.67
src/include/k5-util.h 1.1
src/lib/krb5util/configure.in 1.5
src/lib/krb5util/seteuid.c 1.6
src/appl/bsd/krcp.c 5.55
src/appl/bsd/v4rcp.c 5.5
src/appl/gssftp/ftpd/Makefile.in 1.23
src/appl/gssftp/ftpd/ftpd.c 1.23
>Unformatted:
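
Review bot: in the new seteuid.h, the HAVE_SETRESUID branch defines seteuid() twice; the second line, "#define seteuid(e) setresgid(-1,e,-1)", should define setegid(e). As written, setegid() is never emulated on a setresuid-only platform, and where the compiler accepts the redefinition the later one wins, so seteuid() expands to a group-ID call and a caller that believes it changed its effective uid has not. The header also defines HAVE_SETEUID before reaching the #else branch that emulates nothing; an #error in that branch would stop the build instead of leaving HAVE_SETEUID set with no seteuid() behind it.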
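
Review bot: in the lib/krb4/in_tkt.c and lib/krb4/tf_shm.c hunks, setreuid(metoo, me) becomes seteuid(me) and setreuid(me, metoo) becomes seteuid(metoo), which is no longer a swap of real and effective uid. The second call now only succeeds if the platform kept the old effective uid as a saved set-user-ID, while the unchanged comment in tf_shm.c still says "swap real & effective uid if necessary". Please update the comments to state that requirement, and compare geteuid() against the expected value after each switch so that a switch that did not take effect is treated as KFAILURE.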
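
Review bot: the appl/bsd/v4rcp.c hunk deletes the hpux and __svr4__ mappings for setreuid(), but the patch adds no #include "seteuid.h" to that file and converts no call in it. If v4rcp.c still calls setreuid() anywhere, those two platforms lose their definition; either convert the calls in this patch or keep the mappings until they are converted.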
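
Review bot: several converted call sites in clients/ksu still ignore the result of the uid switch: the last main.c hunk runs "seteuid(0); seteuid(target_uid);" unchecked, and the error paths in krb_auth_su.c and main.c call seteuid(0) and carry on to return or sweep_up(). In ccache.c and heuristic.c, "if (seteuid(0)||seteuid(target_uid)) return errno;" returns with the effective uid still 0 when only the second call fails. Since the patch touches every one of these lines anyway, check each call and report the failure with com_err() as the other call sites in main.c already do.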
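
Review bot: the clients/ksu/configure hunks edit generated output, including an ac_reltopdir change from "../../." to "./../.." and a renumbered "configure:1365" line that have nothing to do with the uid functions; carry only the configure.in change and regenerate configure from it. The NetBSD/FreeBSD shared-library changes in src/configure and src/util/makeshlib.sh are likewise independent of the seteuid work and would be easier to review and revert as a separate patch.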
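
The point made in the thread above, that a seteuid() drop is only reversible where the platform keeps a saved set-user-ID, as an added C example (not krb5 code and not written by either poster): every switch is checked and confirmed with geteuid(), and a failed restore is reported to the caller instead of being ignored. The names run_as_euid, set_euid_checked and record_euid are hypothetical.

```c
/* Added example, not krb5 code: bracket work under a temporary effective uid. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600   /* declares seteuid() under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Callback run while the effective uid is switched (hypothetical type). */
typedef int (*euid_fn)(void *arg);

/* Set the effective uid, then confirm with geteuid() that it took effect. */
static int set_euid_checked(uid_t want)
{
    if (seteuid(want) != 0)
        return -1;                 /* errno set by seteuid() */
    if (geteuid() != want) {       /* reported success, but euid unchanged */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/*
 * Run fn(arg) with euid == target, then return to the euid we started with.
 * Returns fn's result, or -1 if either switch failed. *stuck is set to 1
 * when the way back failed (for example, no saved set-user-ID): the caller
 * is then still running as `target` and must not assume its old privileges.
 */
static int run_as_euid(uid_t target, euid_fn fn, void *arg, int *stuck)
{
    uid_t orig = geteuid();
    int rc;

    *stuck = 0;
    if (set_euid_checked(target) != 0)
        return -1;                 /* fn never runs under the wrong identity */
    rc = fn(arg);
    if (set_euid_checked(orig) != 0) {
        *stuck = 1;
        return -1;
    }
    return rc;
}

/* Sample callback: record the euid the work actually ran under. */
static int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    /* As in the in_tkt.c hunk: do the file work as the real (invoking) user. */
    uid_t ruid = getuid(), seen = (uid_t)-1;
    int stuck = 0;

    if (run_as_euid(ruid, record_euid, &seen, &stuck) != 0) {
        perror(stuck ? "could not restore euid" : "could not switch euid");
        return 1;
    }
    printf("worked as uid %ld, now back to euid %ld\n",
           (long)seen, (long)geteuid());
    return 0;
}
```

A caller that sees stuck set should stop rather than continue with whatever identity it ended up with.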