/*
* Copyright (c) 2001 Proofpoint, Inc. and its suppliers.
* All rights reserved.
*
* By using this file, you agree to the terms and conditions set
* forth in the LICENSE file which can be found at the top level of
* the sendmail distribution.
*
*/
/*
** This program checks to see if your version of setgid works, that is,
** whether a set-group-ID program can give up its group rights for good.
** Compile it, make it set-group-ID guest, and run it as yourself (NOT as
** root and not as member of the group guest).
**
** Compilation is trivial -- just "cc t_dropgid.c". Make it set-group-ID
** guest and then execute it as a non-root user.
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#ifndef lint
/*
**  Version-control identification string.  It is not referenced anywhere
**  else in this listing and is left out when building for lint.
*/
static char id[] = "@(#)$Id: t_dropgid.c,v 1.7 2013-11-22 20:52:01 ca Exp $";
#endif
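/*
**  PRINTGIDS -- print the expected and the current real/effective gids.
**
**	Parameters:
**		str -- label naming the checkpoint being reported.
**		r -- real gid the caller expects at this point.
**		e -- effective gid the caller expects at this point.
**
**	Returns:
**		none.
**
**	Side Effects:
**		writes one line to stdout.
**
**	The current values are fetched with getgid()/getegid() at the time
**	of the call, so the line shows what the system reports next to
**	what the caller expects.
*/
static void
printgids(const char *str, gid_t r, gid_t e)
{
	/* prototype form lets the compiler check every call's arguments */
	printf("%s (should be %d/%d): r/egid=%d/%d\n", str, (int) r, (int) e,
	       (int) getgid(), (int) getegid());
}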
/*
**  SETGIDCALL is the name of the call that the final verdict in main()
**  reports.  Define only one of HASSETEGID, HASSETREGID, HASSETRESGID:
**  each one that is set defines SETGIDCALL again, and main() runs every
**  enabled call, so with several set the verdict no longer names a single
**  call.  With none set, plain setgid() is the call under test.
*/
#if HASSETEGID
# define SETGIDCALL "setegid"
#endif
#if HASSETREGID
# define SETGIDCALL "setregid"
#endif
#if HASSETRESGID
# define SETGIDCALL "setresgid"
#endif
#ifndef SETGIDCALL
# define SETGIDCALL "setgid"
#endif
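/*
**  COUNT_GID_MISMATCHES -- compare the current real/effective gid with
**	the expected value and report each one that differs.
**
**	Parameters:
**		expected -- gid that both getgid() and getegid() should return.
**
**	Returns:
**		number of mismatches found (0, 1 or 2).
*/
static int
count_gid_mismatches(gid_t expected)
{
	int bad = 0;

	if (getegid() != expected)
	{
		bad++;
		printf("MAYDAY! Wrong effective gid\n");
	}
	if (getgid() != expected)
	{
		bad++;
		printf("MAYDAY! Wrong real gid\n");
	}
	return bad;
}

/*
**  MAIN -- check whether the selected call gives up set-group-ID rights.
**
**	The program must be installed set-group-ID to a group the invoking
**	user does not belong to.  It sets the group IDs to the real gid with
**	every call enabled at compile time (and always with setgid()),
**	verifies the resulting real/effective gid, and then tries to switch
**	back to the original effective gid.  That last attempt has to fail;
**	if it succeeds the rights were not given up for good.
**
**	The verdict is based on the IDs the system reports afterwards, not
**	on the return values of the set*gid() calls, which are only printed.
**	Only the real and effective gid are examined here; supplementary
**	groups are not looked at by this test.
**
**	Parameters:
**		argc -- argument count.
**		argv -- argument vector; argv[0] is used in the setup hint.
**
**	Returns:
**		does not return; exits 0 if the rights could be dropped,
**		1 on a setup error or if any check failed.
*/
int
main(int argc, char **argv)
{
	int fail = 0;
	int res;
	gid_t realgid = getgid();
	gid_t effgid = getegid();
	/* argv[0] may be absent; never hand a null pointer to %s */
	const char *prg = (argc > 0 && argv[0] != NULL) ? argv[0] : "t_dropgid";

	printgids("initial gids", realgid, effgid);
	if (effgid == realgid)
	{
		/* real and effective gid are equal: there is nothing to drop */
		printf("SETUP ERROR: re-run set-group-ID guest\n");
		printf("Use chgrp(1) and chmod(1)\n");
		printf("For example, do this as root ");
		printf("(nobody is the name of a group in this example):\n");
		printf("# chgrp nobody %s\n", prg);
		/* chmod takes the mode and the file only, no group name */
		printf("# chmod g+s %s\n", prg);
		exit(1);
	}

#if HASSETREGID
	res = setregid(realgid, realgid);
	printf("setregid(%d)=%d %s\n", (int) realgid, res,
	       res < 0 ? "failure" : "ok");
	printgids("after setregid()", realgid, realgid);
#endif /* HASSETREGID */

#if HASSETRESGID
	res = setresgid(realgid, realgid, realgid);
	printf("setresgid(%d)=%d %s\n", (int) realgid, res,
	       res < 0 ? "failure" : "ok");
	printgids("after setresgid()", realgid, realgid);
#endif /* HASSETRESGID */

#if HASSETEGID
	res = setegid(realgid);
	printf("setegid(%d)=%d %s\n", (int) realgid, res,
	       res < 0 ? "failure" : "ok");
	printgids("after setegid()", realgid, realgid);
#endif /* HASSETEGID */

	/* setgid() is always called, whichever of the calls above ran */
	res = setgid(realgid);
	printf("setgid(%d)=%d %s\n", (int) realgid, res,
	       res < 0 ? "failure" : "ok");
	printgids("after setgid()", realgid, realgid);

	/* trust the IDs the system reports, not the return values above */
	fail += count_gid_mismatches(realgid);

	/* do activity here */

	/* getting the old effective gid back must be impossible by now */
	if (setgid(effgid) == 0)
	{
		fail++;
		printf("MAYDAY! setgid(%d) succeeded (should have failed)\n",
		       (int) effgid);
	}
	else
	{
		printf("setgid(%d) failed (this is correct)\n", (int) effgid);
	}
	printgids("after setgid() to egid", realgid, realgid);

	/* the attempt above must not have changed either ID */
	fail += count_gid_mismatches(realgid);

	printf("\n");
	if (fail > 0)
	{
		printf("\nThis system cannot use %s to give up set-group-ID rights\n",
		       SETGIDCALL);
#if !HASSETEGID
		printf("Maybe compile with -DHASSETEGID and try again\n");
#endif
#if !HASSETREGID
		printf("Maybe compile with -DHASSETREGID and try again\n");
#endif
#if !HASSETRESGID
		printf("Maybe compile with -DHASSETRESGID and try again\n");
#endif
		exit(1);
	}
	printf("\nIt is possible to use %s on this system\n", SETGIDCALL);
	exit(0);
}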