servers/slapd/user.c

1.1.1.2     lukem /*	$NetBSD: user.c,v 1.1.1.5 2017/02/09 01:46:59 christos Exp $	*/
1.1.1.2     lukem
    1.1     lukem /* user.c - set user id, group id and group access list */
1.1.1.4      tron /* $OpenLDAP$ */
    1.1     lukem /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
    1.1     lukem  *
1.1.1.5  christos  * Copyright 1998-2016 The OpenLDAP Foundation.
    1.1     lukem  * Portions Copyright 1999 PM Lashley.
    1.1     lukem  * All rights reserved.
    1.1     lukem  *
    1.1     lukem  * Redistribution and use in source and binary forms, with or without
    1.1     lukem  * modification, are permitted only as authorized by the OpenLDAP
    1.1     lukem  * Public License.
    1.1     lukem  *
    1.1     lukem  * A copy of this license is available in the file LICENSE in the
    1.1     lukem  * top-level directory of the distribution or, alternatively, at
    1.1     lukem  * <http://www.OpenLDAP.org/license.html>.
    1.1     lukem  */
    1.1     lukem
1.1.1.5  christos #include <sys/cdefs.h>
1.1.1.5  christos __RCSID("$NetBSD: user.c,v 1.1.1.5 2017/02/09 01:46:59 christos Exp $");
1.1.1.5  christos
    1.1     lukem #include "portable.h"
    1.1     lukem
    1.1     lukem #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
    1.1     lukem
    1.1     lukem #include <stdio.h>
    1.1     lukem
    1.1     lukem #include <ac/stdlib.h>
    1.1     lukem
    1.1     lukem #ifdef HAVE_PWD_H
    1.1     lukem #include <pwd.h>
    1.1     lukem #endif
    1.1     lukem #ifdef HAVE_GRP_H
    1.1     lukem #include <grp.h>
    1.1     lukem #endif
    1.1     lukem
    1.1     lukem #include <ac/ctype.h>
    1.1     lukem #include <ac/unistd.h>
    1.1     lukem
    1.1     lukem #include "slap.h"
    1.1     lukem #include "lutil.h"
    1.1     lukem
    1.1     lukem /*
    1.1     lukem  * Set real and effective user id and group id, and group access list
    1.1     lukem  * The user and group arguments are freed.
    1.1     lukem  */
    1.1     lukem
    1.1     lukem void
    1.1     lukem slap_init_user( char *user, char *group )
    1.1     lukem {
    1.1     lukem     uid_t	uid = 0;
    1.1     lukem     gid_t	gid = 0;
    1.1     lukem     int		got_uid = 0, got_gid = 0;
    1.1     lukem
    1.1     lukem     if ( user ) {
    1.1     lukem 	struct passwd *pwd;
    1.1     lukem 	if ( isdigit( (unsigned char) *user ) ) {
    1.1     lukem 	    unsigned u;
    1.1     lukem
    1.1     lukem 	    got_uid = 1;
    1.1     lukem 	    if ( lutil_atou( &u, user ) != 0 ) {
    1.1     lukem 		Debug( LDAP_DEBUG_ANY, "Unble to parse user %s\n",
    1.1     lukem 		       user, 0, 0 );
    1.1     lukem
    1.1     lukem 		exit( EXIT_FAILURE );
    1.1     lukem 	    }
    1.1     lukem 	    uid = (uid_t)u;
    1.1     lukem #ifdef HAVE_GETPWUID
    1.1     lukem 	    pwd = getpwuid( uid );
    1.1     lukem 	    goto did_getpw;
    1.1     lukem #else
    1.1     lukem 	    free( user );
    1.1     lukem 	    user = NULL;
    1.1     lukem #endif
    1.1     lukem 	} else {
    1.1     lukem 	    pwd = getpwnam( user );
    1.1     lukem 	did_getpw:
    1.1     lukem 	    if ( pwd == NULL ) {
    1.1     lukem 		Debug( LDAP_DEBUG_ANY, "No passwd entry for user %s\n",
    1.1     lukem 		       user, 0, 0 );
    1.1     lukem
    1.1     lukem 		exit( EXIT_FAILURE );
    1.1     lukem 	    }
    1.1     lukem 	    if ( got_uid ) {
    1.1     lukem 		free( user );
    1.1     lukem 		user = (pwd != NULL ? ch_strdup( pwd->pw_name ) : NULL);
    1.1     lukem 	    } else {
    1.1     lukem 		got_uid = 1;
    1.1     lukem 		uid = pwd->pw_uid;
    1.1     lukem 	    }
    1.1     lukem 	    got_gid = 1;
    1.1     lukem 	    gid = pwd->pw_gid;
    1.1     lukem #ifdef HAVE_ENDPWENT
    1.1     lukem 	    endpwent();
    1.1     lukem #endif
    1.1     lukem 	}
    1.1     lukem     }
    1.1     lukem
    1.1     lukem     if ( group ) {
    1.1     lukem 	struct group *grp;
    1.1     lukem 	if ( isdigit( (unsigned char) *group )) {
    1.1     lukem 	    unsigned g;
    1.1     lukem
    1.1     lukem 	    if ( lutil_atou( &g, group ) != 0 ) {
    1.1     lukem 		Debug( LDAP_DEBUG_ANY, "Unble to parse group %s\n",
    1.1     lukem 		       group, 0, 0 );
    1.1     lukem
    1.1     lukem 		exit( EXIT_FAILURE );
    1.1     lukem 	    }
    1.1     lukem 	    gid = (uid_t)g;
    1.1     lukem #ifdef HAVE_GETGRGID
    1.1     lukem 	    grp = getgrgid( gid );
    1.1     lukem 	    goto did_group;
    1.1     lukem #endif
    1.1     lukem 	} else {
    1.1     lukem 	    grp = getgrnam( group );
    1.1     lukem 	    if ( grp != NULL )
    1.1     lukem 		gid = grp->gr_gid;
    1.1     lukem 	did_group:
    1.1     lukem 	    if ( grp == NULL ) {
    1.1     lukem 		Debug( LDAP_DEBUG_ANY, "No group entry for group %s\n",
    1.1     lukem 		       group, 0, 0 );
    1.1     lukem
    1.1     lukem 		exit( EXIT_FAILURE );
    1.1     lukem 	    }
    1.1     lukem 	}
    1.1     lukem 	free( group );
    1.1     lukem 	got_gid = 1;
    1.1     lukem     }
    1.1     lukem
    1.1     lukem     if ( user ) {
    1.1     lukem 	if ( getuid() == 0 && initgroups( user, gid ) != 0 ) {
    1.1     lukem 	    Debug( LDAP_DEBUG_ANY,
    1.1     lukem 		   "Could not set the group access (gid) list\n", 0, 0, 0 );
    1.1     lukem
    1.1     lukem 	    exit( EXIT_FAILURE );
    1.1     lukem 	}
    1.1     lukem 	free( user );
    1.1     lukem     }
    1.1     lukem
    1.1     lukem #ifdef HAVE_ENDGRENT
    1.1     lukem     endgrent();
    1.1     lukem #endif
    1.1     lukem
    1.1     lukem     if ( got_gid ) {
    1.1     lukem 	if ( setgid( gid ) != 0 ) {
    1.1     lukem 	    Debug( LDAP_DEBUG_ANY, "Could not set real group id to %d\n",
    1.1     lukem 		       (int) gid, 0, 0 );
    1.1     lukem
    1.1     lukem 	    exit( EXIT_FAILURE );
    1.1     lukem 	}
    1.1     lukem #ifdef HAVE_SETEGID
    1.1     lukem 	if ( setegid( gid ) != 0 ) {
    1.1     lukem 	    Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
    1.1     lukem 		       (int) gid, 0, 0 );
    1.1     lukem
    1.1     lukem 	    exit( EXIT_FAILURE );
    1.1     lukem 	}
    1.1     lukem #endif
    1.1     lukem     }
    1.1     lukem
    1.1     lukem     if ( got_uid ) {
    1.1     lukem 	if ( setuid( uid ) != 0 ) {
    1.1     lukem 	    Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
    1.1     lukem 		       (int) uid, 0, 0 );
    1.1     lukem
    1.1     lukem 	    exit( EXIT_FAILURE );
    1.1     lukem 	}
    1.1     lukem #ifdef HAVE_SETEUID
    1.1     lukem 	if ( seteuid( uid ) != 0 ) {
    1.1     lukem 	    Debug( LDAP_DEBUG_ANY, "Could not set effective user id to %d\n",
    1.1     lukem 		       (int) uid, 0, 0 );
    1.1     lukem
    1.1     lukem 	    exit( EXIT_FAILURE );
    1.1     lukem 	}
    1.1     lukem #endif
    1.1     lukem     }
    1.1     lukem }
    1.1     lukem
    1.1     lukem #endif /* HAVE_PWD_H && HAVE_GRP_H */