#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "lcmaps_config.h"
#include "lcmaps_modules.h"
#include "lcmaps_arguments.h"
#include "lcmaps_cred_data.h"
00126
00127
00128
00129
/* Sentinel for "no limit configured" in the maxuid/maxpgid/maxsgid settings. */
#define MAX_UNDEFINED ((int)(-1))

/* Upper bound on the number of supplementary gids this plugin will accept:
 * the system's NGROUPS_MAX when the headers provide it, else a conservative
 * fallback.  plugin_initialize() rejects a -maxsgid larger than this. */
#ifndef NGROUPS
#ifdef NGROUPS_MAX
#define NGROUPS NGROUPS_MAX
#else
#define NGROUPS 32
#endif
#endif

/* Size in bytes of the buffer log_cred() formats the credential summary into;
 * a summary that does not fit is reported as an error rather than truncated. */
#ifndef MAX_LOG_BUFFER_SIZE
#define MAX_LOG_BUFFER_SIZE 500
#endif
00148
00149
00150
00151
00152
/*
 * Log a one-line summary of the process's *current* POSIX credentials
 * (uid, primary gid and supplementary gids, each with its name when it
 * resolves) after the switch performed by plugin_run().
 *
 * Only priGid/cntPriGid and cntSecGid are read; dn, uid, cntUid and secGid
 * are accepted for symmetry with the caller but not used by the body.
 * Returns 0 on success, 1 on error (already logged).
 */
static int log_cred (
char *dn,
uid_t *uid,
int cntUid,
gid_t *priGid,
int cntPriGid,
gid_t *secGid,
int cntSecGid
);
00162
00163
00164
00165
00166
00167
/* Limits set by plugin_initialize() from the plugin's options and enforced by
 * plugin_run(); MAX_UNDEFINED means "no limit". */
static int maxuid = MAX_UNDEFINED;  /* max number of uids in the credential set */
static int maxpgid = MAX_UNDEFINED; /* max number of primary gids */
static int maxsgid = MAX_UNDEFINED; /* max number of secondary gids (<= NGROUPS) */
/* "-set_only_euid yes" / "-set_only_egid yes": plugin_run() then changes only
 * the effective id and leaves the real id untouched; default is to set both. */
static int set_only_euid = 0;
static int set_only_egid = 0;
00173
00174
00175
00176
00177
00178
00179
00180
00181
00182
00183
00184
00185
00186
00187
00188
00189
00190
00191
00192
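/*
 * Account for one snprintf() result in the credential log buffer.
 *
 * logstr:  log prefix of the caller.
 * bufptr:  current write position; advanced by 'written' on success.
 * buflen:  room left in the buffer; reduced by 'written' on success.
 * written: return value of the snprintf() that just wrote at *bufptr.
 *
 * Returns 0 on success, 1 (after logging) when snprintf() failed or the
 * text did not fit including its terminating NUL.
 */
static int cred_consume(const char *logstr, char **bufptr, int *buflen, int written)
{
    if (written < 0)
    {
        lcmaps_log(0,"%s: error in snprintf()\n",logstr);
        return 1;
    }
    if ((written + 1) > *buflen)
    {
        lcmaps_log(0,"%s: could not write all characters into credential log string\n",logstr);
        lcmaps_log(0,"%s: excess of characters: %d\n",logstr,written+1-*buflen);
        return 1;
    }
    *bufptr += written;
    *buflen -= written;
    return 0;
}

/* Append a literal string to the credential log buffer; see cred_consume(). */
static int cred_append_str(const char *logstr, char **bufptr, int *buflen, const char *s)
{
    int written = snprintf(*bufptr, (size_t)*buflen, "%s", s);
    return cred_consume(logstr, bufptr, buflen, written);
}

/*
 * Append "<sep><id>(<name>)" to the credential log buffer.
 * A NULL name (unresolvable uid/gid) is printed as "n\a", as before.
 * The id is passed as int to match the "%d" conversion.
 */
static int cred_append_id(const char *logstr, char **bufptr, int *buflen,
                          const char *sep, int id, const char *name)
{
    int written = snprintf(*bufptr, (size_t)*buflen, "%s%d(%s)",
                           sep, id, (name != NULL) ? name : "n\\a");
    return cred_consume(logstr, bufptr, buflen, written);
}

/*
 * Log a one-line summary of the process's *current* POSIX credentials:
 * "uid=<n>(<name>):pgid=<n>(<name>)[,...]:sgid=<n>(<name>),...".
 *
 * The uid and (for cntPriGid == 1) the primary gid are read back from the
 * process with getuid()/geteuid() resp. getgid()/getegid(), honouring the
 * set_only_* options; the supplementary list is read with getgroups().
 * dn, uid, cntUid and secGid are unused; cntSecGid is only compared against
 * the getgroups() count for a debug warning.
 *
 * Returns 0 on success, 1 on error (logged).  All allocations are released
 * on every return path.
 */
static int log_cred (char *dn,
uid_t *uid,
int cntUid,
gid_t *priGid,
int cntPriGid,
gid_t *secGid,
int cntSecGid)
{
    char * logstr = " lcmaps_plugin_posix_enf-log_cred()";

    struct passwd * user_info = NULL;
    struct group * grp_info = NULL;

    char * logbuf = NULL;
    gid_t * list = NULL;
    char * bufptr = NULL;
    int buflen = 0;
    int ngroups = 0;
    int i;
    int rc = 1;
    uid_t found_uid;

    (void)dn;
    (void)uid;
    (void)cntUid;
    (void)secGid;

    logbuf = malloc(MAX_LOG_BUFFER_SIZE);
    if (logbuf == NULL)
    {
        lcmaps_log(0,"%s: out of memory allocating the credential log buffer\n",logstr);
        return 1;
    }
    bufptr = logbuf;
    buflen = MAX_LOG_BUFFER_SIZE;

    /* uid: the effective one when only the euid was changed, else the real one */
    if (cred_append_str(logstr, &bufptr, &buflen, "uid=") != 0)
        goto cleanup;

    found_uid = set_only_euid ? geteuid() : getuid();
    user_info = getpwuid(found_uid);
    if (cred_append_id(logstr, &bufptr, &buflen, "", (int)found_uid,
                       (user_info != NULL) ? user_info->pw_name : NULL) != 0)
        goto cleanup;

    /* primary gid(s) */
    if (cred_append_str(logstr, &bufptr, &buflen, ":pgid=") != 0)
        goto cleanup;

    if (cntPriGid == 1)
    {
        gid_t found_gid = set_only_egid ? getegid() : getgid();

        grp_info = getgrgid(found_gid);
        if (cred_append_id(logstr, &bufptr, &buflen, "", (int)found_gid,
                           (grp_info != NULL) ? grp_info->gr_name : NULL) != 0)
            goto cleanup;
    }
    else
    {
        for (i = 0; i < cntPriGid; i++)
        {
            grp_info = getgrgid(priGid[i]);
            if (cred_append_id(logstr, &bufptr, &buflen, (i == 0) ? "" : ",",
                               (int)priGid[i],
                               (grp_info != NULL) ? grp_info->gr_name : NULL) != 0)
                goto cleanup;
        }
    }

    /* supplementary gids, as the kernel currently reports them */
    ngroups = getgroups(0, NULL);
    if (ngroups < 0)
    {
        lcmaps_log(0,"%s: error in getgroups() (failure)\n",logstr);
        goto cleanup;
    }
    if (ngroups > 0)
    {
        if (ngroups != cntSecGid)
        {
            lcmaps_log_debug(1,"%s: something strange going on, the number of sec. gids from getgroups() (%d)\n",logstr,ngroups);
            lcmaps_log_debug(1,"%s: differs from the number of gids set (cntSecGid=%d)\n",logstr,cntSecGid);
        }
        list = malloc((size_t)ngroups * sizeof *list);
        if (list == NULL)
        {
            lcmaps_log(0,"%s: out of memory allocating the group list\n",logstr);
            goto cleanup;
        }
        /* use the count of the second call: the list may have changed in between */
        ngroups = getgroups(ngroups, list);
        if (ngroups < 0)
        {
            lcmaps_log(0,"%s: error in getgroups() (failure)\n",logstr);
            goto cleanup;
        }
        if (ngroups > 0)
        {
            if (cred_append_str(logstr, &bufptr, &buflen, ":sgid=") != 0)
                goto cleanup;
            for (i = 0; i < ngroups; i++)
            {
                grp_info = getgrgid(list[i]);
                if (cred_append_id(logstr, &bufptr, &buflen, (i == 0) ? "" : ",",
                                   (int)list[i],
                                   (grp_info != NULL) ? grp_info->gr_name : NULL) != 0)
                    goto cleanup;
            }
        }
    }

    lcmaps_log_debug(5,"%s: At the end we still have %d spaces left in the buffer\n", logstr, buflen);
    lcmaps_log_time(LOG_INFO, "%s: %s\n", logstr, logbuf);
    rc = 0;

cleanup:
    free(list);
    free(logbuf);
    return rc;
}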
00454
00455
00456
00457
00458
00459
00460
00461
00462
00463
00464
00465
00466
00467
00468
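/*
 * Parse the value of a numeric limit option (-maxuid/-maxpgid/-maxsgid).
 *
 * Only a non-empty string of decimal digits that fits in an int is accepted.
 * strtol() replaces atoi() so that an out-of-range value is reported instead
 * of being silently truncated into a meaningless limit.
 *
 * logstr: log prefix of the caller.
 * opt:    the option as given (used in messages).
 * val:    the option's argument, or NULL when the option was last on the line.
 * dest:   receives the parsed value on success.
 *
 * Returns 0 on success, 1 after logging an error.
 */
static int parse_limit_option(const char *logstr, const char *opt,
                              const char *val, int *dest)
{
    size_t j;
    char *end = NULL;
    long value;

    if (val == NULL || val[0] == '\0')
    {
        lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, opt);
        return 1;
    }

    lcmaps_log_debug(2,"%s: Checking if argument behind \"%s\" is a number\n", logstr, opt);
    for (j = 0; val[j] != '\0'; j++)
    {
        /* isdigit() takes an unsigned char value; a plain char may be negative */
        if (!isdigit((unsigned char)val[j]))
        {
            lcmaps_log(0,"%s\tError: maybe found some digits, but there is at least one char corrupting this parameter: %s\n", logstr, val);
            return 1;
        }
    }

    errno = 0;
    value = strtol(val, &end, 10);
    if (errno == ERANGE || end == val || *end != '\0' || value > INT_MAX)
    {
        lcmaps_log(0,"%s\tError: value for %s is out of range: %s\n", logstr, opt, val);
        return 1;
    }
    *dest = (int)value;
    return 0;
}

/*
 * Parse a "yes"/"no" option value (-set_only_euid/-set_only_egid).
 * Stores 1 for "yes", 0 for "no" in *dest.  Returns 0 on success,
 * 1 after logging when the value is missing or anything else.
 */
static int parse_yes_no_option(const char *logstr, const char *opt,
                               const char *val, int *dest)
{
    if (val == NULL || val[0] == '\0')
    {
        lcmaps_log(0,"%s: no argument found for %s (failure)\n", logstr, opt);
        return 1;
    }
    if (strcmp(val, "yes") == 0)
    {
        *dest = 1;
        return 0;
    }
    if (strcmp(val, "no") == 0)
    {
        *dest = 0;
        return 0;
    }
    lcmaps_log(0,"%s: use \"yes\" or \"no\" for option %s\n", logstr, opt);
    return 1;
}

/*
 * Plugin entry point: parse the plugin's options and store them in the
 * file-level settings (maxuid, maxpgid, maxsgid, set_only_euid,
 * set_only_egid).
 *
 * Every option takes exactly one value.  Parsing is fail-closed: an unknown
 * option, a limit given twice, a missing or malformed value, or a -maxsgid
 * above NGROUPS all make initialisation fail, so a misspelt option can not
 * silently leave an enforcement limit unset.
 *
 * argc/argv: the plugin's argument vector; argv[0] is skipped (presumably
 *            the plugin's own name, as the original loop also started at 1).
 * Returns LCMAPS_MOD_SUCCESS or LCMAPS_MOD_FAIL.
 */
int plugin_initialize(
int argc,
char ** argv
)
{
    int i;
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_initialize()";

    lcmaps_log_debug(1,"%s: passed arguments:\n", logstr);
    for (i=0; i < argc; i++)
    {
        lcmaps_log_debug(2,"%s: arg %d is %s\n", logstr, i, argv[i]);
    }

    for (i = 1; i < argc; i++)
    {
        const char *opt = argv[i];
        const char *val = (i + 1 < argc) ? argv[i + 1] : NULL;
        int *limit = NULL;
        int *flag = NULL;

        if (opt == NULL)
        {
            lcmaps_log(0,"%s: NULL argument at position %d (failure)\n", logstr, i);
            goto fail_posix;
        }

        if ((strcmp(opt, "-maxuid") == 0) || (strcmp(opt, "-MAXUID") == 0))
            limit = &maxuid;
        else if ((strcmp(opt, "-maxpgid") == 0) || (strcmp(opt, "-MAXPGID") == 0))
            limit = &maxpgid;
        else if ((strcmp(opt, "-maxsgid") == 0) || (strcmp(opt, "-MAXSGID") == 0))
            limit = &maxsgid;
        else if (strcmp(opt, "-set_only_euid") == 0)
            flag = &set_only_euid;
        else if (strcmp(opt, "-set_only_egid") == 0)
            flag = &set_only_egid;
        else
        {
            lcmaps_log(0,"%s: unknown option %s (failure)\n", logstr, opt);
            goto fail_posix;
        }

        if (limit != NULL)
        {
            /* a limit may only be set once; a second occurrence is a config error */
            if (*limit != MAX_UNDEFINED)
            {
                lcmaps_log(0,"%s: option %s given more than once (failure)\n", logstr, opt);
                goto fail_posix;
            }
            if (parse_limit_option(logstr, opt, val, limit) != 0)
                goto fail_posix;
        }
        else if (parse_yes_no_option(logstr, opt, val, flag) != 0)
        {
            goto fail_posix;
        }

        i++; /* the value was consumed together with the option */
    }

    if (maxsgid > NGROUPS)
    {
        lcmaps_log(0,"%s\tError: The prefered set maximum of %d Secondary Gid's exceeds the system maximum of NGROUPS witch is set to %d on this system\n", logstr, maxsgid, NGROUPS);
        goto fail_posix;
    }
    else if (maxsgid == MAX_UNDEFINED)
    {
        lcmaps_log(0,"%s\tAuto set maximum Secondary Gid's to system maximum of NGROUPS witch is set to %d on this system\n", logstr, NGROUPS);
    }

    lcmaps_log_debug(2,"%s: Summary init maxuid : %d\n", logstr, maxuid);
    lcmaps_log_debug(2,"%s: Summary init maxpgid : %d\n", logstr, maxpgid);
    lcmaps_log_debug(2,"%s: Summary init maxsgid : %d\n", logstr, maxsgid);

    return LCMAPS_MOD_SUCCESS;

fail_posix:
    return LCMAPS_MOD_FAIL;
}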
00647
00648
00649
00650
00651
00652
00653
00654
00655
00656
00657
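/*
 * Report the arguments this plugin expects from the LCMAPS framework.
 * The list is empty (a single terminating entry): plugin_run() fetches the
 * credential data itself via getCredentialData().
 *
 * argc/argv: out parameters receiving the count and the (static) list.
 * Returns LCMAPS_MOD_SUCCESS.
 */
int plugin_introspect(
int * argc,
lcmaps_argument_t ** argv
)
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_introspect()";

    static lcmaps_argument_t argList[] = {
        {NULL , NULL , -1, NULL}
    };

    lcmaps_log_debug(1,"%s: introspecting\n", logstr);

    *argv = argList;
    *argc = lcmaps_cntArgs(argList);
    /* %p with a void * is the only portable way to print a pointer; "%x" was
     * undefined behaviour (and truncated the address on 64-bit builds) */
    lcmaps_log_debug(1,"%s: address first argument: %p\n", logstr, (void *)argList);

    return LCMAPS_MOD_SUCCESS;
}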
00677
00678
00679
00680
00681
00682
00683
00684
00685
00686
00687
00688
00689
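/*
 * Check the gathered credential counts against the limits configured at
 * initialisation.  A limit of MAX_UNDEFINED is not enforced.
 * Returns 0 when everything is within bounds, 1 after logging otherwise.
 */
static int check_credential_counts(const char *logstr, int cntUid, int cntPriGid, int cntSecGid)
{
    if (maxuid != MAX_UNDEFINED)
    {
        lcmaps_log_debug(2,"%s: max number of uids: %d\n", logstr, maxuid);
        if (cntUid > maxuid)
        {
            lcmaps_log(0, "%s:\tError: The set amount of uid's gathered exceeds the maximum of %d uid('s) by %d\n", logstr, maxuid, (cntUid - maxuid));
            return 1;
        }
    }
    if (maxpgid != MAX_UNDEFINED)
    {
        lcmaps_log_debug(2,"%s: max number of primary gid('s): %d\n", logstr, maxpgid);
        if (cntPriGid > maxpgid)
        {
            lcmaps_log(0, "%s:\tError: The set amount of primary gid's gathered exceeds the maximum of %d primary gid('s) by %d\n", logstr, maxpgid, (cntPriGid - maxpgid));
            return 1;
        }
    }
    if (maxsgid != MAX_UNDEFINED)
    {
        lcmaps_log_debug(2,"%s: max number of secondary gid's: %d\n", logstr, maxsgid);
        if (cntSecGid > maxsgid)
        {
            lcmaps_log(0, "%s:\tError: The set amount of secondary gid's gathered exceeds the maximum of %d secunadary gid's by %d\n", logstr, maxsgid, (cntSecGid - maxsgid));
            return 1;
        }
    }
    return 0;
}

/*
 * Read the process's current supplementary group list.
 *
 * On success stores a malloc'd array in *list (NULL when the list is empty;
 * the caller frees it) and returns its length.  Returns -1 after logging
 * when getgroups() fails or memory runs out; *list is then NULL.
 */
static int fetch_supplementary_groups(const char *logstr, gid_t **list)
{
    int ngroups;

    *list = NULL;
    ngroups = getgroups(0, NULL);
    if (ngroups < 0)
    {
        lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
        return -1;
    }
    if (ngroups == 0)
        return 0;

    *list = malloc((size_t)ngroups * sizeof **list);
    if (*list == NULL)
    {
        lcmaps_log(0, "%s: out of memory allocating the group list\n", logstr);
        return -1;
    }
    /* use the count of the second call: the list may have changed in between */
    ngroups = getgroups(ngroups, *list);
    if (ngroups < 0)
    {
        lcmaps_log(0, "%s: error in getgroups() call\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
        free(*list);
        *list = NULL;
        return -1;
    }
    return ngroups;
}

/*
 * Switch the primary gid to 'target': only the effective gid when
 * set_only_egid is set, otherwise both the real and the effective gid.
 *
 * A failing setregid() is fatal: continuing would leave the process with the
 * service's group credentials.  The result is read back and compared with
 * the target so that a "successful" call that did not take effect is also
 * rejected.  Returns 0 on success, 1 after logging.
 */
static int apply_primary_gid(const char *logstr, gid_t target)
{
    if (set_only_egid)
    {
        if (setregid((gid_t)-1, target) != 0)
        {
            lcmaps_log(0, "%s: cannot set effective gid by setregid()\n", logstr);
            lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
            return 1;
        }
        lcmaps_log_debug(1,"%s: Setting only effective primary gid to %d\n", logstr, (int) target);
        if (getegid() != target)
        {
            lcmaps_log(0, "%s: effective gid is %d after setregid(), expected %d\n", logstr, (int) getegid(), (int) target);
            return 1;
        }
        return 0;
    }

    if (setregid(target, target) != 0)
    {
        lcmaps_log(0, "%s: cannot set real and effective setregid()\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
        return 1;
    }
    if (getgid() != target || getegid() != target)
    {
        lcmaps_log(0, "%s: gids are %d/%d after setregid(), expected %d\n", logstr, (int) getgid(), (int) getegid(), (int) target);
        return 1;
    }
    return 0;
}

/*
 * Replace the supplementary group list with secGid[0..cntSecGid-1]
 * (an empty list clears it).  Must run while still root.
 * Returns 0 on success, 1 after logging the errno-specific diagnostic.
 */
static int apply_supplementary_gids(const char *logstr, gid_t *secGid, int cntSecGid)
{
    int i;

    /* a negative count would be converted to a huge size_t; a non-empty
     * list without storage would make setgroups() read a NULL pointer */
    if (cntSecGid < 0 || (cntSecGid > 0 && secGid == NULL))
    {
        lcmaps_log(0, "%s: invalid secondary gid list (count %d)\n", logstr, cntSecGid);
        return 1;
    }

    if (setgroups((size_t)cntSecGid, secGid) != 0)
    {
        int saved_errno = errno; /* lcmaps_log_debug() may clobber errno */

        switch (saved_errno)
        {
            case EFAULT :
                lcmaps_log_debug(1, "%s: Not that fatal but serious error\n", logstr);
                lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
                break;
            case EPERM :
                lcmaps_log_debug(1, "%s: You are not ROOT\n", logstr);
                lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
                break;
            case EINVAL :
                for (i = 0; i < cntSecGid; i++)
                {
                    lcmaps_log_debug(1,"%s: > i = %d met %d\n", logstr, i, (int) secGid[i]);
                }
                lcmaps_log_debug(1, "%s: Invalid GID list\n", logstr);
                lcmaps_log(0, "%s: %s\n", logstr, strerror(saved_errno));
                break;
            default :
                lcmaps_log_debug(1, "%s: Unspecified error in setgroups()\n", logstr);
                break;
        }
        return 1;
    }
    return 0;
}

/*
 * Switch the uid to 'target': only the effective uid when set_only_euid is
 * set (the real uid is deliberately left as is, so root can be regained
 * later -- that is what the option exists for), otherwise real and
 * effective.  Failure is fatal and the result is read back, as for the gid.
 * Returns 0 on success, 1 after logging.
 */
static int apply_uid(const char *logstr, uid_t target)
{
    if (set_only_euid)
    {
        if (setreuid((uid_t)-1, target) != 0)
        {
            lcmaps_log(0, "%s: cannot set effective uid by setreuid()\n", logstr);
            lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
            return 1;
        }
        lcmaps_log_debug(1,"%s: Setting only effective uid to %d\n", logstr, (int) target);
        if (geteuid() != target)
        {
            lcmaps_log(0, "%s: effective uid is %d after setreuid(), expected %d\n", logstr, (int) geteuid(), (int) target);
            return 1;
        }
        return 0;
    }

    if (setreuid(target, target) != 0)
    {
        lcmaps_log(0, "%s: cannot setreuid()\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
        return 1;
    }
    if (getuid() != target || geteuid() != target)
    {
        lcmaps_log(0, "%s: uids are %d/%d after setreuid(), expected %d\n", logstr, (int) getuid(), (int) geteuid(), (int) target);
        return 1;
    }
    return 0;
}

/*
 * Plugin entry point: enforce the credentials gathered by the earlier
 * plugins on the running process.
 *
 * Order matters and is kept: check the counts against the configured
 * limits, require root, set the primary gid, reset and then replace the
 * supplementary groups, and only then drop the uid (after which the gids
 * could no longer be changed).  Every step that fails aborts the run;
 * the final checks refuse to succeed with any root uid/gid still in place
 * (except the real id when the corresponding set_only_* option is on).
 *
 * argc/argv: unused; credentials come from getCredentialData().
 * Returns LCMAPS_MOD_SUCCESS or LCMAPS_MOD_FAIL.
 */
int plugin_run(
int argc,
lcmaps_argument_t * argv
)
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_run()";
    int t;
    gid_t * list = NULL;
    int ngroups = 0;

    char * dn = NULL;
    uid_t * uid = NULL;
    int cntUid = 0;
    gid_t * priGid = NULL;
    int cntPriGid = 0;
    gid_t * secGid = NULL;
    int cntSecGid = 0;
    struct passwd * root_info = NULL;

    (void)argc;
    (void)argv;

    lcmaps_log_debug(1,"%s\n", logstr);

    uid = getCredentialData(UID, &cntUid);
    priGid = getCredentialData(PRI_GID, &cntPriGid);
    secGid = getCredentialData(SEC_GID, &cntSecGid);
    lcmaps_log_debug(2,"%s: number of uids: %d, priGids: %d, secGids: %d\n", logstr, cntUid,cntPriGid,cntSecGid);

    if (check_credential_counts(logstr, cntUid, cntPriGid, cntSecGid) != 0)
        goto fail_posix;

    /* the id switches below need root; note only the real uid is tested here */
    if (getuid() != 0)
    {
        lcmaps_log(0, "%s: The service did not initialize with Root! -> %d\n", logstr, (int) getuid());
        goto fail_posix;
    }

    /* getpwuid() may return NULL without touching errno when the entry is
     * simply missing, so clear it first to avoid reporting a stale value */
    errno = 0;
    if ((root_info=getpwuid(0)) == NULL)
    {
        lcmaps_log(0, "%s: cannot get passwd info for root\n", logstr);
        if (errno==ENOMEM)
            lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
        goto fail_posix;
    }
    lcmaps_log_debug(3,"%s: Name of root: %s\n", logstr, root_info->pw_name);
    lcmaps_log_debug(3,"%s: Je real GID was -> %d\n", logstr, (int) getgid());
    lcmaps_log_debug(3,"%s: Je effective GID was -> %d\n", logstr, (int) getegid());

    if (cntPriGid <= 0 || priGid == NULL)
    {
        lcmaps_log(0, "%s: No primary group IDs found, need at least 1 !\n", logstr);
        goto fail_posix;
    }
    if (cntUid <= 0 || uid == NULL)
    {
        lcmaps_log(0, "%s: No user IDs found, need at least 1 !\n", logstr);
        goto fail_posix;
    }
    /* refuse a mapping to root before touching anything; the checks at the
     * end would reject it anyway, but failing early leaves the process as it was */
    if (uid[0] == 0 || priGid[0] == 0)
    {
        lcmaps_log(0, "%s: mapping to uid 0 or gid 0 is not allowed\n", logstr);
        goto fail_posix;
    }

    if (apply_primary_gid(logstr, priGid[0]) != 0)
        goto fail_posix;

    lcmaps_log_debug(3,"%s: Je real GID is nu -> %d\n", logstr, (int) getgid());
    lcmaps_log_debug(3,"%s: Je effective GID is nu -> %d\n", logstr, (int) getegid());

    /* reset the supplementary list to root's before installing the target list */
    if (initgroups(root_info->pw_name, root_info->pw_gid)!=0)
    {
        lcmaps_log(0, "%s: error in initgroups() call\n", logstr);
        lcmaps_log(0, "%s: %s\n", logstr, strerror(errno));
        goto fail_posix;
    }

    ngroups = fetch_supplementary_groups(logstr, &list);
    if (ngroups < 0)
        goto fail_posix;
    lcmaps_log_debug(3,"%s: found %d sec group IDs initially\n", logstr, ngroups);
    for (t = 0; t < ngroups; t++)
    {
        lcmaps_log_debug(3,"%s: Je Sec. Gids waren -> %d\n", logstr, (int) list[t]);
    }
    free(list);
    list = NULL;

    if (apply_supplementary_gids(logstr, secGid, cntSecGid) != 0)
        goto fail_posix;

    ngroups = fetch_supplementary_groups(logstr, &list);
    if (ngroups < 0)
        goto fail_posix;
    lcmaps_log_debug(1,"%s: found %d sec gids after setgroups(), cntSecGid=%d\n", logstr, ngroups,cntSecGid);
    for (t = 0; t < ngroups; t++)
    {
        lcmaps_log_debug(2,"%s: Je Sec. Gid s zijn nu -> %d\n", logstr, (int) list[t]);
    }

    lcmaps_log_debug(2,"%s: Je was user -> %d\n", logstr, (int) getuid());

    /* last: once the uid is dropped no further id changes are possible */
    if (apply_uid(logstr, uid[0]) != 0)
        goto fail_posix;

    lcmaps_log_debug(2,"%s: Je bent nu geworden -> %d\n", logstr, (int) getuid());
    lcmaps_log_debug(1,"%s: Je real UID is -> %d\n", logstr, (int) getuid());
    lcmaps_log_debug(1,"%s: Je effective UID is -> %d\n", logstr, (int) geteuid());

    /* fail-closed: never report success while a root id is still in effect */
    if ( (!set_only_euid) && ((getuid() == 0) || (geteuid() == 0)) )
    {
        lcmaps_log(0, "%s: real and or effective uid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }
    else if (geteuid() == 0)
    {
        lcmaps_log(0, "%s: effective uid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }

    if ( (!set_only_egid) && ((getgid() == 0) || (getegid() == 0)) )
    {
        lcmaps_log(0, "%s: real and or effective gid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }
    else if (getegid() == 0)
    {
        lcmaps_log(0, "%s: effective gid == 0, which is not allowed at this stage\n", logstr);
        goto fail_posix;
    }

    if (log_cred(dn, uid, cntUid, priGid, cntPriGid, secGid, cntSecGid) != 0)
    {
        lcmaps_log(0, "%s: Something wrong in printing the logged credentials (failure)\n", logstr);
        goto fail_posix;
    }

    free(list);
    lcmaps_log_time(0,"%s: posix_enf plugin succeeded\n", logstr);
    return LCMAPS_MOD_SUCCESS;

fail_posix:
    free(list);
    lcmaps_log_time(0,"%s: posix_enf plugin failed\n", logstr);
    return LCMAPS_MOD_FAIL;
}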
00977
00978
00979
00980
00981
00982
00983
00984
00985
00986
00987
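/*
 * Plugin exit point.  Nothing to release: all settings are plain statics.
 * The log prefix previously named plugin_introspect(), which misattributed
 * this message in the logs; it now names this function.
 * Returns LCMAPS_MOD_SUCCESS.
 */
int plugin_terminate()
{
    char * logstr = "\tlcmaps_plugin_posix_enf-plugin_terminate()";

    lcmaps_log_debug(1,"%s: terminating\n", logstr);

    return LCMAPS_MOD_SUCCESS;
}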