author    Kaz Kylheku <kaz@kylheku.com>  2016-05-02 21:09:19 -0700
committer Kaz Kylheku <kaz@kylheku.com>  2016-05-02 21:09:19 -0700
commit    94c4ac621f23e55b42f10d4cba920f2c7580005e
tree      769051da2c54b0e9cca04b798b5129b4272bfaac /txr.1
parent    112aa0b16bcc53b06633dfb9878194f6d59ada4d
Implement setgid script support.
TXR now notices that it's running setgid, and implements setgid logic for scripts.

* sysif.c (orig_egid, real_gid, is_setgid): New static variables.
(repress_privilege): Treat real and effective group ID similarly to user ID.
Save them in global variables, and set the is_setgid flag.
(drop_privilege): Drop setgid privilege similarly to setuid. Operate
selectively: if neither setuid nor setgid is in effect, do nothing, but if
just one is in effect, don't do anything for the other.
(simulate_setuid): Function renamed to simulate_setuid_setgid. A small change
is made here: if the fstat fails, just drop privilege, don't abort. Implement
setgid operation independently of setuid. The is_setgid and is_setuid flags
are manipulated here now to get the drop_privileges function to selectively
drop setuid if we are running a script which is only setgid, or drop setgid
if we are running a setuid only script.

* sysif.h (simulate_setuid): Declaration name change to simulate_setuid_setgid.

* txr.c (txr_main): Follow rename of simulate_setuid.

* txr.1: SETUID OPERATION section changed to SETUID/SETGID operation, and
setgid description worked into the text.
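Added example, not TXR's own sysif.c: a minimal C rendering of the drop-and-verify pattern the commit describes for the group ID, using setresgid where it is available and setegid(r) otherwise, followed by the setegid(e) regain test that has to run only after any root user ID has been dropped. The function names and the static variables are mine, modelled on the names the commit message mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Original IDs, recorded early at startup (names modelled on the commit). */
static gid_t orig_egid, real_gid;
static int is_setgid;

/* Note the original effective and real GIDs; setgid is in effect iff they differ. */
void note_gids(void)
{
    orig_egid = getegid();
    real_gid = getgid();
    is_setgid = (orig_egid != real_gid);
}

int running_setgid(void) { return is_setgid; }

/* Drop the setgid group privilege to the real GID. Returns 0 on success or
   when there is nothing to drop, -1 if the drop call failed. */
int drop_setgid_privilege(void)
{
    if (!is_setgid)
        return 0;
#if defined(__linux__) || defined(__FreeBSD__)
    /* Declared here so the call compiles even without _GNU_SOURCE on glibc. */
    extern int setresgid(gid_t, gid_t, gid_t);
    /* Preferred: real, effective and saved GID in one call, so no saved ID
       remains from which the privilege could later be restored. */
    return setresgid(real_gid, real_gid, real_gid) == 0 ? 0 : -1;
#else
    /* Fallback where setresgid is unavailable: effective GID only. */
    return setegid(real_gid) == 0 ? 0 : -1;
#endif
}

/* The regain test: try to switch back to the original effective GID. Run it
   only after any root UID privilege is dropped, since root always passes it.
   Success means the drop was incomplete, so abort as TXR does; returns 1 otherwise. */
int verify_setgid_dropped(void)
{
    if (!is_setgid)
        return 1;
    if (setegid(orig_egid) == 0) {
        fprintf(stderr, "setgid privilege could be regained; aborting\n");
        abort();
    }
    return 1;
}
```

Run as an ordinary user the process is not setgid, so both functions take the "nothing to drop" path; installed setgid, the drop is performed and the regain test is what turns a silently incomplete drop into an abort.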
Diffstat (limited to 'txr.1')
-rw-r--r-- txr.1 45
1 files changed, 39 insertions, 6 deletions
diff --git a/txr.1 b/txr.1
index 10ca0370..6db5569e 100644
--- a/txr.1
+++ b/txr.1
@@ -41392,14 +41392,15 @@ If multi-line mode is toggled interactively from within the listener,
the variable is updated to reflect the latest state. This happens
when the command is submitted for evaluation.
-.SH* SETUID OPERATION
+.SH* SETUID/SETGID OPERATION
On platforms with the Unix filesystem and process security model, \*(TX has
-support for executing setuid scripts, even on platforms whose operating system
-kernel does not honor the setuid bit on hash bang scripts. On these systems,
-taking advantage of the feature requires \*(TX to be installed as a setuid
-executable. For this reason, \*(TX is aware when it is executed setuid and
-takes care to manage privileges.
+support for executing setuid/setgid scripts, even on platforms whose operating system
+kernel does not honor the setuid/setgid bit on hash bang scripts. On these
+systems, taking advantage of the feature requires \*(TX to be installed as a
+setuid/setgid executable. For this reason, \*(TX is aware when it is executed
+setuid and takes care to manage privileges. The following description about
+the handling of setuid applies to the parallel handling of setgid also.
When \*(TX starts, early in its execution it determines whether or not is
is executing setuid. If so, it temporarily drops privileges, as a precaution.
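Review bot: the trailing context line "whether or not is is executing setuid" still carries a doubled "is" for "it is"; since this paragraph is being reworked for setgid anyway, the typo could be fixed in the same change. Also, the added sentence "\*(TX is aware when it is executed setuid and takes care to manage privileges" now sits under a SETUID/SETGID heading; saying "executed setuid or setgid" there would read more directly than relying on the closing sentence that the setuid description applies to setgid in parallel.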
@@ -41456,6 +41457,38 @@ where
is the previously noted effective user ID. In other words, it
attempts to re-gain the dropped privilege by recovering the previous
effective ID. If this attempt succeeds, \*(TX immediately aborts.
+Dropping setgid privileges is similar. Where
+.code setresgid
+is available it is used, otherwise an attempt is made with
+.code "setegid(r)"
+where
+.code r
+is the previously noted real group ID. Then a test using
+.code "setegid(e)"
+is performed using the original effective group ID as
+.codn e .
+This is done after dropping any setuid root user ID privilege
+which would allow such a test to succeed.
+
+If \*(TX is running both setuid and setgid, and execute a script
+which is setuid only, it will still drop group privileges, and vice
+versa: if it executed a setgid script, it will drop user privileges.
+For instance, if a root-owned \*(TX runs a setgid script which is owned by
+user
+.code 10
+and group-owned by group
+.codn 20 ,
+that script will run with an effective group ID of 20. The effective user ID
+will be that of the user who invoked the script: \*(TX will drop the root
+privilege to the original real ID of the user, and while for the setgid
+operation, it will change to the group ID of the script.
+
+The setuid/setgid privilege machinery in \*(TX does not manipulate
+the list of supplementary ("ancillary", in the language of POSIX) group IDs.
+It is unnecessary for security because the list does not change while
+running with setuid privilege. No group IDs are added to the list which
+need to be retracted when privileges are dropped. The supplementary
+groups also persist across the execution of a setuid/setgid script.
.SH* DEBUGGER
\*(TX has a simple, crude, built-in debugger. The debugger is invoked by adding
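Review bot: the added paragraph "If \*(TX is running both setuid and setgid, and execute a script which is setuid only ... if it executed a setgid script" mixes number and tense; suggest "and executes a script which is setuid only" and "if it executes a setgid script". The worked example's last clause, "and while for the setgid operation, it will change to the group ID of the script", is awkward; "while for the setgid operation it will switch to the group ID of the script" is clearer. The ordering note "This is done after dropping any setuid root user ID privilege which would allow such a test to succeed" is the important one for readers of this section and could be given its own sentence rather than trailing the setegid(e) description.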