Submitted By: Robert Connolly (ashes) Date: 2007-04-25 Initial Package Version: 2.5 Upstream Status: Not Submitted Origin: Alt-Linux and Me. Description: This adds the issetugid() library function as a frontend to the __libc_enable_secure() dynamic linker function. This wasn't really nescessary, but the patch effectively clones the OpenBSD issetugid() library function so it can be found and used by packages like Ncurses, and KDE. Adding this issetugid() wrapper keeps us from needing to patch many packages to use __libc_enable_secure(). You will probably want to install the (modified) manual/issetugid.3 manual page too. diff -Naur glibc-2.5.orig/manual/issetugid.3 glibc-2.5/manual/issetugid.3 --- glibc-2.5.orig/manual/issetugid.3 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.5/manual/issetugid.3 2007-04-25 23:23:21.000000000 +0000 @@ -0,0 +1,106 @@ +.\" $OpenBSD: issetugid.2,v 1.18 2003/06/02 20:18:39 millert Exp $ +.\" +.\" Copyright (c) 1980, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd August 25, 1996 +.Dt ISSETUGID 3 +.Os +.Sh NAME +.Nm issetugid +.Nd is current executable running setuid or setgid +.Sh SYNOPSIS +.Fd #include +.Ft int +.Fn issetugid void +.Sh DESCRIPTION +The +.Fn issetugid +function returns 1 if the process was made setuid or setgid as +the result of the last or other previous +.Fn execve +system calls. +Otherwise it returns 0. +.Pp +This function exists so that library routines (inside libtermlib, libc, +or other libraries) can guarantee safe behavior when used inside +setuid or setgid programs. This implementation uses the +__libc_enable_secure() function from Glibc's dynamic linker. +Some library routines may be passed insufficient information and hence +not know whether the current program was started setuid or setgid +because higher level calling code may have made changes to the uid, euid, +gid, or egid. +Hence these low-level library routines are unable to determine if they +are being run with elevated or normal privileges. +.Pp +In particular, it is wise to use this call to determine if a +pathname returned from a +.Fn getenv +call may safely be used to +.Fn open +the specified file. +Quite often this is not wise because the status of the effective uid +is not known. +.Pp +The +.Fn issetugid +system call's result is unaffected by calls to +.Fn setuid , +.Fn setgid , +or other such calls. +In case of a +.Fn fork , +the child process inherits the same status. +.Pp +The status of +.Fn issetugid +is only affected by +.Fn execve . +If a child process executes a new executable file, a new issetugid +status will be determined. +This status is based on the existing process's uid, euid, gid, +and egid permissions and on the modes of the executable file. +If the new executable file modes are setuid or setgid, or if +the existing process is executing the new image with +uid != euid or gid != egid, the new process will be considered +issetugid. +.Sh ERRORS +The +.Fn issetugid +function is always successful, and no return value is reserved to +indicate an error. +.Sh SEE ALSO +.Xr execve 2 , +.Xr setegid 2 , +.Xr seteuid 2 , +.Xr setgid 2 , +.Xr setuid 2 +.Sh HISTORY +The +.Fn issetugid +function call first appeared in +.Ox 2.0 . diff -Naur glibc-2.5.orig/posix/Makefile glibc-2.5/posix/Makefile --- glibc-2.5.orig/posix/Makefile 2006-09-07 13:50:05.000000000 +0000 +++ glibc-2.5/posix/Makefile 2007-04-25 23:23:21.000000000 +0000 @@ -47,7 +47,7 @@ getpid getppid \ getuid geteuid getgid getegid getgroups setuid setgid group_member \ getpgid setpgid getpgrp bsd-getpgrp setpgrp getsid setsid \ - getresuid getresgid setresuid setresgid \ + getresuid getresgid setresuid setresgid issetugid \ getlogin getlogin_r setlogin \ pathconf sysconf fpathconf \ glob glob64 fnmatch regex \ diff -Naur glibc-2.5.orig/posix/Versions glibc-2.5/posix/Versions --- glibc-2.5.orig/posix/Versions 2004-05-03 21:25:44.000000000 +0000 +++ glibc-2.5/posix/Versions 2007-04-25 23:23:21.000000000 +0000 @@ -38,6 +38,9 @@ getopt_long_only; getpgid; getpgrp; getpid; getppid; getsid; getuid; glob; glob_pattern_p; globfree; group_member; + # i* + issetugid; + # n* nanosleep; diff -Naur glibc-2.5.orig/posix/issetugid.c glibc-2.5/posix/issetugid.c --- glibc-2.5.orig/posix/issetugid.c 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.5/posix/issetugid.c 2007-04-25 23:23:21.000000000 +0000 @@ -0,0 +1,61 @@ +/* + * Copyright (C) - 2007 Robert Connolly + * + * Permission to reproduce, copy, delete, distribute, transmit, use, modify, + * build upon or otherwise exploit this software, in any form, for any + * purpose, in any way, and by anyone, including by methods that have not + * yet been invented or conceived, is hereby granted. + */ + +#include + +extern int __libc_enable_secure; + +int issetugid(void) +{ + if (__libc_enable_secure) + { + return 1; + } + + if (getuid() != geteuid()) + { + return 1; + } + + if (getgid() != getegid()) + { + return 1; + } + + /* Else */ + return 0; +} + +#if defined(TEST) + +# include + +int main(void) +{ + int GETUID=getuid(), GETGID=getgid(); + int GETEUID=geteuid(), GETEGID=getegid(); + int ISSETUGID=issetugid(); + + printf("Your real user ID is %d\n", GETUID); + printf("Your real group ID is %d\n", GETGID); + printf("Your effective user ID is %d\n", GETEUID); + printf("Your effective group ID is %d\n", GETEGID); + + if (ISSETUGID == 1) + { + printf("issetugid() says this program is SUID\n"); + } + else + { + printf("issetugid() says this program is not SUID\n"); + } + + return 0; +} +#endif /* TEST */ diff -Naur glibc-2.5.orig/posix/unistd.h glibc-2.5/posix/unistd.h --- glibc-2.5.orig/posix/unistd.h 2006-08-24 06:46:27.000000000 +0000 +++ glibc-2.5/posix/unistd.h 2007-04-25 23:23:21.000000000 +0000 @@ -648,6 +648,10 @@ /* Get the effective group ID of the calling process. */ extern __gid_t getegid (void) __THROW; +/* Call __libc_enable_secure() and tell us whether the process is + SUID or SGID */ +extern int issetugid(void); + /* If SIZE is zero, return the number of supplementary groups the calling process is in. Otherwise, fill in the group IDs of its supplementary groups in LIST and return the number written. */ diff -Naur glibc-2.5.orig/scripts/data/localplt-i386-linux-gnu.data glibc-2.5/scripts/data/localplt-i386-linux-gnu.data --- glibc-2.5.orig/scripts/data/localplt-i386-linux-gnu.data 2006-01-11 21:06:19.000000000 +0000 +++ glibc-2.5/scripts/data/localplt-i386-linux-gnu.data 2007-04-25 23:23:53.000000000 +0000 @@ -1,6 +1,10 @@ libc.so: _Unwind_Find_FDE libc.so: calloc libc.so: free +libc.so: getegid +libc.so: geteuid +libc.so: getgid +libc.so: getuid libc.so: malloc libc.so: memalign libc.so: realloc