2 * Routines for handling privileges, e.g. set-UID and set-GID on UNIX.
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 2006 Gerald Combs
8 * SPDX-License-Identifier: GPL-2.0-or-later
13 #if defined(HAVE_SETRESUID) || defined(HAVE_SETREGUID)
14 #define _GNU_SOURCE /* Otherwise [sg]etres[gu]id won't be defined on Linux */
19 #include "privileges.h"
27 * Called when the program starts, to save whatever credential information
28 * we'll need later, and to do whatever other specialized platform-dependent
29 * initialization we want.
void
init_process_policies(void)
{
	/*
	 * Opt this process in to "data execution prevention": where the
	 * MMU supports per-page execute permission, most data pages stop
	 * being executable.
	 *
	 * The result is discarded on purpose.  The call fails on 64-bit
	 * Windows, where DEP is always on, and there is nothing useful to
	 * do about a failure of a best-effort hardening request.
	 */
	(void)SetProcessDEPPolicy(PROCESS_DEP_ENABLE);
}
48 * For now, we say the program wasn't started with special privileges.
49 * There are ways of running programs with credentials other than those
50 * for the session in which it's run, but I don't know whether that'd be
51 * done with Wireshark/TShark or not.
54 started_with_special_privs(void)
60 * For now, we say the program isn't running with special privileges.
61 * There are ways of running programs with credentials other than those
62 * for the session in which it's run, but I don't know whether that'd be
63 * done with Wireshark/TShark or not.
66 running_with_special_privs(void)
72 * For now, we don't do anything when asked to relinquish special privileges.
75 relinquish_special_privs_perm(void)
80 * Get the current username. String must be g_free()d after use.
gchar *
get_cur_username(void)
{
	/*
	 * No account lookup is attempted in this variant: the caller
	 * always receives a newly allocated placeholder, which it owns
	 * and must release with g_free().
	 */
	return g_strdup("UNKNOWN");
}
90 * Get the current group. String must be g_free()d after use.
gchar *
get_cur_groupname(void)
{
	/*
	 * No group lookup is attempted in this variant: the caller
	 * always receives a newly allocated placeholder, which it owns
	 * and must release with g_free().
	 */
	return g_strdup("UNKNOWN");
}
101 #ifdef HAVE_SYS_TYPES_H
102 # include <sys/types.h>
120 static uid_t ruid, euid;
121 static gid_t rgid, egid;
122 static gboolean init_process_policies_called = FALSE;
125 * Called when the program starts, to save whatever credential information
126 * we'll need later, and to do whatever other specialized platform-dependent
127 * initialization we want.
129 * The credential information we'll need later on UNIX is the real and
130 * effective UID and GID.
132 * XXX - do any UN*Xes have opt-in "no execute on data pages by default"
133 * permission? This would be the place to request it.
void
init_process_policies(void)
{
	/*
	 * Snapshot the real and effective IDs as they are at startup.
	 * started_with_special_privs() and relinquish_special_privs_perm()
	 * work from these saved values, not from the live process state.
	 */
	ruid = getuid();
	rgid = getgid();
	euid = geteuid();
	egid = getegid();

	/* Lets started_with_special_privs() assert that we ran first. */
	init_process_policies_called = TRUE;
}
147 * "Started with special privileges" means "started out set-UID or set-GID",
148 * or run as the root user or group.
gboolean
started_with_special_privs(void)
{
	/* The saved IDs are only valid once init_process_policies() has run. */
	g_assert(init_process_policies_called);

#ifdef HAVE_ISSETUGID
	/*
	 * NOTE(review): issetugid() reports a set-UID/set-GID start (or an
	 * ID change since exec).  It presumably does not report a process
	 * that was simply run as root, which the comment above this
	 * function also counts as "special" - confirm that callers do not
	 * depend on the root case on platforms that take this branch.
	 */
	return issetugid();
#else
	{
		/* Set-UID/set-GID start: real and effective IDs disagree. */
		const gboolean ids_differ = (ruid != euid) || (rgid != egid);
		/* Started as the root user or the root group. */
		const gboolean is_root = (ruid == 0) || (rgid == 0);

		return ids_differ || is_root;
	}
#endif
}
162 * Return TRUE if the real, effective, or saved (if we can check it) user or group ID is zero.
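/*
 * Report whether the process currently holds root user or group
 * credentials.
 *
 * Returns TRUE if any of the real, effective or (where getresuid() /
 * getresgid() are available) saved user or group IDs is 0, FALSE
 * otherwise.  Unlike started_with_special_privs() this looks at the
 * live process IDs, not at the values saved at startup.
 */
gboolean
running_with_special_privs(void)
{
#ifdef HAVE_SETRESUID
	uid_t ru, eu, su;

	/*
	 * Only trust ru/eu/su if the call succeeded; on failure they are
	 * uninitialized, so fall back to the real/effective check instead
	 * of reading indeterminate values.
	 */
	if (getresuid(&ru, &eu, &su) == 0) {
		if (ru == 0 || eu == 0 || su == 0) {
			return TRUE;
		}
	} else if (getuid() == 0 || geteuid() == 0) {
		return TRUE;
	}
#else
	if (getuid() == 0 || geteuid() == 0) {
		return TRUE;
	}
#endif

#ifdef HAVE_SETRESGID
	gid_t rg, eg, sg;

	/* Same rule for the group IDs: never read them after a failed call. */
	if (getresgid(&rg, &eg, &sg) == 0) {
		if (rg == 0 || eg == 0 || sg == 0) {
			return TRUE;
		}
	} else if (getgid() == 0 || getegid() == 0) {
		return TRUE;
	}
#else
	if (getgid() == 0 || getegid() == 0) {
		return TRUE;
	}
#endif

	return FALSE;
}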
195 * Permanently relinquish set-UID and set-GID privileges.
196 * If error, abort since we probably shouldn't continue
197 * with elevated privileges.
198 * Note that if this error occurs when dumpcap is called from
199 * wireshark or tshark, the message seen will be
200 * "Child dumpcap process died:". This is obscure but we'll
201 * consider it acceptable since it should be highly unlikely
202 * that this error will occur.
static void
setxid_fail(const gchar *str)
{
	/*
	 * str names the set*id() call that failed.  Read errno before
	 * anything else can overwrite it, so the text describes that call.
	 */
	const int saved_errno = errno;

	/* g_error() logs the message and aborts the process. */
	g_error("Attempt to relinguish privileges failed [%s()] - aborting: %s\n",
	    str, g_strerror(saved_errno));
}
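/*
 * Permanently give up set-UID / set-GID privileges by resetting the
 * process IDs to the real user and group IDs saved at startup.
 *
 * Does nothing if the process was not started with special privileges.
 * Any failure, including a drop that reports success but leaves the
 * IDs unchanged, ends in setxid_fail(), which aborts the process.
 */
void
relinquish_special_privs_perm(void)
{
	/*
	 * If we were not started with special privileges there is nothing
	 * to drop, and resetting the IDs anyway seems to mangle the group
	 * set, at least in Mac OS X 10.5.
	 */
	if (!started_with_special_privs()) {
		return;
	}

	/*
	 * Order matters: groups first, user last.  Once the effective UID
	 * has been given up we no longer have the right to change
	 * anything else.
	 */
#ifdef HAVE_SETRESGID
	if (setresgid(rgid, rgid, rgid) == -1) {
		setxid_fail("setresgid");
	}
#else
	if (setgid(rgid) == -1) {
		setxid_fail("setgid");
	}
	if (setegid(rgid) == -1) {
		setxid_fail("setegid");
	}
#endif

#ifdef HAVE_SETRESUID
	if (setresuid(ruid, ruid, ruid) == -1) {
		setxid_fail("setresuid");
	}
#else
	/*
	 * NOTE(review): without setresuid(), setuid() called from a
	 * non-root effective UID may leave the saved set-user-ID
	 * untouched on systems with saved IDs, so the drop may not be
	 * permanent there - confirm per platform.
	 */
	if (setuid(ruid) == -1) {
		setxid_fail("setuid");
	}
	if (seteuid(ruid) == -1) {
		setxid_fail("seteuid");
	}
#endif

	/*
	 * Do not rely on the return values alone: confirm the process
	 * really holds only the real IDs now, and abort if it does not.
	 * errno is set explicitly because no system call failed here.
	 */
	if (getgid() != rgid || getegid() != rgid) {
		errno = EPERM;
		setxid_fail("getegid");
	}
	if (getuid() != ruid || geteuid() != ruid) {
		errno = EPERM;
		setxid_fail("geteuid");
	}
}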
243 * Get the current username. String must be g_free()d after use.
gchar *
get_cur_username(void)
{
	/* Look up the account record for the real user ID. */
	const struct passwd *entry = getpwuid(getuid());

	/*
	 * Copy the name before closing the database: the record may live
	 * in storage owned by the C library.  The caller owns the copy
	 * and must g_free() it.
	 */
	gchar *username = g_strdup(entry != NULL ? entry->pw_name : "UNKNOWN");

	endpwent();
	return username;
}
260 * Get the current group. String must be g_free()d after use.
gchar *
get_cur_groupname(void)
{
	/* Look up the group record for the real group ID. */
	const struct group *entry = getgrgid(getgid());

	/*
	 * Copy the name before closing the database: the record may live
	 * in storage owned by the C library.  The caller owns the copy
	 * and must g_free() it.
	 */
	gchar *groupname = g_strdup(entry != NULL ? entry->gr_name : "UNKNOWN");

	endgrent();
	return groupname;
}
284 * indent-tabs-mode: t
287 * ex: set shiftwidth=8 tabstop=8 noexpandtab:
288 * :indentSize=8:tabSize=8:noTabs=false: