From: Todd C. Miller Date: Wed, 13 Oct 2004 16:46:19 +0000 (+0000) Subject: Kill use of POSIX saved uids; they aren't worth bothering with. X-Git-Tag: SUDO_1_7_0~881 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=48cdd1dec3848bade5a0f3f3eae427be447c69d0;p=sudo Kill use of POSIX saved uids; they aren't worth bothering with. --- diff --git a/INSTALL b/INSTALL index f469c3714..c7e0f797b 100644 --- a/INSTALL +++ b/INSTALL @@ -256,11 +256,6 @@ Special features/options: With this option, sudo will run the mailer as the invoking user which some people consider to be safer. - --disable-saved-ids - Disable use of POSIX saved IDs. Normally, sudo will try - to use POSIX saved IDs if they are supported. However, - some implementations are broken. - --disable-setreuid Disable use of the setreuid() function for operating systems where it is broken. 4.4BSD has setreuid() but it doesn't @@ -673,10 +668,6 @@ Linux: fixed. There is a workaround on the sudo ftp site, linux_nfs.patch, if you need to NFS-mount sudoers on older Linux kernels. - Linux kernels 2.2.16-2.2.19 appear to have broken POSIX saved - ID support. You must run configure with the --disable-saved-ids - flag to get a working sudo. - Mac OS X: It has been reported that for sudo to work on Mac OS X it must either be built with the --with-password-timeout=0 option or the diff --git a/PORTING b/PORTING index 1d42ebd6b..861e0c03e 100644 --- a/PORTING +++ b/PORTING 
@@ -21,12 +21,6 @@ the POSIX sysconf(2) it will be used instead of getdtablesize(2). ulimit(2) or getrlimit(2) can also be used on some OS's. If all else fails you can use the value of NOFILE in . -Also, some operating systems have a broken implementation of POSIX -saved IDs. If sudo prints the error message "seteuid(0) failed, -your operating system may have broken POSIX saved ID support" this -means saved IDs are not implemented properly. You should run -configure with the "--disable-saved-ids" option and rebuild sudo. - Sudo tries to clear the environment of dangerous environment variables such as LD_* to prevent shared library spoofing. If you are porting sudo to a new OS that has shared libraries you'll want to mask out diff --git a/TROUBLESHOOTING b/TROUBLESHOOTING index 94a93ccbc..d5d6b86aa 100644 --- a/TROUBLESHOOTING +++ b/TROUBLESHOOTING @@ -17,13 +17,6 @@ A) Sudo must be setuid root to do its work. You need to do something like your $PATH before the directory containing sudo. If you are going to have '.' in your path you should make sure it is at the end. -Q) Sudo compiles but when I run it I get "seteuid(0) failed, your operating - system may have broken POSIX saved ID support\nTry running configure with - --disable-saved-ids" and sudo quits. -A) The operating system you are running probably has broken support for - POSIX saved IDs. You should run configure with the "--disable-saved-ids" - option and rebuild sudo. - Q) Sudo never gives me a chance to enter a password using PAM, it just says 'Sorry, try again.' three times and quits. A) You didn't setup PAM to work with sudo. On Linux this generally diff --git a/config.h.in b/config.h.in index 57beec97b..0ac4fbed3 100644 --- a/config.h.in +++ b/config.h.in @@ -451,9 +451,6 @@ /* Define to 1 if root should not be allowed to use sudo. */ #undef NO_ROOT_SUDO -/* Define to avoid using POSIX saved ids. */ -#undef NO_SAVED_IDS - /* The default password prompt. */ #undef PASSPROMPT 
diff --git a/configure b/configure index 0b583ee38..386c0bca3 100755 --- a/configure +++ b/configure @@ -1021,7 +1021,6 @@ Optional Features: --disable-root-mailer Don't run the mailer as root, run as the user --disable-setreuid Don't try to use the setreuid() function --disable-setresuid Don't try to use the setresuid() function - --disable-saved-ids Don't try to use POSIX saved ids --disable-shadow Never use shadow passwords --disable-root-sudo Don't allow root to run sudo --enable-log-host Log the hostname in the log file @@ -3337,34 +3336,6 @@ if test "${enable_setresuid+set}" = set; then fi; -echo "$as_me:$LINENO: checking whether to disable use of POSIX saved ids" >&5 -echo $ECHO_N "checking whether to disable use of POSIX saved ids... $ECHO_C" >&6 -# Check whether --enable-saved-ids or --disable-saved-ids was given. -if test "${enable_saved_ids+set}" = set; then - enableval="$enable_saved_ids" - case "$enableval" in - yes) echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - no) echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - cat >>confdefs.h <<\_ACEOF -#define NO_SAVED_IDS 1 -_ACEOF - - ;; - *) echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 - { echo "$as_me:$LINENO: WARNING: Ignoring unknown argument to --enable-saved-ids: $enableval" >&5 -echo "$as_me: WARNING: Ignoring unknown argument to --enable-saved-ids: $enableval" >&2;} - ;; - esac - -else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi; - echo "$as_me:$LINENO: checking whether to disable shadow password support" >&5 echo $ECHO_N "checking whether to disable shadow password support... $ECHO_C" >&6 # Check whether --enable-shadow or --disable-shadow was given. 
@@ -5546,7 +5517,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 5549 "configure"' > conftest.$ac_ext + echo '#line 5520 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6775,7 +6746,7 @@ fi # Provide some information about the compiler. -echo "$as_me:6778:" \ +echo "$as_me:6749:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -7806,11 +7777,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7809: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7780: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7813: \$? = $ac_status" >&5 + echo "$as_me:7784: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -8038,11 +8009,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8041: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8012: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8045: \$? = $ac_status" >&5 + echo "$as_me:8016: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -8105,11 +8076,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8108: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8079: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8112: \$? = $ac_status" >&5 + echo "$as_me:8083: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10191,7 +10162,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:12419: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:12452: \$? = $ac_status" >&5 + echo "$as_me:12423: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -12512,11 +12483,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:12515: $lt_compile\"" >&5) + (eval echo "\"\$as_me:12486: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:12519: \$? = $ac_status" >&5 + echo "$as_me:12490: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -13802,7 +13773,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14696: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14729: \$? = $ac_status" >&5 + echo "$as_me:14700: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -14789,11 +14760,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14792: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14763: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14796: \$? = $ac_status" >&5 + echo "$as_me:14767: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16723,11 +16694,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16726: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16697: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16730: \$? = $ac_status" >&5 + echo "$as_me:16701: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -16955,11 +16926,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16958: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16929: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16962: \$? = $ac_status" >&5 + echo "$as_me:16933: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17022,11 +16993,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17025: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16996: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17029: \$? = $ac_status" >&5 + echo "$as_me:17000: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -19108,7 +19079,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case declares $ac_func. - For example, HP-UX 11i declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $ac_func - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -{ -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -char (*f) () = $ac_func; -#endif -#ifdef __cplusplus -} -#endif - -int -main () -{ -return f != $ac_func; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! 
-s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -eval "$as_ac_var=no" -fi -rm -f conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -else - cat >>confdefs.h <<\_ACEOF -#define NO_SAVED_IDS 1 -_ACEOF - -fi -done - if test -z "$SKIP_SETRESUID"; then for ac_func in setresuid @@ -34054,8 +33918,6 @@ fi - - diff --git a/configure.in b/configure.in index 7c3e4ec03..9fd96e211 100644 --- a/configure.in +++ b/configure.in @@ -1035,21 +1035,6 @@ AC_ARG_ENABLE(setresuid, esac ]) -AC_MSG_CHECKING(whether to disable use of POSIX saved ids) -AC_ARG_ENABLE(saved-ids, -[ --disable-saved-ids Don't try to use POSIX saved ids], -[ case "$enableval" in - yes) AC_MSG_RESULT(no) - ;; - no) AC_MSG_RESULT(yes) - AC_DEFINE(NO_SAVED_IDS) - ;; - *) AC_MSG_RESULT(no) - AC_MSG_WARN([Ignoring unknown argument to --enable-saved-ids: $enableval]) - ;; - esac -], AC_MSG_RESULT(no)) - AC_MSG_CHECKING(whether to disable shadow password support) AC_ARG_ENABLE(shadow, [ --disable-shadow Never use shadow passwords], 
@@ -1691,7 +1676,6 @@ dnl Function checks dnl AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ strftime setrlimit initgroups fstat) -AC_CHECK_FUNCS(seteuid, , [AC_DEFINE(NO_SAVED_IDS)]) if test -z "$SKIP_SETRESUID"; then AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes]) fi @@ -2294,7 +2278,6 @@ AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.]) AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.]) AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.]) -AH_TEMPLATE(NO_SAVED_IDS, [Define to avoid using POSIX saved ids.]) AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.]) AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.]) AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.]) diff --git a/set_perms.c b/set_perms.c index 2839fdd3a..245b28697 100644 --- a/set_perms.c +++ b/set_perms.c 
@@ -67,90 +67,6 @@ static const char rcsid[] = "$Sudo$"; static void runas_setup __P((void)); static void fatal __P((char *, int)); -#if !defined(HAVE_SETRESUID) && !defined(HAVE_SETREUID) && \ - !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION) -/* - * Set real and effective uids and gids based on perm. - * Since we have POSIX saved IDs we can get away with just - * toggling the effective uid/gid unless we are headed for an exec(). - */ -void -set_perms_posix(perm) - int perm; -{ - int error; - - switch (perm) { - case PERM_ROOT: - if (seteuid(ROOT_UID)) - fatal("seteuid(ROOT_UID) failed, your operating system may have broken POSIX saved ID support\nTry running configure with --disable-saved-ids", 0); - break; - - case PERM_FULL_ROOT: - /* headed for exec() */ - (void) seteuid(ROOT_UID); - if (setuid(ROOT_UID)) - fatal("setuid(ROOT_UID)", 1); - break; - - case PERM_USER: - (void) setegid(user_gid); - if (seteuid(user_uid)) - fatal("seteuid(user_uid)", 1); - break; - - case PERM_FULL_USER: - /* headed for exec() */ - (void) setgid(user_gid); - if (setuid(user_uid)) - fatal("setuid(user_uid)", 1); - break; - - case PERM_RUNAS: - if (seteuid(runas_pw->pw_uid)) - fatal("unable to change to runas uid", 1); - break; - - case PERM_FULL_RUNAS: - /* headed for exec(), assume euid == ROOT_UID */ - runas_setup(); - if (def_stay_setuid) - error = seteuid(runas_pw->pw_uid); - else - error = setuid(runas_pw->pw_uid); - if (error) - fatal("unable to change to runas uid", 1); - break; - - case PERM_SUDOERS: - /* assume euid == ROOT_UID, ruid == user */ - if (setegid(SUDOERS_GID)) - fatal("unable to change to sudoers gid", 1); - - /* - * If SUDOERS_UID == ROOT_UID and SUDOERS_MODE - * is group readable we use a non-zero - * uid in order to avoid NFS lossage. - * Using uid 1 is a bit bogus but should - * work on all OS's. 
- */ - if (SUDOERS_UID == ROOT_UID) { - if ((SUDOERS_MODE & 040) && seteuid(1)) - fatal("seteuid(1)", 1); - } else { - if (seteuid(SUDOERS_UID)) - fatal("seteuid(SUDOERS_UID)", 1); - } - break; - case PERM_TIMESTAMP: - if (seteuid(timestamp_uid)) - fatal("seteuid(timestamp_uid)", 1); - break; - - } -} -#endif /* !NO_SAVED_IDS && _SC_SAVED_IDS && _SC_VERSION */ - #ifdef HAVE_SETRESUID /* * Set real and effective and saved uids and gids based on perm. @@ -159,7 +75,7 @@ set_perms_posix(perm) * This version of set_perms() works fine with the "stay_setuid" option. */ void -set_perms_suid(perm) +set_perms(perm) int perm; { int error; @@ -236,7 +152,7 @@ set_perms_suid(perm) * This version of set_perms() works fine with the "stay_setuid" option. */ void -set_perms_suid(perm) +set_perms(perm) int perm; { int error; 
@@ -305,79 +221,7 @@ set_perms_suid(perm) } } -# else -# ifdef HAVE_SETREUID - -/* - * Set real and effective uids and gids based on perm. - * NOTE: does not support the "stay_setuid" option. - */ -void -set_perms_nosuid(perm) - int perm; -{ - - /* - * Since we only have setuid() and seteuid() we have to set - * real and effective uids to ROOT_UID initially. - */ - if (setuid(ROOT_UID)) - fatal("setuid(ROOT_UID)", 1); - - switch (perm) { - case PERM_USER: - (void) setegid(user_gid); - if (seteuid(user_uid)) - fatal("seteuid(user_uid)", 1); - break; - - case PERM_FULL_USER: - /* headed for exec() */ - (void) setgid(user_gid); - if (setuid(user_uid)) - fatal("setuid(user_uid)", 1); - break; - - case PERM_RUNAS: - if (seteuid(runas_pw->pw_uid)) - fatal("unable to change to runas uid", 1); - break; - - case PERM_FULL_RUNAS: - /* headed for exec(), assume euid == ROOT_UID */ - runas_setup(); - if (setuid(runas_pw->pw_uid)) - fatal("unable to change to runas uid", 1); - break; - - case PERM_SUDOERS: - /* assume euid == ROOT_UID, ruid == user */ - if (setegid(SUDOERS_GID)) - fatal("unable to change to sudoers gid", 1); - - /* - * If SUDOERS_UID == ROOT_UID and SUDOERS_MODE - * is group readable we use a non-zero - * uid in order to avoid NFS lossage. - * Using uid 1 is a bit bogus but should - * work on all OS's. - */ - if (SUDOERS_UID == ROOT_UID) { - if ((SUDOERS_MODE & 040) && seteuid(1)) - fatal("seteuid(1)", 1); - } else { - if (seteuid(SUDOERS_UID)) - fatal("seteuid(SUDOERS_UID)", 1); - } - break; - case PERM_TIMESTAMP: - if (seteuid(timestamp_uid)) - fatal("seteuid(timestamp_uid)", 1); - break; - } -} - -# else +# else /* !HAVE_SETRESUID && !HAVE_SETREUID */ /* * Set uids and gids based on perm via setuid() and setgid(). @@ -385,7 +229,7 @@ set_perms_nosuid(perm) * Also, SUDOERS_UID and SUDOERS_GID are not used. */ void -set_perms_nosuid(perm) +set_perms(perm) int perm; { 
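Review bot: The fallback selected by the new `# else /* !HAVE_SETRESUID && !HAVE_SETREUID */` line is now the only set_perms() on hosts without setresuid() or setreuid(), and its header comment does not spell out what that means for privilege handling. The visible part of the comment says SUDOERS_UID and SUDOERS_GID are not used; the lines above it fall between hunks, so I cannot tell whether it also says `stay_setuid` is unsupported, as the removed seteuid() variant did. If it matches the body, which continues outside the hunk, I would add a line such as `* NOTE: uid changes made here cannot be undone and the "stay_setuid" option is ignored.` It may also be worth warning in this build when `def_stay_setuid` is set, so an administrator does not rely on a setting that has no effect.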
@@ -416,7 +260,6 @@ set_perms_nosuid(perm) break; } } -# endif /* HAVE_SETEUID */ # endif /* HAVE_SETREUID */ #endif /* HAVE_SETRESUID */ diff --git a/sudo.c b/sudo.c index d18da6aaf..d92feb2a5 100644 --- a/sudo.c +++ b/sudo.c @@ -140,7 +140,6 @@ login_cap_t *lc; char *login_style; #endif /* HAVE_BSD_AUTH_H */ sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld; -void (*set_perms) __P((int)); int @@ -193,7 +192,7 @@ main(argc, argv, envp) (void) sigaction(SIGCHLD, &sa, &saved_sa_chld); /* - * Turn off core dumps, close open files and setup set_perms(). + * Turn off core dumps and close open files. */ initial_setup(); setpwent(); @@ -277,22 +276,6 @@ main(argc, argv, envp) validated = sudoers_lookup(pwflag); } - /* - * If we are using set_perms_posix() and the stay_setuid flag was not set, - * set the real, effective and saved uids to 0 and use set_perms_nosuid() - * instead of set_perms_posix(). - */ -#if !defined(HAVE_SETRESUID) && !defined(HAVE_SETREUID) && \ - !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION) - if (!def_stay_setuid && set_perms == set_perms_posix) { - if (setuid(0)) { - perror("setuid(0)"); - exit(1); - } - set_perms = set_perms_nosuid; - } -#endif - /* * Look up the timestamp dir owner if one is specified. */ 
@@ -950,24 +933,6 @@ initial_setup() #endif /* RLIMIT_CORE && !SUDO_DEVEL */ closefrom(STDERR_FILENO + 1); - - /* - * Make set_perms point to the correct function. - * If we are using setresuid() or setreuid() we only need to set this - * once. If we are using POSIX saved uids we will switch to - * set_perms_nosuid after sudoers has been parsed if the "stay_suid" - * option is not set. - */ -#if defined(HAVE_SETRESUID) || defined(HAVE_SETREUID) - set_perms = set_perms_suid; -#else -# if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION) - if (sysconf(_SC_SAVED_IDS) == 1 && sysconf(_SC_VERSION) >= 199009) - set_perms = set_perms_posix; - else -# endif - set_perms = set_perms_nosuid; -#endif /* HAVE_SETRESUID || HAVE_SETREUID */ } #ifdef HAVE_LOGIN_CAP_H diff --git a/sudo.h b/sudo.h index cc010af41..9ad767f61 100644 --- a/sudo.h +++ b/sudo.h @@ -210,9 +210,7 @@ int sudoers_lookup __P((int)); int sudo_ldap_check __P((int)); void sudo_ldap_list_matches __P((void)); #endif -void set_perms_nosuid __P((int)); -void set_perms_posix __P((int)); -void set_perms_suid __P((int)); +void set_perms __P((int)); void remove_timestamp __P((int)); int check_secureware __P((char *)); void sia_attempt_auth __P((void)); @@ -252,8 +250,6 @@ extern struct passwd *auth_pw; extern FILE *sudoers_fp; extern int tgetpass_flags; extern uid_t timestamp_uid; - -extern void (*set_perms) __P((int)); #endif #ifndef errno extern int errno;