[SCM] UID Wrapper Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Dec 2 13:37:42 UTC 2021
The branch, master has been updated
via 207ecf8 uwrap: Add support for getgroups_chk()
via 1580b91 config: Add missing define for HAVE_GETGROUPS
via 2f31c3b Update README.install
via 4684f31 Update README
from f48c658 tests: fix unused-result error in tests/test_uwrap_disabled.c
https://git.samba.org/?p=uid_wrapper.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 207ecf82e4c39abab7b557a9f8cdb393d3e8b148
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 8 16:19:12 2021 +0100
uwrap: Add support for getgroups_chk()
This is required by software built with FORTIFY_SOURCE=2.
https://bugzilla.redhat.com/show_bug.cgi?id=2021214
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1580b9105190f4643a99b11e9326ed219e589b2b
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 24 10:49:01 2021 +0100
config: Add missing define for HAVE_GETGROUPS
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2f31c3b2286a1c5fb55294562d007b6faee8fd2f
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 8 16:33:46 2021 +0100
Update README.install
This is now detected automatically.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4684f31b16c9931608aa9a15db48893398c8a2d8
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 25 08:22:00 2020 +0100
Update README
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
ConfigureChecks.cmake | 1 +
README.install | 4 ----
README.md | 2 +-
config.h.cmake | 4 ++++
src/uid_wrapper.c | 41 +++++++++++++++++++++++++++++++++++++++++
5 files changed, 47 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 930904e..e299f6e 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -65,6 +65,7 @@ check_function_exists(setregid HAVE_SETREGID)
check_function_exists(setresgid HAVE_SETRESGID)
check_function_exists(getgroups HAVE_GETGROUPS)
+check_function_exists(__getgroups_chk HAVE___GETGROUPS_CHK)
check_function_exists(setgroups HAVE_SETGROUPS)
if (HAVE_SETGROUPS)
diff --git a/README.install b/README.install
index c677381..aa05faa 100644
--- a/README.install
+++ b/README.install
@@ -32,10 +32,6 @@ Next, run cmake to configure the build, e.g.
$ cmake -DCMAKE_INSTALL_PREFIX=<prefix> ..
-or on a 64 bit red hat system:
-
- $ cmake -DCMAKE_INSTALL_PREFIX=<prefix> -DLIB_SUFFIX=64 ..
-
The "<prefix>" should be replaced by the intended installation
target prefix directory, typically /usr or /usr/local.
diff --git a/README.md b/README.md
index eb10497..2a0f57d 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
UID_WRAPPER
===========
-This is a wrapper for the user, group and hosts NSS API.
+This is a testing tool to fake privilege separition without being root.
DESCRIPTION
-----------
diff --git a/config.h.cmake b/config.h.cmake
index 8e05723..5b342e3 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -41,6 +41,10 @@
/* Define to 1 if you have the `getresgid' function. */
#cmakedefine HAVE_GETRESGID 1
+/* Define to 1 if you have the `getgroups' function. */
+#cmakedefine HAVE_GETGROUPS 1
+#cmakedefine HAVE___GETGROUPS_CHK 1
+
/* Define to 1 if you have the `setgroups' function. */
#cmakedefine HAVE_SETGROUPS 1
#cmakedefine HAVE_SETGROUPS_INT 1
diff --git a/src/uid_wrapper.c b/src/uid_wrapper.c
index 4d31f52..f04642a 100644
--- a/src/uid_wrapper.c
+++ b/src/uid_wrapper.c
@@ -240,6 +240,9 @@ typedef int (*__libc_getresgid)(gid_t *rgid, gid_t *egid, gid_t *sgid);
typedef gid_t (*__libc_getegid)(void);
typedef int (*__libc_getgroups)(int size, gid_t list[]);
+#ifdef HAVE___GETGROUPS_CHK
+typedef int (*__libc___getgroups_chk)(int size, gid_t list[], size_t listlen);
+#endif
typedef int (*__libc_setgroups)(size_t size, const gid_t *list);
@@ -285,6 +288,9 @@ struct uwrap_libc_symbols {
#endif
UWRAP_SYMBOL_ENTRY(getegid);
UWRAP_SYMBOL_ENTRY(getgroups);
+#ifdef HAVE___GETGROUPS_CHK
+ UWRAP_SYMBOL_ENTRY(__getgroups_chk);
+#endif
UWRAP_SYMBOL_ENTRY(setgroups);
#ifdef HAVE_SYSCALL
UWRAP_SYMBOL_ENTRY(syscall);
@@ -637,6 +643,17 @@ static int libc_getgroups(int size, gid_t list[])
return uwrap.libc.symbols._libc_getgroups.f(size, list);
}
+#ifdef HAVE___GETGROUPS_CHK
+static int libc___getgroups_chk(int size, gid_t list[], size_t listlen)
+{
+ uwrap_bind_symbol_libc(__getgroups_chk);
+
+ return uwrap.libc.symbols._libc___getgroups_chk.f(size,
+ list,
+ listlen);
+}
+#endif /* HAVE___GETGROUPS_CHK */
+
static int libc_setgroups(size_t size, const gid_t *list)
{
uwrap_bind_symbol_libc(setgroups);
@@ -2137,6 +2154,30 @@ int getgroups(int size, gid_t *list)
return uwrap_getgroups(size, list);
}
+#ifdef HAVE___GETGROUPS_CHK
+static int uwrap___getgroups_chk(int size, gid_t *list, size_t listlen)
+{
+ if (size * sizeof(gid_t) > listlen) {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Buffer overflow detected");
+ abort();
+ }
+
+ return uwrap_getgroups(size, list);
+}
+
+int __getgroups_chk(int size, gid_t *list, size_t listlen);
+
+int __getgroups_chk(int size, gid_t *list, size_t listlen)
+{
+ if (!uid_wrapper_enabled()) {
+ return libc___getgroups_chk(size, list, listlen);
+ }
+
+ uwrap_init();
+ return uwrap___getgroups_chk(size, list, listlen);
+}
+#endif /* HAVE___GETGROUPS_CHK */
+
#if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
&& (defined(SYS_setreuid) || defined(SYS_setreuid32))
static long int uwrap_syscall (long int sysno, va_list vp)
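Review bot: In `uwrap___getgroups_chk` the bound check `size * sizeof(gid_t) > listlen` converts the signed `size` to `size_t` before multiplying, so a negative `size` is not treated as an argument error: it normally trips the abort, and where `size_t` is 32 bits wide the product of a negative or very large `size` can wrap to a small value and pass the check. glibc's own `__getgroups_chk` is, as far as I recall, guarded by a negative-size test that fails with EINVAL, so the wrapper should do the same first, `if (size < 0) { errno = EINVAL; return -1; }` (assuming errno is already usable in this file), and then compare without multiplying, `if ((size_t)size > listlen / sizeof(gid_t)) {`. The abort path also logs at `UWRAP_LOG_DEBUG`, which is presumably filtered out at the default log level, so a fortified test binary would die with no visible reason; `UWRAP_LOG_ERROR` fits a fatal condition better. How `uwrap_getgroups` itself treats a negative `size` is outside the hunk.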
--
UID Wrapper Repository