6802931 krb5 nfs allows access to shares without credentials by symlinking to someone else's cred cache

6840235 Some slight changes need to be made to gssd_getuid.c to be more readable

3 files changed, 86 insertions, 18 deletions

diff --git a/usr/src/cmd/gss/gssd/Makefile b/usr/src/cmd/gss/gssd/Makefile
index f5e43e5f1b..1bb54488f5 100644
--- a/usr/src/cmd/gss/gssd/Makefile
+++ b/usr/src/cmd/gss/gssd/Makefile
@@ -19,11 +19,9 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
-# ident	"%Z%%M%	%I%	%E% SMI"
-#
 
 TESTPROG = gssdtest
 
@@ -107,6 +105,10 @@ gssd.x:	$(GSSDX)
 
 #  Rules to generate derived rpcgen files from gssd.x spec file.
 
+# NOTE WELL: There is code in gssd that assumes gssd is NOT
+# multi-threaded.  Do NOT add -A to the rpcgen argument list in the
+# Makefile unless you also remove this assumption.
+
 gssd.h:        gssd.x
 	$(RM) $@
 	$(RPCGEN) -M -h gssd.x > $@
diff --git a/usr/src/cmd/gss/gssd/gss.xml b/usr/src/cmd/gss/gssd/gss.xml
index 04c3c408e8..0dcdf947c9 100644
--- a/usr/src/cmd/gss/gssd/gss.xml
+++ b/usr/src/cmd/gss/gssd/gss.xml
@@ -2,15 +2,14 @@
 <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
 
 <!--
- Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  Use is subject to license terms.
 
  CDDL HEADER START
 
  The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License").  You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
 
  You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
 
  CDDL HEADER END
 
-	ident	"%Z%%M%	%I%	%E% SMI"
-
 	NOTE:  This service manifest is not editable; its contents will
 	be overwritten by package or patch operations, including
 	operating system upgrade.  Make customizations in a different
@@ -70,8 +67,9 @@
 	    <method_context>
 		<method_credential
 			user='root'
-			group='root'
-			privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,file_chown,file_dac_read,file_dac_write'
+			group='nogroup'
+			privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,file_chown,file_dac_read,file_dac_write,proc_setid'
+			limit_privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,file_chown,file_dac_read,file_dac_write,proc_setid'
 		/>
 	    </method_context>
 	</exec_method>
diff --git a/usr/src/cmd/gss/gssd/gssd_getuid.c b/usr/src/cmd/gss/gssd/gssd_getuid.c
index 874f7d1d52..0835247f72 100644
--- a/usr/src/cmd/gss/gssd/gssd_getuid.c
+++ b/usr/src/cmd/gss/gssd/gssd_getuid.c
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 /*
  *  Routines to set gssd value of uid and replace getuid libsys call.
  */
@@ -34,18 +32,88 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <libintl.h>
+#include <priv.h>
+#include <errno.h>
+#include <syslog.h>
 
 static uid_t krb5_cc_uid;
+#define	LOWPRIVS	"basic,!file_link_any,!proc_info,!proc_session," \
+			"!proc_fork,!proc_exec"
+
+static priv_set_t *lowprivs = NULL;
+static priv_set_t *highprivs = NULL;
+
+/*
+ * NOTE WELL: This assumes gssd is NOT multi-threaded.  Do NOT add -A to
+ * the rpcgen argument list in the Makefile unless you also remove this
+ * assumption.
+ */
 
 void
 set_gssd_uid(uid_t uid)
 {
+	/* Initialize */
+	if (lowprivs == NULL) {
+		/* L, P & I shall not change in gssd; we manipulate P though */
+		if ((highprivs = priv_allocset()) == NULL ||
+		    (lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) {
+			printf(gettext(
+			    "fatal: can't allocate privilege set (%s)\n"),
+			    strerror(ENOMEM));
+			syslog(LOG_ERR, "Fatal: can't allocate privilege "
+			    "set (%s)"), strerror(ENOMEM);
+			exit(1);
+		}
+		/* P has the privs we need when we need privs */
+		(void) getppriv(PRIV_PERMITTED, highprivs);
+
+		/*
+		 * In case "basic" grows privs not excluded in LOWPRIVS
+		 * but excluded in the service's method_context
+		 */
+		priv_intersect(highprivs, lowprivs);
+
+		(void) setpflags(PRIV_AWARE, 1);
+	}
+
+	printf(gettext("set_gssd_uid called with uid = %d\n"), uid);
+
 	/*
-	 * set the value of krb5_cc_uid, so it can be retrieved when
-	 * app_krb5_user_uid() is called by the underlying mechanism libraries.
+	 * nfsd runs as UID 1, so upcalls triggered by nfsd will cause uid to
+	 * 1 here, but nfsd's upcalls need to run as root with privs here.
+	 */
+	if (uid == 1)
+		uid = 0;
+
+	/*
+	 * Set the value of krb5_cc_uid, so it can be retrieved when
+	 * app_krb5_user_uid() is called by the underlying mechanism
+	 * libraries.  This should go away soon.
 	 */
-	printf(gettext("set_gssd_uid called with uid = %d\n"), uid);
 	krb5_cc_uid = uid;
+
+	/* Claw privs back */
+	(void) setppriv(PRIV_SET, PRIV_EFFECTIVE, highprivs);
+
+	/*
+	 * Switch uid and set the saved set-uid to 0 so setuid(0) will work
+	 * later.
+	 */
+	if (setuid(0) != 0 ||
+	    (uid != 0 && setreuid(uid, -1) != 0) ||
+	    (uid != 0 && seteuid(uid) != 0)) {
+
+		/* Not enough privs, so bail! */
+		printf(gettext(
+		    "fatal: gssd is running with insufficient privilege\n"));
+		syslog(LOG_ERR, "Fatal: gssd is running with insufficient "
+		    "privilege.");
+		exit(1);
+	}
+
+	/* Temporarily drop privs, but only if uid != 0 */
+	if (uid != 0)
+		(void) setppriv(PRIV_SET, PRIV_EFFECTIVE, lowprivs);
 }
 
 uid_t
@@ -60,6 +128,6 @@ app_krb5_user_uid(void)
 	 * in files and directories specific to the user
 	 */
 	printf(gettext(
-		"getuid called and returning gsssd_uid = %d\n"), krb5_cc_uid);
+	    "getuid called and returning krb5_cc_uid = %d\n"), krb5_cc_uid);
 	return (krb5_cc_uid);
 }