The branch, master has been updated via 207ecf8 uwrap: Add support for getgroups_chk() via 1580b91 config: Add missing define for HAVE_GETGROUPS via 2f31c3b Update README.install via 4684f31 Update README from f48c658 tests: fix unused-result error in tests/test_uwrap_disabled.c
https://git.samba.org/?p=uid_wrapper.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 207ecf82e4c39abab7b557a9f8cdb393d3e8b148 Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 8 16:19:12 2021 +0100 uwrap: Add support for getgroups_chk() This is required by software built with FORTIFY_SOURCE=2. https://bugzilla.redhat.com/show_bug.cgi?id=2021214 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 1580b9105190f4643a99b11e9326ed219e589b2b Author: Andreas Schneider <a...@samba.org> Date: Wed Nov 24 10:49:01 2021 +0100 config: Add missing define for HAVE_GETGROUPS Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 2f31c3b2286a1c5fb55294562d007b6faee8fd2f Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 8 16:33:46 2021 +0100 Update README.install This is detected automatically in the meantime. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 4684f31b16c9931608aa9a15db48893398c8a2d8 Author: Andreas Schneider <a...@samba.org> Date: Wed Mar 25 08:22:00 2020 +0100 Update README Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: ConfigureChecks.cmake | 1 + README.install | 4 ---- README.md | 2 +- config.h.cmake | 4 ++++ src/uid_wrapper.c | 41 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 47 insertions(+), 5 deletions(-) Changeset truncated at 500 lines:
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 930904e..e299f6e 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -65,6 +65,7 @@ check_function_exists(setregid HAVE_SETREGID)
 check_function_exists(setresgid HAVE_SETRESGID)
 check_function_exists(getgroups HAVE_GETGROUPS)
+check_function_exists(__getgroups_chk HAVE___GETGROUPS_CHK)
 check_function_exists(setgroups HAVE_SETGROUPS)
 if (HAVE_SETGROUPS)
diff --git a/README.install b/README.install
index c677381..aa05faa 100644
--- a/README.install
+++ b/README.install
@@ -32,10 +32,6 @@ Next, run cmake to configure the build, e.g.
 $ cmake -DCMAKE_INSTALL_PREFIX=<prefix> ..
-or on a 64 bit red hat system:
-
- $ cmake -DCMAKE_INSTALL_PREFIX=<prefix> -DLIB_SUFFIX=64 ..
-
 The "<prefix>" should be replaced by the intended installation target prefix directory, typically /usr or /usr/local.
diff --git a/README.md b/README.md
index eb10497..2a0f57d 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 UID_WRAPPER
 ===========
-This is a wrapper for the user, group and hosts NSS API.
+This is a testing tool to fake privilege separition without being root.
 DESCRIPTION
 -----------
diff --git a/config.h.cmake b/config.h.cmake
index 8e05723..5b342e3 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -41,6 +41,10 @@
 /* Define to 1 if you have the `getresgid' function. */
 #cmakedefine HAVE_GETRESGID 1
+/* Define to 1 if you have the `getgroups' function. */
+#cmakedefine HAVE_GETGROUPS 1
+#cmakedefine HAVE___GETGROUPS_CHK 1
+
 /* Define to 1 if you have the `setgroups' function. */
 #cmakedefine HAVE_SETGROUPS 1
 #cmakedefine HAVE_SETGROUPS_INT 1
diff --git a/src/uid_wrapper.c b/src/uid_wrapper.c
index 4d31f52..f04642a 100644
--- a/src/uid_wrapper.c
+++ b/src/uid_wrapper.c
@@ -240,6 +240,9 @@ typedef int (*__libc_getresgid)(gid_t *rgid, gid_t *egid, gid_t *sgid);
 typedef gid_t (*__libc_getegid)(void);
 typedef int (*__libc_getgroups)(int size, gid_t list[]);
+#ifdef HAVE___GETGROUPS_CHK
+typedef int (*__libc___getgroups_chk)(int size, gid_t list[], size_t listlen);
+#endif
 typedef int (*__libc_setgroups)(size_t size, const gid_t *list);
@@ -285,6 +288,9 @@ struct uwrap_libc_symbols {
 #endif
 UWRAP_SYMBOL_ENTRY(getegid);
 UWRAP_SYMBOL_ENTRY(getgroups);
+#ifdef HAVE___GETGROUPS_CHK
+ UWRAP_SYMBOL_ENTRY(__getgroups_chk);
+#endif
 UWRAP_SYMBOL_ENTRY(setgroups);
 #ifdef HAVE_SYSCALL
 UWRAP_SYMBOL_ENTRY(syscall);
@@ -637,6 +643,17 @@ static int libc_getgroups(int size, gid_t list[])
 return uwrap.libc.symbols._libc_getgroups.f(size, list);
 }
+#ifdef HAVE___GETGROUPS_CHK
+static int libc___getgroups_chk(int size, gid_t list[], size_t listlen)
+{
+ uwrap_bind_symbol_libc(__getgroups_chk);
+
+ return uwrap.libc.symbols._libc___getgroups_chk.f(size,
+ list,
+ listlen);
+}
+#endif /* HAVE___GETGROUPS_CHK */
+
 static int libc_setgroups(size_t size, const gid_t *list)
 {
 uwrap_bind_symbol_libc(setgroups);
@@ -2137,6 +2154,30 @@ int getgroups(int size, gid_t *list)
 return uwrap_getgroups(size, list);
 }
+#ifdef HAVE___GETGROUPS_CHK
+static int uwrap___getgroups_chk(int size, gid_t *list, size_t listlen)
+{
+ if (size * sizeof(gid_t) > listlen) {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Buffer overflow detected");
+ abort();
+ }
+
+ return uwrap_getgroups(size, list);
+}
+
+int __getgroups_chk(int size, gid_t *list, size_t listlen);
+
+int __getgroups_chk(int size, gid_t *list, size_t listlen)
+{
+ if (!uid_wrapper_enabled()) {
+ return libc___getgroups_chk(size, list, listlen);
+ }
+
+ uwrap_init();
+ return uwrap___getgroups_chk(size, list, listlen);
+}
+#endif /* HAVE___GETGROUPS_CHK */
+
 #if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
 && (defined(SYS_setreuid) || defined(SYS_setreuid32))
 static long int uwrap_syscall (long int sysno, va_list vp)
-- UID Wrapper Repository
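Review bot: In `uwrap___getgroups_chk` the bound check `size * sizeof(gid_t) > listlen` is evaluated in `size_t`, so a negative `size` becomes a huge value and the wrapped path calls `abort()`, whereas glibc's own `__getgroups_chk` (as far as I recall) returns -1 with `EINVAL` for that input; with a 32-bit `size_t` the product can also wrap for a very large `size` and let the check pass. I would reject negatives first with `if (size < 0) { errno = EINVAL; return -1; }` and compare by division, `if ((size_t)size > listlen / sizeof(gid_t)) {`, assuming `errno` is already in scope in this file. The abort is logged at `UWRAP_LOG_DEBUG`, so unless debug logging is enabled the process dies without a message; `UWRAP_LOG_ERROR` would leave a trace in the test output. The diffstat shows no change under tests/, so neither the pass-through nor the abort path appears to be exercised by this series.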