OpenVAS Libraries  9.0.3
drop_privileges.h File Reference
#include <glib.h>
Include dependency graph for drop_privileges.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define OPENVAS_DROP_PRIVILEGES   g_quark_from_static_string ("openvas-drop-privileges-error-quark")
 The GQuark for privilege dropping errors. More...
 
#define OPENVAS_DROP_PRIVILEGES_ERROR_ALREADY_SET   -1
 
#define OPENVAS_DROP_PRIVILEGES_OK   0
 
#define OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT   1
 
#define OPENVAS_DROP_PRIVILEGES_FAIL_UNKNOWN_USER   2
 
#define OPENVAS_DROP_PRIVILEGES_FAIL_DROP_GID   3
 
#define OPENVAS_DROP_PRIVILEGES_FAIL_DROP_UID   4
 
#define OPENVAS_DROP_PRIVILEGES_FAIL_SUPPLEMENTARY   5
 

Functions

int drop_privileges (gchar *username, GError **error)
 Naive attempt to drop privileges. More...
 

Macro Definition Documentation

◆ OPENVAS_DROP_PRIVILEGES

#define OPENVAS_DROP_PRIVILEGES   g_quark_from_static_string ("openvas-drop-privileges-error-quark")

The GQuark for privilege dropping errors.

Definition at line 35 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_ERROR_ALREADY_SET

#define OPENVAS_DROP_PRIVILEGES_ERROR_ALREADY_SET   -1

Definition at line 38 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_FAIL_DROP_GID

#define OPENVAS_DROP_PRIVILEGES_FAIL_DROP_GID   3

Definition at line 43 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_FAIL_DROP_UID

#define OPENVAS_DROP_PRIVILEGES_FAIL_DROP_UID   4

Definition at line 44 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT

#define OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT   1

Definition at line 41 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_FAIL_SUPPLEMENTARY

#define OPENVAS_DROP_PRIVILEGES_FAIL_SUPPLEMENTARY   5

Definition at line 45 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_FAIL_UNKNOWN_USER

#define OPENVAS_DROP_PRIVILEGES_FAIL_UNKNOWN_USER   2

Definition at line 42 of file drop_privileges.h.

◆ OPENVAS_DROP_PRIVILEGES_OK

#define OPENVAS_DROP_PRIVILEGES_OK   0

Definition at line 40 of file drop_privileges.h.

Function Documentation

◆ drop_privileges()

int drop_privileges ( gchar *  username,
GError **  error 
)

Naive attempt to drop privileges.

We try to drop our (root) privileges and setuid to

Parameters
usernameto minimize the risk of privilege escalation. The current implementation is somewhat linux-specific and may not work on other platforms.
[in]usernameThe user to become. Its safe to pass "NULL", in which case it will default to "nobody".
[out]errorReturn location for errors or NULL if not interested in errors.
Returns
OPENVAS_DROP_PRIVILEGES_OK in case of success. Sets
Parameters
errorotherwise and returns the error code.

Definition at line 79 of file drop_privileges.c.

80 {
81  struct passwd *user_pw = NULL;
82 
83  g_return_val_if_fail (*error == NULL,
85 
86  if (username == NULL)
87  username = "nobody";
88 
89  if (geteuid () == 0)
90  {
91  if ((user_pw = getpwnam (username)))
92  {
93  if (initgroups (username, user_pw->pw_gid) != 0)
94  return drop_privileges_error
95  (error,
97  "Failed to drop supplementary groups privileges!\n");
98  if (setgid (user_pw->pw_gid) != 0)
99  return drop_privileges_error
100  (error,
102  "Failed to drop group privileges!\n");
103  if (setuid (user_pw->pw_uid) != 0)
104  return drop_privileges_error
105  (error,
107  "Failed to drop user privileges!\n");
108  }
109  else
110  {
111  g_set_error (error, OPENVAS_DROP_PRIVILEGES,
113  "Failed to get gid and uid for user %s.", username);
115  }
117  }
118  else
119  {
120  return drop_privileges_error (error,
122  "Only root can drop its privileges.");
123  }
124 }
#define OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT
#define OPENVAS_DROP_PRIVILEGES_ERROR_ALREADY_SET
#define OPENVAS_DROP_PRIVILEGES_FAIL_DROP_UID
#define OPENVAS_DROP_PRIVILEGES_FAIL_DROP_GID
#define OPENVAS_DROP_PRIVILEGES_FAIL_SUPPLEMENTARY
#define OPENVAS_DROP_PRIVILEGES_OK
#define OPENVAS_DROP_PRIVILEGES_FAIL_UNKNOWN_USER
#define OPENVAS_DROP_PRIVILEGES
The GQuark for privilege dropping errors.

References OPENVAS_DROP_PRIVILEGES_ERROR_ALREADY_SET.