2 Bacula(R) - The Network Backup Solution
4 Copyright (C) 2000-2016 Kern Sibbald
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
17 Bacula(R) is a registered trademark of Kern Sibbald.
22 #undef ENABLE_KEEP_READALL_CAPS_SUPPORT
23 #if defined(HAVE_SYS_PRCTL_H) && defined(HAVE_SYS_CAPABILITY_H) && \
24 defined(HAVE_PRCTL) && defined(HAVE_SETREUID) && defined(HAVE_LIBCAP)
25 # include <sys/prctl.h>
26 # include <sys/capability.h>
27 # if defined(PR_SET_KEEPCAPS)
28 # define ENABLE_KEEP_READALL_CAPS_SUPPORT
34 extern "C" int initgroups(const char *,int);
39 * Lower privileges by switching to new UID and GID if non-NULL.
40 * If requested, keep readall capabilities after switch.
42 void drop(char *uname, char *gname, bool keep_readall_caps)
44 #if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
45 struct passwd *passw = NULL;
46 struct group *group = NULL;
51 Dmsg2(900, "uname=%s gname=%s\n", uname?uname:"NONE", gname?gname:"NONE");
52 if (!uname && !gname) {
53 return; /* Nothing to do */
57 if ((passw = getpwnam(uname)) == NULL) {
59 Emsg2(M_ERROR_TERM, 0, _("Could not find userid=%s: ERR=%s\n"), uname,
63 if ((passw = getpwuid(getuid())) == NULL) {
65 Emsg1(M_ERROR_TERM, 0, _("Could not find password entry. ERR=%s\n"),
68 uname = passw->pw_name;
71 /* Any OS uname pointer may get overwritten, so save name, uid, and gid */
72 bstrncpy(username, uname, sizeof(username));
76 if ((group = getgrnam(gname)) == NULL) {
78 Emsg2(M_ERROR_TERM, 0, _("Could not find group=%s: ERR=%s\n"), gname,
83 if (initgroups(username, gid)) {
86 Emsg3(M_ERROR_TERM, 0, _("Could not initgroups for group=%s, userid=%s: ERR=%s\n"),
87 gname, username, be.bstrerror());
89 Emsg2(M_ERROR_TERM, 0, _("Could not initgroups for userid=%s: ERR=%s\n"),
90 username, be.bstrerror());
96 Emsg2(M_ERROR_TERM, 0, _("Could not set group=%s: ERR=%s\n"), gname,
100 if (keep_readall_caps) {
101 #ifdef ENABLE_KEEP_READALL_CAPS_SUPPORT
104 if (prctl(PR_SET_KEEPCAPS, 1)) {
106 Emsg1(M_ERROR_TERM, 0, _("prctl failed: ERR=%s\n"), be.bstrerror());
108 if (setreuid(uid, uid)) {
110 Emsg1(M_ERROR_TERM, 0, _("setreuid failed: ERR=%s\n"), be.bstrerror());
112 if (!(caps = cap_from_text("cap_dac_read_search=ep"))) {
114 Emsg1(M_ERROR_TERM, 0, _("cap_from_text failed: ERR=%s\n"), be.bstrerror());
116 if (cap_set_proc(caps) < 0) {
118 Emsg1(M_ERROR_TERM, 0, _("cap_set_proc failed: ERR=%s\n"), be.bstrerror());
122 Emsg0(M_ERROR_TERM, 0, _("Keep readall caps not implemented this OS or missing libraries.\n"));
124 } else if (setuid(uid)) {
126 Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), username);