Changeset 5703 in vbox

Timestamp:

Nov 12, 2007 1:01:48 PM (17 years ago)

Author:

vboxsync

Message:

Solaris setuid wrapper, in progress.

Location:

trunk

Files:

• Config.kmk (modified) (1 diff)
• src/VBox/Devices/Makefile.kmk (modified) (2 diffs)
• src/VBox/Devices/Storage/DrvHostBase.cpp (modified) (2 diffs)
• src/VBox/Devices/Storage/DrvHostDVD.cpp (modified) (8 diffs)

trunk/Config.kmk

@@ -245 +245 @@
 # Enable Crossbow support for Solaris.
 #VBOX_WITH_CROSSBOW = 1
+# Enable setuid wrapper for Solaris.
+#VBOX_WITH_SUID_WRAPPER = 1
 
 

trunk/src/VBox/Devices/Makefile.kmk

@@ -139 +139 @@
  ifdef VBOX_WITH_CROSSBOW
   VBoxDD_LIBS          += dladm # or maybe try libdladm.so.1 ?
+ endif
+ ifdef VBOX_WITH_SUID_WRAPPER
+  VBoxDD_LIBS          += secdb
  endif
 endif
@@ -527 +530 @@
         Network/solaris
  endif
+ ifdef VBOX_WITH_SUID_WRAPPER
+  Drivers_DEFS += VBOX_WITH_SUID_WRAPPER
+ endif
 endif
 

trunk/src/VBox/Devices/Storage/DrvHostBase.cpp

@@ -948 +948 @@
 static int drvHostBaseOpen(PDRVHOSTBASE pThis, PRTFILE pFileBlockDevice, PRTFILE pFileRawDevice, bool fReadOnly)
 {
-    unsigned fFlags = (pThis->fReadOnlyConfig ? RTFILE_O_READ : RTFILE_O_READWRITE) | RTFILE_O_NON_BLOCK;
+    unsigned fFlags = (fReadOnly ? RTFILE_O_READ : RTFILE_O_READWRITE) | RTFILE_O_NON_BLOCK;
     int rc = RTFileOpen(pFileBlockDevice, pThis->pszDeviceOpen, fFlags);
     if (RT_SUCCESS(rc))
@@ -954 +954 @@
         rc = RTFileOpen(pFileRawDevice, pThis->pszRawDeviceOpen, fFlags);
         if (RT_FAILURE(rc))
+        {
+            LogRel(("DVD: failed to open device %s\n", pThis->pszRawDeviceOpen));
             RTFileClose(*pFileBlockDevice);
-    }
+        }
+    }
+    else
+        LogRel(("DVD: failed to open device %s\n", pThis->pszRawDeviceOpen));
     return rc;
 }

trunk/src/VBox/Devices/Storage/DrvHostDVD.cpp

@@ -58 +58 @@
 # include <pwd.h>
 # include <unistd.h>
-# include <auth_attr.h>
+# include <syslog.h>
+# ifdef VBOX_WITH_SUID_WRAPPER
+#  include <auth_attr.h>
+# endif
 # include <sys/dkio.h>
 # include <sys/sockio.h>
@@ -89 +92 @@
 
 static DECLCALLBACK(int) drvHostDvdDoLock(PDRVHOSTBASE pThis, bool fLock);
+#ifdef VBOX_WITH_SUID_WRAPPER
+static int solarisCheckUserAuth();
+static int solarisEnterRootMode(uid_t *pEffUserID);
+static int solarisExitRootMode(uid_t *pEffUserID);
+#endif
 
 
@@ -508 +516 @@
 
     /* We need root privileges for user-SCSI under Solaris. */
+#ifdef VBOX_WITH_SUID_WRAPPER
+    uid_t effUserID = geteuid();
+    solarisEnterRootMode(&effUserID); /** @todo check return code when this really works. */
+#endif
     rc = ioctl(pThis->FileRawDevice, USCSICMD, &usc);
+#ifdef VBOX_WITH_SUID_WRAPPER
+    solarisExitRootMode(&effUserID);
+#endif
     if (rc < 0)
     {
@@ -589 +604 @@
 }
 
-#if 0
+#ifdef VBOX_WITH_SUID_WRAPPER
 /* These functions would have to go into a seperate solaris binary with
  * the setuid permission set, which would run the user-SCSI ioctl and
@@ -616 +631 @@
  *
  * @returns VBox error code.
- * @param   pUserID        Pointer to user ID.
  * @param   pEffUserID     Pointer to effective user ID.
  */
-static int solarisEnterRootMode(uid_t *pUserID, uid_t *pEffUserID)
+static int solarisEnterRootMode(uid_t *pEffUserID)
 {
     /* Increase privilege if required */
-    if (*pEffUserID == 0)
-        return VINF_SUCCESS;
-    else
+    if (*pEffUserID != 0)
     {
         if (seteuid(0) == 0)
@@ -631 +643 @@
             return VINF_SUCCESS;
         }
-        else
-            return VERR_PERMISSION_DENIED;
-    }
+        return VERR_PERMISSION_DENIED;
+    }
+    return VINF_SUCCESS;
 }
 
@@ -640 +652 @@
  *
  * @returns VBox error code.
- * @param   pUserID        Pointer to user ID.
  * @param   pEffUserID     Pointer to effective user ID.
  */
-static int solarisExitRootMode(uid_t *pUserID, uid_t *pEffUserID)
+static int solarisExitRootMode(uid_t *pEffUserID)
 {
     /* Get back to user mode. */
     if (*pEffUserID == 0)
     {
-        if (seteuid(*pUserID) == 0)
+        uid_t realID = getuid();
+        if (seteuid(realID) == 0)
         {
-            *pEffUserID = *pUserID;
-            return VINF_SUCCESS;
-        }
-        else
-            return VERR_PERMISSION_DENIED;
-    }
-    return VINF_SUCCESS;
-}
-
-/**
- * Setuid wrapper to gain root access.
- *
- * @returns VBox error code.
- * @param   pUserID        Pointer to user ID.
- * @param   pEffUserID     Pointer to effective user ID.
- */
-static int solarisEnterRootMode(uid_t *pUserID, uid_t *pEffUserID)
-{
-    /* Increase privilege if required */
-    if (*pEffUserID == 0)
-        return VINF_SUCCESS;
-    if (seteuid(0) == 0)
-    {
-        *pEffUserID = 0;
-        return VINF_SUCCESS;
-    }
-    return VERR_PERMISSION_DENIED;
-}
-
-/**
- * Setuid wrapper to relinquish root access.
- *
- * @returns VBox error code.
- * @param   pUserID        Pointer to user ID.
- * @param   pEffUserID     Pointer to effective user ID.
- */
-static int solarisExitRootMode(uid_t *pUserID, uid_t *pEffUserID)
-{
-    /* Get back to user mode. */
-    if (*pEffUserID == 0)
-    {
-        if (seteuid(*pUserID) == 0)
-        {
-            *pEffUserID = *pUserID;
+            *pEffUserID = realID;
             return VINF_SUCCESS;
         }
@@ -746 +715 @@
             /* Passthrough requires opening the device in R/W mode. */
             pThis->fReadOnlyConfig = false;
+# ifdef VBOX_WITH_SUID_WRAPPER  /* Solaris setuid for Passthrough mode. */
+            rc = solarisCheckUserAuth();
+            if (VBOX_FAILURE(rc))
+            {
+                Log(("DVD: solarisCheckUserAuth failed. Permission denied!\n"));
+                return rc;
+            }
+# endif /* VBOX_WITH_SUID_WRAPPER */
         }
 #endif /* !RT_OS_L4 */