remove issetuigid wrappers, now that all getenv calls are gone.

From deraadt@ upstream:

Remove all getenv() calls, especially those wrapped by issetugid().
getenv()'s wrapped by issetugid() are safe, but issetugid() is ...
difficult to impliment on many operating systems.  By accident, a grand
experiment was run over the last year, where issetugid() returned 1 (the
safe value) on a few operating systems.  Noone noticed & complained that
certain environment variables were not working.......

README

@@ -43,8 +43,8 @@ programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
 to 1.0.1.
 
 The project attempts to provide working alternatives for operating systems with
-limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
-assists with improving OS-native implementations where possible.
+limited or broken security primitives (e.g. arc4random(3)) and assists with
+improving OS-native implementations where possible.
 
 LibreSSL portable will build on any reasonably modern version of Linux,
 Solaris, or OSX with a standards-compliant compiler and C library.

configure.ac

@@ -220,7 +220,7 @@ CFLAGS="$save_cflags $AM_CFLAGS"
 AM_PROG_AS
 
 AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
-AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
+AC_CHECK_FUNCS([getentropy memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([symlink])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
@@ -230,7 +230,6 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
-AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
@@ -251,11 +250,6 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
 	   -a "x$HOST_OS" != xnetbsd \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
-# overrides for issetugid implementations with known issues
-AM_CONDITIONAL([HAVE_ISSETUGID],
-       [test "x$HOST_OS" != xdarwin \
-	  -a "x$ac_cv_func_issetugid" = xyes])
-
 AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>

crypto/Makefile.am

@@ -97,24 +97,6 @@ endif
 
 endif
 
-if !HAVE_ISSETUGID
-if HOST_AIX
-libcompat_la_SOURCES += compat/issetugid_aix.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_aix.h

crypto/compat/issetugid_aix.c

@@ -1,107 +0,0 @@
-/*	  $OpenBSD: $	 */
-
-/*
- * Copyright (c) 2015 Michael Felt <aixtools@gmail.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include <sys/id.h>
-#include <sys/priv.h>
-
-#include <stdio.h>
-#include <unistd.h>
-
-/*
- * AIX does not have issetugid().
- * This experimental implementation uses getpriv() and get*id().
- * First, try getpriv() and check equality of pv_priv values
- * When these values are equal, using get*id() including login uid.
- *
- */
-int issetugid(void)
-{
-	/*
-	 * Return fail-safe while we evaluate primitives in AIX. There does
-	 * not yet appear to be a single atomic test to tell if privileges of
-	 * the process changed from that of the user who is in control of the
-	 * environment.
-	 */
-	return (1);
-
-#define PEPRIV(a,b) a.pv_priv[b]
-	/*
-	 * effective priv is what I can do now
-	 * inherited priv is what the caller gave or could have given
-	 * basically when inherited == 0 and effective != 0 then
-	 * some kind of priv escalation has occurred
-	 * when 'demoted' -- inherited != 0 but effective == 0
-	 * there is also a change, so, will report 1 as well - to be safe
-	 * PROBABLY there needs more study re: how RBAC subtley affects
-	 * the priv_t values - for now, they are either zero - nothing added
-	 * or non-zero - something added
-	 */
-	priv_t effective,inherited;
-	int luid;
-	int euid, ruid;
-
-	getpriv(PRIV_EFFECTIVE, &effective, sizeof(priv_t));
-	getpriv(PRIV_INHERITED, &inherited, sizeof(priv_t));
-
-	if (PEPRIV(effective,0) | PEPRIV(effective,1)) { /* have something */
-		if ((PEPRIV(inherited,0) | PEPRIV(inherited,1)) == 0) /* had nothing - classic u+s  bit */
-			return (1);
-	} else {
-		/*
-		 * effective priv elevation is NULL/NONE
-		 * was there something and removed via setuid()?
-		 */
-		if (PEPRIV(inherited,0) | PEPRIV(inherited,1))
-			return (1);
-	}
-
-	/*
-	 * if we get this far, then "no" differences in process priv noted
-	 * compare the different uid
-	 * the comparision of login id with effective says "TRUE" when different.
-	 * this may not work as expected when using sudo for elevation
-	 * again, looking at RBAC affects on priv may be more truthful
-	 *
-	 * ruid - real uid
-	 * euid - effictive uid
-	 * luid - login uid
-	 */
-
-	/*
-	 * if these differ (not common on AIX), return changed
-	 */
-	ruid = getuid();
-	euid = geteuid();
-	if (euid != ruid)
-		return (1);
-
-	if (getgid() != getegid())
-		return (1);
-
-	/*
-	 * luid == login id, su/sudo do not/cannot change this afaik
-	 * perhaps this is "too strict", but same as in
-	 * issetugid_win.c - err on the safe side for now
-	 */
-	luid = getuidx(ID_LOGIN);
-	if (euid != luid)
-		return (1);
-
-	return (0);
-}

crypto/compat/issetugid_hpux.c

@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/pstat.h>
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
-	struct pst_status buf;
-	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
-	    !(buf.pst_flag & PS_CHANGEDPRIV))
-		return 0;
-	return 1;
-}

crypto/compat/issetugid_linux.c

@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include <errno.h>
-#include <gnu/libc-version.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include <sys/auxv.h>
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
-	/*
-	 * The API for glibc < 2.19 does not indicate if there is an error with
-	 * getauxval. While it should not be the case that any 2.6 or greater
-	 * kernel ever does not supply AT_SECURE, an emulated software environment
-	 * might rewrite the aux vector.
-	 *
-	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
-	 *
-	 * Perhaps this code should just read the aux vector itself, so we have
-	 * backward-compatibility and error handling in older glibc versions.
-	 * info: http://lwn.net/Articles/519085/
-	 *
-	 */
-	const char *glcv = gnu_get_libc_version();
-	if (strverscmp(glcv, "2.19") >= 0) {
-		errno = 0;
-		if (getauxval(AT_SECURE) == 0) {
-			if (errno != ENOENT) {
-				return 0;
-			}
-		}
-	}
-#endif
-	return 1;
-}

crypto/compat/issetugid_osx.c

@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
-	return 1;
-}

crypto/compat/issetugid_win.c

@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
-	return 1;
-}

include/unistd.h

@@ -12,8 +12,4 @@
 int getentropy(void *buf, size_t buflen);
 #endif
 
-#ifndef HAVE_ISSETUGID
-int issetugid(void);
-#endif
-
 #endif