remove issetuigid wrappers, now that all getenv calls are gone.

From deraadt@ upstream:

Remove all getenv() calls, especially those wrapped by issetugid().
getenv()'s wrapped by issetugid() are safe, but issetugid() is ...
difficult to impliment on many operating systems.  By accident, a grand
experiment was run over the last year, where issetugid() returned 1 (the
safe value) on a few operating systems.  Noone noticed & complained that
certain environment variables were not working.......

9 files changed, 3 insertions, 244 deletions

diff --git a/README b/README
index ce1d9ef..8ac40af 100644
--- a/README
+++ b/README
@@ -43,8 +43,8 @@ programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
 to 1.0.1.
 
 The project attempts to provide working alternatives for operating systems with
-limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
-assists with improving OS-native implementations where possible.
+limited or broken security primitives (e.g. arc4random(3)) and assists with
+improving OS-native implementations where possible.
 
 LibreSSL portable will build on any reasonably modern version of Linux,
 Solaris, or OSX with a standards-compliant compiler and C library.
diff --git a/configure.ac b/configure.ac
index 75a1ec2..2cd9814 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,7 +220,7 @@ CFLAGS="$save_cflags $AM_CFLAGS"
 AM_PROG_AS
 
 AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
-AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
+AC_CHECK_FUNCS([getentropy memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([symlink])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
@@ -230,7 +230,6 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
-AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
@@ -251,11 +250,6 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
            -a "x$HOST_OS" != xnetbsd \
            -a "x$ac_cv_func_arc4random_buf" = xyes])
 
-# overrides for issetugid implementations with known issues
-AM_CONDITIONAL([HAVE_ISSETUGID],
-       [test "x$HOST_OS" != xdarwin \
-          -a "x$ac_cv_func_issetugid" = xyes])
-
 AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
         AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
diff --git a/crypto/Makefile.am b/crypto/Makefile.am
index 83bf0c6..757197f 100644
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -97,24 +97,6 @@ endif
 
 endif
 
-if !HAVE_ISSETUGID
-if HOST_AIX
-libcompat_la_SOURCES += compat/issetugid_aix.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_aix.h
diff --git a/crypto/compat/issetugid_aix.c b/crypto/compat/issetugid_aix.c
deleted file mode 100644
index 16f0a6d..0000000
--- a/crypto/compat/issetugid_aix.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*        $OpenBSD: $    */
-
-/*
- * Copyright (c) 2015 Michael Felt <aixtools@gmail.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include <sys/id.h>
-#include <sys/priv.h>
-
-#include <stdio.h>
-#include <unistd.h>
-
-/*
- * AIX does not have issetugid().
- * This experimental implementation uses getpriv() and get*id().
- * First, try getpriv() and check equality of pv_priv values
- * When these values are equal, using get*id() including login uid.
- *
- */
-int issetugid(void)
-{
-        /*
-         * Return fail-safe while we evaluate primitives in AIX. There does
-         * not yet appear to be a single atomic test to tell if privileges of
-         * the process changed from that of the user who is in control of the
-         * environment.
-         */
-        return (1);
-
-#define PEPRIV(a,b) a.pv_priv[b]
-        /*
-         * effective priv is what I can do now
-         * inherited priv is what the caller gave or could have given
-         * basically when inherited == 0 and effective != 0 then
-         * some kind of priv escalation has occurred
-         * when 'demoted' -- inherited != 0 but effective == 0
-         * there is also a change, so, will report 1 as well - to be safe
-         * PROBABLY there needs more study re: how RBAC subtley affects
-         * the priv_t values - for now, they are either zero - nothing added
-         * or non-zero - something added
-         */
-        priv_t effective,inherited;
-        int luid;
-        int euid, ruid;
-
-        getpriv(PRIV_EFFECTIVE, &effective, sizeof(priv_t));
-        getpriv(PRIV_INHERITED, &inherited, sizeof(priv_t));
-
-        if (PEPRIV(effective,0) | PEPRIV(effective,1)) { /* have something */
-                if ((PEPRIV(inherited,0) | PEPRIV(inherited,1)) == 0) /* had nothing - classic u+s  bit */
-                        return (1);
-        } else {
-                /*
-                 * effective priv elevation is NULL/NONE
-                 * was there something and removed via setuid()?
-                 */
-                if (PEPRIV(inherited,0) | PEPRIV(inherited,1))
-                        return (1);
-        }
-
-        /*
-         * if we get this far, then "no" differences in process priv noted
-         * compare the different uid
-         * the comparision of login id with effective says "TRUE" when different.
-         * this may not work as expected when using sudo for elevation
-         * again, looking at RBAC affects on priv may be more truthful
-         *
-         * ruid - real uid
-         * euid - effictive uid
-         * luid - login uid
-         */
-
-        /*
-         * if these differ (not common on AIX), return changed
-         */
-        ruid = getuid();
-        euid = geteuid();
-        if (euid != ruid)
-                return (1);
-
-        if (getgid() != getegid())
-                return (1);
-
-        /*
-         * luid == login id, su/sudo do not/cannot change this afaik
-         * perhaps this is "too strict", but same as in
-         * issetugid_win.c - err on the safe side for now
-         */
-        luid = getuidx(ID_LOGIN);
-        if (euid != luid)
-                return (1);
-
-        return (0);
-}
diff --git a/crypto/compat/issetugid_hpux.c b/crypto/compat/issetugid_hpux.c
deleted file mode 100644
index ca0e42c..0000000
--- a/crypto/compat/issetugid_hpux.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/pstat.h>
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
-        struct pst_status buf;
-        if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
-            !(buf.pst_flag & PS_CHANGEDPRIV))
-                return 0;
-        return 1;
-}
diff --git a/crypto/compat/issetugid_linux.c b/crypto/compat/issetugid_linux.c
deleted file mode 100644
index 669edce..0000000
--- a/crypto/compat/issetugid_linux.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include <errno.h>
-#include <gnu/libc-version.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include <sys/auxv.h>
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
-        /*
-         * The API for glibc < 2.19 does not indicate if there is an error with
-         * getauxval. While it should not be the case that any 2.6 or greater
-         * kernel ever does not supply AT_SECURE, an emulated software environment
-         * might rewrite the aux vector.
-         *
-         * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
-         *
-         * Perhaps this code should just read the aux vector itself, so we have
-         * backward-compatibility and error handling in older glibc versions.
-         * info: http://lwn.net/Articles/519085/
-         *
-         */
-        const char *glcv = gnu_get_libc_version();
-        if (strverscmp(glcv, "2.19") >= 0) {
-                errno = 0;
-                if (getauxval(AT_SECURE) == 0) {
-                        if (errno != ENOENT) {
-                                return 0;
-                        }
-                }
-        }
-#endif
-        return 1;
-}
diff --git a/crypto/compat/issetugid_osx.c b/crypto/compat/issetugid_osx.c
deleted file mode 100644
index ad6cb58..0000000
--- a/crypto/compat/issetugid_osx.c
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
-        return 1;
-}
diff --git a/crypto/compat/issetugid_win.c b/crypto/compat/issetugid_win.c
deleted file mode 100644
index d0c598d..0000000
--- a/crypto/compat/issetugid_win.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
-        return 1;
-}
diff --git a/include/unistd.h b/include/unistd.h
index 3aecd68..9b12034 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -12,8 +12,4 @@
 int getentropy(void *buf, size_t buflen);
 #endif
 
-#ifndef HAVE_ISSETUGID
-int issetugid(void);
-#endif
-
 #endif