remove issetuigid wrappers, now that all getenv calls are gone.

From deraadt@ upstream:

Remove all getenv() calls, especially those wrapped by issetugid().
getenv()'s wrapped by issetugid() are safe, but issetugid() is ...
difficult to impliment on many operating systems.  By accident, a grand
experiment was run over the last year, where issetugid() returned 1 (the
safe value) on a few operating systems.  Noone noticed & complained that
certain environment variables were not working.......

6 files changed, 0 insertions, 231 deletions

diff --git a/crypto/Makefile.am b/crypto/Makefile.am
index 83bf0c6..757197f 100644
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -97,24 +97,6 @@ endif
 
 endif
 
-if !HAVE_ISSETUGID
-if HOST_AIX
-libcompat_la_SOURCES += compat/issetugid_aix.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_aix.h
diff --git a/crypto/compat/issetugid_aix.c b/crypto/compat/issetugid_aix.c
deleted file mode 100644
index 16f0a6d..0000000
--- a/crypto/compat/issetugid_aix.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*        $OpenBSD: $    */
-
-/*
- * Copyright (c) 2015 Michael Felt <aixtools@gmail.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include <sys/id.h>
-#include <sys/priv.h>
-
-#include <stdio.h>
-#include <unistd.h>
-
-/*
- * AIX does not have issetugid().
- * This experimental implementation uses getpriv() and get*id().
- * First, try getpriv() and check equality of pv_priv values
- * When these values are equal, using get*id() including login uid.
- *
- */
-int issetugid(void)
-{
-        /*
-         * Return fail-safe while we evaluate primitives in AIX. There does
-         * not yet appear to be a single atomic test to tell if privileges of
-         * the process changed from that of the user who is in control of the
-         * environment.
-         */
-        return (1);
-
-#define PEPRIV(a,b) a.pv_priv[b]
-        /*
-         * effective priv is what I can do now
-         * inherited priv is what the caller gave or could have given
-         * basically when inherited == 0 and effective != 0 then
-         * some kind of priv escalation has occurred
-         * when 'demoted' -- inherited != 0 but effective == 0
-         * there is also a change, so, will report 1 as well - to be safe
-         * PROBABLY there needs more study re: how RBAC subtley affects
-         * the priv_t values - for now, they are either zero - nothing added
-         * or non-zero - something added
-         */
-        priv_t effective,inherited;
-        int luid;
-        int euid, ruid;
-
-        getpriv(PRIV_EFFECTIVE, &effective, sizeof(priv_t));
-        getpriv(PRIV_INHERITED, &inherited, sizeof(priv_t));
-
-        if (PEPRIV(effective,0) | PEPRIV(effective,1)) { /* have something */
-                if ((PEPRIV(inherited,0) | PEPRIV(inherited,1)) == 0) /* had nothing - classic u+s  bit */
-                        return (1);
-        } else {
-                /*
-                 * effective priv elevation is NULL/NONE
-                 * was there something and removed via setuid()?
-                 */
-                if (PEPRIV(inherited,0) | PEPRIV(inherited,1))
-                        return (1);
-        }
-
-        /*
-         * if we get this far, then "no" differences in process priv noted
-         * compare the different uid
-         * the comparision of login id with effective says "TRUE" when different.
-         * this may not work as expected when using sudo for elevation
-         * again, looking at RBAC affects on priv may be more truthful
-         *
-         * ruid - real uid
-         * euid - effictive uid
-         * luid - login uid
-         */
-
-        /*
-         * if these differ (not common on AIX), return changed
-         */
-        ruid = getuid();
-        euid = geteuid();
-        if (euid != ruid)
-                return (1);
-
-        if (getgid() != getegid())
-                return (1);
-
-        /*
-         * luid == login id, su/sudo do not/cannot change this afaik
-         * perhaps this is "too strict", but same as in
-         * issetugid_win.c - err on the safe side for now
-         */
-        luid = getuidx(ID_LOGIN);
-        if (euid != luid)
-                return (1);
-
-        return (0);
-}
diff --git a/crypto/compat/issetugid_hpux.c b/crypto/compat/issetugid_hpux.c
deleted file mode 100644
index ca0e42c..0000000
--- a/crypto/compat/issetugid_hpux.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/pstat.h>
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
-        struct pst_status buf;
-        if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
-            !(buf.pst_flag & PS_CHANGEDPRIV))
-                return 0;
-        return 1;
-}
diff --git a/crypto/compat/issetugid_linux.c b/crypto/compat/issetugid_linux.c
deleted file mode 100644
index 669edce..0000000
--- a/crypto/compat/issetugid_linux.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include <errno.h>
-#include <gnu/libc-version.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include <sys/auxv.h>
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
-        /*
-         * The API for glibc < 2.19 does not indicate if there is an error with
-         * getauxval. While it should not be the case that any 2.6 or greater
-         * kernel ever does not supply AT_SECURE, an emulated software environment
-         * might rewrite the aux vector.
-         *
-         * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
-         *
-         * Perhaps this code should just read the aux vector itself, so we have
-         * backward-compatibility and error handling in older glibc versions.
-         * info: http://lwn.net/Articles/519085/
-         *
-         */
-        const char *glcv = gnu_get_libc_version();
-        if (strverscmp(glcv, "2.19") >= 0) {
-                errno = 0;
-                if (getauxval(AT_SECURE) == 0) {
-                        if (errno != ENOENT) {
-                                return 0;
-                        }
-                }
-        }
-#endif
-        return 1;
-}
diff --git a/crypto/compat/issetugid_osx.c b/crypto/compat/issetugid_osx.c
deleted file mode 100644
index ad6cb58..0000000
--- a/crypto/compat/issetugid_osx.c
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
-        return 1;
-}
diff --git a/crypto/compat/issetugid_win.c b/crypto/compat/issetugid_win.c
deleted file mode 100644
index d0c598d..0000000
--- a/crypto/compat/issetugid_win.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
-        return 1;
-}