
ADDED: * Convenience functions to determine if a process is running in an elevated/dropped privileges context
package sysutils
/*
Checked reports whether every individual check was performed: UIDs, GIDs,
the sudo environment, and the parent process' UID and GID.

It returns false on a nil receiver.

The Is* methods of IDState return false when the check they depend on was
not performed, so a false result from them only means "not elevated" when
the matching *Checked method (or Checked) returns true.
*/
func (i *IDState) Checked() (checked bool) {
	if i == nil {
		return false
	}

	idsOK := i.uidsChecked && i.gidsChecked
	parentOK := i.ppidUidChecked && i.ppidGidChecked

	return idsOK && i.sudoChecked && parentOK
}
/*
IsReal consolidates all the elevation/dropped-privs checks into a single method.

The value it computes is true only if IsSuid, IsSgid, IsSudoUser and
IsSudoGroup all return false. Nothing is computed on a nil receiver.

NOTE(review): as declared, real is an input parameter and the method has no
result, so the computed value never reaches the caller. The signature was
presumably meant to be `IsReal() (real bool)` - confirm and change it together
with any callers.

NOTE(review): each Is* method returns false when its underlying check was not
performed, so the computed value is also true for an IDState on which nothing
was checked. A caller relying on it for a privilege decision would want it
gated on Checked - confirm the intended behavior.
*/
func (i *IDState) IsReal(real bool) {
	if i == nil {
		return
	}

	// Any single positive indicator means the process is not running "as itself".
	elevated := i.IsSuid() || i.IsSgid() || i.IsSudoUser() || i.IsSudoGroup()

	real = !elevated
}
/*
IsSudoGroup is true if SudoEnvGroup is set or PPIDGidMatch is false.

Per the author's description, that corresponds to any of the group sudo env
vars being set, or the parent process having a different group (and not being
PID 1); both fields are populated outside this method.

It will always return false on a nil receiver, or if SudoChecked returns false
or PPIDGIDsChecked returns false.

NOTE(review): environment variables are supplied by whoever launched the
process, so the SudoEnvGroup half of this result is presumably a hint rather
than proof - confirm how it is populated before using it for a security
decision.
*/
func (i *IDState) IsSudoGroup() (sudo bool) {
	if i == nil {
		return false
	}
	// Without both checks the fields below carry no information.
	if !i.sudoChecked || !i.ppidGidChecked {
		return false
	}

	return i.SudoEnvGroup || !i.PPIDGidMatch
}
/*
IsSudoUser is true if SudoEnvUser is set or PPIDUidMatch is false.

Per the author's description, that corresponds to any of the user sudo env
vars being set, or the parent process having a different owner (and not being
PID 1); both fields are populated outside this method.

It will always return false on a nil receiver, or if SudoChecked returns false
or PPIDUIDsChecked returns false.

NOTE(review): environment variables are supplied by whoever launched the
process, so the SudoEnvUser half of this result is presumably a hint rather
than proof - confirm how it is populated before using it for a security
decision.
*/
func (i *IDState) IsSudoUser() (sudo bool) {
	if i == nil {
		return false
	}
	// Without both checks the fields below carry no information.
	if !i.sudoChecked || !i.ppidUidChecked {
		return false
	}

	return i.SudoEnvUser || !i.PPIDUidMatch
}
/*
IsSuid is true unless the RUID matches both the EUID and the SUID.

It will always return false on a nil receiver or if UIDsChecked returns false,
so a false result is only meaningful once UIDsChecked is true.
*/
func (i *IDState) IsSuid() (suid bool) {
	if i == nil || !i.uidsChecked {
		return false
	}

	allMatch := i.RUID == i.EUID && i.RUID == i.SUID

	return !allMatch
}
/*
IsSgid is true unless the RGID matches both the EGID and the SGID.

It will always return false on a nil receiver or if GIDsChecked returns false,
so a false result is only meaningful once GIDsChecked is true.
*/
func (i *IDState) IsSgid() (sgid bool) {
	if i == nil || !i.gidsChecked {
		return false
	}

	allMatch := i.RGID == i.EGID && i.RGID == i.SGID

	return !allMatch
}
// GIDsChecked is true if the GIDs presented can be trusted.
// It returns the gidsChecked flag, and false on a nil receiver.
func (i *IDState) GIDsChecked() (checked bool) {
	if i != nil {
		checked = i.gidsChecked
	}

	return checked
}
// PPIDGIDsChecked is true if PPIDGidMatch can be trusted.
// It returns the ppidGidChecked flag, and false on a nil receiver.
func (i *IDState) PPIDGIDsChecked() (checked bool) {
	if i != nil {
		checked = i.ppidGidChecked
	}

	return checked
}
// PPIDUIDsChecked is true if PPIDUidMatch can be trusted.
// It returns the ppidUidChecked flag, and false on a nil receiver.
func (i *IDState) PPIDUIDsChecked() (checked bool) {
	if i != nil {
		checked = i.ppidUidChecked
	}

	return checked
}
// SudoChecked is true if the sudo environment variable results can be trusted.
// It returns the sudoChecked flag, and false on a nil receiver.
func (i *IDState) SudoChecked() (checked bool) {
	if i != nil {
		checked = i.sudoChecked
	}

	return checked
}
// UIDsChecked is true if the UIDs presented can be trusted.
// It returns the uidsChecked flag, and false on a nil receiver.
func (i *IDState) UIDsChecked() (checked bool) {
	if i != nil {
		checked = i.uidsChecked
	}

	return checked
}