zshrs 0.11.3

The first compiled Unix shell — bytecode VM, worker pool, AOP intercept, Rkyv caching
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269

//! Port of `Src/openssh_bsd_setres_id.c` — `setresuid()` /
//! `setresgid()` wrappers for platforms whose libc lacks the native
//! syscalls (or has broken `setreuid()` / `setregid()` like NetBSD).
//!
//! Strict 1:1 mirror of the upstream control flow. The configure-time
//! macros are translated to compile-time `cfg!` checks against
//! `target_os`:
//!
//! * `BROKEN_SETREUID` / `BROKEN_SETREGID` — set on NetBSD, where
//!   `setreuid()` / `setregid()` fail to reset the saved uid/gid when
//!   the real id isn't modified. Falls back to `setegid()` +
//!   `setgid()` (resp. `seteuid()` + `setuid()`) which reset all
//!   three.
//! * `SETEUID_BREAKS_SETUID` — not known to apply to any modern
//!   platform we target; the `seteuid()` branch is therefore always
//!   taken in the non-native fallback.
//!
//! On platforms whose libc already provides `setresuid(2)` /
//! `setresgid(2)` (Linux, FreeBSD, OpenBSD, DragonFly), prefer those
//! syscalls directly; the wrappers below are only used as a fallback
//! for platforms that lack them. This matches the upstream
//! `ZSH_IMPLEMENT_SETRES{U,G}ID` configure gate.

#![allow(clippy::needless_return)]

use crate::utils::zwarnnam;
use std::cell::UnsafeCell;

/// True on platforms whose `setregid()` does not reset the saved gid.
/// Mirrors `#define BROKEN_SETREGID` under `#ifdef __NetBSD__`.
#[inline]
const fn broken_setregid() -> bool {
    cfg!(target_os = "netbsd")
}

/// True on platforms whose `setreuid()` does not reset the saved uid.
/// Mirrors `#define BROKEN_SETREUID` under `#ifdef __NetBSD__`.
#[inline]
const fn broken_setreuid() -> bool {
    cfg!(target_os = "netbsd")
}

/// True on platforms whose libc provides a native `setregid()` we can
/// call. Mirrors `ZSH_HAVE_NATIVE_SETREGID`; configure detects this on
/// every Unix we currently support, so it is unconditionally true.
#[inline]
const fn have_native_setregid() -> bool {
    cfg!(unix)
}

/// True on platforms whose libc provides a native `setreuid()` we can
/// call. Mirrors `ZSH_HAVE_NATIVE_SETREUID`.
#[inline]
const fn have_native_setreuid() -> bool {
    cfg!(unix)
}

/// True on platforms where calling `seteuid()` first prevents a
/// later `setuid()` from succeeding. Mirrors `SETEUID_BREAKS_SETUID`,
/// which is not detected on any platform we target.
#[inline]
const fn seteuid_breaks_setuid() -> bool {
    false
}

/// Port of `setresgid(gid_t rgid, gid_t egid, gid_t sgid)` from Src/openssh_bsd_setres_id.c:70.
///
/// Set the real, effective and saved group ids. Implementation
/// requires `rgid == sgid` (the only combination zsh ever passes);
/// any other combination returns `-1` with `errno = ENOSYS`, exactly
/// as the C source does.
///
/// # Safety
///
/// Calls into libc to alter the calling process's credentials. The
/// caller must have appropriate privileges; behaviour matches the
/// underlying syscalls.
#[cfg(unix)]
pub unsafe fn setresgid(rgid: libc::gid_t, egid: libc::gid_t, sgid: libc::gid_t) -> libc::c_int {
    let mut ret: libc::c_int = 0;
    let mut saved_errno: libc::c_int;

    if rgid != sgid {
        errno_set(libc::ENOSYS);
        return -1;
    }

    if have_native_setregid() && !broken_setregid() {
        if libc::setregid(rgid, egid) < 0 {
            saved_errno = errno_get();
            zwarnnam("setregid", &format!("to gid {}: {}", rgid as i64, errno_str(saved_errno)));
            errno_set(saved_errno);
            ret = -1;
        }
    } else {
        if libc::setegid(egid) < 0 {
            saved_errno = errno_get();
            zwarnnam("setegid", &format!("to gid {}: {}", egid as i64, errno_str(saved_errno)));
            errno_set(saved_errno);
            ret = -1;
        }
        if libc::setgid(rgid) < 0 {
            saved_errno = errno_get();
            zwarnnam("setgid", &format!("to gid {}: {}", rgid as i64, errno_str(saved_errno)));
            errno_set(saved_errno);
            ret = -1;
        }
    }
    ret
}

/// Port of `setresuid(uid_t ruid, uid_t euid, uid_t suid)` from Src/openssh_bsd_setres_id.c:105.
///
/// Set the real, effective and saved user ids. As with `setresgid()`,
/// only `ruid == suid` is supported; other combinations return `-1`
/// with `errno = ENOSYS`.
///
/// # Safety
///
/// Calls into libc to alter the calling process's credentials. The
/// caller must have appropriate privileges; behaviour matches the
/// underlying syscalls.
#[cfg(unix)]
pub unsafe fn setresuid(ruid: libc::uid_t, euid: libc::uid_t, suid: libc::uid_t) -> libc::c_int {
    let mut ret: libc::c_int = 0;
    let mut saved_errno: libc::c_int;

    if ruid != suid {
        errno_set(libc::ENOSYS);
        return -1;
    }

    if have_native_setreuid() && !broken_setreuid() {
        if libc::setreuid(ruid, euid) < 0 {
            saved_errno = errno_get();
            zwarnnam("setreuid", &format!("to uid {}: {}", ruid as i64, errno_str(saved_errno)));
            errno_set(saved_errno);
            ret = -1;
        }
    } else {
        if !seteuid_breaks_setuid() {
            if libc::seteuid(euid) < 0 {
                saved_errno = errno_get();
                zwarnnam("seteuid", &format!("to uid {}: {}", euid as i64, errno_str(saved_errno)));
                errno_set(saved_errno);
                ret = -1;
            }
        }
        if libc::setuid(ruid) < 0 {
            saved_errno = errno_get();
            zwarnnam("setuid", &format!("to uid {}: {}", ruid as i64, errno_str(saved_errno)));
            errno_set(saved_errno);
            ret = -1;
        }
    }
    ret
}

// WARNING: NOT IN OPENSSH_BSD_SETRES_ID.C — Rust-only errno-read
// helper. C reads `errno` (thread-local int via libc) directly; Rust
// has no portable mutable errno accessor in `std`, so this fn wraps
// `std::io::Error::last_os_error().raw_os_error()`.
#[cfg(unix)]
#[inline]
fn errno_get() -> libc::c_int {
    std::io::Error::last_os_error().raw_os_error().unwrap_or(0)
}

// WARNING: NOT IN OPENSSH_BSD_SETRES_ID.C — Rust-only errno-write
// helper; see `errno_get` above. libc exposes `__errno_location()`
// on Linux, `__error()` on macOS/BSD; this fn dispatches per
// target_os to get the right thread-local accessor. Exotic targets
// fall back to a Rust thread_local; callers re-read via `errno_get()`.
#[cfg(unix)]
#[inline]
fn errno_set(e: libc::c_int) {
    unsafe {
        let p: *mut libc::c_int = {
            #[cfg(any(target_os = "linux", target_os = "android"))]
            { libc::__errno_location() }
            #[cfg(any(target_os = "macos", target_os = "ios", target_os = "freebsd", target_os = "dragonfly"))]
            { libc::__error() }
            #[cfg(any(target_os = "openbsd", target_os = "netbsd"))]
            {
                extern "C" {
                    fn __errno() -> *mut libc::c_int;
                }
                __errno()
            }
            #[cfg(not(any(
                target_os = "linux",
                target_os = "android",
                target_os = "macos",
                target_os = "ios",
                target_os = "freebsd",
                target_os = "dragonfly",
                target_os = "openbsd",
                target_os = "netbsd",
            )))]
            {
                thread_local! {
                    static ERRNO: UnsafeCell<libc::c_int> = const { UnsafeCell::new(0) };
                }
                ERRNO.with(|c| c.get())
            }
        };
        *p = e;
    }
}

// WARNING: NOT IN OPENSSH_BSD_SETRES_ID.C — Rust-only error-string
// formatter. C uses `strerror(errno)` directly; Rust uses
// `std::io::Error::from_raw_os_error(e).to_string()`.
#[cfg(unix)]
#[inline]
fn errno_str(e: libc::c_int) -> String {
    std::io::Error::from_raw_os_error(e).to_string()
}

#[cfg(test)]
mod tests {
    use super::*;

    /// `rgid != sgid` must be rejected with ENOSYS, matching the C
    /// pre-check at openssh_bsd_setres_id.c:74.
    #[test]
    #[cfg(unix)]
    fn setresgid_rejects_split_real_saved() {
        unsafe {
            let r = setresgid(1, 2, 3);
            assert_eq!(r, -1);
            assert_eq!(errno_get(), libc::ENOSYS);
        }
    }

    /// Likewise for `setresuid()` at openssh_bsd_setres_id.c:109.
    #[test]
    #[cfg(unix)]
    fn setresuid_rejects_split_real_saved() {
        unsafe {
            let r = setresuid(1, 2, 3);
            assert_eq!(r, -1);
            assert_eq!(errno_get(), libc::ENOSYS);
        }
    }

    /// Equal real/saved with the *current* uid must succeed (no
    /// privileges actually changed). Mirrors the success path at
    /// openssh_bsd_setres_id.c:113.
    #[test]
    #[cfg(unix)]
    fn setresuid_noop_succeeds() {
        unsafe {
            let me = libc::getuid();
            let r = setresuid(me, me, me);
            assert_eq!(r, 0);
        }
    }

    #[test]
    #[cfg(unix)]
    fn setresgid_noop_succeeds() {
        unsafe {
            let me = libc::getgid();
            let r = setresgid(me, me, me);
            assert_eq!(r, 0);
        }
    }
}