/* This file is part of GNU Radius.
   Copyright (C) 2000,2001,2002,2003 Free Software Foundation, Inc.

   Written by Sergey Poznyakoff

   GNU Radius is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   GNU Radius is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with GNU Radius; if not, write to the Free Software Foundation,
   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */

#ifdef HAVE_CONFIG_H
# include <config.h>
#endif

#include <sys/types.h>
#include <unistd.h>
#include <radiusd.h>

int
drop_privileges(struct user_info *user)
{
	if (user->uid == 0 && user->gid == 0) return 0;

	if (user->gid != 0 && setgid(user->gid)) {
		radlog(L_ERR|L_PERROR,
		       _("setgid(%d) failed"), user->gid);
		return -1;
	}

	if (user->uid != 0) {
#if defined(HAVE_SETUID)
		if (setuid(user->uid)) {
		    radlog(L_ERR|L_PERROR,
			   _("setuid(%d) failed (ruid=%d, euid=%d)"), 
			   user->uid, getuid(), geteuid());
		    return -1;
		}
#elif defined(HAVE_SETREUID)
		if (setreuid(user->uid, user->uid)) {
		    radlog(L_ERR|L_PERROR,
			   _("setreuid(%d,%d) failed (ruid=%d, euid=%d)"), 
			   user->uid, user->uid, getuid(), geteuid());
		    return -1;
		}
#elif defined(HAVE_SETRUID) && defined(HAVE_SETEUID)
		if (seteuid(user->uid) || setruid(user->uid)) {
		    radlog(L_ERR|L_PERROR,
			   _("seteuid/setruid(%d) failed (ruid=%d, euid=%d)"), 
			   user->uid, getuid(), geteuid());
		    return -1;
		}
#elif defined(HAVE_SETEUID)
		if (seteuid(user->uid)) {
		    radlog(L_ERR|L_PERROR,
			   _("seteuid(%d) failed (ruid=%d, euid=%d)"), 
			   user->uid, getuid(), geteuid());
		    return -1;
		}
		radlog(L_WARN,
		       _("Incomplete drop of privileges to user %s (uid %d): "
			 "only the effective uid is set"), 
                       user->username, user->uid);
#else
# error "*** NO WAY TO SET REAL AND EFFECTIVE UID IN drop_privileges() ***"
#endif
	}

        radlog(L_INFO, 
	       _("Dropped privileges: user=%s gid=%d ruid=%d euid=%d"),
	       user->username, getgid(), getuid(), geteuid());

	return 0;
}