Context Navigation

source: trunk/src/trustfile.c@ 176

Last change on this file since 176 was 171, checked in by katerina, 16 years ago
Include dnmalloc (ticket #108) and fix bugs #106 (EINPROGRESS) and #107 (compressBound).
File size: 27.3 KB

Line
1	/* debug problems */
2	/* #define TRUST_DEBUG */
3
4	/* switch off full check */
5	/* #define TEST_ONLY */
6
7	/* standalone */
8	/* #define TRUST_MAIN */
9	/* $(CC) -DTRUST_MAIN -DSL_ALWAYS_TRUSTED=... */
10
11	/* LINTLIBRARY */
12	/*
13	* This is the file with all the library routines in it
14	*
15	* Author information:
16	* Matt Bishop
17	* Department of Computer Science
18	* University of California at Davis
19	* Davis, CA 95616-8562
20	* phone (916) 752-8060
21	* email bishop@cs.ucdavis.edu
22	*
23	* This code is placed in the public domain. I do ask that
24	* you keep my name associated with it, that you not represent
25	* it as written by you, and that you preserve these comments.
26	* This software is provided "as is" and without any guarantees
27	* of any sort.
28	*
29	* Compilation notes:
30	* * this does NOT use malloc(3), but fixed storage. this means we
31	* do lots of bounds checking, but it still is faster, and smaller,
32	* than forcing inclusion of malloc. All buffers etc. are of size
33	* MAXFILENAME (defined in trustfile.h); to get more room, recompile
34	* with this set larger.
35	* * if you support the following directory semantics, define STICKY;
36	* otherwise, undefine it
37	* "if a directory is both world-writeable AND has the sticky bit
38	* set, then ONLY the owner of an existing file may delete it"
39	* On some systems (eg, IRIX), you can delete the file under these
40	* conditions if the file is world writeable. Foor our purposes,
41	* this is irrelevant since if the file is world-writeable it is
42	* untrustworthy; either it can be replaced with another file (the
43	* IRIX version) or it can be altered (all versions).
44	* if this is true and STICKY is not set, the sticky bit is ignored
45	* and the directory will be flagged as untrustworthy, even when only
46	* a trusted user could delete the file
47	* * this uses a library call to get the name of the current working
48	* directory. Define the following to get the various versions:
49	* GETCWD for Solaris 2.x, SunOS 4.1.x, IRIX 5.x
50	* char getcwd(char buf, int bufsz);
51	* where buf is a buffer for the path name, and bufsz is
52	* the size of the buffer; if the size if too small, you
53	* get an error return (NULL)
54	* GETWD for Ultrix 4.4
55	* char getwd(char buf)
56	* where buf is a buffer for the path name, and it is
57	* assumed to be at lease as big as MAXPATHLEN.
58	* * IMPORTANT NOTE *
59	* Ultrix supports getcwd as well, but it uses popen to
60	* run the command "pwd" (according to the manual). This
61	* means it's vulnerable to a number of attacks if used
62	* in a privileged program. YOU DON'T WANT THIS.
63	* * the debugging flag DEBUG prints out each step of the file name
64	* checking, as well as info on symbolic links (if S_IFLNK defined),
65	* file name canonicalization, and user, group, and permission for
66	* each file or directory; this is useful if you want to be sure
67	* you're checking the right file
68	*
69	* Version information:
70	* 1.0 December 28, 1995 Matt Bishop
71	*
72	* 2.0 March 26, 2000 Rainer Wichmann -- adapted for slib.
73	*/
74
75	/* --- Why strcpy is safe here: ---- */
76
77	/* The input path is checked once, and then either shortened [in dirz()],
78	* or safely expanded (symlinks) with bound checking.
79	* I.e., the path length can never exceed (MAXFILENAME-1), while the path
80	* is always copied between buffers of length MAXFILENAME.
81	*/
82
83	#ifndef TRUST_MAIN
84	#include "config_xor.h"
85	#include "sh_calls.h"
86	#else
87	#define UID_CAST long
88	#endif
89
90	#include <stdio.h>
91	#include <stdlib.h>
92	#include <sys/types.h>
93	#include <sys/stat.h>
94	#include <grp.h>
95	#include <pwd.h>
96	#include <string.h>
97	#include <unistd.h>
98
99
100	#ifndef TRUST_MAIN
101
102	#include "slib.h"
103	#define SH_NEED_PWD_GRP 1
104	#include "sh_static.h"
105	#include "sh_pthread.h"
106
107	#else
108
109	#define sh_getgrgid getgrgid
110	#define sh_getgrgid_r getgrgid_r
111	#define sh_getpwnam getpwnam
112	#define sh_getpwnam_r getpwnam_r
113	#define sh_getpwuid getpwuid
114	#define sh_getpwuid_r getpwuid_r
115	#define sh_getpwent getpwent
116	#define sh_endpwent endpwent
117
118	#define TRUST_DEBUG
119	#define SL_FALSE 0
120	#define SL_TRUE 1
121	#define SL_ENTER(string)
122	#define SL_IRETURN(a, b) return a
123	#define retry_lstat(a,b,c,d) lstat(c,d)
124	#define _(string) string
125	#define N_(string) string
126	#define MAXFILENAME 4096
127	static int sl_errno = 0;
128	#define SL_ENONE 0
129	#define SL_ENULL -1024 /* Invalid use of NULL pointer. */
130	#define SL_ERANGE -1025 /* Argument out of range. */
131	#define SL_ETRUNC -1026 /* Result truncated. */
132	#define SL_EINTERNAL -1028 /* Internal error. */
133	#define SL_EBADFILE -1030 /* File access error. Check errno. */
134	#define SL_EBADNAME -1040 /* Invalid name. */
135	#define SL_ESTAT -1041 /* stat of file failed. Check errno. */
136	#define SL_EBADUID -1050 /* Owner not trustworthy. */
137	#define SL_EBADGID -1051 /* Group writeable and not trustworthy.*/
138	#define SL_EBADOTH -1052 /* World writeable. */
139
140	#endif
141
142
143	#if defined(__linux__) \|\| defined(__FreeBSD__)
144	#define STICKY
145	#endif
146
147	#undef FIL__
148	#define FIL__ _("trustfile.c")
149
150	/*
151	* the get current working directory function
152	* every version of UNIX seems to have its own
153	* idea of how to do this, so we group them by
154	* arguments ...
155	* all must return a pointer to the right name
156	*/
157
158
159	#ifndef TRUST_MAIN
160
161	#if defined(HAVE_GETCWD) && !defined(HAVE_BROKEN_GETCWD)
162	#define CURDIR(buf,nbuf) getcwd((buf), (nbuf))
163	#elif defined(HAVE_GETWD)
164	#define CURDIR(buf,nbuf) getwd((buf))
165	#endif
166
167	#else
168
169	#define CURDIR(buf,nbuf) getcwd((buf), (nbuf))
170
171	#endif
172
173
174
175	/*
176	* this checks to see if there are symbolic links
177	* assumes the link bit in the protection mask is called S_IFLNK
178	* (seems to be true on all UNIXes with them)
179	*/
180	#ifndef S_IFLNK
181	#define lstat stat
182	#endif
183
184
185	/*
186	* these are useful global variables
187	*
188	* first set: who you gonna trust, by default?
189	* if the user does not specify a trusted or untrusted set of users,
190	* all users are considered untrusted EXCEPT:
191	* UID 0 -- root as root can do anything on most UNIX systems, this
192	* seems reasonable
193	* tf_euid -- programmer-selectable UID
194	* if the caller specifies a specific UID by putting
195	* it in this variable, it will be trusted; this is
196	* typically used to trust the effective UID of the
197	* process (note: NOT the real UID, which will cause all
198	* sorts of problems!) By default, this is set to -1,
199	* so if it's not set, root is the only trusted user
200	*/
201
202	/* modified Tue Feb 22 10:36:44 NFT 2000 Rainer Wichmann */
203
204
205	#ifndef SL_ALWAYS_TRUSTED
206	#define SL_ALWAYS_TRUSTED 0
207	#endif
208	static uid_t test_rootonly[] = { SL_ALWAYS_TRUSTED };
209
210	#define tf_uid_neg ((uid_t)-1)
211
212	uid_t rootonly[] = { SL_ALWAYS_TRUSTED,
213	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg,
214	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg,
215	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg,
216	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg };
217
218	uid_t tf_euid = tf_uid_neg;
219	int EUIDSLOT = sizeof(test_rootonly)/sizeof(uid_t);
220	int ORIG_EUIDSLOT = sizeof(test_rootonly)/sizeof(uid_t);
221
222	char tf_path[MAXFILENAME]; /* error path for trust function */
223	uid_t tf_baduid;
224	gid_t tf_badgid;
225
226	static
227	int dirz(char *path)
228	{
229	register char p = path;/ points to rest of path to clean up */
230	register char q; / temp pointer for skipping over stuff */
231
232	static char swp[MAXFILENAME];
233
234	SL_ENTER(_("dirz"));
235	/*
236	* standard error checking
237	*/
238	if (path == NULL)
239	SL_IRETURN(SL_ENULL, _("dirz"));
240	if (path[0] == '.')
241	SL_IRETURN(SL_EINTERNAL, _("dirz"));
242
243
244	/*
245	* loop over the path name until everything is checked
246	*/
247	while(*p)
248	{
249	/* skip
250	*/
251	if (*p != '/')
252	{
253	p++;
254	continue;
255	}
256
257	/* "/./" or "/."
258	*/
259	if (p[1] == '.' && (p[2] == '/' \|\| p[2] == '\0'))
260	{
261	/* yes -- delete "/."
262	*/
263	(void) strcpy(swp, &p[2]); /* known to fit */
264	(void) strcpy(p, swp); /* known to fit */
265
266	/* special case "/." as full path name
267	*/
268	if (p == path && *p == '\0')
269	{
270	*p++ = '/';
271	*p = '\0';
272	}
273	}
274
275	/* "//"
276	*/
277	else if (p[1] == '/')
278	{
279	/* yes -- skip
280	*/
281	for(q = &p[2]; *q == '/'; q++)
282	;
283	(void) strcpy(swp, q); /* known to fit */
284	(void) strcpy(&p[1], swp); /* known to fit */
285	}
286
287	/* "/../" or "/.."
288	*/
289	else if (p[1] == '.' && p[2] == '.' && (p[3] == '/' \|\| p[3] == '\0'))
290	{
291	/* yes -- if it's root, delete .. only
292	*/
293	if (p == path)
294	{
295	(void) strcpy(swp, &p[3]); /* known to fit */
296	(void) strcpy(p, swp); /* known to fit */
297	}
298	else
299	{
300	/* back up over previous component
301	*/
302	q = p - 1;
303	while(q != path && *q != '/')
304	q--;
305	/* now wipe it out
306	*/
307	(void) strcpy(swp, &p[3]); /* known to fit */
308	(void) strcpy(q, swp); /* known to fit */
309	p = q;
310	}
311	}
312	else
313	p++;
314	}
315	SL_IRETURN(SL_ENONE, _("dirz"));
316	}
317
318
319
320	/* not static to circumvent stupid gcc 4 bug */
321	int getfname(char fname, char rbuf, int rsz)
322	{
323	#ifndef TRUST_MAIN
324	register int status;
325	#endif
326
327	SL_ENTER(_("getfname"));
328	/*
329	* do the initial checking
330	* NULL pointer
331	*/
332	if (fname == NULL \|\| rbuf == NULL)
333	SL_IRETURN(SL_ENULL, _("getfname"));
334	if (rsz <= 0)
335	SL_IRETURN(SL_ERANGE, _("getfname"));
336
337
338	/* already a full path name */
339	if (*fname == '/')
340	rbuf[0] = '\0';
341	else
342	{
343	if (CURDIR(rbuf, rsz) == NULL)
344	{
345	#ifdef TRUST_DEBUG
346	fprintf(stderr, "trustfile: getcwd failed\n");
347	#endif
348	SL_IRETURN(SL_EBADNAME, _("getfname"));
349	}
350	}
351
352	/*
353	* append the file name and reduce
354	*/
355	if (fname != NULL && *fname != '\0')
356	{
357	#ifndef TRUST_MAIN
358	status = sl_strlcat(rbuf, "/", rsz);
359	if (status == SL_ENONE)
360	status = sl_strlcat(rbuf, fname, rsz);
361	if (status != SL_ENONE)
362	SL_IRETURN(status, _("getfname"));
363	#else
364	strncat(rbuf, "/", rsz-strlen(rbuf));
365	strncat(rbuf, fname, rsz-strlen(rbuf));
366	#endif
367	}
368	SL_IRETURN(dirz(rbuf), _("getfname"));
369	}
370
371	static
372	int isin(uid_t n, uid_t *list)
373	{
374	SL_ENTER(_("isin"));
375	if (list == NULL)
376	SL_IRETURN(SL_FALSE, _("isin"));
377
378	while(list != tf_uid_neg && list != n)
379	{
380	#ifdef TRUST_DEBUG
381	fprintf (stderr,
382	"trustfile: owner_uid=%ld, trusted uid=%ld, no match\n",
383	(UID_CAST) n, (UID_CAST) *list);
384	#endif
385	list++;
386	}
387
388	if (*list == tf_uid_neg)
389	{
390	#ifdef TRUST_DEBUG
391	fprintf (stderr,
392	"trustfile: owner_uid=%ld, no match with any trusted user --> ERROR\n",
393	(UID_CAST) n);
394	#endif
395	SL_IRETURN(SL_FALSE, _("isin"));
396	}
397
398	#ifdef TRUST_DEBUG
399	fprintf (stderr,
400	"trustfile: owner_uid=%ld, trusted_uid=%ld, match found --> OK\n",
401	(UID_CAST)n, (UID_CAST)*list);
402	#endif
403	SL_IRETURN(SL_TRUE, _("isin"));
404	}
405
406	/* comment added by R. Wichmann
407	* RETURN TRUE if ANYONE in ulist is group member
408	*/
409	/* not static to circumvent stupid gcc 4 bug */
410	int isingrp(gid_t grp, uid_t *ulist)
411	{
412	struct passwd w; / info about group member */
413	register uid_t u; / points to current ulist member */
414	register char *p; / points to current group member */
415	struct group g; / pointer to group information */
416
417	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
418	struct group gr;
419	char buffer[SH_GRBUF_SIZE];
420	struct passwd pwd;
421	char pbuffer[SH_PWBUF_SIZE];
422	#endif
423
424	SL_ENTER(_("isingrp"));
425
426	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
427	sh_getgrgid_r(grp, &gr, buffer, sizeof(buffer), &g);
428	#else
429	g = sh_getgrgid(grp);
430	#endif
431
432	if (g == NULL)
433	{
434	SL_IRETURN(SL_FALSE, _("isingrp") );
435	}
436	/*
437	if(g->gr_mem == NULL \|\| g->gr_mem[0] == NULL )
438	SL_IRETURN(SL_FALSE, _("isingrp") );
439	*/
440
441	/* this will return at the first match
442	*/
443	for(p = g->gr_mem; *p != NULL; p++)
444	{
445	for(u = ulist; *u != tf_uid_neg; u++)
446	{
447	/* map user name to UID and compare */
448	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
449	sh_getpwnam_r(*p, &pwd, pbuffer, sizeof(pbuffer), &w);
450	#else
451	w = sh_getpwnam(*p);
452	#endif
453
454	#ifdef TRUST_MAIN
455	if (w != NULL && *u == (uid_t)(w->pw_uid) )
456	SL_IRETURN(SL_TRUE, _("isingrp"));
457	#else
458	if (w != NULL && *u == (uid_t)(w->pw_uid) )
459	{
460	SL_IRETURN(SL_TRUE, _("isingrp"));
461	}
462	#endif
463	}
464	}
465	/* added by R. Wichmann Fri Mar 30 08:16:14 CEST 2001:
466	* a user can have a GID but no entry in /etc/group
467	*/
468	for(u = ulist; *u != tf_uid_neg; u++)
469	{
470	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWUID_R)
471	sh_getpwuid_r(*u, &pwd, pbuffer, sizeof(pbuffer), &w);
472	#else
473	w = sh_getpwuid(*u);
474	#endif
475	#ifdef TRUST_MAIN
476	if (w != NULL && grp == (gid_t)(w->pw_gid) )
477	SL_IRETURN(SL_TRUE, _("isingrp"));
478	#else
479	if (w != NULL && grp == (gid_t)(w->pw_gid) )
480	{
481	SL_IRETURN(SL_TRUE, _("isingrp"));
482	}
483	#endif
484	}
485
486	SL_IRETURN(SL_FALSE, _("isingrp"));
487	}
488
489	/* added by R. Wichmann Fri Mar 30 08:16:14 CEST 2001
490	* RETURN TRUE only if ALL group members are trusted
491	*/
492	/* not static to circumvent stupid gcc 4 bug */
493	int onlytrustedingrp(gid_t grp, uid_t *ulist)
494	{
495	struct passwd w; / info about group member */
496	register uid_t u; / points to current ulist member */
497	register char *p; / points to current group member */
498	struct group g; / pointer to group information */
499	register int flag = -1; /* group member found */
500
501	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
502	struct group gr;
503	char buffer[SH_GRBUF_SIZE];
504	struct passwd pw;
505	char pbuffer[SH_PWBUF_SIZE];
506	#endif
507
508	int retval = SL_FALSE;
509
510	SL_ENTER(_("onlytrustedingrp"));
511
512	#ifdef TRUST_DEBUG
513	fprintf(stderr, "trustfile: group writeable, group_gid: %ld\n",
514	(UID_CAST)grp);
515	#endif
516
517	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
518	sh_getgrgid_r(grp, &gr, buffer, sizeof(buffer), &g);
519	#else
520	g = sh_getgrgid(grp);
521	#endif
522
523	if (g == NULL)
524	{
525	#ifdef TRUST_DEBUG
526	fprintf(stderr,
527	"trustfile: group_gid: %ld, no such group --> ERROR\n",
528	(UID_CAST)grp);
529	#endif
530	SL_IRETURN(SL_FALSE, _("onlytrustedingrp") );
531	}
532
533	/* empty group -> no problem
534
535	if(g->gr_mem == NULL \|\| g->gr_mem[0] == NULL )
536	SL_IRETURN(SL_TRUE, _("onlytrustedingrp") );
537	*/
538
539	/* check for untrusted members of the group
540	*/
541	for(p = g->gr_mem; *p != NULL; p++)
542	{
543	flag = -1;
544	#ifdef TRUST_DEBUG
545	fprintf(stderr, "trustfile: group_member: %s\n", *p);
546	#endif
547	/* map user name to UID and compare
548	*/
549	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
550	sh_getpwnam_r(*p, &pw, pbuffer, sizeof(pbuffer), &w);
551	#else
552	w = sh_getpwnam(*p);
553	#endif
554
555	if (w == NULL) /* not a valid user, ignore */
556	{
557	flag = 0;
558	}
559	else /* check list of trusted users */
560	{
561	#ifdef TRUST_DEBUG
562	fprintf (stderr,
563	"trustfile: uid=%ld, checking whether it is trusted\n",
564	(UID_CAST)(w->pw_uid));
565	#endif
566	for(u = ulist; *u != tf_uid_neg; u++)
567	{
568	if (*u == (w->pw_uid) )
569	{
570	#ifdef TRUST_DEBUG
571	fprintf (stderr,
572	"trustfile: uid=%ld, trusted_uid=%ld, match found --> OK\n",
573	(UID_CAST)(w->pw_uid), (UID_CAST)*u);
574	#endif
575	flag = 0;
576	break;
577	}
578	else
579	{
580	#ifdef TRUST_DEBUG
581	fprintf (stderr,
582	"trustfile: uid=%ld, trusted_uid=%ld, no match\n",
583	(UID_CAST)(w->pw_uid), (UID_CAST)*u);
584	#endif
585	;
586	}
587	}
588	}
589	/* not found
590	*/
591	if (flag == -1)
592	{
593	#ifdef TRUST_DEBUG
594	fprintf (stderr,
595	"trustfile: user=%s (gid %ld), not a trusted user --> ERROR\n", *p, (UID_CAST)grp);
596	#endif
597	tf_baduid = w->pw_uid;
598	SL_IRETURN(SL_FALSE, _("onlytrustedingrp"));
599	}
600	}
601
602	#ifndef TEST_ONLY
603	#ifdef HAVE_GETPWENT
604	/* now check ALL users for their GID !!!
605	*/
606	SH_MUTEX_LOCK(mutex_pwent);
607
608	while (NULL != (w = sh_getpwent()))
609	{
610	if (grp == (gid_t)(w->pw_gid))
611	{
612	#ifdef TRUST_DEBUG
613	fprintf(stderr, "trustfile: checking group member %s, uid %ld\n",
614	w->pw_name, (UID_CAST)w->pw_uid);
615	#endif
616	/* is it a trusted user ?
617	*/
618	flag = -1;
619	for(u = ulist; *u != tf_uid_neg; u++)
620	{
621	if (*u == (uid_t)(w->pw_uid))
622	{
623	#ifdef TRUST_DEBUG
624	fprintf (stderr,
625	"trustfile: uid=%ld, trusted_uid=%ld, match found --> OK\n",
626	(UID_CAST)(w->pw_uid), *u);
627	#endif
628	flag = 0;
629	break;
630	}
631	else
632	{
633	#ifdef TRUST_DEBUG
634	fprintf (stderr,
635	"trustfile: uid=%ld, trusted_uid=%ld, no match\n",
636	(UID_CAST)(w->pw_uid), (UID_CAST)*u);
637	#endif
638	;
639	}
640	}
641	/* not found */
642	if (flag == -1)
643	{
644	#ifdef TRUST_DEBUG
645	fprintf(stderr,"trustfile: group member %s not found in trusted users --> ERROR\n", w->pw_name);
646	#endif
647	tf_baduid = w->pw_uid;
648	retval = SL_FALSE;
649	goto out;
650	/* SL_IRETURN(SL_FALSE, _("onlytrustedingrp")); */
651	}
652	}
653	}
654	retval = SL_TRUE;
655
656	out:
657
658	#ifdef HAVE_ENDPWENT
659	sh_endpwent();
660	#endif
661
662	SH_MUTEX_UNLOCK(mutex_pwent);
663
664	/* TEST_ONLY */
665	#endif
666	/* #ifdef HAVE_GETPWENT */
667	#endif
668
669	#ifdef TRUST_DEBUG
670	if (retval == SL_TRUE)
671	fprintf(stderr,
672	"trustfile: group %ld: all members are trusted users --> OK\n",
673	(UID_CAST)grp);
674	#endif
675	/* all found
676	*/
677	SL_IRETURN(retval, _("onlytrustedingrp"));
678	}
679
680	int sl_trustfile(char fname, uid_t okusers, uid_t *badusers)
681	{
682	char fexp[MAXFILENAME]; /* file name fully expanded */
683	register char p = fexp; / used to hold name to be checked */
684	struct stat stbuf; /* used to check file permissions */
685	char c; /* used to hold temp char */
686
687	SL_ENTER(_("sl_trustfile"));
688	if (fname == NULL)
689	SL_IRETURN(SL_EBADFILE, _("sl_trustfile"));
690
691	/*
692	* next expand to the full file name
693	* getfname sets sl_errno as appropriate
694	*/
695	#ifdef TRUST_MAIN
696	sl_errno = getfname(fname, fexp, MAXFILENAME);
697	if (sl_errno != 0)
698	return sl_errno;
699	#else
700	if (SL_ISERROR(getfname(fname, fexp, MAXFILENAME)))
701	SL_IRETURN(sl_errno, _("sl_trustfile"));
702	#endif
703
704	if (okusers == NULL && badusers == NULL)
705	{
706	okusers = rootonly;
707	rootonly[EUIDSLOT] = tf_euid;
708	}
709
710	/*
711	* now loop through the path a component at a time
712	* note we have to special-case root
713	*/
714	while(*p)
715	{
716	/*
717	* get next component
718	*/
719	while(p && p != '/')
720	p++;
721
722	/* save where you are
723	*/
724	if (p == fexp)
725	{
726	/* keep the / if it's the root dir
727	*/
728	c = p[1];
729	p[1] = '\0';
730	}
731	else
732	{
733	/* clobber the / if it isn't the root dir
734	*/
735	c = *p;
736	*p = '\0';
737	}
738
739	/*
740	* now get the information
741	*/
742	if (retry_lstat(FIL__, __LINE__, fexp, &stbuf) < 0)
743	{
744	(void) strncpy(tf_path, fexp, sizeof(tf_path));
745	tf_path[sizeof(tf_path)-1] = '\0';
746	#ifdef TRUST_MAIN
747	fprintf(stderr, "---------------------------------------------\n");
748	fprintf(stderr, "trustfile: ESTAT: stat(%s) failed,\n", fexp);
749	fprintf(stderr, "maybe the file does not exist\n");
750	fprintf(stderr, "---------------------------------------------\n");
751	#endif
752	SL_IRETURN(SL_ESTAT, _("sl_trustfile"));
753	}
754
755	#ifdef S_IFLNK
756	/*
757	* if it's a symbolic link, recurse
758	*/
759	if ((stbuf.st_mode & S_IFLNK) == S_IFLNK)
760	{
761	/*
762	* this is tricky
763	* if the symlink is to an absolute path
764	* name, just call trustfile on it; but
765	* if it's a relative path name, it's
766	* interpreted WRT the current working
767	* directory AND NOT THE FILE NAME!!!!!
768	* so, we simply put /../ at the end of
769	* the file name, then append the symlink
770	* contents; trustfile will canonicalize
771	* this, and the /../ we added "undoes"
772	* the name of the symlink to put us in
773	* the current working directory, at
774	* which point the symlink contents (appended
775	* to the CWD) are interpreted correctly.
776	* got it?
777	*/
778	char csym[MAXFILENAME]; /* contents of symlink file */
779	char full[MAXFILENAME]; /* "full" name of symlink */
780	register char b, t; /* used to copy stuff around */
781	register int lsym; /* num chars in symlink ref */
782	register int i; /* trustworthy or not? */
783	const char * t_const;
784	char *end;
785
786	/*
787	* get what the symbolic link points to
788	*
789	* The original code does not check the return code of readlink(),
790	* and has an off-by-one error
791	* (MAXFILENAME instead of MAXFILENAME-1)
792	* R.W. Tue May 29 22:05:16 CEST 2001
793	*/
794	lsym = readlink(fexp, csym, MAXFILENAME-1);
795	if (lsym >= 0)
796	csym[lsym] = '\0';
797	else
798	{
799	#ifdef TRUST_MAIN
800	fprintf(stderr, "---------------------------------------------\n");
801	fprintf(stderr, "trustfile: EBADNAME: readlink(%s) failed\n",
802	fexp);
803	fprintf(stderr, "---------------------------------------------\n");
804	#endif
805	SL_IRETURN(SL_EBADNAME, _("sl_trustfile"));
806	}
807
808	/*
809	* relative or absolute referent?
810	*/
811	if (csym[0] != '/')
812	{
813	/* pointer to one above last element
814	*/
815	end = &full[MAXFILENAME-1]; ++end;
816
817	/* initialize pointers
818	*/
819	b = full;
820
821	/* copy in base path
822	*/
823	t = fexp;
824	while(*t && b < end)
825	b++ = t++;
826
827	/* smack on the /../
828	*/
829	t_const = "/../";
830	while(*t && b < end)
831	b++ = t_const++;
832
833	/* append the symlink referent
834	*/
835	t = csym;
836	while(*t && b < end)
837	b++ = t++;
838
839	/* see if we're too big
840	*/
841	if (*t \|\| b == end)
842	{
843	/* yes -- error
844	*/
845	(void) strncpy(tf_path, fexp, sizeof(tf_path));
846	tf_path[sizeof(tf_path)-1] = '\0';
847	#ifdef TRUST_MAIN
848	fprintf(stderr, "---------------------------------------------\n");
849	fprintf(stderr,
850	"trustfile: ETRUNC: normalized path too long (%s)\n",
851	fexp);
852	fprintf(stderr, "---------------------------------------------\n");
853	#endif
854	SL_IRETURN(SL_ETRUNC, _("sl_trustfile"));
855	}
856	*b = '\0';
857	}
858	else
859	{
860	/* absolute -- just copy */
861	/* overflow can't occur as the arrays */
862	/* are the same size */
863	(void) strcpy(full, csym); /* known to fit */
864	}
865	/*
866	* now check out this file and its ancestors
867	*/
868	if ((i = sl_trustfile(full, okusers, badusers)) != SL_ENONE)
869	SL_IRETURN(i, _("sl_trustfile"));
870
871	/*
872	* okay, this part is valid ... let's check the rest
873	* put the / back
874	*/
875	if (p == fexp)
876	{
877	/* special case for root */
878	p[1] = c;
879	p++;
880	}
881	else
882	{
883	/* ordinary case for everything else */
884	*p = c;
885	if (*p)
886	p++;
887	}
888	continue;
889	}
890	#endif
891
892
893	#ifdef TRUST_DEBUG
894	fprintf(stderr, "\ntrustfile: checking path=%s\n", fexp);
895	#endif
896	/*
897	* if the owner is not trusted then -- as the owner can
898	* change protection modes -- he/she can write to the
899	* file regardless of permissions, so bomb
900	*/
901	if (((okusers != NULL && SL_FALSE == isin((uid_t)stbuf.st_uid,okusers))\|\|
902	(badusers != NULL && SL_TRUE == isin((uid_t)stbuf.st_uid,badusers))))
903	{
904	#ifdef TRUST_DEBUG
905	fprintf(stderr, "---------------------------------------------\n");
906	fprintf(stderr, "trustfile: EBADUID %s (owner not trusted)\n",
907	fexp);
908	fprintf(stderr, "The owner of this file/directory is not in samhains\n");
909	fprintf(stderr, "list of trusted users.\n");
910	fprintf(stderr, "Please run ./configure again with the option\n");
911	fprintf(stderr, " ./configure [more options] --with-trusted=0,...,UID\n");
912	fprintf(stderr, "where UID is the UID of the (yet) untrusted user.\n");
913	fprintf(stderr, "---------------------------------------------\n");
914	#endif
915	(void) strncpy(tf_path, fexp, sizeof(tf_path));
916	tf_path[sizeof(tf_path)-1] = '\0';
917
918	tf_baduid = (uid_t) stbuf.st_uid;
919	SL_IRETURN(SL_EBADUID, _("sl_trustfile"));
920	}
921
922	/*
923	* if a group member can write but the
924	* member is not trusted, bomb; but if
925	* sticky bit semantics are honored, it's
926	* okay
927	*/
928	/* Thu Mar 29 21:10:28 CEST 2001 Rainer Wichmann
929	* replace !isingrp() with onlytrustedingrp(), as isingrp()
930	* will return at the first trusted user, even if there are additional
931	* (untrusted) users in the group
932	*/
933	if (((stbuf.st_mode & S_IWGRP) == S_IWGRP) &&
934	((okusers != NULL && !onlytrustedingrp((gid_t)stbuf.st_gid,okusers))\|\|
935	(badusers != NULL && isingrp((gid_t)stbuf.st_gid, badusers)))
936	#ifdef STICKY
937	&& ((stbuf.st_mode&S_IFDIR) != S_IFDIR \|\|
938	(stbuf.st_mode&S_ISVTX) != S_ISVTX)
939	#endif
940	)
941	{
942	#ifdef TRUST_DEBUG
943	fprintf(stderr, "---------------------------------------------\n");
944	fprintf(stderr,
945	"trustfile: EBADGID %ld %s (group member not trusted)\n",
946	(UID_CAST)stbuf.st_gid, fexp);
947	fprintf(stderr, "This file/directory is group writeable, and one of the group members\n");
948	fprintf(stderr, "is not in samhains list of trusted users.\n");
949	fprintf(stderr, "Please run ./configure again with the option\n");
950	fprintf(stderr, " ./configure [more options] --with-trusted=0,...,UID\n");
951	fprintf(stderr, "where UID is the UID of the (yet) untrusted user.\n");
952	fprintf(stderr, "---------------------------------------------\n");
953	#endif
954	(void) strncpy(tf_path, fexp, sizeof(tf_path));
955	tf_path[sizeof(tf_path)-1] = '\0';
956
957	tf_badgid = (gid_t) stbuf.st_gid;
958	SL_IRETURN(SL_EBADGID, _("sl_trustfile"));
959	}
960	/*
961	* if other can write, bomb; but if the sticky
962	* bit semantics are honored, it's okay
963	*/
964	if (((stbuf.st_mode & S_IWOTH) == S_IWOTH)
965	#ifdef STICKY
966	&& ((stbuf.st_mode&S_IFDIR) != S_IFDIR \|\|
967	(stbuf.st_mode&S_ISVTX) != S_ISVTX)
968	#endif
969	)
970	{
971	#ifdef TRUST_DEBUG
972	fprintf(stderr, "---------------------------------------------\n");
973	fprintf(stderr, "trustfile: EBADOTH (world writeable): %s\n",
974	fexp);
975	fprintf(stderr, "This file/directory is world writeable.\n");
976	fprintf(stderr, "---------------------------------------------\n");
977	#endif
978	(void) strncpy(tf_path, fexp, sizeof(tf_path));
979	tf_path[sizeof(tf_path)-1] = '\0';
980
981	SL_IRETURN(SL_EBADOTH, _("sl_trustfile"));
982	}
983	/*
984	* put the / back
985	*/
986	if (p == fexp)
987	{
988	/* special case for root */
989	p[1] = c;
990	p++;
991	}
992	else
993	{
994	/* ordinary case for everything else */
995	*p = c;
996	if (*p)
997	p++;
998	}
999	}
1000	/*
1001	* yes, it can be trusted
1002	*/
1003	(void) strncpy(tf_path, fexp, sizeof(tf_path));
1004	tf_path[sizeof(tf_path)-1] = '\0';
1005
1006	SL_IRETURN(SL_ENONE, _("sl_trustfile"));
1007	}
1008
1009	#ifdef TRUST_MAIN
1010	int main (int argc, char * argv[])
1011	{
1012	int status;
1013	#if defined(SH_WITH_SERVER)
1014	struct passwd * pass;
1015	#endif
1016
1017	if (argc < 2) {
1018	fprintf(stderr, "%s: Usage: %s <fullpath>\n", argv[0], argv[0]);
1019	return 1;
1020	}
1021
1022	tf_path[0] = '\0';
1023	#if defined(SH_WITH_SERVER)
1024	pass = sh_getpwnam(SH_IDENT); /* TESTONLY */
1025	if (pass != NULL)
1026	tf_euid = pass->pw_uid;
1027	else
1028	{
1029	fprintf(stderr, "trustfile: ERROR: getpwnam(%s) failed\n",
1030	SH_IDENT);
1031	return 1;
1032	}
1033	#else
1034	tf_euid = geteuid();
1035	#endif
1036
1037	status = sl_trustfile(argv[1], NULL, NULL);
1038	if (status != SL_ENONE)
1039	{
1040	fprintf(stderr, "trustfile: ERROR: not a trusted path: %s\n",
1041	argv[1]);
1042	return 1;
1043	}
1044	return 0;
1045	}
1046	#endif
1047
1048
1049

Note: See TracBrowser for help on using the repository browser.

Download in other formats: