Context Navigation

source: trunk/src/trustfile.c@ 220

Last change on this file since 220 was 220, checked in by katerina, 16 years ago
Fix problem with standalone trustfile (ticket #147).
File size: 27.6 KB

Line
1	/* debug problems */
2	/* #define TRUST_DEBUG */
3
4	/* switch off full check */
5	/* #define TEST_ONLY */
6
7	/* standalone */
8	/* #define TRUST_MAIN */
9	/* $(CC) -DTRUST_MAIN -DSL_ALWAYS_TRUSTED=... */
10
11	/* LINTLIBRARY */
12	/*
13	* This is the file with all the library routines in it
14	*
15	* Author information:
16	* Matt Bishop
17	* Department of Computer Science
18	* University of California at Davis
19	* Davis, CA 95616-8562
20	* phone (916) 752-8060
21	* email bishop@cs.ucdavis.edu
22	*
23	* This code is placed in the public domain. I do ask that
24	* you keep my name associated with it, that you not represent
25	* it as written by you, and that you preserve these comments.
26	* This software is provided "as is" and without any guarantees
27	* of any sort.
28	*
29	* Compilation notes:
30	* * this does NOT use malloc(3), but fixed storage. this means we
31	* do lots of bounds checking, but it still is faster, and smaller,
32	* than forcing inclusion of malloc. All buffers etc. are of size
33	* MAXFILENAME (defined in trustfile.h); to get more room, recompile
34	* with this set larger.
35	* * if you support the following directory semantics, define STICKY;
36	* otherwise, undefine it
37	* "if a directory is both world-writeable AND has the sticky bit
38	* set, then ONLY the owner of an existing file may delete it"
39	* On some systems (eg, IRIX), you can delete the file under these
40	* conditions if the file is world writeable. Foor our purposes,
41	* this is irrelevant since if the file is world-writeable it is
42	* untrustworthy; either it can be replaced with another file (the
43	* IRIX version) or it can be altered (all versions).
44	* if this is true and STICKY is not set, the sticky bit is ignored
45	* and the directory will be flagged as untrustworthy, even when only
46	* a trusted user could delete the file
47	* * this uses a library call to get the name of the current working
48	* directory. Define the following to get the various versions:
49	* GETCWD for Solaris 2.x, SunOS 4.1.x, IRIX 5.x
50	* char getcwd(char buf, int bufsz);
51	* where buf is a buffer for the path name, and bufsz is
52	* the size of the buffer; if the size if too small, you
53	* get an error return (NULL)
54	* GETWD for Ultrix 4.4
55	* char getwd(char buf)
56	* where buf is a buffer for the path name, and it is
57	* assumed to be at lease as big as MAXPATHLEN.
58	* * IMPORTANT NOTE *
59	* Ultrix supports getcwd as well, but it uses popen to
60	* run the command "pwd" (according to the manual). This
61	* means it's vulnerable to a number of attacks if used
62	* in a privileged program. YOU DON'T WANT THIS.
63	* * the debugging flag DEBUG prints out each step of the file name
64	* checking, as well as info on symbolic links (if S_IFLNK defined),
65	* file name canonicalization, and user, group, and permission for
66	* each file or directory; this is useful if you want to be sure
67	* you're checking the right file
68	*
69	* Version information:
70	* 1.0 December 28, 1995 Matt Bishop
71	*
72	* 2.0 March 26, 2000 Rainer Wichmann -- adapted for slib.
73	*/
74
75	/* --- Why strcpy is safe here: ---- */
76
77	/* The input path is checked once, and then either shortened [in dirz()],
78	* or safely expanded (symlinks) with bound checking.
79	* I.e., the path length can never exceed (MAXFILENAME-1), while the path
80	* is always copied between buffers of length MAXFILENAME.
81	*/
82
83	#ifndef TRUST_MAIN
84	#include "config_xor.h"
85	#include "sh_calls.h"
86	#else
87	#define UID_CAST long
88	#define HAVE_GETPWENT
89	#define SH_MUTEX_LOCK(a) ((void)0)
90	#define SH_MUTEX_UNLOCK(a) ((void)0)
91	#endif
92
93	#include <stdio.h>
94	#include <stdlib.h>
95	#include <sys/types.h>
96	#include <sys/stat.h>
97	#include <grp.h>
98	#include <pwd.h>
99	#include <string.h>
100	#include <unistd.h>
101
102
103	#ifndef TRUST_MAIN
104
105	#include "slib.h"
106	#define SH_NEED_PWD_GRP 1
107	#include "sh_static.h"
108	#include "sh_pthread.h"
109
110	#else
111
112	#define sh_getgrgid getgrgid
113	#define sh_getgrgid_r getgrgid_r
114	#define sh_getpwnam getpwnam
115	#define sh_getpwnam_r getpwnam_r
116	#define sh_getpwuid getpwuid
117	#define sh_getpwuid_r getpwuid_r
118	#define sh_getpwent getpwent
119	#define sh_endpwent endpwent
120
121	#define TRUST_DEBUG
122	#define SL_FALSE 0
123	#define SL_TRUE 1
124	#define SL_ENTER(string)
125	#define SL_IRETURN(a, b) return a
126	#define retry_lstat(a,b,c,d) lstat(c,d)
127	#define _(string) string
128	#define N_(string) string
129	#define MAXFILENAME 4096
130	static int sl_errno = 0;
131	#define SL_ENONE 0
132	#define SL_ENULL -1024 /* Invalid use of NULL pointer. */
133	#define SL_ERANGE -1025 /* Argument out of range. */
134	#define SL_ETRUNC -1026 /* Result truncated. */
135	#define SL_EINTERNAL -1028 /* Internal error. */
136	#define SL_EBADFILE -1030 /* File access error. Check errno. */
137	#define SL_EBADNAME -1040 /* Invalid name. */
138	#define SL_ESTAT -1041 /* stat of file failed. Check errno. */
139	#define SL_EBADUID -1050 /* Owner not trustworthy. */
140	#define SL_EBADGID -1051 /* Group writeable and not trustworthy.*/
141	#define SL_EBADOTH -1052 /* World writeable. */
142
143	#endif
144
145
146	#if defined(__linux__) \|\| defined(__FreeBSD__)
147	#define STICKY
148	#endif
149
150	#undef FIL__
151	#define FIL__ _("trustfile.c")
152
153	/*
154	* the get current working directory function
155	* every version of UNIX seems to have its own
156	* idea of how to do this, so we group them by
157	* arguments ...
158	* all must return a pointer to the right name
159	*/
160
161
162	#ifndef TRUST_MAIN
163
164	#if defined(HAVE_GETCWD) && !defined(HAVE_BROKEN_GETCWD)
165	#define CURDIR(buf,nbuf) getcwd((buf), (nbuf))
166	#elif defined(HAVE_GETWD)
167	#define CURDIR(buf,nbuf) getwd((buf))
168	#endif
169
170	#else
171
172	#define CURDIR(buf,nbuf) getcwd((buf), (nbuf))
173
174	#endif
175
176
177
178	/*
179	* this checks to see if there are symbolic links
180	* assumes the link bit in the protection mask is called S_IFLNK
181	* (seems to be true on all UNIXes with them)
182	*/
183	#ifndef S_IFLNK
184	#define lstat stat
185	#endif
186
187
188	/*
189	* these are useful global variables
190	*
191	* first set: who you gonna trust, by default?
192	* if the user does not specify a trusted or untrusted set of users,
193	* all users are considered untrusted EXCEPT:
194	* UID 0 -- root as root can do anything on most UNIX systems, this
195	* seems reasonable
196	* tf_euid -- programmer-selectable UID
197	* if the caller specifies a specific UID by putting
198	* it in this variable, it will be trusted; this is
199	* typically used to trust the effective UID of the
200	* process (note: NOT the real UID, which will cause all
201	* sorts of problems!) By default, this is set to -1,
202	* so if it's not set, root is the only trusted user
203	*/
204
205	/* modified Tue Feb 22 10:36:44 NFT 2000 Rainer Wichmann */
206
207
208	#ifndef SL_ALWAYS_TRUSTED
209	#define SL_ALWAYS_TRUSTED 0
210	#endif
211	static uid_t test_rootonly[] = { SL_ALWAYS_TRUSTED };
212
213	#define tf_uid_neg ((uid_t)-1)
214
215	uid_t rootonly[] = { SL_ALWAYS_TRUSTED,
216	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg,
217	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg,
218	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg,
219	tf_uid_neg, tf_uid_neg, tf_uid_neg, tf_uid_neg };
220
221	uid_t tf_euid = tf_uid_neg;
222	int EUIDSLOT = sizeof(test_rootonly)/sizeof(uid_t);
223	int ORIG_EUIDSLOT = sizeof(test_rootonly)/sizeof(uid_t);
224
225	char tf_path[MAXFILENAME]; /* error path for trust function */
226	uid_t tf_baduid;
227	gid_t tf_badgid;
228
229	static
230	int dirz(char *path)
231	{
232	register char p = path;/ points to rest of path to clean up */
233	register char q; / temp pointer for skipping over stuff */
234
235	static char swp[MAXFILENAME];
236
237	SL_ENTER(_("dirz"));
238	/*
239	* standard error checking
240	*/
241	if (path == NULL)
242	SL_IRETURN(SL_ENULL, _("dirz"));
243	if (path[0] == '.')
244	SL_IRETURN(SL_EINTERNAL, _("dirz"));
245
246
247	/*
248	* loop over the path name until everything is checked
249	*/
250	while(*p)
251	{
252	/* skip
253	*/
254	if (*p != '/')
255	{
256	p++;
257	continue;
258	}
259
260	/* "/./" or "/."
261	*/
262	if (p[1] == '.' && (p[2] == '/' \|\| p[2] == '\0'))
263	{
264	/* yes -- delete "/."
265	*/
266	(void) strcpy(swp, &p[2]); /* known to fit */
267	(void) strcpy(p, swp); /* known to fit */
268
269	/* special case "/." as full path name
270	*/
271	if (p == path && *p == '\0')
272	{
273	*p++ = '/';
274	*p = '\0';
275	}
276	}
277
278	/* "//"
279	*/
280	else if (p[1] == '/')
281	{
282	/* yes -- skip
283	*/
284	for(q = &p[2]; *q == '/'; q++)
285	;
286	(void) strcpy(swp, q); /* known to fit */
287	(void) strcpy(&p[1], swp); /* known to fit */
288	}
289
290	/* "/../" or "/.."
291	*/
292	else if (p[1] == '.' && p[2] == '.' && (p[3] == '/' \|\| p[3] == '\0'))
293	{
294	/* yes -- if it's root, delete .. only
295	*/
296	if (p == path)
297	{
298	(void) strcpy(swp, &p[3]); /* known to fit */
299	(void) strcpy(p, swp); /* known to fit */
300	}
301	else
302	{
303	/* back up over previous component
304	*/
305	q = p - 1;
306	while(q != path && *q != '/')
307	q--;
308	/* now wipe it out
309	*/
310	(void) strcpy(swp, &p[3]); /* known to fit */
311	(void) strcpy(q, swp); /* known to fit */
312	p = q;
313	}
314	}
315	else
316	p++;
317	}
318	SL_IRETURN(SL_ENONE, _("dirz"));
319	}
320
321
322
323	/* not static to circumvent stupid gcc 4 bug */
324	int getfname(const char fname, char rbuf, int rsz)
325	{
326	#ifndef TRUST_MAIN
327	register int status;
328	#endif
329
330	SL_ENTER(_("getfname"));
331	/*
332	* do the initial checking
333	* NULL pointer
334	*/
335	if (fname == NULL \|\| rbuf == NULL)
336	SL_IRETURN(SL_ENULL, _("getfname"));
337	if (rsz <= 0)
338	SL_IRETURN(SL_ERANGE, _("getfname"));
339
340
341	/* already a full path name */
342	if (*fname == '/')
343	rbuf[0] = '\0';
344	else
345	{
346	if (CURDIR(rbuf, rsz) == NULL)
347	{
348	#ifdef TRUST_DEBUG
349	fprintf(stderr, "trustfile: getcwd failed\n");
350	#endif
351	SL_IRETURN(SL_EBADNAME, _("getfname"));
352	}
353	}
354
355	/*
356	* append the file name and reduce
357	*/
358	if (fname != NULL && *fname != '\0')
359	{
360	#ifndef TRUST_MAIN
361	status = sl_strlcat(rbuf, "/", rsz);
362	if (status == SL_ENONE)
363	status = sl_strlcat(rbuf, fname, rsz);
364	if (status != SL_ENONE)
365	SL_IRETURN(status, _("getfname"));
366	#else
367	strncat(rbuf, "/", rsz-strlen(rbuf)-1);
368	strncat(rbuf, fname, rsz-strlen(rbuf)-1);
369	rbuf[rsz-1] = '\0';
370	#endif
371	}
372	SL_IRETURN(dirz(rbuf), _("getfname"));
373	}
374
375	static
376	int isin(uid_t n, uid_t *list)
377	{
378	SL_ENTER(_("isin"));
379	if (list == NULL)
380	SL_IRETURN(SL_FALSE, _("isin"));
381
382	while(list != tf_uid_neg && list != n)
383	{
384	#ifdef TRUST_DEBUG
385	fprintf (stderr,
386	"trustfile: owner_uid=%ld, trusted uid=%ld, no match\n",
387	(UID_CAST) n, (UID_CAST) *list);
388	#endif
389	list++;
390	}
391
392	if (*list == tf_uid_neg)
393	{
394	#ifdef TRUST_DEBUG
395	fprintf (stderr,
396	"trustfile: owner_uid=%ld, no match with any trusted user --> ERROR\n",
397	(UID_CAST) n);
398	#endif
399	SL_IRETURN(SL_FALSE, _("isin"));
400	}
401
402	#ifdef TRUST_DEBUG
403	fprintf (stderr,
404	"trustfile: owner_uid=%ld, trusted_uid=%ld, match found --> OK\n",
405	(UID_CAST)n, (UID_CAST)*list);
406	#endif
407	SL_IRETURN(SL_TRUE, _("isin"));
408	}
409
410	/* comment added by R. Wichmann
411	* RETURN TRUE if ANYONE in ulist is group member
412	*/
413	/* not static to circumvent stupid gcc 4 bug */
414	int isingrp(gid_t grp, uid_t *ulist)
415	{
416	struct passwd w; / info about group member */
417	register uid_t u; / points to current ulist member */
418	register char *p; / points to current group member */
419	struct group g; / pointer to group information */
420
421	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
422	struct group gr;
423	char buffer[SH_GRBUF_SIZE];
424	struct passwd pwd;
425	char pbuffer[SH_PWBUF_SIZE];
426	#endif
427
428	SL_ENTER(_("isingrp"));
429
430	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
431	sh_getgrgid_r(grp, &gr, buffer, sizeof(buffer), &g);
432	#else
433	g = sh_getgrgid(grp);
434	#endif
435
436	if (g == NULL)
437	{
438	SL_IRETURN(SL_FALSE, _("isingrp") );
439	}
440	/*
441	if(g->gr_mem == NULL \|\| g->gr_mem[0] == NULL )
442	SL_IRETURN(SL_FALSE, _("isingrp") );
443	*/
444
445	/* this will return at the first match
446	*/
447	for(p = g->gr_mem; *p != NULL; p++)
448	{
449	for(u = ulist; *u != tf_uid_neg; u++)
450	{
451	/* map user name to UID and compare */
452	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
453	sh_getpwnam_r(*p, &pwd, pbuffer, sizeof(pbuffer), &w);
454	#else
455	w = sh_getpwnam(*p);
456	#endif
457
458	#ifdef TRUST_MAIN
459	if (w != NULL && *u == (uid_t)(w->pw_uid) )
460	SL_IRETURN(SL_TRUE, _("isingrp"));
461	#else
462	if (w != NULL && *u == (uid_t)(w->pw_uid) )
463	{
464	SL_IRETURN(SL_TRUE, _("isingrp"));
465	}
466	#endif
467	}
468	}
469	/* added by R. Wichmann Fri Mar 30 08:16:14 CEST 2001:
470	* a user can have a GID but no entry in /etc/group
471	*/
472	for(u = ulist; *u != tf_uid_neg; u++)
473	{
474	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWUID_R)
475	sh_getpwuid_r(*u, &pwd, pbuffer, sizeof(pbuffer), &w);
476	#else
477	w = sh_getpwuid(*u);
478	#endif
479	#ifdef TRUST_MAIN
480	if (w != NULL && grp == (gid_t)(w->pw_gid) )
481	SL_IRETURN(SL_TRUE, _("isingrp"));
482	#else
483	if (w != NULL && grp == (gid_t)(w->pw_gid) )
484	{
485	SL_IRETURN(SL_TRUE, _("isingrp"));
486	}
487	#endif
488	}
489
490	SL_IRETURN(SL_FALSE, _("isingrp"));
491	}
492
493	/* added by R. Wichmann Fri Mar 30 08:16:14 CEST 2001
494	* RETURN TRUE only if ALL group members are trusted
495	*/
496	/* not static to circumvent stupid gcc 4 bug */
497	int onlytrustedingrp(gid_t grp, uid_t *ulist)
498	{
499	struct passwd w; / info about group member */
500	register uid_t u; / points to current ulist member */
501	register char *p; / points to current group member */
502	struct group g; / pointer to group information */
503	register int flag = -1; /* group member found */
504
505	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
506	struct group gr;
507	char buffer[SH_GRBUF_SIZE];
508	struct passwd pw;
509	char pbuffer[SH_PWBUF_SIZE];
510	#endif
511
512	int retval = SL_FALSE;
513
514	SL_ENTER(_("onlytrustedingrp"));
515
516	#ifdef TRUST_DEBUG
517	fprintf(stderr, "trustfile: group writeable, group_gid: %ld\n",
518	(UID_CAST)grp);
519	#endif
520
521	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETGRGID_R)
522	sh_getgrgid_r(grp, &gr, buffer, sizeof(buffer), &g);
523	#else
524	g = sh_getgrgid(grp);
525	#endif
526
527	if (g == NULL)
528	{
529	#ifdef TRUST_DEBUG
530	fprintf(stderr,
531	"trustfile: group_gid: %ld, no such group --> ERROR\n",
532	(UID_CAST)grp);
533	#endif
534	SL_IRETURN(SL_FALSE, _("onlytrustedingrp") );
535	}
536
537	/* empty group -> no problem
538
539	if(g->gr_mem == NULL \|\| g->gr_mem[0] == NULL )
540	SL_IRETURN(SL_TRUE, _("onlytrustedingrp") );
541	*/
542
543	/* check for untrusted members of the group
544	*/
545	for(p = g->gr_mem; *p != NULL; p++)
546	{
547	flag = -1;
548	#ifdef TRUST_DEBUG
549	fprintf(stderr, "trustfile: group_member: %s\n", *p);
550	#endif
551	/* map user name to UID and compare
552	*/
553	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
554	sh_getpwnam_r(*p, &pw, pbuffer, sizeof(pbuffer), &w);
555	#else
556	w = sh_getpwnam(*p);
557	#endif
558
559	if (w == NULL) /* not a valid user, ignore */
560	{
561	flag = 0;
562	}
563	else /* check list of trusted users */
564	{
565	#ifdef TRUST_DEBUG
566	fprintf (stderr,
567	"trustfile: uid=%ld, checking whether it is trusted\n",
568	(UID_CAST)(w->pw_uid));
569	#endif
570	for(u = ulist; *u != tf_uid_neg; u++)
571	{
572	if (*u == (w->pw_uid) )
573	{
574	#ifdef TRUST_DEBUG
575	fprintf (stderr,
576	"trustfile: uid=%ld, trusted_uid=%ld, match found --> OK\n",
577	(UID_CAST)(w->pw_uid), (UID_CAST)*u);
578	#endif
579	flag = 0;
580	break;
581	}
582	else
583	{
584	#ifdef TRUST_DEBUG
585	fprintf (stderr,
586	"trustfile: uid=%ld, trusted_uid=%ld, no match\n",
587	(UID_CAST)(w->pw_uid), (UID_CAST)*u);
588	#endif
589	;
590	}
591	}
592	}
593	/* not found
594	*/
595	if (flag == -1)
596	{
597	#ifdef TRUST_DEBUG
598	fprintf (stderr,
599	"trustfile: user=%s (gid %ld), not a trusted user --> ERROR\n", *p, (UID_CAST)grp);
600	#endif
601	tf_baduid = w->pw_uid;
602	SL_IRETURN(SL_FALSE, _("onlytrustedingrp"));
603	}
604	}
605
606	#ifndef TEST_ONLY
607	#ifdef HAVE_GETPWENT
608	/* now check ALL users for their GID !!!
609	*/
610	SH_MUTEX_LOCK(mutex_pwent);
611
612	while (NULL != (w = sh_getpwent()))
613	{
614	if (grp == (gid_t)(w->pw_gid))
615	{
616	#ifdef TRUST_DEBUG
617	fprintf(stderr, "trustfile: checking group member %s, uid %ld\n",
618	w->pw_name, (UID_CAST)w->pw_uid);
619	#endif
620	/* is it a trusted user ?
621	*/
622	flag = -1;
623	for(u = ulist; *u != tf_uid_neg; u++)
624	{
625	if (*u == (uid_t)(w->pw_uid))
626	{
627	#ifdef TRUST_DEBUG
628	fprintf (stderr,
629	"trustfile: uid=%ld, trusted_uid=%ld, match found --> OK\n",
630	(UID_CAST)(w->pw_uid), (UID_CAST)(*u));
631	#endif
632	flag = 0;
633	break;
634	}
635	else
636	{
637	#ifdef TRUST_DEBUG
638	fprintf (stderr,
639	"trustfile: uid=%ld, trusted_uid=%ld, no match\n",
640	(UID_CAST)(w->pw_uid), (UID_CAST)*u);
641	#endif
642	;
643	}
644	}
645	/* not found */
646	if (flag == -1)
647	{
648	#ifdef TRUST_DEBUG
649	fprintf(stderr,"trustfile: group member %s not found in trusted users --> ERROR\n", w->pw_name);
650	#endif
651	tf_baduid = w->pw_uid;
652	retval = SL_FALSE;
653	goto out;
654	/* SL_IRETURN(SL_FALSE, _("onlytrustedingrp")); */
655	}
656	}
657	}
658	retval = SL_TRUE;
659
660	out:
661
662	#ifdef HAVE_ENDPWENT
663	sh_endpwent();
664	#endif
665
666	SH_MUTEX_UNLOCK(mutex_pwent);
667
668	/* TEST_ONLY */
669	#endif
670	/* #ifdef HAVE_GETPWENT */
671	#endif
672
673	#ifdef TRUST_DEBUG
674	if (retval == SL_TRUE)
675	fprintf(stderr,
676	"trustfile: group %ld: all members are trusted users --> OK\n",
677	(UID_CAST)grp);
678	#endif
679	/* all found
680	*/
681	SL_IRETURN(retval, _("onlytrustedingrp"));
682	}
683
684	int sl_trustfile(const char fname, uid_t okusers, uid_t *badusers)
685	{
686	char fexp[MAXFILENAME]; /* file name fully expanded */
687	register char p = fexp; / used to hold name to be checked */
688	struct stat stbuf; /* used to check file permissions */
689	char c; /* used to hold temp char */
690
691	SL_ENTER(_("sl_trustfile"));
692	if (fname == NULL)
693	SL_IRETURN(SL_EBADFILE, _("sl_trustfile"));
694
695	/*
696	* next expand to the full file name
697	* getfname sets sl_errno as appropriate
698	*/
699	#ifdef TRUST_MAIN
700	sl_errno = getfname(fname, fexp, MAXFILENAME);
701	if (sl_errno != 0)
702	return sl_errno;
703	#else
704	if (SL_ISERROR(getfname(fname, fexp, MAXFILENAME)))
705	SL_IRETURN(sl_errno, _("sl_trustfile"));
706	#endif
707
708	if (okusers == NULL && badusers == NULL)
709	{
710	okusers = rootonly;
711	rootonly[EUIDSLOT] = tf_euid;
712	}
713
714	/*
715	* now loop through the path a component at a time
716	* note we have to special-case root
717	*/
718	while(*p)
719	{
720	/*
721	* get next component
722	*/
723	while(p && p != '/')
724	p++;
725
726	/* save where you are
727	*/
728	if (p == fexp)
729	{
730	/* keep the / if it's the root dir
731	*/
732	c = p[1];
733	p[1] = '\0';
734	}
735	else
736	{
737	/* clobber the / if it isn't the root dir
738	*/
739	c = *p;
740	*p = '\0';
741	}
742
743	/*
744	* now get the information
745	*/
746	if (retry_lstat(FIL__, __LINE__, fexp, &stbuf) < 0)
747	{
748	(void) strncpy(tf_path, fexp, sizeof(tf_path));
749	tf_path[sizeof(tf_path)-1] = '\0';
750	#ifdef TRUST_MAIN
751	fprintf(stderr, "---------------------------------------------\n");
752	fprintf(stderr, "trustfile: ESTAT: stat(%s) failed,\n", fexp);
753	fprintf(stderr, "maybe the file does not exist\n");
754	fprintf(stderr, "---------------------------------------------\n");
755	#endif
756	SL_IRETURN(SL_ESTAT, _("sl_trustfile"));
757	}
758
759	#ifdef S_IFLNK
760	/*
761	* if it's a symbolic link, recurse
762	*/
763	if ((stbuf.st_mode & S_IFLNK) == S_IFLNK)
764	{
765	/*
766	* this is tricky
767	* if the symlink is to an absolute path
768	* name, just call trustfile on it; but
769	* if it's a relative path name, it's
770	* interpreted WRT the current working
771	* directory AND NOT THE FILE NAME!!!!!
772	* so, we simply put /../ at the end of
773	* the file name, then append the symlink
774	* contents; trustfile will canonicalize
775	* this, and the /../ we added "undoes"
776	* the name of the symlink to put us in
777	* the current working directory, at
778	* which point the symlink contents (appended
779	* to the CWD) are interpreted correctly.
780	* got it?
781	*/
782	char csym[MAXFILENAME]; /* contents of symlink file */
783	char full[MAXFILENAME]; /* "full" name of symlink */
784	register char b, t; /* used to copy stuff around */
785	register int lsym; /* num chars in symlink ref */
786	register int i; /* trustworthy or not? */
787	const char * t_const;
788	char *end;
789
790	/*
791	* get what the symbolic link points to
792	*
793	* The original code does not check the return code of readlink(),
794	* and has an off-by-one error
795	* (MAXFILENAME instead of MAXFILENAME-1)
796	* R.W. Tue May 29 22:05:16 CEST 2001
797	*/
798	lsym = readlink(fexp, csym, MAXFILENAME-1);
799	if (lsym >= 0)
800	csym[lsym] = '\0';
801	else
802	{
803	#ifdef TRUST_MAIN
804	fprintf(stderr, "---------------------------------------------\n");
805	fprintf(stderr, "trustfile: EBADNAME: readlink(%s) failed\n",
806	fexp);
807	fprintf(stderr, "---------------------------------------------\n");
808	#endif
809	SL_IRETURN(SL_EBADNAME, _("sl_trustfile"));
810	}
811
812	/*
813	* relative or absolute referent?
814	*/
815	if (csym[0] != '/')
816	{
817	/* pointer to one above last element
818	*/
819	end = &full[MAXFILENAME-1]; ++end;
820
821	/* initialize pointers
822	*/
823	b = full;
824
825	/* copy in base path
826	*/
827	t = fexp;
828	while(*t && b < end)
829	b++ = t++;
830
831	/* smack on the /../
832	*/
833	t_const = "/../"; t = (char *)t_const;
834	while(*t && b < end)
835	b++ = t++;
836
837	/* append the symlink referent
838	*/
839	t = csym;
840	while(*t && b < end)
841	b++ = t++;
842
843	/* see if we're too big
844	*/
845	if (*t \|\| b == end)
846	{
847	/* yes -- error
848	*/
849	(void) strncpy(tf_path, fexp, sizeof(tf_path));
850	tf_path[sizeof(tf_path)-1] = '\0';
851	#ifdef TRUST_MAIN
852	fprintf(stderr, "---------------------------------------------\n");
853	fprintf(stderr,
854	"trustfile: ETRUNC: normalized path too long (%s)\n",
855	fexp);
856	fprintf(stderr, "---------------------------------------------\n");
857	#endif
858	SL_IRETURN(SL_ETRUNC, _("sl_trustfile"));
859	}
860	*b = '\0';
861	}
862	else
863	{
864	/* absolute -- just copy */
865	/* overflow can't occur as the arrays */
866	/* are the same size */
867	(void) strcpy(full, csym); /* known to fit */
868	}
869	/*
870	* now check out this file and its ancestors
871	*/
872	if ((i = sl_trustfile(full, okusers, badusers)) != SL_ENONE)
873	SL_IRETURN(i, _("sl_trustfile"));
874
875	/*
876	* okay, this part is valid ... let's check the rest
877	* put the / back
878	*/
879	if (p == fexp)
880	{
881	/* special case for root */
882	p[1] = c;
883	p++;
884	}
885	else
886	{
887	/* ordinary case for everything else */
888	*p = c;
889	if (*p)
890	p++;
891	}
892	continue;
893	}
894	#endif
895
896
897	#ifdef TRUST_DEBUG
898	fprintf(stderr, "\ntrustfile: checking path=%s\n", fexp);
899	#endif
900	/*
901	* if the owner is not trusted then -- as the owner can
902	* change protection modes -- he/she can write to the
903	* file regardless of permissions, so bomb
904	*/
905	if (((okusers != NULL && SL_FALSE == isin((uid_t)stbuf.st_uid,okusers))\|\|
906	(badusers != NULL && SL_TRUE == isin((uid_t)stbuf.st_uid,badusers))))
907	{
908	#ifdef TRUST_DEBUG
909	fprintf(stderr, "---------------------------------------------\n");
910	fprintf(stderr, "trustfile: EBADUID %s (owner not trusted)\n",
911	fexp);
912	fprintf(stderr, "The owner of this file/directory is not in samhains\n");
913	fprintf(stderr, "list of trusted users.\n");
914	fprintf(stderr, "Please run ./configure again with the option\n");
915	fprintf(stderr, " ./configure [more options] --with-trusted=0,...,UID\n");
916	fprintf(stderr, "where UID is the UID of the (yet) untrusted user.\n");
917	fprintf(stderr, "---------------------------------------------\n");
918	#endif
919	(void) strncpy(tf_path, fexp, sizeof(tf_path));
920	tf_path[sizeof(tf_path)-1] = '\0';
921
922	tf_baduid = (uid_t) stbuf.st_uid;
923	SL_IRETURN(SL_EBADUID, _("sl_trustfile"));
924	}
925
926	/*
927	* if a group member can write but the
928	* member is not trusted, bomb; but if
929	* sticky bit semantics are honored, it's
930	* okay
931	*/
932	/* Thu Mar 29 21:10:28 CEST 2001 Rainer Wichmann
933	* replace !isingrp() with onlytrustedingrp(), as isingrp()
934	* will return at the first trusted user, even if there are additional
935	* (untrusted) users in the group
936	*/
937	if (((stbuf.st_mode & S_IWGRP) == S_IWGRP) &&
938	((okusers != NULL && !onlytrustedingrp((gid_t)stbuf.st_gid,okusers))\|\|
939	(badusers != NULL && isingrp((gid_t)stbuf.st_gid, badusers)))
940	#ifdef STICKY
941	&& ((stbuf.st_mode&S_IFDIR) != S_IFDIR \|\|
942	(stbuf.st_mode&S_ISVTX) != S_ISVTX)
943	#endif
944	)
945	{
946	#ifdef TRUST_DEBUG
947	fprintf(stderr, "---------------------------------------------\n");
948	fprintf(stderr,
949	"trustfile: EBADGID %ld %s (group member not trusted)\n",
950	(UID_CAST)stbuf.st_gid, fexp);
951	fprintf(stderr, "This file/directory is group writeable, and one of the group members\n");
952	fprintf(stderr, "is not in samhains list of trusted users.\n");
953	fprintf(stderr, "Please run ./configure again with the option\n");
954	fprintf(stderr, " ./configure [more options] --with-trusted=0,...,UID\n");
955	fprintf(stderr, "where UID is the UID of the (yet) untrusted user.\n");
956	fprintf(stderr, "---------------------------------------------\n");
957	#endif
958	(void) strncpy(tf_path, fexp, sizeof(tf_path));
959	tf_path[sizeof(tf_path)-1] = '\0';
960
961	tf_badgid = (gid_t) stbuf.st_gid;
962	SL_IRETURN(SL_EBADGID, _("sl_trustfile"));
963	}
964	/*
965	* if other can write, bomb; but if the sticky
966	* bit semantics are honored, it's okay
967	*/
968	if (((stbuf.st_mode & S_IWOTH) == S_IWOTH)
969	#ifdef STICKY
970	&& ((stbuf.st_mode&S_IFDIR) != S_IFDIR \|\|
971	(stbuf.st_mode&S_ISVTX) != S_ISVTX)
972	#endif
973	)
974	{
975	#ifdef TRUST_DEBUG
976	fprintf(stderr, "---------------------------------------------\n");
977	fprintf(stderr, "trustfile: EBADOTH (world writeable): %s\n",
978	fexp);
979	fprintf(stderr, "This file/directory is world writeable.\n");
980	fprintf(stderr, "---------------------------------------------\n");
981	#endif
982	(void) strncpy(tf_path, fexp, sizeof(tf_path));
983	tf_path[sizeof(tf_path)-1] = '\0';
984
985	SL_IRETURN(SL_EBADOTH, _("sl_trustfile"));
986	}
987	/*
988	* put the / back
989	*/
990	if (p == fexp)
991	{
992	/* special case for root */
993	p[1] = c;
994	p++;
995	}
996	else
997	{
998	/* ordinary case for everything else */
999	*p = c;
1000	if (*p)
1001	p++;
1002	}
1003	}
1004	/*
1005	* yes, it can be trusted
1006	*/
1007	(void) strncpy(tf_path, fexp, sizeof(tf_path));
1008	tf_path[sizeof(tf_path)-1] = '\0';
1009
1010	SL_IRETURN(SL_ENONE, _("sl_trustfile"));
1011	}
1012
1013	#ifdef TRUST_MAIN
1014
1015	#if defined(HOST_IS_CYGWIN) \|\| defined(__cygwin__) \|\| defined(__CYGWIN32__) \|\| defined(__CYGWIN__)
1016	int main()
1017	{
1018	return 0;
1019	}
1020	#else
1021	int main (int argc, char * argv[])
1022	{
1023	int status;
1024	#if defined(SH_WITH_SERVER)
1025	struct passwd * pass;
1026	#endif
1027
1028	if (argc < 2) {
1029	fprintf(stderr, "%s: Usage: %s <fullpath>\n", argv[0], argv[0]);
1030	return 1;
1031	}
1032
1033	tf_path[0] = '\0';
1034	#if defined(SH_WITH_SERVER)
1035	pass = sh_getpwnam(SH_IDENT); /* TESTONLY */
1036	if (pass != NULL)
1037	tf_euid = pass->pw_uid;
1038	else
1039	{
1040	fprintf(stderr, "trustfile: ERROR: getpwnam(%s) failed\n",
1041	SH_IDENT);
1042	return 1;
1043	}
1044	#else
1045	tf_euid = geteuid();
1046	#endif
1047
1048	status = sl_trustfile(argv[1], NULL, NULL);
1049	if (status != SL_ENONE)
1050	{
1051	fprintf(stderr, "trustfile: ERROR: not a trusted path: %s\n",
1052	argv[1]);
1053	return 1;
1054	}
1055	return 0;
1056	}
1057	#endif
1058	#endif
1059
1060
1061

Note: See TracBrowser for help on using the repository browser.

Download in other formats: