Changes in trunk/src/sh_suidchk.c [19:30]
- File:
-
- 1 edited
-
trunk/src/sh_suidchk.c (modified) (13 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/sh_suidchk.c
r19 r30 415 415 long sl_status = SL_ENONE; 416 416 struct stat fileInfo; 417 struct stat fileInfo_F; 418 int file_d; 417 419 418 420 file_type theFile; 419 421 char fileHash[2*(KEY_LEN + 1)]; 422 423 mode_t umask_old; 424 int cperm_status; 420 425 421 426 SL_ENTER(_("sh_suidchk_check_internal")); … … 519 524 */ 520 525 fs = filesystem_type (tmpcat, tmpcat, &buf); 521 if (fs != NULL && 526 if (fs != NULL 527 #ifndef SH_SUIDTESTDIR 528 && 529 0 != strncmp (_("afs"), fs, 3) && 530 0 != strncmp (_("devfs"), fs, 5) && 531 0 != strncmp (_("iso9660"), fs, 7) && 532 0 != strncmp (_("lustre"), fs, 6) && 533 0 != strncmp (_("mmfs"), fs, 4) && 534 0 != strncmp (_("msdos"), fs, 5) && 522 535 0 != strncmp (_("nfs"), fs, 3) && 536 0 != strncmp (_("nosuid"), fs, 6) && 523 537 0 != strncmp (_("proc"), fs, 4) && 524 0 != strncmp (_("iso9660"), fs, 7) && 525 0 != strncmp (_("vfat"), fs, 4) && 526 0 != strncmp (_("msdos"), fs, 5) && 527 0 != strncmp (_("devfs"), fs, 5) && 528 0 != strncmp (_("nosuid"), fs, 6) 538 0 != strncmp (_("vfat"), fs, 4) 539 #endif 529 540 ) 530 541 { … … 666 677 break; 667 678 case SH_Q_CHANGEPERM: 679 cperm_status = 0; 680 file_d = -1; 668 681 if (retry_lstat(FIL__, __LINE__, tmpcat, &fileInfo) == -1) 669 682 { … … 677 690 tmp ); 678 691 SH_FREE(msg); 692 cperm_status = -1; 679 693 } 680 else 694 695 if (cperm_status == 0) 681 696 { 682 697 if (0 != (caperr = sl_get_cap_qdel())) … … 686 701 sh_error_message (caperr), 687 702 _("sl_get_cap_qdel")); 703 cperm_status = -1; 688 704 } 689 690 if ((fileInfo.st_mode & S_ISUID) > 0) 691 fileInfo.st_mode -= S_ISUID; 692 if ((fileInfo.st_mode & S_ISGID) > 0) 693 fileInfo.st_mode -= S_ISGID; 694 if (chmod(tmpcat, fileInfo.st_mode) == -1) 705 } 706 707 if (cperm_status == 0) 708 { 709 file_d = aud_open (FIL__, __LINE__, SL_YESPRIV, 710 tmpcat, O_RDONLY, 0); 711 if (-1 == file_d) 712 { 713 status = errno; 714 msg = SH_ALLOC(SH_BUFSIZE); 715 (void) sl_snprintf(msg, SH_BUFSIZE, _("I/O error. errno = %ld"), status); 716 sh_error_handle (ShSuidchkSeverity, 717 FIL__, __LINE__, 718 status, 719 MSG_SUID_QREPORT, msg, 720 tmp ); 721 SH_FREE(msg); 722 cperm_status = -1; 723 } 724 } 725 726 if (cperm_status == 0) 727 { 728 if (retry_fstat(FIL__, __LINE__, file_d, &fileInfo_F) == -1) 729 { 730 status = errno; 731 msg = SH_ALLOC(SH_BUFSIZE); 732 (void) sl_snprintf(msg, SH_BUFSIZE, 733 _("I/O error. errno = %ld"), status); 734 sh_error_handle (ShSuidchkSeverity, 735 FIL__, __LINE__, 736 status, 737 MSG_SUID_QREPORT, msg, 738 tmp ); 739 SH_FREE(msg); 740 cperm_status = -1; 741 } 742 } 743 744 if (cperm_status == 0) 745 { 746 if (fileInfo_F.st_ino != fileInfo.st_ino || 747 fileInfo_F.st_dev != fileInfo.st_dev || 748 fileInfo_F.st_mode != fileInfo.st_mode) 749 { 750 status = errno; 751 msg = SH_ALLOC(SH_BUFSIZE); 752 (void) sl_snprintf(msg, SH_BUFSIZE, 753 _("Race detected. errno = %ld"), status); 754 sh_error_handle (ShSuidchkSeverity, 755 FIL__, __LINE__, 756 status, 757 MSG_SUID_QREPORT, msg, 758 tmp ); 759 SH_FREE(msg); 760 cperm_status = -1; 761 } 762 } 763 764 if ((fileInfo.st_mode & S_ISUID) > 0) 765 fileInfo.st_mode -= S_ISUID; 766 if ((fileInfo.st_mode & S_ISGID) > 0) 767 fileInfo.st_mode -= S_ISGID; 768 769 if (cperm_status == 0) 770 { 771 if (fchmod(file_d, fileInfo.st_mode) == -1) 695 772 { 696 773 status = errno; … … 713 790 tmp ); 714 791 } 715 if (0 != (caperr = sl_drop_cap_qdel())) 792 } 793 794 if (0 != (caperr = sl_drop_cap_qdel())) 795 { 796 sh_error_handle((-1), FIL__, __LINE__, 797 caperr, MSG_E_SUBGEN, 798 sh_error_message (caperr), 799 _("sl_drop_cap_qdel")); 800 } 801 802 if (file_d != -1) 803 { 804 do { 805 status = close (file_d); 806 } while (status == -1 && errno == EINTR); 807 808 if (-1 == status) 716 809 { 717 sh_error_handle((-1), FIL__, __LINE__, 718 caperr, MSG_E_SUBGEN, 719 sh_error_message (caperr), 720 _("sl_drop_cap_qdel")); 810 status = errno; 811 msg = SH_ALLOC(SH_BUFSIZE); 812 (void) sl_snprintf(msg, SH_BUFSIZE, 813 _("I/O error. errno = %ld"), status); 814 sh_error_handle (ShSuidchkSeverity, 815 FIL__, __LINE__, 816 status, 817 MSG_SUID_QREPORT, msg, 818 tmp ); 819 SH_FREE(msg); 820 cperm_status = -1; 721 821 } 722 822 } … … 725 825 dir = SH_ALLOC(PATH_MAX+1); 726 826 (void) sl_strlcpy (dir, DEFAULT_QDIR, PATH_MAX+1); 727 if ( access (dir, F_OK) != 0)827 if (retry_stat (FIL__, __LINE__, dir, &fileInfo) != 0) 728 828 { 729 829 status = errno; 730 830 msg = SH_ALLOC(SH_BUFSIZE); 731 (void) sl_snprintf(msg, SH_BUFSIZE, _("Problem quarantining file. File NOT quarantined. errno = %ld ( access)"), status);831 (void) sl_snprintf(msg, SH_BUFSIZE, _("Problem quarantining file. File NOT quarantined. errno = %ld (stat)"), status); 732 832 sh_error_handle (ShSuidchkSeverity, 733 833 FIL__, __LINE__, … … 815 915 DEFAULT_QDIR, 816 916 basename(theFile.fullpath)); 917 /* 918 * avoid chmod by setting umask 919 */ 920 umask_old = umask (0077); 817 921 filePtr = fopen (filetmp, "w+"); 818 922 /*@-usedef@*/ … … 828 932 } 829 933 /*@+usedef@*/ 934 umask (umask_old); 830 935 831 936 sh_error_handle (ShSuidchkSeverity, … … 834 939 _("Quarantine method applied"), 835 940 tmp ); 836 if (chmod(filetmp, S_IRUSR | S_IWUSR) == -1)837 {838 status = errno;839 msg = SH_ALLOC(SH_BUFSIZE);840 (void) sl_snprintf(msg, SH_BUFSIZE, _("Problem setting permissions on quarantined file. errno = %ld"), status);841 sh_error_handle (ShSuidchkSeverity,842 FIL__,__LINE__,843 status, MSG_SUID_QREPORT,844 msg, tmp );845 SH_FREE(msg);846 }847 941 } 848 942 SH_FREE(filetmp); … … 976 1070 FileLimTotal = 0; 977 1071 1072 #ifdef SH_SUIDTESTDIR 1073 status = sh_suidchk_check_internal (SH_SUIDTESTDIR); 1074 #else 978 1075 status = sh_suidchk_check_internal ("/"); 1076 #endif 979 1077 980 1078 sh_error_handle ((-1), FIL__, __LINE__, EINVAL, MSG_SUID_SUMMARY, … … 1169 1267 long val; 1170 1268 int ret = 0; 1269 struct stat buf; 1171 1270 1172 1271 SL_ENTER(_("sh_suidchk_set_qmethod")); … … 1190 1289 break; 1191 1290 case SH_Q_MOVE: 1192 if ( access (DEFAULT_QDIR, F_OK) != 0)1291 if (retry_stat (FIL__, __LINE__, DEFAULT_QDIR, &buf) != 0) 1193 1292 { 1194 1293 if (mkdir (DEFAULT_QDIR, 0750) == -1)
Note:
See TracChangeset
for help on using the changeset viewer.
