Changeset 347

Timestamp:

Jun 7, 2011, 9:41:30 PM (13 years ago)

Author:

katerina

Message:

Fix for ticket #255 (improve protection against 'intruder on server' scenario).

Location:

trunk

Files:

• configure.ac (modified) (1 diff)
• docs/Changelog (modified) (1 diff)
• include/sh_gpg.h (modified) (1 diff)
• src/sh_getopt.c (modified) (1 diff)
• src/sh_gpg.c (modified) (1 diff)
• src/sh_hash.c (modified) (3 diffs)
• src/sh_readconf.c (modified) (9 diffs)

trunk/configure.ac

@@ -788 +788 @@
         ],
         [AC_DEFINE(SH_WITH_MAIL)]
+)
+
+AC_ARG_ENABLE(shellexpand,
+        [  --disable-shellexpand                disable shell expansion in config file],
+        [
+        if test "x${enable_shellexpand}" = xno; then
+                :
+        else
+                AC_DEFINE(SH_EVAL_SHELL, [1], [Define if you want shell expansion in configuration file])
+        fi
+        ],
+        [AC_DEFINE(SH_EVAL_SHELL, [1], [Define if you want shell expansion in configuration file])]
 )
 

trunk/docs/Changelog

@@ +1 @@
+2.8.5:
+        * Better protection against the 'intruder on server' scenario
+          pointed out by xrx. Add option to disable shell expansion in
+          configuration files, and check gpg signature earlier.
+        * Support /opt/local/bin in the Unix entropy gatherer (suggestion
+          by Sean Chittenden)
+        * Cache timeserver response for one second (suggestion by
+          Sean Chittenden)
+
 2.8.4a:
         * Fix for compile error with --with-prelude 

trunk/include/sh_gpg.h

@@ -22 +22 @@
 #ifndef SH_GPG_H
 #define SH_GPG_H
+
+/* Top level function to verify file.
+ */
+SL_TICKET sh_gpg_extract_signed(SL_TICKET fd);
+
 /* this function exits if configuration file
  * and/or database cannot be verified; otherwise returns 0

trunk/src/sh_getopt.c

@@ -439 +439 @@
   printf (_("   -- Key fingerprint: %s"), SH_GPG_FP); ++num;
 #endif
+#endif
+
+#if defined(SH_SHELL_EVAL)
+  if (num > 0) fputc ('\n', stdout);
+  fputs (_(" shell expansion in configuration file supported"), stdout); ++num;
 #endif
 

trunk/src/sh_gpg.c

@@ -1202 +1202 @@
 }  
 
+#define FGETS_BUF 16384
+
+SL_TICKET sh_gpg_extract_signed(SL_TICKET fd)
+{
+  FILE * fin_cp = NULL;
+  char * buf    = NULL;
+  int    bufc;
+  int    flag_pgp    = S_FALSE;
+  int    flag_nohead = S_FALSE;
+  SL_TICKET fdTmp = (-1);
+  SL_TICKET open_tmp (void);
+
+  /* extract the data and copy to temporary file
+   */
+  fdTmp = open_tmp();
+
+  fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
+  buf = SH_ALLOC(FGETS_BUF);
+
+  while (NULL != fgets(buf, FGETS_BUF, fin_cp))
+    {
+      bufc = 0; 
+      while (bufc < FGETS_BUF) { 
+        if (buf[bufc] == '\n') { ++bufc; break; }
+        ++bufc;
+      }
+
+      if (flag_pgp == S_FALSE &&
+          (0 == sl_strcmp(buf, _("-----BEGIN PGP SIGNED MESSAGE-----\n"))||
+           0 == sl_strcmp(buf, _("-----BEGIN PGP MESSAGE-----\n")))
+          )
+        {
+          flag_pgp = S_TRUE;
+          sl_write(fdTmp, buf, bufc);
+          continue;
+        }
+      
+      if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
+        {
+          if (buf[0] == '\n')
+            {
+              flag_nohead = S_TRUE;
+              sl_write(fdTmp, buf, 1);
+              continue;
+            }
+          else if (0 == sl_strncmp(buf, _("Hash:"), 5) ||
+                   0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
+            {
+              sl_write(fdTmp, buf, bufc);
+              continue;
+            }
+          else
+            continue;
+        }
+    
+      if (flag_pgp == S_TRUE && buf[0] == '\n')
+        {
+          sl_write(fdTmp, buf, 1);
+        }
+      else if (flag_pgp == S_TRUE)
+        {
+          /* sl_write_line(fdTmp, buf, bufc); */
+          sl_write(fdTmp, buf, bufc);
+        }
+      
+      if (flag_pgp == S_TRUE && 
+          0 == sl_strcmp(buf, _("-----END PGP SIGNATURE-----\n")))
+        break;
+    }
+  SH_FREE(buf);
+  sl_fclose(FIL__, __LINE__, fin_cp); /* fin_cp = fdopen(dup(), "rb"); */
+  sl_rewind (fdTmp);
+
+  return fdTmp;
+}
+
 /* #ifdef WITH_GPG */
 #endif

trunk/src/sh_hash.c

@@ -1295 +1295 @@
 #if defined(WITH_GPG) || defined(WITH_PGP)
   extern int get_the_fd (SL_TICKET ticket);
-  FILE *   fin_cp = NULL;
-
-  char * buf  = NULL;
-  int    bufc;
+
   int    flag_pgp;
   int    flag_nohead;
   SL_TICKET fdTmp = (-1);
-  SL_TICKET open_tmp (void);
 #endif
   char hashbuf[KEYBUF_SIZE];
@@ -1405 +1401 @@
 
 #if defined(WITH_GPG) || defined(WITH_PGP)
-  /* new 1.4.8: also checked for server data */
 
   /* extract the data and copy to temporary file
    */
-  fdTmp = open_tmp();
-
-  fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
-  buf = SH_ALLOC(FGETS_BUF);
-
-  while (NULL != fgets(buf, FGETS_BUF, fin_cp))
-    {
-      bufc = 0; 
-      while (bufc < FGETS_BUF) { 
-        if (buf[bufc] == '\n') { ++bufc; break; }
-        ++bufc;
-      }
-
-      if (sig_termfast == 1)  /* SIGTERM */
-        {
-          TPT((0, FIL__, __LINE__, _("msg=<Terminate.>\n")));
-          --sig_raised; --sig_urgent;
-          retval = 1; exitval = EXIT_SUCCESS;
-          goto unlock_and_return;
-        }
-
-      if (flag_pgp == S_FALSE &&
-          (0 == sl_strcmp(buf, _("-----BEGIN PGP SIGNED MESSAGE-----\n"))||
-           0 == sl_strcmp(buf, _("-----BEGIN PGP MESSAGE-----\n")))
-          )
-        {
-          flag_pgp = S_TRUE;
-          sl_write(fdTmp, buf, bufc);
-          continue;
-        }
-      
-      if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
-        {
-          if (buf[0] == '\n')
-            {
-              flag_nohead = S_TRUE;
-              sl_write(fdTmp, buf, 1);
-              continue;
-            }
-          else if (0 == sl_strncmp(buf, _("Hash:"), 5) ||
-                   0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
-            {
-              sl_write(fdTmp, buf, bufc);
-              continue;
-            }
-          else
-            continue;
-        }
-    
-      if (flag_pgp == S_TRUE && buf[0] == '\n')
-        {
-          sl_write(fdTmp, buf, 1);
-        }
-      else if (flag_pgp == S_TRUE)
-        {
-          /* sl_write_line(fdTmp, buf, bufc); */
-          sl_write(fdTmp, buf, bufc);
-        }
-      
-      if (flag_pgp == S_TRUE && 
-          0 == sl_strcmp(buf, _("-----END PGP SIGNATURE-----\n")))
-        break;
-    }
-  SH_FREE(buf);
+  fdTmp = sh_gpg_extract_signed(fd);
+
+  if (sig_termfast == 1)  /* SIGTERM */
+    {
+      TPT((0, FIL__, __LINE__, _("msg=<Terminate.>\n")));
+      --sig_raised; --sig_urgent;
+      retval = 1; exitval = EXIT_SUCCESS;
+      goto unlock_and_return;
+    }
+
   sl_close(fd);
-  sl_fclose(FIL__, __LINE__, fin_cp); /* fin_cp = fdopen(dup(), "rb"); */
-
   fd = fdTmp;
-  sl_rewind (fd);
 
   /* Validate signature of open file.
@@ -1488 +1426 @@
   sl_rewind (fd);
 #endif
-  /* } new 1.4.8 check sig also for files downloaded from server */
 
   line = SH_ALLOC(MAX_PATH_STORE+2);

trunk/src/sh_readconf.c

@@ -136 +136 @@
 static char * sh_readconf_expand_value (const char * str)
 {
+#ifdef SH_EVAL_SHELL
   char * tmp = (char*)str;
   char * out;
@@ -152 +153 @@
         }
     }
+#endif
   return sh_util_strdup(str);
 }
@@ -161 +163 @@
   SH_RC_FILE       = 3,
   SH_RC_IFACE      = 4,
+#ifdef SH_EVAL_SHELL
   SH_RC_CMD        = 5
+#endif
 };
 
@@ -218 +222 @@
           p += 15; cond_type = SH_RC_SYSTEM;
         }
+#ifdef SH_EVAL_SHELL
       else if (0 == strncasecmp(p, _("command_succeeds "), 17))
         {
           p += 17; cond_type = SH_RC_CMD;
         }
+#endif
       else
         {
@@ -271 +277 @@
         match = negate;
       break;
+#ifdef SH_EVAL_SHELL
     case SH_RC_CMD:
       if (0 == sh_unix_run_command(p))
         match = negate;
       break;
+#endif
     default:
       match = 0;
@@ -337 +345 @@
 #if defined(SH_STEALTH) && !defined(SH_STEALTH_MICRO)
   SL_TICKET    fdTmp = -1;
-  SL_TICKET open_tmp (void);
+#endif
+#if defined(WITH_GPG) || defined(WITH_PGP)
+  SL_TICKET    fdGpg = -1;
 #endif
   char * tmp;
@@ -464 +474 @@
   sl_close(fd);
   fd = fdTmp;
+  sl_rewind (fd);
+#endif
+
+#if defined(WITH_GPG) || defined(WITH_PGP)
+
+  /* extract the data and copy to temporary file
+   */
+  fdGpg = sh_gpg_extract_signed(fd);
+
+  sl_close(fd);
+  fd = fdGpg;
+
+  /* Validate signature of open file.
+   */
+  if (0 != sh_gpg_check_sign (fd, 0, 1))
+    {
+      SH_FREE(line_in);
+      aud_exit (FIL__, __LINE__, EXIT_FAILURE);
+    }
   sl_rewind (fd);
 #endif
@@ -664 +693 @@
                      (long) conf_line);
 
-#if defined(WITH_GPG) || defined(WITH_PGP)
-  /* Validate signature of open file.
-   */
-  sl_rewind (fd);
-  if (0 != sh_gpg_check_sign (fd, 0, 1))
-    {
-      SH_FREE(line_in);
-      aud_exit (FIL__, __LINE__, EXIT_FAILURE);
-    }
-#endif
-
   sl_close (fd);
 
@@ -1358 +1376 @@
 
   /* Expand shell expressions. This return allocated memory which we must free.
+   * If !defined(SH_EVAL_SHELL), this will reduce to a strdup.
    */
   value = sh_readconf_expand_value(value);