Changeset 347


Ignore:
Timestamp:
Jun 7, 2011, 9:41:30 PM (14 years ago)
Author:
katerina
Message:

Fix for ticket #255 (improve protection against 'intruder on server' scenario).

Location:
trunk
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • trunk/configure.ac

    r346 r347  
    788788        ],
    789789        [AC_DEFINE(SH_WITH_MAIL)]
     790)
     791
     792AC_ARG_ENABLE(shellexpand,
     793        [  --disable-shellexpand                disable shell expansion in config file],
     794        [
     795        if test "x${enable_shellexpand}" = xno; then
     796                :
     797        else
     798                AC_DEFINE(SH_EVAL_SHELL, [1], [Define if you want shell expansion in configuration file])
     799        fi
     800        ],
     801        [AC_DEFINE(SH_EVAL_SHELL, [1], [Define if you want shell expansion in configuration file])]
    790802)
    791803
  • trunk/docs/Changelog

    r342 r347  
     12.8.5:
     2        * Better protection against the 'intruder on server' scenario
     3          pointed out by xrx. Add option to disable shell expansion in
     4          configuration files, and check gpg signature earlier.
     5        * Support /opt/local/bin in the Unix entropy gatherer (suggestion
     6          by Sean Chittenden)
     7        * Cache timeserver response for one second (suggestion by
     8          Sean Chittenden)
     9
    1102.8.4a:
    211        * Fix for compile error with --with-prelude
  • trunk/include/sh_gpg.h

    r170 r347  
    2222#ifndef SH_GPG_H
    2323#define SH_GPG_H
     24
     25/* Top level function to verify file.
     26 */
     27SL_TICKET sh_gpg_extract_signed(SL_TICKET fd);
     28
    2429/* this function exits if configuration file
    2530 * and/or database cannot be verified; otherwise returns 0
  • trunk/src/sh_getopt.c

    r295 r347  
    439439  printf (_("   -- Key fingerprint: %s"), SH_GPG_FP); ++num;
    440440#endif
     441#endif
     442
     443#if defined(SH_SHELL_EVAL)
     444  if (num > 0) fputc ('\n', stdout);
     445  fputs (_(" shell expansion in configuration file supported"), stdout); ++num;
    441446#endif
    442447
  • trunk/src/sh_gpg.c

    r252 r347  
    12021202
    12031203
     1204#define FGETS_BUF 16384
     1205
     1206SL_TICKET sh_gpg_extract_signed(SL_TICKET fd)
     1207{
     1208  FILE * fin_cp = NULL;
     1209  char * buf    = NULL;
     1210  int    bufc;
     1211  int    flag_pgp    = S_FALSE;
     1212  int    flag_nohead = S_FALSE;
     1213  SL_TICKET fdTmp = (-1);
     1214  SL_TICKET open_tmp (void);
     1215
     1216  /* extract the data and copy to temporary file
     1217   */
     1218  fdTmp = open_tmp();
     1219
     1220  fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
     1221  buf = SH_ALLOC(FGETS_BUF);
     1222
     1223  while (NULL != fgets(buf, FGETS_BUF, fin_cp))
     1224    {
     1225      bufc = 0;
     1226      while (bufc < FGETS_BUF) {
     1227        if (buf[bufc] == '\n') { ++bufc; break; }
     1228        ++bufc;
     1229      }
     1230
     1231      if (flag_pgp == S_FALSE &&
     1232          (0 == sl_strcmp(buf, _("-----BEGIN PGP SIGNED MESSAGE-----\n"))||
     1233           0 == sl_strcmp(buf, _("-----BEGIN PGP MESSAGE-----\n")))
     1234          )
     1235        {
     1236          flag_pgp = S_TRUE;
     1237          sl_write(fdTmp, buf, bufc);
     1238          continue;
     1239        }
     1240     
     1241      if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
     1242        {
     1243          if (buf[0] == '\n')
     1244            {
     1245              flag_nohead = S_TRUE;
     1246              sl_write(fdTmp, buf, 1);
     1247              continue;
     1248            }
     1249          else if (0 == sl_strncmp(buf, _("Hash:"), 5) ||
     1250                   0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
     1251            {
     1252              sl_write(fdTmp, buf, bufc);
     1253              continue;
     1254            }
     1255          else
     1256            continue;
     1257        }
     1258   
     1259      if (flag_pgp == S_TRUE && buf[0] == '\n')
     1260        {
     1261          sl_write(fdTmp, buf, 1);
     1262        }
     1263      else if (flag_pgp == S_TRUE)
     1264        {
     1265          /* sl_write_line(fdTmp, buf, bufc); */
     1266          sl_write(fdTmp, buf, bufc);
     1267        }
     1268     
     1269      if (flag_pgp == S_TRUE &&
     1270          0 == sl_strcmp(buf, _("-----END PGP SIGNATURE-----\n")))
     1271        break;
     1272    }
     1273  SH_FREE(buf);
     1274  sl_fclose(FIL__, __LINE__, fin_cp); /* fin_cp = fdopen(dup(), "rb"); */
     1275  sl_rewind (fdTmp);
     1276
     1277  return fdTmp;
     1278}
     1279
    12041280/* #ifdef WITH_GPG */
    12051281#endif
  • trunk/src/sh_hash.c

    r320 r347  
    12951295#if defined(WITH_GPG) || defined(WITH_PGP)
    12961296  extern int get_the_fd (SL_TICKET ticket);
    1297   FILE *   fin_cp = NULL;
    1298 
    1299   char * buf  = NULL;
    1300   int    bufc;
     1297
    13011298  int    flag_pgp;
    13021299  int    flag_nohead;
    13031300  SL_TICKET fdTmp = (-1);
    1304   SL_TICKET open_tmp (void);
    13051301#endif
    13061302  char hashbuf[KEYBUF_SIZE];
     
    14051401
    14061402#if defined(WITH_GPG) || defined(WITH_PGP)
    1407   /* new 1.4.8: also checked for server data */
    14081403
    14091404  /* extract the data and copy to temporary file
    14101405   */
    1411   fdTmp = open_tmp();
    1412 
    1413   fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
    1414   buf = SH_ALLOC(FGETS_BUF);
    1415 
    1416   while (NULL != fgets(buf, FGETS_BUF, fin_cp))
    1417     {
    1418       bufc = 0;
    1419       while (bufc < FGETS_BUF) {
    1420         if (buf[bufc] == '\n') { ++bufc; break; }
    1421         ++bufc;
    1422       }
    1423 
    1424       if (sig_termfast == 1)  /* SIGTERM */
    1425         {
    1426           TPT((0, FIL__, __LINE__, _("msg=<Terminate.>\n")));
    1427           --sig_raised; --sig_urgent;
    1428           retval = 1; exitval = EXIT_SUCCESS;
    1429           goto unlock_and_return;
    1430         }
    1431 
    1432       if (flag_pgp == S_FALSE &&
    1433           (0 == sl_strcmp(buf, _("-----BEGIN PGP SIGNED MESSAGE-----\n"))||
    1434            0 == sl_strcmp(buf, _("-----BEGIN PGP MESSAGE-----\n")))
    1435           )
    1436         {
    1437           flag_pgp = S_TRUE;
    1438           sl_write(fdTmp, buf, bufc);
    1439           continue;
    1440         }
    1441      
    1442       if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
    1443         {
    1444           if (buf[0] == '\n')
    1445             {
    1446               flag_nohead = S_TRUE;
    1447               sl_write(fdTmp, buf, 1);
    1448               continue;
    1449             }
    1450           else if (0 == sl_strncmp(buf, _("Hash:"), 5) ||
    1451                    0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
    1452             {
    1453               sl_write(fdTmp, buf, bufc);
    1454               continue;
    1455             }
    1456           else
    1457             continue;
    1458         }
    1459    
    1460       if (flag_pgp == S_TRUE && buf[0] == '\n')
    1461         {
    1462           sl_write(fdTmp, buf, 1);
    1463         }
    1464       else if (flag_pgp == S_TRUE)
    1465         {
    1466           /* sl_write_line(fdTmp, buf, bufc); */
    1467           sl_write(fdTmp, buf, bufc);
    1468         }
    1469      
    1470       if (flag_pgp == S_TRUE &&
    1471           0 == sl_strcmp(buf, _("-----END PGP SIGNATURE-----\n")))
    1472         break;
    1473     }
    1474   SH_FREE(buf);
     1406  fdTmp = sh_gpg_extract_signed(fd);
     1407
     1408  if (sig_termfast == 1)  /* SIGTERM */
     1409    {
     1410      TPT((0, FIL__, __LINE__, _("msg=<Terminate.>\n")));
     1411      --sig_raised; --sig_urgent;
     1412      retval = 1; exitval = EXIT_SUCCESS;
     1413      goto unlock_and_return;
     1414    }
     1415
    14751416  sl_close(fd);
    1476   sl_fclose(FIL__, __LINE__, fin_cp); /* fin_cp = fdopen(dup(), "rb"); */
    1477 
    14781417  fd = fdTmp;
    1479   sl_rewind (fd);
    14801418
    14811419  /* Validate signature of open file.
     
    14881426  sl_rewind (fd);
    14891427#endif
    1490   /* } new 1.4.8 check sig also for files downloaded from server */
    14911428
    14921429  line = SH_ALLOC(MAX_PATH_STORE+2);
  • trunk/src/sh_readconf.c

    r315 r347  
    136136static char * sh_readconf_expand_value (const char * str)
    137137{
     138#ifdef SH_EVAL_SHELL
    138139  char * tmp = (char*)str;
    139140  char * out;
     
    152153        }
    153154    }
     155#endif
    154156  return sh_util_strdup(str);
    155157}
     
    161163  SH_RC_FILE       = 3,
    162164  SH_RC_IFACE      = 4,
     165#ifdef SH_EVAL_SHELL
    163166  SH_RC_CMD        = 5
     167#endif
    164168};
    165169
     
    218222          p += 15; cond_type = SH_RC_SYSTEM;
    219223        }
     224#ifdef SH_EVAL_SHELL
    220225      else if (0 == strncasecmp(p, _("command_succeeds "), 17))
    221226        {
    222227          p += 17; cond_type = SH_RC_CMD;
    223228        }
     229#endif
    224230      else
    225231        {
     
    271277        match = negate;
    272278      break;
     279#ifdef SH_EVAL_SHELL
    273280    case SH_RC_CMD:
    274281      if (0 == sh_unix_run_command(p))
    275282        match = negate;
    276283      break;
     284#endif
    277285    default:
    278286      match = 0;
     
    337345#if defined(SH_STEALTH) && !defined(SH_STEALTH_MICRO)
    338346  SL_TICKET    fdTmp = -1;
    339   SL_TICKET open_tmp (void);
     347#endif
     348#if defined(WITH_GPG) || defined(WITH_PGP)
     349  SL_TICKET    fdGpg = -1;
    340350#endif
    341351  char * tmp;
     
    464474  sl_close(fd);
    465475  fd = fdTmp;
     476  sl_rewind (fd);
     477#endif
     478
     479#if defined(WITH_GPG) || defined(WITH_PGP)
     480
     481  /* extract the data and copy to temporary file
     482   */
     483  fdGpg = sh_gpg_extract_signed(fd);
     484
     485  sl_close(fd);
     486  fd = fdGpg;
     487
     488  /* Validate signature of open file.
     489   */
     490  if (0 != sh_gpg_check_sign (fd, 0, 1))
     491    {
     492      SH_FREE(line_in);
     493      aud_exit (FIL__, __LINE__, EXIT_FAILURE);
     494    }
    466495  sl_rewind (fd);
    467496#endif
     
    664693                     (long) conf_line);
    665694
    666 #if defined(WITH_GPG) || defined(WITH_PGP)
    667   /* Validate signature of open file.
    668    */
    669   sl_rewind (fd);
    670   if (0 != sh_gpg_check_sign (fd, 0, 1))
    671     {
    672       SH_FREE(line_in);
    673       aud_exit (FIL__, __LINE__, EXIT_FAILURE);
    674     }
    675 #endif
    676 
    677695  sl_close (fd);
    678696
     
    13581376
    13591377  /* Expand shell expressions. This return allocated memory which we must free.
     1378   * If !defined(SH_EVAL_SHELL), this will reduce to a strdup.
    13601379   */
    13611380  value = sh_readconf_expand_value(value);
Note: See TracChangeset for help on using the changeset viewer.