diff options
Diffstat (limited to 'lib/util/secure_path.c')
-rw-r--r-- | lib/util/secure_path.c | 107 |
1 files changed, 86 insertions, 21 deletions
diff --git a/lib/util/secure_path.c b/lib/util/secure_path.c index 9f84de8e9..89d21deee 100644 --- a/lib/util/secure_path.c +++ b/lib/util/secure_path.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2012, 2014-2016 Todd C. Miller <Todd.Miller@sudo.ws> + * Copyright (c) 2012, 2014-2022 Todd C. Miller <Todd.Miller@sudo.ws> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -24,7 +24,9 @@ #include <config.h> #include <sys/stat.h> +#include <fcntl.h> #include <string.h> +#include <unistd.h> #include "sudo_compat.h" #include "sudo_util.h" @@ -34,47 +36,110 @@ * Verify that path is the right type and not writable by other users. */ static int -sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid, struct stat *sb) +sudo_check_secure(struct stat *sb, unsigned int type, uid_t uid, gid_t gid) +{ + int ret = SUDO_PATH_SECURE; + debug_decl(sudo_check_secure, SUDO_DEBUG_UTIL); + + if ((sb->st_mode & S_IFMT) != type) { + ret = SUDO_PATH_BAD_TYPE; + } else if (uid != (uid_t)-1 && sb->st_uid != uid) { + ret = SUDO_PATH_WRONG_OWNER; + } else if (sb->st_mode & S_IWOTH) { + ret = SUDO_PATH_WORLD_WRITABLE; + } else if (ISSET(sb->st_mode, S_IWGRP) && + (gid == (gid_t)-1 || sb->st_gid != gid)) { + ret = SUDO_PATH_GROUP_WRITABLE; + } + + debug_return_int(ret); +} + +/* + * Verify that path is the right type and not writable by other users. + */ +static int +sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid, + struct stat *sb) { - struct stat stat_buf; int ret = SUDO_PATH_MISSING; + struct stat stat_buf; debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL); if (sb == NULL) sb = &stat_buf; - if (path != NULL && stat(path, sb) == 0) { - if ((sb->st_mode & S_IFMT) != type) { - ret = SUDO_PATH_BAD_TYPE; - } else if (uid != (uid_t)-1 && sb->st_uid != uid) { - ret = SUDO_PATH_WRONG_OWNER; - } else if (sb->st_mode & S_IWOTH) { - ret = SUDO_PATH_WORLD_WRITABLE; - } else if (ISSET(sb->st_mode, S_IWGRP) && - (gid == (gid_t)-1 || sb->st_gid != gid)) { - ret = SUDO_PATH_GROUP_WRITABLE; - } else { - ret = SUDO_PATH_SECURE; - } - } + if (path != NULL && stat(path, sb) == 0) + ret = sudo_check_secure(sb, type, uid, gid); debug_return_int(ret); } /* * Verify that path is a regular file and not writable by other users. + * Not currently used. */ int -sudo_secure_file_v1(const char *path, uid_t uid, gid_t gid, struct stat *st) +sudo_secure_file_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb) { - return sudo_secure_path(path, S_IFREG, uid, gid, st); + return sudo_secure_path(path, S_IFREG, uid, gid, sb); } /* * Verify that path is a directory and not writable by other users. */ int -sudo_secure_dir_v1(const char *path, uid_t uid, gid_t gid, struct stat *st) +sudo_secure_dir_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb) +{ + return sudo_secure_path(path, S_IFDIR, uid, gid, sb); +} + +/* + * Open path read-only as long as it is not writable by other users. + * Returns an open file descriptor on success, else -1. + * Sets error to SUDO_PATH_SECURE on success, and a value < 0 on failure. + */ +static int +sudo_secure_open(const char *path, int type, uid_t uid, gid_t gid, + struct stat *sb, int *error) +{ + struct stat stat_buf; + int fd; + debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL); + + if (sb == NULL) + sb = &stat_buf; + + fd = open(path, O_RDONLY|O_NONBLOCK); + if (fd == -1 || fstat(fd, sb) != 0) { + if (fd != -1) + close(fd); + *error = SUDO_PATH_MISSING; + debug_return_int(-1); + } + + *error = sudo_check_secure(sb, type, uid, gid); + if (*error == SUDO_PATH_SECURE) { + (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + } else { + /* Not secure, caller can check error flag. */ + close(fd); + fd = -1; + } + + debug_return_int(fd); +} + +int +sudo_secure_open_file_v1(const char *path, uid_t uid, gid_t gid, + struct stat *sb, int *error) +{ + return sudo_secure_open(path, S_IFREG, uid, gid, sb, error); +} + +int +sudo_secure_open_dir_v1(const char *path, uid_t uid, gid_t gid, + struct stat *sb, int *error) { - return sudo_secure_path(path, S_IFDIR, uid, gid, st); + return sudo_secure_open(path, S_IFDIR, uid, gid, sb, error); } |