3 * $Id: checkpath.c,v 1.6 2004/04/08 01:36:22 mdw Exp $
5 * Check a path for safety
7 * (c) 1999 Mark Wooding
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of chkpath.
14 * chkpath is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * chkpath is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with chkpath; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Header files ------------------------------------------------------*/
37 #include <sys/types.h>
44 #include <mLib/alloc.h>
45 #include <mLib/dstr.h>
47 #include "checkpath.h"
49 /*----- Data structures ---------------------------------------------------*/
51 /* --- An item in the directory list --- *
53 * Each directory becomes an element on a list which is manipulated in a
58 struct elt
*e_link
; /* Pointer to the next one along */
59 size_t e_offset
; /* Offset of name in path string */
60 unsigned e_flags
; /* Various useful flags */
61 char e_name
[1]; /* Name of the directory */
64 #define f_sticky 1u /* Directory has sticky bit set */
66 #define f_last 1u /* This is the final item to check */
68 /*----- Static variables --------------------------------------------------*/
70 static struct elt rootnode
= { 0, 0, 0 }; /* Root of the list */
71 static struct elt
*sp
; /* Stack pointer for list */
72 static dstr d
= DSTR_INIT
; /* Current path string */
74 /*----- Main code ---------------------------------------------------------*/
76 /* --- @splitpath@ --- *
78 * Arguments: @const char *path@ = path string to break apart
79 * @struct elt *tail@ = tail block to attach to end of list
81 * Returns: Pointer to the new list head.
83 * Use: Breaks a path string into directories and adds each one
84 * as a node on the list, in the right order. These can then
85 * be pushed onto the directory stack as required.
88 static struct elt
*splitpath(const char *path
, struct elt
*tail
)
90 struct elt
*head
, **ee
= &head
, *e
;
95 /* --- Either a leading `/', or a doubled one --- *
97 * Either way, ignore it.
105 /* --- Skip to the next directory separator --- *
107 * Build a list element for it, and link it on.
110 n
= strcspn(path
, "/");
111 e
= xmalloc(sizeof(struct elt
) + n
+ 1);
112 memcpy(e
->e_name
, path
, n
);
132 * Use: Removes the top item from the directory stack.
135 static void pop(void)
138 struct elt
*e
= sp
->e_link
;
139 d
.len
= sp
->e_offset
;
145 /* --- @popall@ --- *
151 * Use: Removes all the items from the directory stack.
154 static void popall(void)
162 * Arguments: @struct elt *e@ = pointer to directory element
166 * Use: Pushes a new subdirectory onto the stack.
169 static void push(struct elt
*e
)
174 DPUTS(&d
, e
->e_name
);
178 /* --- @report@ --- *
180 * Arguments: @const struct checkpath *cp@ = pointer to context
181 * @unsigned what@ = what sort of report is this?
182 * @int verbose@ = how verbose is this?
183 * @const char *p@ = what path does it refer to?
184 * @const char *msg@ = the message to give to the user
188 * Use: Formats and presents messages to the client.
191 static void report(const struct checkpath
*cp
, unsigned what
, int verbose
,
192 const char *p
, const char *msg
, ...)
194 /* --- Decide whether to bin this message --- */
196 if (!cp
->cp_report
|| verbose
> cp
->cp_verbose
|| !(cp
->cp_what
& what
))
199 /* --- Format the message nicely --- */
201 if (cp
->cp_what
& CP_REPORT
) {
212 dstr_putf(&d
, "Path: %s: ", p
);
218 dstr_puts(&d
, strerror(e
));
221 uid_t u
= (uid_t
)va_arg(ap
, int);
222 struct passwd
*pw
= getpwuid(u
);
224 dstr_putf(&d
, "`%s'", pw
->pw_name
);
226 dstr_putf(&d
, "%i", (int)u
);
229 gid_t g
= (gid_t
)va_arg(ap
, int);
230 struct group
*gr
= getgrgid(g
);
232 dstr_putf(&d
, "`%s'", gr
->gr_name
);
234 dstr_putf(&d
, "%i", (int)g
);
237 const char *s
= va_arg(ap
, const char *);
258 cp
->cp_report(what
, verbose
, p
, d
.buf
, cp
->cp_arg
);
262 cp
->cp_report(what
, verbose
, p
, 0, cp
->cp_arg
);
265 /* --- @sanity@ --- *
267 * Arguments: @const char *p@ = name of directory to check
268 * @struct stat *st@ = pointer to @stat@(2) block for it
269 * @const struct checkpath *cp@ = pointer to caller parameters
270 * @unsigned f@ = various flags
272 * Returns: Zero if everything's OK, else bitmask of problems.
274 * Use: Performs the main load of sanity-checking on a directory.
277 static unsigned sanity(const char *p
, struct stat
*st
,
278 const struct checkpath
*cp
, unsigned f
)
283 if (S_ISDIR(st
->st_mode
) &&
284 (!(f
& f_last
) || (cp
->cp_what
& CP_STICKYOK
)))
287 /* --- Check for world-writability --- */
289 if ((cp
->cp_what
& CP_WRWORLD
) &&
290 (st
->st_mode
& (0002 | stickyok
)) == 0002) {
292 report(cp
, CP_WRWORLD
, 1, p
, "** world writable **");
295 /* --- Check for group-writability --- */
297 if ((cp
->cp_what
& (CP_WRGRP
| CP_WROTHGRP
)) &&
298 (st
->st_mode
& (0020 | stickyok
)) == 0020) {
300 unsigned b
= CP_WRGRP
;
302 if (cp
->cp_what
& CP_WROTHGRP
) {
304 for (i
= 0; i
< cp
->cp_gids
; i
++) {
305 if (st
->st_gid
== cp
->cp_gid
[i
])
306 b
= cp
->cp_what
& CP_WRGRP
;
311 report(cp
, b
, 1, p
, "writable by %sgroup %g",
312 (b
== CP_WROTHGRP
) ?
"other " : "", st
->st_gid
);
316 /* --- Check for user-writability --- */
318 if ((cp
->cp_what
& CP_WROTHUSR
) &&
319 st
->st_uid
!= cp
->cp_uid
&&
322 report(cp
, CP_WROTHUSR
, 1, p
, "owner is user %u", st
->st_uid
);
325 /* --- Done sanity check --- */
330 /* --- @checkpath@ --- *
332 * Arguments: @const char *p@ = directory name which needs checking
333 * @const struct checkpath *cp@ = parameters for the check
335 * Returns: Zero if all is well, otherwise bitmask of problems.
337 * Use: Scrutinises a directory path to see what evil things other
338 * users could do to it.
341 unsigned checkpath(const char *p
, const struct checkpath
*cp
)
348 /* --- Initialize stack pointer and path string --- */
353 /* --- Try to find the current directory --- */
355 if (!getcwd(cwd
, sizeof(cwd
))) {
356 report(cp
, CP_ERROR
, 0, 0, "can't find current directory: %e");
360 /* --- Check that the root directory is OK --- */
362 if (stat("/", &st
)) {
363 report(cp
, CP_ERROR
, 0, 0, "can't stat root directory: %e");
367 report(cp
, CP_REPORT
, 3, p
, "begin scan");
368 bad
|= sanity("/", &st
, cp
, 0);
370 /* --- Get the initial list of things to process --- */
372 ee
= splitpath(p
, 0);
374 ee
= splitpath(cwd
, ee
);
376 /* --- While there are list items which still need doing --- */
381 /* --- Strip off simple `.' elements --- */
383 if (strcmp(ee
->e_name
, ".") == 0) {
389 /* --- Backtrack on `..' elements --- */
391 else if (strcmp(ee
->e_name
, "..") == 0) {
398 /* --- Everything else gets pushed on the end --- */
403 /* --- Find out what sort of a thing this is --- */
405 if (lstat(d
.buf
, &st
)) {
406 report(cp
, CP_ERROR
, 0, d
.buf
, "can't stat: %e");
411 /* --- Handle symbolic links specially --- */
413 if (S_ISLNK(st
.st_mode
)) {
414 dstr buf
= DSTR_INIT
;
417 /* --- Resolve the link --- */
419 dstr_ensure(&buf
, st
.st_size
+ 1);
420 if ((i
= readlink(d
.buf
, buf
.buf
, buf
.sz
)) < 0) {
421 report(cp
, CP_ERROR
, 0, d
.buf
, "can't readlink: %e");
426 report(cp
, CP_SYMLINK
, 2, d
.buf
, "symlink -> `%s'", buf
.buf
);
428 /* --- Handle sticky parents --- *
430 * If I make a symlink in a sticky directory, I can later modify it.
431 * However, nobody else can (except the owner of the directory, and
432 * we'll already have noticed that if we care).
435 if ((cp
->cp_what
& CP_WROTHUSR
) &&
436 (sp
->e_link
->e_flags
& f_sticky
) &&
437 st
.st_uid
!= cp
->cp_uid
&& st
.st_uid
!= 0) {
439 report(cp
, CP_WROTHUSR
, 1, d
.buf
,
440 "symlink modifiable by user %u", st
.st_uid
);
443 /* --- Sort out what to do from here --- */
445 if (buf
.buf
[0] == '/')
449 ee
= splitpath(buf
.buf
, ee
);
454 /* --- Run the sanity check on this path element --- */
456 bad
|= sanity(d
.buf
, &st
, cp
, ee ?
0 : f_last
);
458 if (S_ISDIR(st
.st_mode
)) {
459 if (st
.st_mode
& 01000)
460 sp
->e_flags
|= f_sticky
;
461 report(cp
, CP_REPORT
, 4, d
.buf
, "directory");
465 /* --- Something else I don't understand --- */
470 /* --- Check for leftover junk --- */
473 if (!(bad
& CP_ERROR
))
474 report(cp
, CP_ERROR
, 0, 0, "junk left over after reaching leaf");
486 /* --- @checkpath_setids@ --- *
488 * Arguments: @struct checkpath *cp@ = pointer to block to fill in
492 * Use: Fills in the user ids and things in the structure.
495 void checkpath_setids(struct checkpath
*cp
)
500 cp
->cp_uid
= getuid();
501 n
= getgroups(sizeof(cp
->cp_gid
) / sizeof(cp
->cp_gid
[0]), cp
->cp_gid
);
503 for (i
= 0; i
< n
; i
++) {
504 if (cp
->cp_gid
[i
] == g
)
512 /*----- That's all, folks -------------------------------------------------*/