diff options
Diffstat (limited to 'misc.c')
| -rw-r--r-- | misc.c | 58 |
1 files changed, 53 insertions, 5 deletions
| @@ -58,8 +58,9 @@ | |||
| 58 | #include <netdb.h> | 58 | #include <netdb.h> |
| 59 | #ifdef HAVE_PATHS_H | 59 | #ifdef HAVE_PATHS_H |
| 60 | # include <paths.h> | 60 | # include <paths.h> |
| 61 | #include <pwd.h> | ||
| 62 | #endif | 61 | #endif |
| 62 | #include <pwd.h> | ||
| 63 | #include <grp.h> | ||
| 63 | #ifdef SSH_TUN_OPENBSD | 64 | #ifdef SSH_TUN_OPENBSD |
| 64 | #include <net/if.h> | 65 | #include <net/if.h> |
| 65 | #endif | 66 | #endif |
| @@ -1029,6 +1030,55 @@ percent_expand(const char *string, ...) | |||
| 1029 | } | 1030 | } |
| 1030 | 1031 | ||
| 1031 | int | 1032 | int |
| 1033 | secure_permissions(struct stat *st, uid_t uid) | ||
| 1034 | { | ||
| 1035 | if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid) | ||
| 1036 | return 0; | ||
| 1037 | if ((st->st_mode & 002) != 0) | ||
| 1038 | return 0; | ||
| 1039 | if ((st->st_mode & 020) != 0) { | ||
| 1040 | /* If the file is group-writable, the group in question must | ||
| 1041 | * have exactly one member, namely the file's owner. | ||
| 1042 | * (Zero-member groups are typically used by setgid | ||
| 1043 | * binaries, and are unlikely to be suitable.) | ||
| 1044 | */ | ||
| 1045 | struct passwd *pw; | ||
| 1046 | struct group *gr; | ||
| 1047 | int members = 0; | ||
| 1048 | |||
| 1049 | gr = getgrgid(st->st_gid); | ||
| 1050 | if (!gr) | ||
| 1051 | return 0; | ||
| 1052 | |||
| 1053 | /* Check primary group memberships. */ | ||
| 1054 | while ((pw = getpwent()) != NULL) { | ||
| 1055 | if (pw->pw_gid == gr->gr_gid) { | ||
| 1056 | ++members; | ||
| 1057 | if (pw->pw_uid != uid) | ||
| 1058 | return 0; | ||
| 1059 | } | ||
| 1060 | } | ||
| 1061 | endpwent(); | ||
| 1062 | |||
| 1063 | pw = getpwuid(st->st_uid); | ||
| 1064 | if (!pw) | ||
| 1065 | return 0; | ||
| 1066 | |||
| 1067 | /* Check supplementary group memberships. */ | ||
| 1068 | if (gr->gr_mem[0]) { | ||
| 1069 | ++members; | ||
| 1070 | if (strcmp(pw->pw_name, gr->gr_mem[0]) || | ||
| 1071 | gr->gr_mem[1]) | ||
| 1072 | return 0; | ||
| 1073 | } | ||
| 1074 | |||
| 1075 | if (!members) | ||
| 1076 | return 0; | ||
| 1077 | } | ||
| 1078 | return 1; | ||
| 1079 | } | ||
| 1080 | |||
| 1081 | int | ||
| 1032 | tun_open(int tun, int mode, char **ifname) | 1082 | tun_open(int tun, int mode, char **ifname) |
| 1033 | { | 1083 | { |
| 1034 | #if defined(CUSTOM_SYS_TUN_OPEN) | 1084 | #if defined(CUSTOM_SYS_TUN_OPEN) |
| @@ -1786,8 +1836,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | |||
| 1786 | snprintf(err, errlen, "%s is not a regular file", buf); | 1836 | snprintf(err, errlen, "%s is not a regular file", buf); |
| 1787 | return -1; | 1837 | return -1; |
| 1788 | } | 1838 | } |
| 1789 | if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || | 1839 | if (!secure_permissions(stp, uid)) { |
| 1790 | (stp->st_mode & 022) != 0) { | ||
| 1791 | snprintf(err, errlen, "bad ownership or modes for file %s", | 1840 | snprintf(err, errlen, "bad ownership or modes for file %s", |
| 1792 | buf); | 1841 | buf); |
| 1793 | return -1; | 1842 | return -1; |
| @@ -1802,8 +1851,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | |||
| 1802 | strlcpy(buf, cp, sizeof(buf)); | 1851 | strlcpy(buf, cp, sizeof(buf)); |
| 1803 | 1852 | ||
| 1804 | if (stat(buf, &st) < 0 || | 1853 | if (stat(buf, &st) < 0 || |
| 1805 | (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || | 1854 | !secure_permissions(&st, uid)) { |
| 1806 | (st.st_mode & 022) != 0) { | ||
| 1807 | snprintf(err, errlen, | 1855 | snprintf(err, errlen, |
| 1808 | "bad ownership or modes for directory %s", buf); | 1856 | "bad ownership or modes for directory %s", buf); |
| 1809 | return -1; | 1857 | return -1; |