sudo_secure_open_{file,dir}: always check thatreturn value is not -1.

Avoids false positives from static analyzers that can't figure out
that the fd is always valid when error is SUDO_PATH_SECURE.

lib/util/sudo_conf.c

@@ -681,30 +681,31 @@ sudo_conf_read_v1(const char *conf_file, int conf_types)
 	int error;
 	conf_file = _PATH_SUDO_CONF;
 	fd = sudo_secure_open_file(conf_file, ROOT_UID, -1, &sb, &error);
+	if (fd == -1) {
 	    switch (error) {
-	case SUDO_PATH_SECURE:
-	    break;
 	    case SUDO_PATH_MISSING:
 		/* Root should always be able to read sudo.conf. */
 		if (errno != ENOENT && geteuid() == ROOT_UID)
 		    sudo_warn(U_("unable to open %s"), conf_file);
-	    goto done;
+		break;
 	    case SUDO_PATH_BAD_TYPE:
 		sudo_warnx(U_("%s is not a regular file"), conf_file);
-	    goto done;
+		break;
 	    case SUDO_PATH_WRONG_OWNER:
 		sudo_warnx(U_("%s is owned by uid %u, should be %u"),
 		    conf_file, (unsigned int) sb.st_uid, ROOT_UID);
-	    goto done;
+		break;
 	    case SUDO_PATH_WORLD_WRITABLE:
 		sudo_warnx(U_("%s is world writable"), conf_file);
-	    goto done;
+		break;
 	    case SUDO_PATH_GROUP_WRITABLE:
 		sudo_warnx(U_("%s is group writable"), conf_file);
-	    goto done;
+		break;
 	    default:
 		sudo_warnx("%s: internal error, unexpected error %d",
 		    __func__, error);
+		break;
+	    }
 	    goto done;
 	}
     }

plugins/sudoers/sudoers.c

@@ -1104,8 +1104,7 @@ open_sudoers(const char *file, bool doedit, bool *keepopen)
 
 again:
     fd = sudo_secure_open_file(file, sudoers_uid, sudoers_gid, &sb, &error);
-    switch (error) {
+    if (fd != -1) {
-	case SUDO_PATH_SECURE:
 	/*
 	 * Make sure we can read the file so we can present the
 	 * user with a reasonable error message (unlike the lexer).
@@ -1125,7 +1124,8 @@ again:
 		(void) fcntl(fileno(fp), F_SETFD, 1);
 	    }
 	}
-	    break;
+    } else {
+	switch (error) {
 	case SUDO_PATH_MISSING:
 	    /*
 	     * If we tried to open sudoers as non-root but got EACCES,
@@ -1160,9 +1160,11 @@ again:
 		(unsigned int) sb.st_gid, (unsigned int) sudoers_gid);
 	    break;
 	default:
-	    /* NOTREACHED */
+	    sudo_warnx("%s: internal error, unexpected error %d",
+		__func__, error);
 	    break;
 	}
+    }
 
     if (!restore_perms()) {
 	/* unable to change back to root */

plugins/sudoers/testsudoers.c

@@ -448,11 +448,13 @@ open_sudoers(const char *file, bool doedit, bool *keepopen)
     /* Report errors using the basename for consistent test output. */
     base = sudo_basename(file);
     fd = sudo_secure_open_file(file, sudoers_uid, sudoers_gid, &sb, &error);
-    switch (error) {
+    if (fd != -1) {
-    case SUDO_PATH_SECURE:
+	if ((fp = fdopen(fd, "r")) == NULL) {
-	if ((fp = fdopen(fd, "r")) == NULL)
+	    sudo_warn("unable to open %s", base);
 	    close(fd);
-	break;
+	}
+    } else {
+	switch (error) {
 	case SUDO_PATH_MISSING:
 	    sudo_warn("unable to open %s", base);
 	    break;
@@ -471,9 +473,11 @@ open_sudoers(const char *file, bool doedit, bool *keepopen)
 		base, (unsigned int) sudoers_gid);
 	    break;
 	default:
-	/* NOTREACHED */
+	    sudo_warnx("%s: internal error, unexpected error %d",
+		__func__, error);
 	    break;
 	}
+    }
 
     debug_return_ptr(fp);
 }

plugins/sudoers/timestamp.c

@@ -235,15 +235,14 @@ ts_mkdirs(const char *path, uid_t owner, gid_t group, mode_t mode,
 static int
 ts_secure_opendir(const char *path, bool make_it, bool quiet)
 {
-    int error, fd = -1;
+    int error, fd;
     struct stat sb;
     debug_decl(ts_secure_opendir, SUDOERS_DEBUG_AUTH);
 
     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "checking %s", path);
     fd = sudo_secure_open_dir(path, timestamp_uid, timestamp_gid, &sb, &error);
+    if (fd == -1) {
 	switch (error) {
-    case SUDO_PATH_SECURE:
-	break;
 	case SUDO_PATH_MISSING:
 	    if (make_it) {
 		fd = ts_mkdirs(path, timestamp_uid, timestamp_gid, S_IRWXU,
@@ -286,6 +285,7 @@ ts_secure_opendir(const char *path, bool make_it, bool quiet)
 	    }
 	    break;
 	}
+    }
 
     debug_return_int(fd);
 }