Use sys/stat.h defines instead of bare octal values.
This commit is contained in:
Todd C. Miller
@@ -173,6 +173,19 @@
|
|||||||
#ifndef S_ISLNK
|
#ifndef S_ISLNK
|
||||||
# define S_ISLNK(m) (((m) & _S_IFMT) == _S_IFLNK)
|
# define S_ISLNK(m) (((m) & _S_IFMT) == _S_IFLNK)
|
||||||
#endif /* S_ISLNK */
|
#endif /* S_ISLNK */
|
||||||
|
#ifndef S_ISTXT
|
||||||
|
# define S_ISTXT 0001000
|
||||||
|
#endif /* S_ISTXT */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* ACCESSPERMS (00777) and ALLPERMS (07777) are handy BSDisms
|
||||||
|
*/
|
||||||
|
#ifndef ACCESSPERMS
|
||||||
|
# define ACCESSPERMS (S_IRWXU|S_IRWXG|S_IRWXO)
|
||||||
|
#endif /* ACCESSPERMS */
|
||||||
|
#ifndef ALLPERMS
|
||||||
|
# define ALLPERMS (S_ISUID|S_ISGID|S_ISTXT|S_IRWXU|S_IRWXG|S_IRWXO)
|
||||||
|
#endif /* ALLPERMS */
|
||||||
|
|
||||||
/* For futimens() and utimensat() emulation. */
|
/* For futimens() and utimensat() emulation. */
|
||||||
#if !defined(HAVE_FUTIMENS) && !defined(HAVE_UTIMENSAT)
|
#if !defined(HAVE_FUTIMENS) && !defined(HAVE_UTIMENSAT)
|
||||||
|
|||||||
@@ -17,6 +17,7 @@
|
|||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@@ -49,7 +50,7 @@ sudo_strtomode_v1(const char *cp, const char **errstr)
|
|||||||
errno = EINVAL;
|
errno = EINVAL;
|
||||||
debug_return_int(0);
|
debug_return_int(0);
|
||||||
}
|
}
|
||||||
if (lval < 0 || lval > 0777) {
|
if (lval < 0 || lval > ACCESSPERMS) {
|
||||||
if (errstr != NULL)
|
if (errstr != NULL)
|
||||||
*errstr = lval < 0 ? N_("value too small") : N_("value too large");
|
*errstr = lval < 0 ? N_("value too small") : N_("value too large");
|
||||||
errno = ERANGE;
|
errno = ERANGE;
|
||||||
|
|||||||
@@ -535,7 +535,7 @@ init_defaults(void)
|
|||||||
#ifdef SUDO_UMASK
|
#ifdef SUDO_UMASK
|
||||||
def_umask = SUDO_UMASK;
|
def_umask = SUDO_UMASK;
|
||||||
#else
|
#else
|
||||||
def_umask = 0777;
|
def_umask = ACCESSPERMS;
|
||||||
#endif
|
#endif
|
||||||
def_loglinelen = MAXLOGFILELEN;
|
def_loglinelen = MAXLOGFILELEN;
|
||||||
def_timestamp_timeout = TIMEOUT;
|
def_timestamp_timeout = TIMEOUT;
|
||||||
@@ -955,7 +955,7 @@ store_mode(const char *str, union sudo_defs_val *sd_un)
|
|||||||
debug_decl(store_mode, SUDOERS_DEBUG_DEFAULTS)
|
debug_decl(store_mode, SUDOERS_DEBUG_DEFAULTS)
|
||||||
|
|
||||||
if (str == NULL) {
|
if (str == NULL) {
|
||||||
sd_un->mode = 0777;
|
sd_un->mode = ACCESSPERMS;
|
||||||
} else {
|
} else {
|
||||||
mode = sudo_strtomode(str, &errstr);
|
mode = sudo_strtomode(str, &errstr);
|
||||||
if (errstr != NULL) {
|
if (errstr != NULL) {
|
||||||
|
|||||||
@@ -52,7 +52,7 @@ sudo_goodpath(const char *path, struct stat *sbp)
|
|||||||
|
|
||||||
if (stat(path, sbp) == 0) {
|
if (stat(path, sbp) == 0) {
|
||||||
/* Make sure path describes an executable regular file. */
|
/* Make sure path describes an executable regular file. */
|
||||||
if (S_ISREG(sbp->st_mode) && ISSET(sbp->st_mode, 0111))
|
if (S_ISREG(sbp->st_mode) && ISSET(sbp->st_mode, S_IXUSR|S_IXGRP|S_IXOTH))
|
||||||
ret = true;
|
ret = true;
|
||||||
else
|
else
|
||||||
errno = EACCES;
|
errno = EACCES;
|
||||||
|
|||||||
@@ -150,7 +150,7 @@ do_logfile(const char *msg)
|
|||||||
|
|
||||||
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
|
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
|
||||||
|
|
||||||
oldmask = umask(077);
|
oldmask = umask(S_IRWXG|S_IRWXO);
|
||||||
fp = fopen(def_logfile, "a");
|
fp = fopen(def_logfile, "a");
|
||||||
(void) umask(oldmask);
|
(void) umask(oldmask);
|
||||||
if (fp == NULL) {
|
if (fp == NULL) {
|
||||||
@@ -627,7 +627,8 @@ send_mail(const char *fmt, ...)
|
|||||||
sudo_warn("setsid");
|
sudo_warn("setsid");
|
||||||
if (chdir("/") == -1)
|
if (chdir("/") == -1)
|
||||||
sudo_warn("chdir(/)");
|
sudo_warn("chdir(/)");
|
||||||
if ((fd = open(_PATH_DEVNULL, O_RDWR, 0644)) != -1) {
|
fd = open(_PATH_DEVNULL, O_RDWR, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
||||||
|
if (fd != -1) {
|
||||||
(void) dup2(fd, STDIN_FILENO);
|
(void) dup2(fd, STDIN_FILENO);
|
||||||
(void) dup2(fd, STDOUT_FILENO);
|
(void) dup2(fd, STDOUT_FILENO);
|
||||||
(void) dup2(fd, STDERR_FILENO);
|
(void) dup2(fd, STDERR_FILENO);
|
||||||
|
|||||||
@@ -568,7 +568,7 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
|
|||||||
if ((command_info[info_len++] = sudo_new_key_val("iolog_group", def_iolog_group)) == NULL)
|
if ((command_info[info_len++] = sudo_new_key_val("iolog_group", def_iolog_group)) == NULL)
|
||||||
goto oom;
|
goto oom;
|
||||||
}
|
}
|
||||||
if (cmnd_umask != 0777) {
|
if (cmnd_umask != ACCESSPERMS) {
|
||||||
if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1)
|
if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1)
|
||||||
goto oom;
|
goto oom;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -225,7 +225,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
|
|||||||
{
|
{
|
||||||
char **edit_argv = NULL;
|
char **edit_argv = NULL;
|
||||||
char *iolog_path = NULL;
|
char *iolog_path = NULL;
|
||||||
mode_t cmnd_umask = 0777;
|
mode_t cmnd_umask = ACCESSPERMS;
|
||||||
struct sudo_nss *nss;
|
struct sudo_nss *nss;
|
||||||
bool nopass = false;
|
bool nopass = false;
|
||||||
int cmnd_status = -1, oldlocale, validated;
|
int cmnd_status = -1, oldlocale, validated;
|
||||||
@@ -538,7 +538,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
|
|||||||
* If user's umask is more restrictive, OR in those bits too
|
* If user's umask is more restrictive, OR in those bits too
|
||||||
* unless umask_override is set.
|
* unless umask_override is set.
|
||||||
*/
|
*/
|
||||||
if (def_umask != 0777) {
|
if (def_umask != ACCESSPERMS) {
|
||||||
cmnd_umask = def_umask;
|
cmnd_umask = def_umask;
|
||||||
if (!def_umask_override)
|
if (!def_umask_override)
|
||||||
cmnd_umask |= user_umask;
|
cmnd_umask |= user_umask;
|
||||||
|
|||||||
@@ -192,7 +192,8 @@ ts_secure_dir(char *path, bool make_it, bool quiet)
|
|||||||
ret = true;
|
ret = true;
|
||||||
break;
|
break;
|
||||||
case SUDO_PATH_MISSING:
|
case SUDO_PATH_MISSING:
|
||||||
if (make_it && ts_mkdirs(path, timestamp_uid, 0700, 0711, quiet)) {
|
if (make_it && ts_mkdirs(path, timestamp_uid, S_IRWXU,
|
||||||
|
S_IRWXU|S_IXGRP|S_IXOTH, quiet)) {
|
||||||
ret = true;
|
ret = true;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -235,7 +236,7 @@ ts_open(const char *path, int flags)
|
|||||||
|
|
||||||
if (timestamp_uid != 0)
|
if (timestamp_uid != 0)
|
||||||
uid_changed = set_perms(PERM_TIMESTAMP);
|
uid_changed = set_perms(PERM_TIMESTAMP);
|
||||||
fd = open(path, flags, 0600);
|
fd = open(path, flags, S_IRUSR|S_IWUSR);
|
||||||
if (uid_changed && !restore_perms()) {
|
if (uid_changed && !restore_perms()) {
|
||||||
/* Unable to restore permissions, should not happen. */
|
/* Unable to restore permissions, should not happen. */
|
||||||
if (fd != -1) {
|
if (fd != -1) {
|
||||||
|
|||||||
@@ -443,7 +443,7 @@ edit_sudoers(struct sudoersfile *sp, char *editor, int editor_argc,
|
|||||||
if (sp->tpath == NULL) {
|
if (sp->tpath == NULL) {
|
||||||
if (asprintf(&sp->tpath, "%s.tmp", sp->path) == -1)
|
if (asprintf(&sp->tpath, "%s.tmp", sp->path) == -1)
|
||||||
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||||
tfd = open(sp->tpath, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
tfd = open(sp->tpath, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU|S_IRUSR);
|
||||||
if (tfd < 0)
|
if (tfd < 0)
|
||||||
sudo_fatal("%s", sp->tpath);
|
sudo_fatal("%s", sp->tpath);
|
||||||
|
|
||||||
@@ -669,7 +669,7 @@ install_sudoers(struct sudoersfile *sp, bool oldperms)
|
|||||||
if (!oldperms && fstat(sp->fd, &sb) != -1) {
|
if (!oldperms && fstat(sp->fd, &sb) != -1) {
|
||||||
if (sb.st_uid != sudoers_uid || sb.st_gid != sudoers_gid)
|
if (sb.st_uid != sudoers_uid || sb.st_gid != sudoers_gid)
|
||||||
ignore_result(chown(sp->path, sudoers_uid, sudoers_gid));
|
ignore_result(chown(sp->path, sudoers_uid, sudoers_gid));
|
||||||
if ((sb.st_mode & 0777) != sudoers_mode)
|
if ((sb.st_mode & ACCESSPERMS) != sudoers_mode)
|
||||||
ignore_result(chmod(sp->path, sudoers_mode));
|
ignore_result(chmod(sp->path, sudoers_mode));
|
||||||
}
|
}
|
||||||
ret = true;
|
ret = true;
|
||||||
@@ -688,9 +688,9 @@ install_sudoers(struct sudoersfile *sp, bool oldperms)
|
|||||||
sudo_warn(U_("unable to set (uid, gid) of %s to (%u, %u)"),
|
sudo_warn(U_("unable to set (uid, gid) of %s to (%u, %u)"),
|
||||||
sp->tpath, (unsigned int)sb.st_uid, (unsigned int)sb.st_gid);
|
sp->tpath, (unsigned int)sb.st_uid, (unsigned int)sb.st_gid);
|
||||||
}
|
}
|
||||||
if (chmod(sp->tpath, sb.st_mode & 0777) != 0) {
|
if (chmod(sp->tpath, sb.st_mode & ACCESSPERMS) != 0) {
|
||||||
sudo_warn(U_("unable to change mode of %s to 0%o"), sp->tpath,
|
sudo_warn(U_("unable to change mode of %s to 0%o"), sp->tpath,
|
||||||
(unsigned int)(sb.st_mode & 0777));
|
(unsigned int)(sb.st_mode & ACCESSPERMS));
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (chown(sp->tpath, sudoers_uid, sudoers_gid) != 0) {
|
if (chown(sp->tpath, sudoers_uid, sudoers_gid) != 0) {
|
||||||
@@ -896,7 +896,7 @@ check_owner(const char *path, bool quiet)
|
|||||||
path, sudoers_uid, sudoers_gid);
|
path, sudoers_uid, sudoers_gid);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ((sb.st_mode & 07777) != sudoers_mode) {
|
if ((sb.st_mode & ALLPERMS) != sudoers_mode) {
|
||||||
ok = false;
|
ok = false;
|
||||||
if (!quiet) {
|
if (!quiet) {
|
||||||
fprintf(stderr, _("%s: bad permissions, should be mode 0%o\n"),
|
fprintf(stderr, _("%s: bad permissions, should be mode 0%o\n"),
|
||||||
|
|||||||
@@ -189,7 +189,7 @@ sesh_sudoedit(int argc, char *argv[])
|
|||||||
* doesn't exist, that's OK, we'll create an empty
|
* doesn't exist, that's OK, we'll create an empty
|
||||||
* destination file.
|
* destination file.
|
||||||
*/
|
*/
|
||||||
if ((fd_src = open(path_src, O_RDONLY|follow, 0600)) < 0) {
|
if ((fd_src = open(path_src, O_RDONLY|follow, S_IRUSR|S_IWUSR)) < 0) {
|
||||||
if (errno != ENOENT) {
|
if (errno != ENOENT) {
|
||||||
sudo_warn("%s", path_src);
|
sudo_warn("%s", path_src);
|
||||||
if (post) {
|
if (post) {
|
||||||
@@ -200,7 +200,8 @@ sesh_sudoedit(int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((fd_dst = open(path_dst, oflags_dst, post ? 0644 : 0600)) < 0) {
|
if ((fd_dst = open(path_dst, oflags_dst, post ?
|
||||||
|
(S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) : (S_IRUSR|S_IWUSR))) < 0) {
|
||||||
/* error - cleanup */
|
/* error - cleanup */
|
||||||
sudo_warn("%s", path_dst);
|
sudo_warn("%s", path_dst);
|
||||||
if (post) {
|
if (post) {
|
||||||
|
|||||||
@@ -364,7 +364,8 @@ fix_fds(void)
|
|||||||
miss[STDOUT_FILENO] = fcntl(STDOUT_FILENO, F_GETFL, 0) == -1;
|
miss[STDOUT_FILENO] = fcntl(STDOUT_FILENO, F_GETFL, 0) == -1;
|
||||||
miss[STDERR_FILENO] = fcntl(STDERR_FILENO, F_GETFL, 0) == -1;
|
miss[STDERR_FILENO] = fcntl(STDERR_FILENO, F_GETFL, 0) == -1;
|
||||||
if (miss[STDIN_FILENO] || miss[STDOUT_FILENO] || miss[STDERR_FILENO]) {
|
if (miss[STDIN_FILENO] || miss[STDOUT_FILENO] || miss[STDERR_FILENO]) {
|
||||||
if ((devnull = open(_PATH_DEVNULL, O_RDWR, 0644)) == -1)
|
devnull = open(_PATH_DEVNULL, O_RDWR, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
||||||
|
if (devnull == -1)
|
||||||
sudo_fatal(U_("unable to open %s"), _PATH_DEVNULL);
|
sudo_fatal(U_("unable to open %s"), _PATH_DEVNULL);
|
||||||
if (miss[STDIN_FILENO] && dup2(devnull, STDIN_FILENO) == -1)
|
if (miss[STDIN_FILENO] && dup2(devnull, STDIN_FILENO) == -1)
|
||||||
sudo_fatal("dup2");
|
sudo_fatal("dup2");
|
||||||
|
|||||||
@@ -548,7 +548,8 @@ sudo_edit_create_tfiles(struct command_details *command_details,
|
|||||||
rc = -1;
|
rc = -1;
|
||||||
switch_user(command_details->euid, command_details->egid,
|
switch_user(command_details->euid, command_details->egid,
|
||||||
command_details->ngroups, command_details->groups);
|
command_details->ngroups, command_details->groups);
|
||||||
ofd = sudo_edit_open(files[i], O_RDONLY, 0644, command_details);
|
ofd = sudo_edit_open(files[i], O_RDONLY,
|
||||||
|
S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
|
||||||
if (ofd != -1 || errno == ENOENT) {
|
if (ofd != -1 || errno == ENOENT) {
|
||||||
if (ofd == -1) {
|
if (ofd == -1) {
|
||||||
/* New file, verify parent dir exists unless in cwd. */
|
/* New file, verify parent dir exists unless in cwd. */
|
||||||
@@ -673,7 +674,8 @@ sudo_edit_copy_tfiles(struct command_details *command_details,
|
|||||||
"seteuid(%u)", user_details.uid);
|
"seteuid(%u)", user_details.uid);
|
||||||
if (seteuid(user_details.uid) != 0)
|
if (seteuid(user_details.uid) != 0)
|
||||||
sudo_fatal("seteuid(%d)", (int)user_details.uid);
|
sudo_fatal("seteuid(%d)", (int)user_details.uid);
|
||||||
tfd = sudo_edit_open(tf[i].tfile, O_RDONLY, 0644, NULL);
|
tfd = sudo_edit_open(tf[i].tfile, O_RDONLY,
|
||||||
|
S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, NULL);
|
||||||
if (tfd != -1)
|
if (tfd != -1)
|
||||||
rc = fstat(tfd, &sb);
|
rc = fstat(tfd, &sb);
|
||||||
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
|
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
|
||||||
@@ -707,8 +709,8 @@ sudo_edit_copy_tfiles(struct command_details *command_details,
|
|||||||
}
|
}
|
||||||
switch_user(command_details->euid, command_details->egid,
|
switch_user(command_details->euid, command_details->egid,
|
||||||
command_details->ngroups, command_details->groups);
|
command_details->ngroups, command_details->groups);
|
||||||
ofd = sudo_edit_open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644,
|
ofd = sudo_edit_open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT,
|
||||||
command_details);
|
S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
|
||||||
switch_user(ROOT_UID, user_details.egid,
|
switch_user(ROOT_UID, user_details.egid,
|
||||||
user_details.ngroups, user_details.groups);
|
user_details.ngroups, user_details.groups);
|
||||||
if (ofd == -1) {
|
if (ofd == -1) {
|
||||||
|
|||||||
Reference in New Issue
Block a user