Fix potential TOCTOU when creating time stamp directory and file.
This commit is contained in:
Todd C. Miller
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* SPDX-License-Identifier: ISC
|
||||
*
|
||||
* Copyright (c) 2012, 2014-2016 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
* Copyright (c) 2012, 2014-2022 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -24,7 +24,9 @@
|
||||
#include <config.h>
|
||||
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sudo_compat.h"
|
||||
#include "sudo_util.h"
|
||||
@@ -34,29 +36,41 @@
|
||||
* Verify that path is the right type and not writable by other users.
|
||||
*/
|
||||
static int
|
||||
sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid, struct stat *sb)
|
||||
sudo_check_secure(struct stat *sb, unsigned int type, uid_t uid, gid_t gid)
|
||||
{
|
||||
int ret = SUDO_PATH_SECURE;
|
||||
debug_decl(sudo_check_secure, SUDO_DEBUG_UTIL);
|
||||
|
||||
if ((sb->st_mode & S_IFMT) != type) {
|
||||
ret = SUDO_PATH_BAD_TYPE;
|
||||
} else if (uid != (uid_t)-1 && sb->st_uid != uid) {
|
||||
ret = SUDO_PATH_WRONG_OWNER;
|
||||
} else if (sb->st_mode & S_IWOTH) {
|
||||
ret = SUDO_PATH_WORLD_WRITABLE;
|
||||
} else if (ISSET(sb->st_mode, S_IWGRP) &&
|
||||
(gid == (gid_t)-1 || sb->st_gid != gid)) {
|
||||
ret = SUDO_PATH_GROUP_WRITABLE;
|
||||
}
|
||||
|
||||
debug_return_int(ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify that path is the right type and not writable by other users.
|
||||
*/
|
||||
static int
|
||||
sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid,
|
||||
struct stat *sb)
|
||||
{
|
||||
struct stat stat_buf;
|
||||
int ret = SUDO_PATH_MISSING;
|
||||
struct stat stat_buf;
|
||||
debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL);
|
||||
|
||||
if (sb == NULL)
|
||||
sb = &stat_buf;
|
||||
|
||||
if (path != NULL && stat(path, sb) == 0) {
|
||||
if ((sb->st_mode & S_IFMT) != type) {
|
||||
ret = SUDO_PATH_BAD_TYPE;
|
||||
} else if (uid != (uid_t)-1 && sb->st_uid != uid) {
|
||||
ret = SUDO_PATH_WRONG_OWNER;
|
||||
} else if (sb->st_mode & S_IWOTH) {
|
||||
ret = SUDO_PATH_WORLD_WRITABLE;
|
||||
} else if (ISSET(sb->st_mode, S_IWGRP) &&
|
||||
(gid == (gid_t)-1 || sb->st_gid != gid)) {
|
||||
ret = SUDO_PATH_GROUP_WRITABLE;
|
||||
} else {
|
||||
ret = SUDO_PATH_SECURE;
|
||||
}
|
||||
}
|
||||
if (path != NULL && stat(path, sb) == 0)
|
||||
ret = sudo_check_secure(sb, type, uid, gid);
|
||||
|
||||
debug_return_int(ret);
|
||||
}
|
||||
@@ -65,16 +79,60 @@ sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid, stru
|
||||
* Verify that path is a regular file and not writable by other users.
|
||||
*/
|
||||
int
|
||||
sudo_secure_file_v1(const char *path, uid_t uid, gid_t gid, struct stat *st)
|
||||
sudo_secure_file_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb)
|
||||
{
|
||||
return sudo_secure_path(path, S_IFREG, uid, gid, st);
|
||||
return sudo_secure_path(path, S_IFREG, uid, gid, sb);
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify that path is a directory and not writable by other users.
|
||||
*/
|
||||
int
|
||||
sudo_secure_dir_v1(const char *path, uid_t uid, gid_t gid, struct stat *st)
|
||||
sudo_secure_dir_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb)
|
||||
{
|
||||
return sudo_secure_path(path, S_IFDIR, uid, gid, st);
|
||||
return sudo_secure_path(path, S_IFDIR, uid, gid, sb);
|
||||
}
|
||||
|
||||
/*
|
||||
* Open path read-only as long as it is not writable by other users.
|
||||
* Returns an open file descriptor on success, else -1.
|
||||
* Sets error to SUDO_PATH_SECURE on success, and a value < 0 on failure.
|
||||
*/
|
||||
static int
|
||||
sudo_secure_open(const char *path, int type, uid_t uid, gid_t gid, int *error)
|
||||
{
|
||||
struct stat sb;
|
||||
int fd;
|
||||
debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL);
|
||||
|
||||
fd = open(path, O_RDONLY|O_NONBLOCK);
|
||||
if (fd == -1 || fstat(fd, &sb) != 0) {
|
||||
if (fd != -1)
|
||||
close(fd);
|
||||
*error = SUDO_PATH_MISSING;
|
||||
debug_return_int(-1);
|
||||
}
|
||||
|
||||
*error = sudo_check_secure(&sb, type, uid, gid);
|
||||
if (*error == SUDO_PATH_SECURE) {
|
||||
(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
||||
} else {
|
||||
/* Not secure, caller can check error flag. */
|
||||
close(fd);
|
||||
fd = -1;
|
||||
}
|
||||
|
||||
debug_return_int(fd);
|
||||
}
|
||||
|
||||
int
|
||||
sudo_secure_open_file_v1(const char *path, uid_t uid, gid_t gid, int *error)
|
||||
{
|
||||
return sudo_secure_open(path, S_IFREG, uid, gid, error);
|
||||
}
|
||||
|
||||
int
|
||||
sudo_secure_open_dir_v1(const char *path, uid_t uid, gid_t gid, int *error)
|
||||
{
|
||||
return sudo_secure_open(path, S_IFDIR, uid, gid, error);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user