/src/sudo/lib/util/secure_path.c

Source (jump to first uncovered line)
/*
 * SPDX-License-Identifier: ISC
 *
 * Copyright (c) 2012, 2014-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
 */

#include <config.h>

#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#include "sudo_compat.h"
#include "sudo_util.h"
#include "sudo_debug.h"

/*
 * Verify that path is the right type and not writable by other users.
 */
static int
sudo_check_secure(struct stat *sb, unsigned int type, uid_t uid, gid_t gid)
{
    int ret = SUDO_PATH_SECURE;
    debug_decl(sudo_check_secure, SUDO_DEBUG_UTIL);

    if ((sb->st_mode & S_IFMT) != type) {
  ret = SUDO_PATH_BAD_TYPE;
    } else if (uid != (uid_t)-1 && sb->st_uid != uid) {
  ret = SUDO_PATH_WRONG_OWNER;
    } else if (sb->st_mode & S_IWOTH) {
  ret = SUDO_PATH_WORLD_WRITABLE;
    } else if (ISSET(sb->st_mode, S_IWGRP) &&
  (gid == (gid_t)-1 || sb->st_gid != gid)) {
  ret = SUDO_PATH_GROUP_WRITABLE;
    }

    debug_return_int(ret);
}

/*
 * Verify that path is the right type and not writable by other users.
 */
static int
sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid,
     struct stat *sb)
{
    int ret = SUDO_PATH_MISSING;
    struct stat stat_buf;
    debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL);

    if (sb == NULL)
  sb = &stat_buf;

    if (path != NULL && stat(path, sb) == 0)
  ret = sudo_check_secure(sb, type, uid, gid);

    debug_return_int(ret);
}

/*
 * Verify that path is a regular file and not writable by other users.
 * Not currently used.
 */
int
sudo_secure_file_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb)
{
    return sudo_secure_path(path, S_IFREG, uid, gid, sb);
}

/*
 * Verify that path is a directory and not writable by other users.
 */
int
sudo_secure_dir_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb)
{
    return sudo_secure_path(path, S_IFDIR, uid, gid, sb);
}

/*
 * Verify that fd matches type and not writable by other users.
 */
int
sudo_secure_fd_v1(int fd, unsigned int type, uid_t uid, gid_t gid,
    struct stat *sb)
{
    int ret = SUDO_PATH_MISSING;
    debug_decl(sudo_secure_fd, SUDO_DEBUG_UTIL);

    if (fd != -1 && fstat(fd, sb) == 0)
  ret = sudo_check_secure(sb, type, uid, gid);
    debug_return_int(ret);
}

/*
 * Open path read-only as long as it is not writable by other users.
 * Returns an open file descriptor on success, else -1.
 * Sets error to SUDO_PATH_SECURE on success, and a value < 0 on failure.
 */
static int
sudo_secure_open(const char *path, int type, uid_t uid, gid_t gid,
    struct stat *sb, int *error)
{
    struct stat stat_buf;
    int fd;
    debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL);

    if (sb == NULL)
  sb = &stat_buf;

    fd = open(path, O_RDONLY|O_NONBLOCK);
    if (fd == -1 || fstat(fd, sb) != 0) {
  if (fd != -1)
      close(fd);
  *error = SUDO_PATH_MISSING;
  debug_return_int(-1);
    }

    *error = sudo_check_secure(sb, type, uid, gid);
    if (*error == SUDO_PATH_SECURE) {
  (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
    } else {
  /* Not secure, caller can check error flag. */
  close(fd);
  fd = -1;
    }

    debug_return_int(fd);
}

int
sudo_secure_open_file_v1(const char *path, uid_t uid, gid_t gid,
    struct stat *sb, int *error)
{
    return sudo_secure_open(path, S_IFREG, uid, gid, sb, error);
}

int
sudo_secure_open_dir_v1(const char *path, uid_t uid, gid_t gid,
    struct stat *sb, int *error)
{
    return sudo_secure_open(path, S_IFDIR, uid, gid, sb, error);
}

/*
 * Open the first file found in a colon-separated list of paths.
 * Subsequent files in the path are only attempted if the
 * previous file does not exist.  Errors other than ENOENT are
 * considered fatal and will stop processing the path.
 * Sets name based on the last file it tried to open, even on error.
 */
int
sudo_open_conf_path_v1(const char *path, char *name, size_t namesize,
    int (*fn)(const char *, int))
{
    const char *cp, *ep, *path_end;
    int fd = -1;
    debug_decl(sudo_open_conf_path, SUDO_DEBUG_UTIL);

    path_end = path + strlen(path);
    for (cp = sudo_strsplit(path, path_end, ":", &ep);
  cp != NULL; cp = sudo_strsplit(NULL, path_end, ":", &ep)) {

  const size_t len = ep - cp;
  if (len >= namesize) {
      /* We always set name, even on error. */
      memcpy(name, cp, namesize - 1);
      name[namesize - 1] = '\0';
      errno = ENAMETOOLONG;
      break;
  }
  memcpy(name, cp, len);
  name[len] = '\0';

  fd = fn ?
      fn(name, O_RDONLY|O_NONBLOCK) : open(name, O_RDONLY|O_NONBLOCK);
  if (fd != -1) {
      (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
      break;
  }
  if (errno != ENOENT)
      break;
    }
    debug_return_int(fd);
}

Coverage Report

Created: 2023-06-07 06:47

Line	Count	Source (jump to first uncovered line)
1		/*
2		* SPDX-License-Identifier: ISC
3		*
4		* Copyright (c) 2012, 2014-2022 Todd C. Miller <Todd.Miller@sudo.ws>
5		*
6		* Permission to use, copy, modify, and distribute this software for any
7		* purpose with or without fee is hereby granted, provided that the above
8		* copyright notice and this permission notice appear in all copies.
9		*
10		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17		*/
18
19		/*
20		* This is an open source non-commercial project. Dear PVS-Studio, please check it.
21		* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
22		*/
23
24		#include <config.h>
25
26		#include <sys/stat.h>
27		#include <errno.h>
28		#include <fcntl.h>
29		#include <string.h>
30		#include <unistd.h>
31
32		#include "sudo_compat.h"
33		#include "sudo_util.h"
34		#include "sudo_debug.h"
35
36		/*
37		* Verify that path is the right type and not writable by other users.
38		*/
39		static int
40		sudo_check_secure(struct stat *sb, unsigned int type, uid_t uid, gid_t gid)
41	0	{
42	0	int ret = SUDO_PATH_SECURE;
43	0	debug_decl(sudo_check_secure, SUDO_DEBUG_UTIL);
44
45	0	if ((sb->st_mode & S_IFMT) != type) {
46	0	ret = SUDO_PATH_BAD_TYPE;
47	0	} else if (uid != (uid_t)-1 && sb->st_uid != uid) {
48	0	ret = SUDO_PATH_WRONG_OWNER;
49	0	} else if (sb->st_mode & S_IWOTH) {
50	0	ret = SUDO_PATH_WORLD_WRITABLE;
51	0	} else if (ISSET(sb->st_mode, S_IWGRP) &&
52	0	(gid == (gid_t)-1 \|\| sb->st_gid != gid)) {
53	0	ret = SUDO_PATH_GROUP_WRITABLE;
54	0	}
55
56	0	debug_return_int(ret);
57	0	}
58
59		/*
60		* Verify that path is the right type and not writable by other users.
61		*/
62		static int
63		sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid,
64		struct stat *sb)
65	0	{
66	0	int ret = SUDO_PATH_MISSING;
67	0	struct stat stat_buf;
68	0	debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL);
69
70	0	if (sb == NULL)
71	0	sb = &stat_buf;
72
73	0	if (path != NULL && stat(path, sb) == 0)
74	0	ret = sudo_check_secure(sb, type, uid, gid);
75
76	0	debug_return_int(ret);
77	0	}
78
79		/*
80		* Verify that path is a regular file and not writable by other users.
81		* Not currently used.
82		*/
83		int
84		sudo_secure_file_v1(const char path, uid_t uid, gid_t gid, struct stat sb)
85	0	{
86	0	return sudo_secure_path(path, S_IFREG, uid, gid, sb);
87	0	}
88
89		/*
90		* Verify that path is a directory and not writable by other users.
91		*/
92		int
93		sudo_secure_dir_v1(const char path, uid_t uid, gid_t gid, struct stat sb)
94	0	{
95	0	return sudo_secure_path(path, S_IFDIR, uid, gid, sb);
96	0	}
97
98		/*
99		* Verify that fd matches type and not writable by other users.
100		*/
101		int
102		sudo_secure_fd_v1(int fd, unsigned int type, uid_t uid, gid_t gid,
103		struct stat *sb)
104	0	{
105	0	int ret = SUDO_PATH_MISSING;
106	0	debug_decl(sudo_secure_fd, SUDO_DEBUG_UTIL);
107
108	0	if (fd != -1 && fstat(fd, sb) == 0)
109	0	ret = sudo_check_secure(sb, type, uid, gid);
110	0	debug_return_int(ret);
111	0	}
112
113		/*
114		* Open path read-only as long as it is not writable by other users.
115		* Returns an open file descriptor on success, else -1.
116		* Sets error to SUDO_PATH_SECURE on success, and a value < 0 on failure.
117		*/
118		static int
119		sudo_secure_open(const char *path, int type, uid_t uid, gid_t gid,
120		struct stat sb, int error)
121	0	{
122	0	struct stat stat_buf;
123	0	int fd;
124	0	debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL);
125
126	0	if (sb == NULL)
127	0	sb = &stat_buf;
128
129	0	fd = open(path, O_RDONLY\|O_NONBLOCK);
130	0	if (fd == -1 \|\| fstat(fd, sb) != 0) {
131	0	if (fd != -1)
132	0	close(fd);
133	0	*error = SUDO_PATH_MISSING;
134	0	debug_return_int(-1);
135	0	}
136
137	0	*error = sudo_check_secure(sb, type, uid, gid);
138	0	if (*error == SUDO_PATH_SECURE) {
139	0	(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
140	0	} else {
141		/* Not secure, caller can check error flag. */
142	0	close(fd);
143	0	fd = -1;
144	0	}
145
146	0	debug_return_int(fd);
147	0	}
148
149		int
150		sudo_secure_open_file_v1(const char *path, uid_t uid, gid_t gid,
151		struct stat sb, int error)
152	0	{
153	0	return sudo_secure_open(path, S_IFREG, uid, gid, sb, error);
154	0	}
155
156		int
157		sudo_secure_open_dir_v1(const char *path, uid_t uid, gid_t gid,
158		struct stat sb, int error)
159	0	{
160	0	return sudo_secure_open(path, S_IFDIR, uid, gid, sb, error);
161	0	}
162
163		/*
164		* Open the first file found in a colon-separated list of paths.
165		* Subsequent files in the path are only attempted if the
166		* previous file does not exist. Errors other than ENOENT are
167		* considered fatal and will stop processing the path.
168		* Sets name based on the last file it tried to open, even on error.
169		*/
170		int
171		sudo_open_conf_path_v1(const char path, char name, size_t namesize,
172		int (fn)(const char , int))
173	0	{
174	0	const char cp, ep, *path_end;
175	0	int fd = -1;
176	0	debug_decl(sudo_open_conf_path, SUDO_DEBUG_UTIL);
177
178	0	path_end = path + strlen(path);
179	0	for (cp = sudo_strsplit(path, path_end, ":", &ep);
180	0	cp != NULL; cp = sudo_strsplit(NULL, path_end, ":", &ep)) {
181
182	0	const size_t len = ep - cp;
183	0	if (len >= namesize) {
184		/* We always set name, even on error. */
185	0	memcpy(name, cp, namesize - 1);
186	0	name[namesize - 1] = '\0';
187	0	errno = ENAMETOOLONG;
188	0	break;
189	0	}
190	0	memcpy(name, cp, len);
191	0	name[len] = '\0';
192
193	0	fd = fn ?
194	0	fn(name, O_RDONLY\|O_NONBLOCK) : open(name, O_RDONLY\|O_NONBLOCK);
195	0	if (fd != -1) {
196	0	(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
197	0	break;
198	0	}
199	0	if (errno != ENOENT)
200	0	break;
201	0	}
202	0	debug_return_int(fd);
203	0	}