/src/sudo/lib/util/secure_path.c

Source
/*
 * SPDX-License-Identifier: ISC
 *
 * Copyright (c) 2012, 2014-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <config.h>

#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#include <sudo_compat.h>
#include <sudo_util.h>
#include <sudo_debug.h>

/*
 * Verify that path is the right type and not writable by other users.
 */
static int
sudo_check_secure(struct stat *sb, unsigned int type, uid_t uid, gid_t gid)
{
    int ret = SUDO_PATH_SECURE;
    debug_decl(sudo_check_secure, SUDO_DEBUG_UTIL);

    if ((sb->st_mode & S_IFMT) != type) {
  ret = SUDO_PATH_BAD_TYPE;
    } else if (uid != (uid_t)-1 && sb->st_uid != uid) {
  ret = SUDO_PATH_WRONG_OWNER;
    } else if (sb->st_mode & S_IWOTH) {
  ret = SUDO_PATH_WORLD_WRITABLE;
    } else if (ISSET(sb->st_mode, S_IWGRP) &&
  (gid == (gid_t)-1 || sb->st_gid != gid)) {
  ret = SUDO_PATH_GROUP_WRITABLE;
    }

    debug_return_int(ret);
}

/*
 * Verify that path is the right type and not writable by other users.
 */
static int
sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid,
     struct stat *sb)
{
    int ret = SUDO_PATH_MISSING;
    struct stat stat_buf;
    debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL);

    if (sb == NULL)
  sb = &stat_buf;

    if (path != NULL && stat(path, sb) == 0)
  ret = sudo_check_secure(sb, type, uid, gid);

    debug_return_int(ret);
}

/*
 * Verify that path is a regular file and not writable by other users.
 * Not currently used.
 */
int
sudo_secure_file_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb)
{
    return sudo_secure_path(path, S_IFREG, uid, gid, sb);
}

/*
 * Verify that path is a directory and not writable by other users.
 */
int
sudo_secure_dir_v1(const char *path, uid_t uid, gid_t gid, struct stat *sb)
{
    return sudo_secure_path(path, S_IFDIR, uid, gid, sb);
}

/*
 * Verify that fd matches type and not writable by other users.
 */
int
sudo_secure_fd_v1(int fd, unsigned int type, uid_t uid, gid_t gid,
    struct stat *sb)
{
    int ret = SUDO_PATH_MISSING;
    debug_decl(sudo_secure_fd, SUDO_DEBUG_UTIL);

    if (fd != -1 && fstat(fd, sb) == 0)
  ret = sudo_check_secure(sb, type, uid, gid);
    debug_return_int(ret);
}

/*
 * Open path read-only as long as it is not writable by other users.
 * Returns an open file descriptor on success, else -1.
 * Sets error to SUDO_PATH_SECURE on success, and a value < 0 on failure.
 */
static int
sudo_secure_open(const char *path, unsigned int type, uid_t uid, gid_t gid,
    struct stat *sb, int *error)
{
    struct stat stat_buf;
    int fd, flags = O_RDONLY|O_NONBLOCK;
    debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL);

    if (sb == NULL)
  sb = &stat_buf;

    if (type == S_IFDIR)
  flags |= O_DIRECTORY;
    fd = open(path, flags);
    if (fd == -1 || fstat(fd, sb) != 0) {
  if (fd != -1)
      close(fd);
  *error = SUDO_PATH_MISSING;
  debug_return_int(-1);
    }

    *error = sudo_check_secure(sb, type, uid, gid);
    if (*error == SUDO_PATH_SECURE) {
  (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
    } else {
  /* Not secure, caller can check error flag. */
  close(fd);
  fd = -1;
    }

    debug_return_int(fd);
}

int
sudo_secure_open_file_v1(const char *path, uid_t uid, gid_t gid,
    struct stat *sb, int *error)
{
    return sudo_secure_open(path, S_IFREG, uid, gid, sb, error);
}

int
sudo_secure_open_dir_v1(const char *path, uid_t uid, gid_t gid,
    struct stat *sb, int *error)
{
    return sudo_secure_open(path, S_IFDIR, uid, gid, sb, error);
}

/*
 * Open the first file found in a colon-separated list of paths.
 * Subsequent files in the path are only attempted if the
 * previous file does not exist.  Errors other than ENOENT are
 * considered fatal and will stop processing the path.
 * Sets name based on the last file it tried to open, even on error.
 */
int
sudo_open_conf_path_v1(const char *path, char *name, size_t namesize,
    int (*fn)(const char *, int))
{
    const char *cp, *ep, *path_end;
    int fd = -1;
    debug_decl(sudo_open_conf_path, SUDO_DEBUG_UTIL);

    path_end = path + strlen(path);
    for (cp = sudo_strsplit(path, path_end, ":", &ep);
  cp != NULL; cp = sudo_strsplit(NULL, path_end, ":", &ep)) {

  const size_t len = (size_t)(ep - cp);
  if (len >= namesize) {
      /* We always set name, even on error. */
      memcpy(name, cp, namesize - 1);
      name[namesize - 1] = '\0';
      errno = ENAMETOOLONG;
      break;
  }
  memcpy(name, cp, len);
  name[len] = '\0';

  fd = fn ?
      fn(name, O_RDONLY|O_NONBLOCK) : open(name, O_RDONLY|O_NONBLOCK);
  if (fd != -1) {
      (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
      break;
  }
  if (errno != ENOENT)
      break;
    }
    debug_return_int(fd);
}

Coverage Report

Created: 2025-10-28 06:14

Line	Count	Source
1		/*
2		* SPDX-License-Identifier: ISC
3		*
4		* Copyright (c) 2012, 2014-2022 Todd C. Miller <Todd.Miller@sudo.ws>
5		*
6		* Permission to use, copy, modify, and distribute this software for any
7		* purpose with or without fee is hereby granted, provided that the above
8		* copyright notice and this permission notice appear in all copies.
9		*
10		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17		*/
18
19		#include <config.h>
20
21		#include <sys/stat.h>
22		#include <errno.h>
23		#include <fcntl.h>
24		#include <string.h>
25		#include <unistd.h>
26
27		#include <sudo_compat.h>
28		#include <sudo_util.h>
29		#include <sudo_debug.h>
30
31		/*
32		* Verify that path is the right type and not writable by other users.
33		*/
34		static int
35		sudo_check_secure(struct stat *sb, unsigned int type, uid_t uid, gid_t gid)
36	0	{
37	0	int ret = SUDO_PATH_SECURE;
38	0	debug_decl(sudo_check_secure, SUDO_DEBUG_UTIL);
39
40	0	if ((sb->st_mode & S_IFMT) != type) {
41	0	ret = SUDO_PATH_BAD_TYPE;
42	0	} else if (uid != (uid_t)-1 && sb->st_uid != uid) {
43	0	ret = SUDO_PATH_WRONG_OWNER;
44	0	} else if (sb->st_mode & S_IWOTH) {
45	0	ret = SUDO_PATH_WORLD_WRITABLE;
46	0	} else if (ISSET(sb->st_mode, S_IWGRP) &&
47	0	(gid == (gid_t)-1 \|\| sb->st_gid != gid)) {
48	0	ret = SUDO_PATH_GROUP_WRITABLE;
49	0	}
50
51	0	debug_return_int(ret);
52	0	}
53
54		/*
55		* Verify that path is the right type and not writable by other users.
56		*/
57		static int
58		sudo_secure_path(const char *path, unsigned int type, uid_t uid, gid_t gid,
59		struct stat *sb)
60	0	{
61	0	int ret = SUDO_PATH_MISSING;
62	0	struct stat stat_buf;
63	0	debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL);
64
65	0	if (sb == NULL)
66	0	sb = &stat_buf;
67
68	0	if (path != NULL && stat(path, sb) == 0)
69	0	ret = sudo_check_secure(sb, type, uid, gid);
70
71	0	debug_return_int(ret);
72	0	}
73
74		/*
75		* Verify that path is a regular file and not writable by other users.
76		* Not currently used.
77		*/
78		int
79		sudo_secure_file_v1(const char path, uid_t uid, gid_t gid, struct stat sb)
80	0	{
81	0	return sudo_secure_path(path, S_IFREG, uid, gid, sb);
82	0	}
83
84		/*
85		* Verify that path is a directory and not writable by other users.
86		*/
87		int
88		sudo_secure_dir_v1(const char path, uid_t uid, gid_t gid, struct stat sb)
89	0	{
90	0	return sudo_secure_path(path, S_IFDIR, uid, gid, sb);
91	0	}
92
93		/*
94		* Verify that fd matches type and not writable by other users.
95		*/
96		int
97		sudo_secure_fd_v1(int fd, unsigned int type, uid_t uid, gid_t gid,
98		struct stat *sb)
99	0	{
100	0	int ret = SUDO_PATH_MISSING;
101	0	debug_decl(sudo_secure_fd, SUDO_DEBUG_UTIL);
102
103	0	if (fd != -1 && fstat(fd, sb) == 0)
104	0	ret = sudo_check_secure(sb, type, uid, gid);
105	0	debug_return_int(ret);
106	0	}
107
108		/*
109		* Open path read-only as long as it is not writable by other users.
110		* Returns an open file descriptor on success, else -1.
111		* Sets error to SUDO_PATH_SECURE on success, and a value < 0 on failure.
112		*/
113		static int
114		sudo_secure_open(const char *path, unsigned int type, uid_t uid, gid_t gid,
115		struct stat sb, int error)
116	0	{
117	0	struct stat stat_buf;
118	0	int fd, flags = O_RDONLY\|O_NONBLOCK;
119	0	debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL);
120
121	0	if (sb == NULL)
122	0	sb = &stat_buf;
123
124	0	if (type == S_IFDIR)
125	0	flags \|= O_DIRECTORY;
126	0	fd = open(path, flags);
127	0	if (fd == -1 \|\| fstat(fd, sb) != 0) {
128	0	if (fd != -1)
129	0	close(fd);
130	0	*error = SUDO_PATH_MISSING;
131	0	debug_return_int(-1);
132	0	}
133
134	0	*error = sudo_check_secure(sb, type, uid, gid);
135	0	if (*error == SUDO_PATH_SECURE) {
136	0	(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
137	0	} else {
138		/* Not secure, caller can check error flag. */
139	0	close(fd);
140	0	fd = -1;
141	0	}
142
143	0	debug_return_int(fd);
144	0	}
145
146		int
147		sudo_secure_open_file_v1(const char *path, uid_t uid, gid_t gid,
148		struct stat sb, int error)
149	0	{
150	0	return sudo_secure_open(path, S_IFREG, uid, gid, sb, error);
151	0	}
152
153		int
154		sudo_secure_open_dir_v1(const char *path, uid_t uid, gid_t gid,
155		struct stat sb, int error)
156	0	{
157	0	return sudo_secure_open(path, S_IFDIR, uid, gid, sb, error);
158	0	}
159
160		/*
161		* Open the first file found in a colon-separated list of paths.
162		* Subsequent files in the path are only attempted if the
163		* previous file does not exist. Errors other than ENOENT are
164		* considered fatal and will stop processing the path.
165		* Sets name based on the last file it tried to open, even on error.
166		*/
167		int
168		sudo_open_conf_path_v1(const char path, char name, size_t namesize,
169		int (fn)(const char , int))
170	0	{
171	0	const char cp, ep, *path_end;
172	0	int fd = -1;
173	0	debug_decl(sudo_open_conf_path, SUDO_DEBUG_UTIL);
174
175	0	path_end = path + strlen(path);
176	0	for (cp = sudo_strsplit(path, path_end, ":", &ep);
177	0	cp != NULL; cp = sudo_strsplit(NULL, path_end, ":", &ep)) {
178
179	0	const size_t len = (size_t)(ep - cp);
180	0	if (len >= namesize) {
181		/* We always set name, even on error. */
182	0	memcpy(name, cp, namesize - 1);
183	0	name[namesize - 1] = '\0';
184	0	errno = ENAMETOOLONG;
185	0	break;
186	0	}
187	0	memcpy(name, cp, len);
188	0	name[len] = '\0';
189
190	0	fd = fn ?
191	0	fn(name, O_RDONLY\|O_NONBLOCK) : open(name, O_RDONLY\|O_NONBLOCK);
192	0	if (fd != -1) {
193	0	(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
194	0	break;
195	0	}
196	0	if (errno != ENOENT)
197	0	break;
198	0	}
199	0	debug_return_int(fd);
200	0	}