From dd7f348fc2e98fd7b6e2b329441aeb428fc424f3 Mon Sep 17 00:00:00 2001 From: Benno Schulenberg Date: Sun, 28 Apr 2024 10:51:52 +0200 Subject: files: run `chmod` and `chown` on the descriptor, not on the filename This closes a window of opportunity where the emergency file could be replaced by a malicious symlink. The issue was reported by `MartinJM` and `InvisibleMeerkat`. Problem existed since version 2.2.0, commit 123110c5, when chmodding and chowning of the emergency .save file was added. --- src/definitions.h | 2 +- src/files.c | 13 ++++++++++++- src/nano.c | 12 +----------- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/src/definitions.h b/src/definitions.h index b79a6218..4889ab03 100644 --- a/src/definitions.h +++ b/src/definitions.h @@ -141,7 +141,7 @@ typedef enum { } message_type; typedef enum { - OVERWRITE, APPEND, PREPEND + OVERWRITE, APPEND, PREPEND, EMERGENCY } kind_of_writing_type; typedef enum { diff --git a/src/files.c b/src/files.c index ab9957c9..53e148d1 100644 --- a/src/files.c +++ b/src/files.c @@ -1732,6 +1732,8 @@ bool write_file(const char *name, FILE *thefile, bool tmp, #endif char *realname = real_dir_from_tilde(name); /* The filename after tilde expansion. */ + int fd = 0; + /* The descriptor that is assigned when opening the file. */ char *tempname = NULL; /* The name of the temporary file we use when prepending. */ linestruct *line = openfile->filetop; @@ -1810,7 +1812,6 @@ bool write_file(const char *name, FILE *thefile, bool tmp, * For an emergency file, access is restricted to just the owner. */ if (thefile == NULL) { mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL); - int fd; #ifndef NANO_TINY block_sigwinch(TRUE); @@ -1937,6 +1938,16 @@ bool write_file(const char *name, FILE *thefile, bool tmp, } #endif +#ifndef NANO_TINY + /* Change permissions and owner of an emergency save file to the values + * of the original file, but ignore any failure as we are in a hurry. */ + if (method == EMERGENCY && fd && openfile->statinfo) { + IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode)); + IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid, + openfile->statinfo->st_gid)); + } +#endif + if (fclose(thefile) != 0) { statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno)); goto cleanup_and_exit; diff --git a/src/nano.c b/src/nano.c index 521c4a03..76f0f879 100644 --- a/src/nano.c +++ b/src/nano.c @@ -328,7 +328,7 @@ void emergency_save(const char *plainname) targetname = get_next_filename(plainname, ".save"); if (*targetname != '\0') - failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE); + failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE); if (!failed) fprintf(stderr, _("\nBuffer written to %s\n"), targetname); @@ -338,16 +338,6 @@ void emergency_save(const char *plainname) else fprintf(stderr, _("\nToo many .save files")); -#ifndef NANO_TINY - /* Try to chmod/chown the saved file to the values of the original file, - * but ignore any failure as we are in a hurry to get out. */ - if (openfile->statinfo) { - IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode)); - IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid, - openfile->statinfo->st_gid)); - } -#endif - free(targetname); } -- 2.30.2