1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
|
/*
* safefile package http://www.cs.wisc.edu/~kupsch/safefile
*
* Copyright 2007-2008 James A. Kupsch
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <unistd.h>
#include <sys/types.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <limits.h>
#include "safe_id_range_list.h"
#include "safe_is_path_trusted.h"
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
/***********************************************************************
*
* Functions to check the safety of the directory or path
*
***********************************************************************/
/*
* is_mode_trusted
* Returns trustedness of mode
* parameters
* stat_buf
* the result of the stat system call on the entry in question
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
static int is_mode_trusted(struct stat *stat_buf, safe_id_range_list *trusted_uids, safe_id_range_list *trusted_gids)
{
mode_t mode = stat_buf->st_mode;
uid_t uid = stat_buf->st_uid;
gid_t gid = stat_buf->st_gid;
int is_untrusted_uid = (uid != 0 && !safe_is_id_in_list(trusted_uids, uid));
int is_dir = S_ISDIR(mode);
int is_untrusted_group = !safe_is_id_in_list(trusted_gids, gid);
int is_untrusted_group_writable
= is_untrusted_group && (mode & S_IWGRP);
mode_t is_other_writable = (mode & S_IWOTH);
int is_trusted = SAFE_PATH_UNTRUSTED;
if (!(is_untrusted_uid || is_untrusted_group_writable || is_other_writable)) {
int other_read_mask = is_dir ? S_IXOTH : S_IROTH;
mode_t is_other_readable = (mode & other_read_mask);
int group_read_mask = is_dir ? S_IXGRP : S_IRGRP;
int is_untrusted_group_readable = is_untrusted_group && (mode & group_read_mask);
if (is_other_readable || is_untrusted_group_readable) {
is_trusted = SAFE_PATH_TRUSTED;
} else {
is_trusted = SAFE_PATH_TRUSTED_CONFIDENTIAL;
}
} else if (S_ISLNK(mode)) {
is_trusted = SAFE_PATH_TRUSTED;
} else {
int is_sticky_dir = is_dir && (mode & S_ISVTX);
if (is_sticky_dir && !is_untrusted_uid) {
is_trusted = SAFE_PATH_TRUSTED_STICKY_DIR;
}
}
return is_trusted;
}
/* abbreviations to make trust_matrix initialization easier to read */
enum { PATH_U = SAFE_PATH_UNTRUSTED,
PATH_S = SAFE_PATH_TRUSTED_STICKY_DIR,
PATH_T = SAFE_PATH_TRUSTED,
PATH_C = SAFE_PATH_TRUSTED_CONFIDENTIAL
};
/* trust composition table, given the trust of the parent directory and the child
* this is only valid for directories. is_component_in_dir_trusted() modifies it
* slightly for other file system types
*/
static int trust_matrix[][4] = {
/* parent\child | PATH_U PATH_U PATH_U PATH_U */
/* ------ ------------------------------ */
/* PATH_U */ { PATH_U, PATH_U, PATH_U, PATH_U },
/* PATH_S */ { PATH_U, PATH_S, PATH_T, PATH_C },
/* PATH_T */ { PATH_U, PATH_S, PATH_T, PATH_C },
/* PATH_C */ { PATH_U, PATH_S, PATH_T, PATH_C }
};
/*
* is_component_in_dir_trusted
* Returns trustedness of mode. See trust_matrix above, plus if the
* parent directory is a stick bit directory everything that can be
* hard linked (everyting except directories) is SAFE_PATH_UNTRUSTED.
* parameters
* parent_dir_trust
* trust level of parent directory
* child_stat_buf
* the result of the stat system call on the entry in question
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
static int is_component_in_dir_trusted(
int parent_dir_trust,
struct stat *child_stat_buf,
safe_id_range_list *trusted_uids,
safe_id_range_list *trusted_gids
)
{
int child_trust = is_mode_trusted(child_stat_buf, trusted_uids, trusted_gids);
int status = trust_matrix[parent_dir_trust][child_trust];
int is_dir = S_ISDIR(child_stat_buf->st_mode);
if (parent_dir_trust == SAFE_PATH_TRUSTED_STICKY_DIR && !is_dir) {
/* anything in a sticky bit directory is untrusted, except a directory */
status = SAFE_PATH_UNTRUSTED;
}
return status;
}
/*
* is_current_working_directory_trusted
* Returns the trustedness of the current working directory. If any
* directory from here to the root is untrusted the path is untrusted,
* otherwise it returns the trustedness of the current working directory.
*
* This function is not thread safe if other threads depend on the value
* of the current working directory as it changes the current working
* directory while checking the path and restores it on exit.
* parameters
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* <0 on error
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
static int is_current_working_directory_trusted(safe_id_range_list *trusted_uids, safe_id_range_list *trusted_gids)
{
int saved_dir = -1;
int parent_dir_fd = -1;
int r;
int status = SAFE_PATH_UNTRUSTED; /* trust of cwd or error value */
int cur_status; /* trust of current directory being checked */
struct stat cur_stat;
struct stat prev_stat;
int not_at_root;
/* save the cwd, so it can be restored */
saved_dir = open(".", O_RDONLY);
if (saved_dir == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
r = fstat(saved_dir, &cur_stat);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
/* Walk the directory tree, from the directory given to the root.
*
* If there is a directory that is_trusted_mode returns SAFE_PATH_UNTRUSTED
* exit immediately with that value
*
* Assumes no hard links to directories.
*/
do {
cur_status = is_mode_trusted(&cur_stat, trusted_uids, trusted_gids);
if (status == SAFE_PATH_UNTRUSTED) {
/* this is true only the first time through the loop (the cwd).
* The return result is the value of the cwd.
*/
status = cur_status;
}
if (cur_status == SAFE_PATH_UNTRUSTED) {
/* untrusted directory persmissions */
status = SAFE_PATH_UNTRUSTED;
goto restore_dir_and_exit;
}
prev_stat = cur_stat;
/* get handle to parent directory */
parent_dir_fd = open("..", O_RDONLY);
if (parent_dir_fd == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
/* get the parent directory stat buffer */
r = fstat(parent_dir_fd, &cur_stat);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
/* check if we are at the root directory */
not_at_root = cur_stat.st_dev != prev_stat.st_dev || cur_stat.st_ino != prev_stat.st_ino;
if (not_at_root) {
/* not at root, change directory to parent */
r = fchdir(parent_dir_fd);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
}
/* done with parent directory handle, close it */
r = close(parent_dir_fd);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
parent_dir_fd = -1;
} while (not_at_root);
restore_dir_and_exit:
/* restore the old working directory & close open file descriptors if needed
* and return value
*/
if (saved_dir != -1) {
r = fchdir(saved_dir);
if (r == -1) {
status = SAFE_PATH_ERROR;
}
r = close(saved_dir);
if (r == -1) {
status = SAFE_PATH_ERROR;
}
}
if (parent_dir_fd != -1) {
r = close(parent_dir_fd);
if (r == -1) {
status = SAFE_PATH_ERROR;
}
}
return status;
}
/*
* is_current_working_directory_trusted_r
* Returns the trustedness of the current working directory. If any
* directory from here to the root is untrusted the path is untrusted,
* otherwise it returns the trustedness of the current working directory.
* parameters
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* <0 on error
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
static int is_current_working_directory_trusted_r(safe_id_range_list *trusted_uids, safe_id_range_list *trusted_gids)
{
int r;
int status = SAFE_PATH_UNTRUSTED; /* trust of cwd or error value */
int cur_status; /* trust of current directory being checked */
struct stat cur_stat;
struct stat prev_stat;
int not_at_root;
char path[PATH_MAX] = ".";
char *path_end = &path[0];
r = lstat(path, &cur_stat);
if (r == -1) {
return SAFE_PATH_ERROR;
}
/* Walk the directory tree, from the directory given to the root.
*
* If there is a directory that is_trusted_mode returns SAFE_PATH_UNTRUSTED
* exit immediately with that value
*
* Assumes no hard links to directories.
*/
do {
cur_status = is_mode_trusted(&cur_stat, trusted_uids, trusted_gids);
if (status == SAFE_PATH_UNTRUSTED) {
/* this is true only the first time through the loop (the cwd).
* The return result is the value of the cwd.
*/
status = cur_status;
}
if (cur_status == SAFE_PATH_UNTRUSTED) {
/* untrusted directory persmissions */
return SAFE_PATH_UNTRUSTED;
}
prev_stat = cur_stat;
if (path_end != path) {
/* if not the first time through, append a directory separator */
if ((size_t)(path_end - path + 1) > sizeof(path)) {
errno = ENAMETOOLONG;
return SAFE_PATH_ERROR;
}
*path_end++ = '/';
*path_end = '\0';
}
/* append a parent directory, .. */
if ((size_t)(path_end - path + 1) > sizeof(path)) {
errno = ENAMETOOLONG;
return SAFE_PATH_ERROR;
}
*path_end++ = '.';
*path_end++ = '.';
*path_end = '\0';
/* get the parent directory stat buffer */
r = lstat(path, &cur_stat);
if (r == -1) {
return SAFE_PATH_ERROR;
}
/* check if we are at the root directory */
not_at_root = cur_stat.st_dev != prev_stat.st_dev || cur_stat.st_ino != prev_stat.st_ino;
} while (not_at_root);
return status;
}
#ifdef SYMLOOP_MAX
#define MAX_SYMLINK_DEPTH SYMLOOP_MAX
#else
#define MAX_SYMLINK_DEPTH 32
#endif
typedef struct dir_stack {
struct dir_path {
char *original_ptr;
char *cur_position;
} stack[MAX_SYMLINK_DEPTH];
int count;
} dir_stack;
/*
* init_dir_stack
* Initialize a dir_stack data structure
* parameters
* stack
* pointer to a dir_stack to initialize
* returns
* Nothing
*/
static void init_dir_stack(dir_stack* stack)
{
stack->count = 0;
}
/*
* destroy_dir_stack
* Destroy a dir_stack data structure, free's unfreed paths that have
* been pushed onto the stack
* parameters
* stack
* pointer to a dir_stack to destroy
* returns
* Nothing
*/
static void destroy_dir_stack(dir_stack* stack)
{
while (stack->count > 0) {
free(stack->stack[--stack->count].original_ptr);
}
}
/*
* push_path_on_stack
* Pushes a copy of the path onto the directory stack
* parameters
* stack
* pointer to a dir_stack to get pushed
* path
* path to push on the stack. A copy is made.
* returns
* 0 on sucess
* <0 on error (if the stack if contains MAX_SYMLINK_DEPTH directories
* errno = ELOOP for detecting symbolic link loops
*/
static int push_path_on_stack(dir_stack* stack, const char* path)
{
char *new_path;
if (stack->count >= MAX_SYMLINK_DEPTH) {
/* return potential symbolic link loop */
errno = ELOOP;
return -1;
}
new_path = strdup(path);
if (new_path == NULL) {
return -1;
}
stack->stack[stack->count].original_ptr = new_path;
stack->stack[stack->count].cur_position = new_path;
++stack->count;
return 0;
}
/*
* get_next_component
* Returns the next directory component that was pushed on the stack.
* This value is always a local entry in the current directory (contains
* no "/"), unless this is the first call to get_next_component after
* an absolute path name was pushed on the stack, in which case the root
* directory path ("/") is returned.
*
* The pointer to path is valid until the next call to get_next_component,
* or destroy_dir_stack is called. The dir_stack owns the memory pointed
* by *path.
* parameters
* stack
* pointer to a dir_stack to get the next component
* path
* pointer to a pointer to store the next component
* returns
* 0 on sucess
* <0 on stack empty
*/
static int get_next_component(dir_stack* stack, const char **path)
{
while (stack->count > 0) {
if (!*stack->stack[stack->count - 1].cur_position) {
/* current top is now empty, delete it, and try again */
--stack->count;
free(stack->stack[stack->count].original_ptr);
} else {
/* get beginning of the path */
char *cur_path = stack->stack[stack->count - 1].cur_position;
/* find the end */
char *dir_sep_pos = strchr(cur_path, '/');
*path = cur_path;
if (dir_sep_pos) {
if (dir_sep_pos == stack->stack[stack->count - 1].original_ptr) {
/* at the beginning of an absolute path, return root directory */
*path = "/";
} else {
/* terminate the path returned just after the end of the component */
*dir_sep_pos = '\0';
}
/* set the pointer for the next call */
stack->stack[stack->count - 1].cur_position = dir_sep_pos + 1;
} else {
/* at the last component, set the pointer to the end of the string */
stack->stack[stack->count - 1].cur_position += strlen(cur_path);
}
/* return success */
return 0;
}
}
/* return stack was empty */
return -1;
}
/*
* is_stack_empty
* Returns true if the stack is empty, false otherwise.
* parameters
* stack
* pointer to a dir_stack to get the next component
* returns
* 0 if stack is not empty
* 1 is stack is empty
*/
static int is_stack_empty(dir_stack* stack)
{
/* since the empty items are not removed until the next call to
* get_next_component(), we need to check all the items on the stack
* and if any of them are not empty, return false, otherwise it truely
* is empty.
*/
int cur_head = stack->count - 1;
while (cur_head >= 0) {
if (*stack->stack[cur_head--].cur_position != '\0') {
return 0;
}
}
return 1;
}
/*
* safe_is_path_trusted
*
* Returns the trustedness of the path.
*
* If the path is relative the path from the current working directory to
* the root must be trusted as defined in
* is_current_working_directory_trusted().
*
* This checks directory entry by directory entry for trustedness,
* following symbolic links as discovered. Non-directory entries in a
* sticky bit directory are not trusted as untrusted users could have
* hard linked an old file at that name.
*
* SAFE_PATH_UNTRUSTED is returned if the path is not trusted somewhere.
* SAFE_PATH_TRUSTED_STICKY_DIR is returned if the path is trusted but ends
* in a stick bit directory. This path should only be used to
* make a true temporaray file (opened using mkstemp(), and
* the pathname returned never used again except to remove the
* file in the same process), or to create a directory.
* SAFE_PATH_TRUSTED is returned only if the path given always referes to
* the same object and the object referred can not be modified.
* SAFE_PATH_TRUSTED_CONFIDENTIAL is returned if the path is
* SAFE_PATH_TRUSTED and the object referred to can not be read by
* untrusted users. This assumes the permissions on the object
* were always strong enough to return this during the life of the
* object. This confidentiality is only based on the the actual
* object, not the containing directories (for example a file with
* weak permissions in a confidential directory is not
* confidential).
*
* This function is not thread safe if other threads depend on the value
* of the current working directory as it changes the current working
* directory while checking the path and restores it on exit.
* parameters
* pathname
* name of path to check
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* <0 on error
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
int safe_is_path_trusted(const char *pathname, safe_id_range_list *trusted_uids, safe_id_range_list *trusted_gids)
{
int r;
int status = SAFE_PATH_UNTRUSTED;
int previous_status;
int num_tries;
int saved_dir;
dir_stack paths;
const char *path;
if (!pathname || !trusted_uids || !trusted_gids) {
errno = EINVAL;
return SAFE_PATH_ERROR;
}
init_dir_stack(&paths);
saved_dir = open(".", O_RDONLY);
if (saved_dir == -1) {
goto restore_dir_and_exit;
}
/*
* If the path is relative, check that the current working directory is a
* trusted file system object. If it is not then the path is not trusted
*/
if (*pathname != '/') {
/* relative path */
status = is_current_working_directory_trusted(trusted_uids, trusted_gids);
if (status <= SAFE_PATH_UNTRUSTED) {
/* an error or untrusted current working directory */
goto restore_dir_and_exit;
}
}
/* start the stack with the pathname given */
if (push_path_on_stack(&paths, pathname)) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
while (!get_next_component(&paths, &path)) {
struct stat stat_buf;
mode_t m;
int prev_status;
if (*path == '\0' || !strcmp(path, ".")) {
/* current directory, already checked */
continue;
}
if (!strcmp(path, "/")) {
/* restarting at root, trust what is above root */
status = SAFE_PATH_TRUSTED;
}
prev_status = status;
/*
* At this point if the directory component is '..', then the status
* should be set to be that of the grandparent directory, '../..',
* for the code below to work, which would require either recomputing
* the value, or keeping a cache of the value (which could then be used
* to get the trust level of '..' directly).
*
* This is not necessary at this point in the processing as we know that
* 1) '..' is a directory
* 2) '../..' trust was not SAFE_PATH_UNTRUSTED
* 3) the current trust level (status) is not SAFE_PATH_UNTRUSTED
* 4) the trust matrix rows are the same, when the parent is not
* SAFE_PATH_UNTRUSTED
* So not chnaging status will still result in the correct value
*
* WARNING: If any of these assumptions change, this will need to change.
*/
previous_status = status;
num_tries = 0;
try_lstat_again:
if (++num_tries > SAFE_IS_PATH_TRUSTED_RETRY_MAX) {
/* let the user decide what to do */
status = SAFE_PATH_ERROR;
errno = EAGAIN;
goto restore_dir_and_exit;
}
/* check the next component in the path */
r = lstat(path, &stat_buf);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
/* compute the new trust, from the parent trust and the current directory */
status = is_component_in_dir_trusted(status, &stat_buf, trusted_uids, trusted_gids);
if (status <= SAFE_PATH_UNTRUSTED) {
goto restore_dir_and_exit;
}
m = stat_buf.st_mode;
if (S_ISLNK(m)) {
/* symbolic link found */
size_t link_path_len = (size_t)stat_buf.st_size;
int readlink_len;
char *link_path = 0;
link_path = (char*)malloc(link_path_len + 1);
if (link_path == 0) {
status = SAFE_PATH_ERROR;
errno = ENOMEM;
goto restore_dir_and_exit;
}
/* Get the link's referent. readlink does not null terminate.
* Let it read one more than the size it is supposed to be to
* detect truncation.
*/
readlink_len = readlink(path, link_path, link_path_len + 1);
if (readlink_len == -1) {
free(link_path);
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
/* check for truncation of value */
if ((size_t)readlink_len > link_path_len) {
free(link_path);
status = previous_status;
goto try_lstat_again;
}
/* null terminate referent from readlink */
link_path[readlink_len] = '\0';
/* add the path of the referent to the stack */
if (push_path_on_stack(&paths, link_path)) {
free(link_path);
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
/* restore value to that of containing directory */
status = prev_status;
free(link_path);
continue;
} else if (!is_stack_empty(&paths)) {
/* more components remaining, change directory
* it is not a sym link, so it must be a directory, or an error
*/
r = chdir(path);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto restore_dir_and_exit;
}
}
}
restore_dir_and_exit:
/* restore original directory if needed and return value */
destroy_dir_stack(&paths);
if (saved_dir != -1) {
r = fchdir(saved_dir);
if (r == -1) {
status = SAFE_PATH_ERROR;
}
r = close(saved_dir);
if (r == -1) {
status = SAFE_PATH_ERROR;
}
}
return status;
}
/*
* safe_is_path_trusted_fork
*
* Returns the trustedness of the path.
*
* This functino is thread/signal handler safe in that it does not change
* the current working directory. It does fork the process to return do
* the check, which changes the new process's current working directory as
* it does the checks by calling safe_is_path_trusted().
*
* If the path is relative the path from the current working directory to
* the root must be trusted as defined in
* is_current_working_directory_trusted().
*
* This checks directory entry by directory entry for trustedness,
* following symbolic links as discovered. Non-directory entries in a
* sticky bit directory are not trusted as untrusted users could have
* hard linked an old file at that name.
*
* SAFE_PATH_UNTRUSTED is returned if the path is not trusted somewhere.
* SAFE_PATH_TRUSTED_STICKY_DIR is returned if the path is trusted but ends
* in a stick bit directory. This path should only be used to
* make a true temporaray file (opened using mkstemp(), and
* the pathname returned never used again except to remove the
* file in the same process), or to create a directory.
* SAFE_PATH_TRUSTED is returned only if the path given always referes to
* the same object and the object referred can not be modified.
* SAFE_PATH_TRUSTED_CONFIDENTIAL is returned if the path is
* SAFE_PATH_TRUSTED and the object referred to can not be read by
* untrusted users. This assumes the permissions on the object
* were always strong enough to return this during the life of the
* object. This confidentiality is only based on the the actual
* object, not the containing directories (for example a file with
* weak permissions in a confidential directory is not
* confidential).
*
* parameters
* pathname
* name of path to check
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* <0 on error
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
int safe_is_path_trusted_fork(const char *pathname, safe_id_range_list *trusted_uids, safe_id_range_list *trusted_gids)
{
int r;
int status = 0;
pid_t pid;
int fd[2];
sigset_t no_sigchld_mask;
sigset_t save_mask;
sigset_t all_signals_mask;
struct result_struct {
int status;
int err;
};
struct result_struct result;
if (!pathname || !trusted_uids || !trusted_gids) {
errno = EINVAL;
return SAFE_PATH_ERROR;
}
/* create a mask to block all signals */
r = sigfillset(&all_signals_mask);
if (r < 0) {
return SAFE_PATH_ERROR;
}
/* set no_sigchld_mask to current mask with SIGCHLD */
#ifdef HAVE_PTHREAD_SIGMASK
r = pthread_sigmask(SIG_BLOCK, NULL, &no_sigchld_mask);
#else
r = sigprocmask(SIG_BLOCK, NULL, &no_sigchld_mask);
#endif
if (r < 0) {
return SAFE_PATH_ERROR;
}
r = sigaddset(&no_sigchld_mask, SIGCHLD);
if (r < 0) {
return SAFE_PATH_ERROR;
}
/* block all signals to prevent a signal handler from running in our
* child */
#ifdef HAVE_PTHREAD_SIGMASK
r = pthread_sigmask(SIG_SETMASK, &all_signals_mask, &save_mask);
#else
r = sigprocmask(SIG_SETMASK, &all_signals_mask, &save_mask);
#endif
if (r < 0) {
return SAFE_PATH_ERROR;
}
/* create a pipe to communicate the results back */
r = pipe(fd);
if (r < 0) {
goto restore_mask_and_exit;
}
pid = fork();
if (pid < 0) {
status = SAFE_PATH_ERROR;
goto restore_mask_and_exit;
} else if (pid == 0) {
/* in the child process
*
* SIGPIPE should be set to SIG_IGN if signal handling is ever
* unblocked in the child, so the child is not killed by SIGPIPE if the
* parent exits before the write. Since all signals are blocked in the
* child and only the child writes to the pipe, it is ok.
*/
char *buf = (char*)&result;
ssize_t bytes_to_send = sizeof result;
/* close the read end of the pipe */
r = close(fd[0]);
result.status = safe_is_path_trusted(pathname, trusted_uids, trusted_gids);
result.err = errno;
/* send the result and errno back, handle EINTR and partial writes */
while (bytes_to_send > 0) {
ssize_t bytes_sent = write(fd[1], buf, (size_t)bytes_to_send);
if (bytes_sent != bytes_to_send && errno != EINTR) {
status = SAFE_PATH_ERROR;
break;
} else if (bytes_sent > 0) {
buf += bytes_sent;
bytes_to_send -= bytes_sent;
}
}
r = close(fd[1]);
if (r < 0) {
status = SAFE_PATH_ERROR;
}
/* do not do any cleanup (atexit, etc) leave it to the parent */
_exit(status);
} else {
/* in the parent process */
char *buf = (char*)&result;
ssize_t bytes_to_read = sizeof result;
int child_status;
/* allow all signals except SIGCHLD from being sent,
* so the application does not see our child die */
#ifdef HAVE_PTHREAD_SIGMASK
r = pthread_sigmask(SIG_SETMASK, &no_sigchld_mask, NULL);
#else
r = sigprocmask(SIG_SETMASK, &no_sigchld_mask, NULL);
#endif
if (r < 0) {
status = SAFE_PATH_ERROR;
}
/* close the write end of the pipe */
r = close(fd[1]);
if (r < 0) {
status = SAFE_PATH_ERROR;
}
result.err = 0;
/* read the result and errno, handle EINTR and partial reads */
while (status != SAFE_PATH_ERROR && bytes_to_read > 0) {
ssize_t bytes_read = read(fd[0], buf, (size_t)bytes_to_read);
if (bytes_read != bytes_to_read && errno != EINTR) {
status = SAFE_PATH_ERROR;
} else if (bytes_read > 0) {
buf += bytes_read;
bytes_to_read -= bytes_read;
} else if (bytes_read == 0) {
/* EOF - pipe was closed before all the data was written */
status = SAFE_PATH_ERROR;
}
}
if (status == 0) {
/* successfully got result and errno from child set them */
status = result.status;
errno = result.err;
}
r = close(fd[0]);
if (r < 0) {
status = SAFE_PATH_ERROR;
}
while (waitpid(pid, &child_status, 0) < 0) {
if (errno != EINTR) {
status = SAFE_PATH_ERROR;
goto restore_mask_and_exit;
}
}
if (!WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) {
status = SAFE_PATH_ERROR;
}
}
restore_mask_and_exit:
#ifdef HAVE_PTHREAD_SIGMASK
r = pthread_sigmask(SIG_SETMASK, &save_mask, NULL);
#else
r = sigprocmask(SIG_SETMASK, &save_mask, NULL);
#endif
if (r < 0) {
status = r;
}
return status;
}
/*
* append_dir_entry_to_path
*
* Creates a new path that starts in "path" and moves to "name". Path are
* name are both assumed to contain no symbolic links.
*
* If name is "/", path is set to "/". If name is "" or ".", path is
* unchanged. If name is "..", the last component of path is removed if
* it exists and is not "", ".", or "..". Otherwise, "/name" is appended
* to the path. If path exceed the path buffer, ENAMETOOLONG is returned
* and path is left unchanged.
*
* parameters
* path
* a pointer to the beginning of the path buffer, that is the
* current directory to which name is relative. Path contains no
* symbolic links.
* path_end
* a pointer to a pointer to the current end of the path. Updated
* to reflect the new end of path on success.
* buf_end
* a pointer to one past the end of the path buffer
* name
* the new path component to traverse relative to path. It is
* assumed to be a single directory name (no directory separators,
* "/", in name), or the root directory "/"; and the name is not
* a symbolic link.
* returns
* 0 on success
* -1 on error
*/
static int append_dir_entry_to_path(char *path, char **path_end, char *buf_end, const char *name)
{
char *old_path_end = *path_end;
if (*name == '\0' || !strcmp(name, ".")) {
/* current working directory name, skip */
return 0;
}
if (!strcmp(name, "/")) {
/* reset the path, if name is the root directory */
*path_end = path;
}
if (!strcmp(name, "..")) {
/* if path is empty, skip and append ".." later */
if (path != *path_end) {
/* find the beginning of the last component */
char *last_comp = *path_end;
while (last_comp > path && last_comp[-1] != '/') {
--last_comp;
}
if (strcmp(last_comp, "") && strcmp(last_comp, ".") && strcmp(last_comp, "..")) {
/* if not current or parent directory, remove component */
*path_end = last_comp;
if (last_comp > path) {
--*path_end;
}
**path_end = '\0';
}
return 0;
}
}
if (*path_end != path && (*path_end)[-1] != '/') {
if (*path_end + 1 >= buf_end) {
errno = ENAMETOOLONG;
return -1;
}
*(*path_end)++ = '/';
*(*path_end) = '\0';
}
/* copy component name to the end, except null */
while (*path_end < buf_end && *name) {
*(*path_end)++ = *name++;
}
if (*name) {
/* not enough room for path, return error */
errno = ENAMETOOLONG;
*old_path_end = '\0';
return -1;
}
/* null terminate the path */
**path_end = '\0';
return 0;
}
/*
* safe_is_path_trusted_r
*
* Returns the trustedness of the path.
*
* If the path is relative the path from the current working directory to
* the root must be trusted as defined in
* is_current_working_directory_trusted().
*
* This checks directory entry by directory entry for trustedness,
* following symbolic links as discovered. Non-directory entries in a
* sticky bit directory are not trusted as untrusted users could have
* hard linked an old file at that name.
*
* SAFE_PATH_UNTRUSTED is returned if the path is not trusted somewhere.
* SAFE_PATH_TRUSTED_STICKY_DIR is returned if the path is trusted but ends
* in a stick bit directory. This path should only be used to
* make a true temporaray file (opened using mkstemp(), and
* the pathname returned never used again except to remove the
* file in the same process), or to create a directory.
* SAFE_PATH_TRUSTED is returned only if the path given always referes to
* the same object and the object referred can not be modified.
* SAFE_PATH_TRUSTED_CONFIDENTIAL is returned if the path is
* SAFE_PATH_TRUSTED and the object referred to can not be read by
* untrusted users. This assumes the permissions on the object
* were always strong enough to return this during the life of the
* object. This confidentiality is only based on the the actual
* object, not the containing directories (for example a file with
* weak permissions in a confidential directory is not
* confidential).
* parameters
* pathname
* name of path to check
* safe_uids
* list of safe user ids
* safe_gids
* list of safe group ids
* returns
* <0 on error
* 0 SAFE_PATH_UNTRUSTED
* 1 SAFE_PATH_TRUSTED_STICKY_DIR
* 2 SAFE_PATH_TRUSTED
* 3 SAFE_PATH_TRUSTED_CONFIDENTIAL
*/
int safe_is_path_trusted_r(const char *pathname, safe_id_range_list *trusted_uids, safe_id_range_list *trusted_gids)
{
int r;
int status = SAFE_PATH_UNTRUSTED;
int previous_status;
int num_tries;
dir_stack paths;
const char *comp_name;
char path[PATH_MAX];
char *path_end = path;
char *prev_path_end;
if (!pathname || !trusted_uids || !trusted_gids) {
errno = EINVAL;
return SAFE_PATH_ERROR;
}
init_dir_stack(&paths);
if (*pathname != '/') {
/* relative path */
status = is_current_working_directory_trusted_r(trusted_uids, trusted_gids);
if (status <= SAFE_PATH_UNTRUSTED) {
/* an error or untrusted current working directory */
goto cleanup_and_exit;
}
}
/* start the stack with the pathname given */
if (push_path_on_stack(&paths, pathname)) {
status = SAFE_PATH_ERROR;
goto cleanup_and_exit;
}
while (!get_next_component(&paths, &comp_name)) {
struct stat stat_buf;
mode_t m;
int prev_status;
if (*comp_name == '\0' || !strcmp(comp_name, ".")) {
/* current directory, already checked */
continue;
}
if (!strcmp(comp_name, "/")) {
/* restarting at root, trust what is above root */
status = SAFE_PATH_TRUSTED;
}
prev_path_end = path_end;
prev_status = status;
r = append_dir_entry_to_path(path, &path_end, path + sizeof(path), comp_name);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto cleanup_and_exit;
}
/*
* At this point if the directory component is '..', then the status
* should be set to be that of the grandparent directory, '../..',
* for the code below to work, which would require either recomputing
* the value, or keeping a cache of the value (which could then be used
* to get the trust level of '..' directly).
*
* This is not necessary at this point in the processing as we know that
* 1) '..' is a directory
* 2) '../..' trust was not SAFE_PATH_UNTRUSTED
* 3) the current trust level (status) is not SAFE_PATH_UNTRUSTED
* 4) the trust matrix rows are the same, when the parent is not
* SAFE_PATH_UNTRUSTED
* So not chnaging status will still result in the correct value
*
* WARNING: If any of these assumptions change, this will need to change.
*/
previous_status = status;
num_tries = 0;
try_lstat_again:
if (++num_tries > SAFE_IS_PATH_TRUSTED_RETRY_MAX) {
/* let the user decide what to do */
status = SAFE_PATH_ERROR;
errno = EAGAIN;
goto cleanup_and_exit;
}
/* check the next component in the path */
r = lstat(path, &stat_buf);
if (r == -1) {
status = SAFE_PATH_ERROR;
goto cleanup_and_exit;
}
/* compute the new trust, from the parent trust and the current directory */
status = is_component_in_dir_trusted(status, &stat_buf, trusted_uids, trusted_gids);
if (status <= SAFE_PATH_UNTRUSTED) {
goto cleanup_and_exit;
}
m = stat_buf.st_mode;
if (S_ISLNK(m)) {
/* symbolic link found */
size_t link_path_len = (size_t)stat_buf.st_size;
int readlink_len;
char *link_path = (char*)malloc(link_path_len + 1);
if (link_path == 0) {
status = SAFE_PATH_ERROR;
errno = ENOMEM;
goto cleanup_and_exit;
}
/* Get the link's referent. readlink does not null terminate.
* Let it read on emore that the size it is supposed to be to
* detect truncation.
*/
readlink_len = readlink(path, link_path, link_path_len + 1);
if (readlink_len == -1) {
free(link_path);
status = SAFE_PATH_ERROR;
goto cleanup_and_exit;
}
if ((size_t)readlink_len > link_path_len) {
free(link_path);
status = previous_status;
goto try_lstat_again;
}
/* null terminate referent from readlink */
link_path[readlink_len] = '\0';
/* add path to the stack */
if (push_path_on_stack(&paths, link_path)) {
free(link_path);
status = SAFE_PATH_ERROR;
goto cleanup_and_exit;
}
free(link_path);
/* restore values to the containing directory */
status = prev_status;
path_end = prev_path_end;
*path_end = '\0';
} else {
if (!is_stack_empty(&paths) && !S_ISDIR(stat_buf.st_mode)) {
status = SAFE_PATH_ERROR;
errno = ENOTDIR;
goto cleanup_and_exit;
}
}
}
cleanup_and_exit:
/* restore original directory if needed and return value */
destroy_dir_stack(&paths);
/* if this algorithm failed because the pathname was too long,
* try the fork version on the same pathname as it can handle all valid paths
*/
if (status == SAFE_PATH_ERROR && errno == ENAMETOOLONG) {
status = safe_is_path_trusted_fork(pathname, trusted_uids, trusted_gids);
}
return status;
}
|
