X-Git-Url: http://gitweb.michael.orlitzky.com/?a=blobdiff_plain;f=src%2Fapply-default-acl.c;h=3cf3060a115e2be50f75822d13319e5362684a82;hb=f0970d1193ebddbfcd2ba9523a0f956aed2bd4cc;hp=c4d0c3b9b4871094edf9f08a5053c0bf083cf653;hpb=df929bebddb9852c8e50481169e2fd1b5a01faf6;p=apply-default-acl.git

diff --git a/src/apply-default-acl.c b/src/apply-default-acl.c
index c4d0c3b..3cf3060 100644
--- a/src/apply-default-acl.c
+++ b/src/apply-default-acl.c
@@ -14,6 +14,7 @@
 #include <ftw.h>    /* nftw() et al. */
 #include <getopt.h>
 #include <libgen.h> /* basename(), dirname() */
+#include <limits.h> /* PATH_MAX */
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -32,6 +33,145 @@
 #define ACL_FAILURE 0
 #define ACL_SUCCESS 1
 
+/* Even though most other library functions reliably return -1 for
+ * error, it feels a little wrong to re-use the ACL_ERROR constant.
+ */
+#define CLOSE_ERROR -1
+#define NFTW_ERROR -1
+#define OPEN_ERROR -1
+#define SNPRINTF_ERROR -1
+#define STAT_ERROR -1
+
+
+/**
+ * @brief The recursive portion of the @c safe_open function, used to
+ *   open a file descriptor in a symlink-safe way when combined with
+ *   the @c O_NOFOLLOW flag.
+ *
+ * @param at_fd
+ *   A file descriptor relative to which @c pathname will be opened.
+ *
+ * @param pathname
+ *   The path to the file/directory/whatever whose descriptor you want.
+ *
+ * @return a file descriptor for @c pathname if everything goes well,
+ *   and @c OPEN_ERROR if not.
+ */
+int safe_open_ex(int at_fd, char* pathname, int flags) {
+  if (pathname != NULL && strlen(pathname) == 0) {
+    /* Oops, went one level to deep with nothing to do. */
+    return at_fd;
+  }
+
+  char* firstslash = strchr(pathname, '/');
+  if (firstslash == NULL) {
+    /* No more slashes, this is the base case. */
+    int r = openat(at_fd, pathname, flags);
+    return r;
+  }
+
+  /* Temporarily disable the slash, so that the subsequent call to
+     openat() opens only the next directory (and doesn't recurse). */
+   *firstslash = '\0';
+   int fd = safe_open_ex(at_fd, pathname, flags);
+   if (fd == OPEN_ERROR) {
+     if (errno != ELOOP) {
+       /* Don't output anything if we ignore a symlink */
+       perror("safe_open_ex (safe_open_ex)");
+     }
+     return OPEN_ERROR;
+   }
+
+   /* The ++ is safe because there needs to be at least a null byte
+      after the first slash, even if it's the last real character in
+      the string. */
+   int result = safe_open_ex(fd, firstslash+1, flags);
+   if (close(fd) == CLOSE_ERROR) {
+      perror("safe_open_ex (close)");
+      return OPEN_ERROR;
+    }
+   return result;
+}
+
+
+/**
+ * @brief A version of @c open that is completely symlink-safe when
+ *   used with the @c O_NOFOLLOW flag.
+ *
+ * The @c openat function exists to ensure that you can anchor one
+ * path to a particular directory while opening it; however, if you
+ * open "b/c/d" relative to "/a", then even the @c openat function will
+ * still follow symlinks in the "b" component. This can be exploited
+ * by an attacker to make you open the wrong path.
+ *
+ * To avoid that problem, this function uses a recursive
+ * implementation that opens every path from the root, one level at a
+ * time. So "a" is opened relative to "/", and then "b" is opened
+ * relative to "/a", and then "c" is opened relative to "/a/b",
+ * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
+ * that no symlinks in any component are followed.
+ *
+ * @param pathname
+ *   The path to the file/directory/whatever whose descriptor you want.
+ *
+ * @return a file descriptor for @c pathname if everything goes well,
+ *   and @c OPEN_ERROR if not.
+ */
+int safe_open(const char* pathname, int flags) {
+  if (pathname == NULL || strlen(pathname) == 0 || pathname[0] == '\0') {
+    /* error? */
+    return OPEN_ERROR;
+  }
+
+  char abspath[PATH_MAX];
+  int snprintf_result = 0;
+  if (strchr(pathname, '/') == pathname) {
+    /* pathname is already absolute; just copy it. */
+    snprintf_result = snprintf(abspath, PATH_MAX, "%s", pathname);
+  }
+  else {
+    /* Concatenate the current working directory and pathname into an
+     * absolute path. We use realpath() ONLY on the cwd part, and not
+     * on the pathname part, because realpath() resolves symlinks. And
+     * the whole point of all this crap is to avoid following symlinks
+     * in the pathname.
+     *
+     * Using realpath() on the cwd lets us operate on relative paths
+     * while we're sitting in a directory that happens to have a
+     * symlink in it; for example: cd /var/run && apply-default-acl foo.
+     */
+    char* cwd = get_current_dir_name();
+    if (cwd == NULL) {
+      perror("safe_open (get_current_dir_name)");
+      return OPEN_ERROR;
+    }
+
+    char abs_cwd[PATH_MAX];
+    if (realpath(cwd, abs_cwd) == NULL) {
+      perror("safe_open (realpath)");
+      free(cwd);
+      return OPEN_ERROR;
+    }
+    snprintf_result = snprintf(abspath, PATH_MAX, "%s/%s", abs_cwd, pathname);
+    free(cwd);
+  }
+  if (snprintf_result == SNPRINTF_ERROR || snprintf_result > PATH_MAX) {
+    perror("safe_open (snprintf)");
+    return OPEN_ERROR;
+  }
+
+  int fd = open("/", flags);
+  if (strcmp(abspath, "/") == 0) {
+    return fd;
+  }
+
+  int result = safe_open_ex(fd, abspath+1, flags);
+  if (close(fd) == CLOSE_ERROR) {
+    perror("safe_open (close)");
+    return OPEN_ERROR;
+  }
+  return result;
+}
 
 
 
@@ -69,31 +209,6 @@ bool path_accessible(const char* path) {
 
 
 
-/**
- * @brief Determine whether or not the given path is a directory.
- *
- * @param path
- *   The path to test.
- *
- * @return true if @c path is a directory, false otherwise.
- */
-bool is_path_directory(const char* path) {
-  if (path == NULL) {
-    return false;
-  }
-
-  struct stat s;
-  if (lstat(path, &s) == 0) {
-    return S_ISDIR(s.st_mode);
-  }
-  else {
-    return false;
-  }
-}
-
-
-
-
 /**
  * @brief Update (or create) an entry in an @b minimal ACL.
  *
@@ -351,12 +466,15 @@ int acl_execute_masked(acl_t acl) {
  * @param fd
  *   The file descriptor to check.
  *
+ * @param sp
+ *   A pointer to a stat structure for @c fd.
+ *
  * @return
  *   - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
  *   - @c ACL_FAILURE - Nobody can execute @c fd.
  *   - @c ACL_ERROR - Unexpected library error.
  */
-int any_can_execute(int fd) {
+int any_can_execute(int fd, const struct stat* sp) {
   acl_t acl = acl_get_fd(fd);
 
   if (acl == (acl_t)NULL) {
@@ -368,13 +486,7 @@ int any_can_execute(int fd) {
   int result = ACL_FAILURE;
 
   if (acl_is_minimal(acl)) {
-    struct stat s;
-    if (fstat(fd, &s) == -1) {
-      perror("any_can_execute (fstat)");
-      result = ACL_ERROR;
-      goto cleanup;
-    }
-    if (s.st_mode & (S_IXUSR | S_IXOTH | S_IXGRP)) {
+    if (sp->st_mode & (S_IXUSR | S_IXOTH | S_IXGRP)) {
       result = ACL_SUCCESS;
       goto cleanup;
     }
@@ -444,11 +556,10 @@ int any_can_execute(int fd) {
 
 
 /**
- * @brief Set @c acl as the default ACL on @c path if it's a directory.
+ * @brief Set @c acl as the default ACL on @c path.
  *
- * This overwrites any existing default ACL on @c path. If no default
- * ACL exists, then one is created. If @c path is not a directory, we
- * return ACL_FAILURE but no error is raised.
+ * This overwrites any existing default ACL on @c path. If @c path is
+ * not a directory, we return ACL_ERROR and @c errno is set.
  *
  * @param path
  *   The target directory whose ACL we wish to replace or create.
@@ -458,7 +569,6 @@ int any_can_execute(int fd) {
  *
  * @return
  *   - @c ACL_SUCCESS - The default ACL was assigned successfully.
- *   - @c ACL_FAILURE - If @c path is not a directory.
  *   - @c ACL_ERROR - Unexpected library error.
  */
 int assign_default_acl(const char* path, acl_t acl) {
@@ -469,11 +579,7 @@ int assign_default_acl(const char* path, acl_t acl) {
     return ACL_ERROR;
   }
 
-  if (!is_path_directory(path)) {
-    return ACL_FAILURE;
-  }
-
-    /* Our return value; success unless something bad happens. */
+  /* Our return value; success unless something bad happens. */
   int result = ACL_SUCCESS;
   acl_t path_acl = acl_dup(acl);
 
@@ -570,9 +676,8 @@ int apply_default_acl(const char* path,
   /* The file descriptor corresponding to "path" */
   int fd = 0;
 
-  /* Split "path" into base/dirname parts to be used with openat().
-   * We duplicate the strings involved because dirname/basename mangle
-   * their arguments.
+  /* Get the parent directory of "path" with dirname(), which happens
+   * to murder its argument and necessitates a path_copy.
    */
   char* path_copy = strdup(path);
   if (path_copy == NULL) {
@@ -581,8 +686,8 @@ int apply_default_acl(const char* path,
   }
   char* parent = dirname(path_copy);
 
-  fd = open(path, O_NOFOLLOW);
-  if (fd == -1) {
+  fd = safe_open(path, O_NOFOLLOW);
+  if (fd == OPEN_ERROR) {
     if (errno == ELOOP) {
       result = ACL_FAILURE; /* hit a symlink */
       goto cleanup;
@@ -607,7 +712,7 @@ int apply_default_acl(const char* path,
   */
   if (sp == NULL) {
     struct stat s;
-    if (fstat(fd, &s) == -1) {
+    if (fstat(fd, &s) == STAT_ERROR) {
       perror("apply_default_acl (fstat)");
       goto cleanup;
     }
@@ -633,7 +738,7 @@ int apply_default_acl(const char* path,
 
   if (!no_exec_mask) {
     /* Never mask the execute bit on directories. */
-    int ace_result = any_can_execute(fd) || S_ISDIR(sp->st_mode);
+    int ace_result = any_can_execute(fd,sp) || S_ISDIR(sp->st_mode);
 
     if (ace_result == ACL_ERROR) {
       perror("apply_default_acl (any_can_execute)");
@@ -667,8 +772,13 @@ int apply_default_acl(const char* path,
     goto cleanup;
   }
 
-  /* If it's a directory, inherit the parent's default. */
-  if (assign_default_acl(path, defacl) == ACL_ERROR) {
+  /* If it's a directory, inherit the parent's default. We sure hope
+   * that "path" still points to the same thing that "fd" and this
+   * "sp" describe. If not, we may wind up trying to set a default ACL
+   * on a file, and this will throw an error. I guess that's what we
+   * want to do?
+   */
+  if (S_ISDIR(sp->st_mode) && assign_default_acl(path, defacl) == ACL_ERROR) {
     perror("apply_default_acl (assign_default_acl)");
     result = ACL_ERROR;
     goto cleanup;
@@ -763,7 +873,7 @@ int apply_default_acl(const char* path,
   if (defacl != (acl_t)NULL) {
     acl_free(defacl);
   }
-  if (fd >= 0 && close(fd) == -1) {
+  if (fd >= 0 && close(fd) == CLOSE_ERROR) {
     perror("apply_default_acl (close)");
     result = ACL_ERROR;
   }
@@ -866,11 +976,6 @@ int apply_default_acl_nftw_x(const char *target,
  *   we still return @c false.
  */
 bool apply_default_acl_recursive(const char *target, bool no_exec_mask) {
-
-  if (!is_path_directory(target)) {
-    return apply_default_acl(target, NULL, no_exec_mask);
-  }
-
   int max_levels = 256;
   int flags = FTW_PHYS; /* Don't follow links. */
 
@@ -889,11 +994,11 @@ bool apply_default_acl_recursive(const char *target, bool no_exec_mask) {
     return true;
   }
 
-  /* nftw will return -1 on error, or if the supplied function
+  /* nftw will return NFTW_ERROR on error, or if the supplied function
    * (apply_default_acl_nftw) returns a non-zero result, nftw will
    * return that.
    */
-  if (nftw_result == -1) {
+  if (nftw_result == NFTW_ERROR) {
     perror("apply_default_acl_recursive (nftw)");
   }