X-Git-Url: http://gitweb.michael.orlitzky.com/?a=blobdiff_plain;f=src%2Fapply-default-acl.c;h=a4961957b7487fa10591f87e93ee54f41d3d2d31;hb=f0c1a9ee7c7a6acbfc0c4270f9167022504a6a45;hp=0c43af7d975088c06019c8a44e69b66f14cdf63a;hpb=a605ae954b9b9c378d6a0b21058f4b4b410f8ab7;p=apply-default-acl.git diff --git a/src/apply-default-acl.c b/src/apply-default-acl.c index 0c43af7..a496195 100644 --- a/src/apply-default-acl.c +++ b/src/apply-default-acl.c @@ -51,19 +51,44 @@ mode_t get_mode(const char* path) { } struct stat s; - int result = stat(path, &s); + int result = lstat(path, &s); if (result == 0) { return s.st_mode; } else { - /* errno will be set already by stat() */ + /* errno will be set already by lstat() */ return result; } } +/** + * @brief Determine if the given path might refer to an (unsafe) hard link. + * + * @param path + * The path to test. + * + * @return true if we are certain that @c path does not refer to a hard + * link, and false otherwise. In case of error, false is returned, + * because we are not sure that @c path is not a hard link. + */ +bool is_hardlink_safe(const char* path) { + if (path == NULL) { + return false; + } + struct stat s; + int result = lstat(path, &s); + if (result == 0) { + return (s.st_nlink == 1 || S_ISDIR(s.st_mode)); + } + else { + return false; + } +} + + /** * @brief Determine whether or not the given path is a regular file. * @@ -78,7 +103,7 @@ bool is_regular_file(const char* path) { } struct stat s; - int result = stat(path, &s); + int result = lstat(path, &s); if (result == 0) { return S_ISREG(s.st_mode); } @@ -139,7 +164,7 @@ bool is_directory(const char* path) { } struct stat s; - int result = stat(path, &s); + int result = lstat(path, &s); if (result == 0) { return S_ISDIR(s.st_mode); } @@ -531,59 +556,49 @@ int any_can_execute_or_dir(const char* path) { /** - * @brief Inherit the default ACL from @c parent to @c path. - * - * The @c parent parameter does not necessarily need to be the parent - * of @c path, although that will usually be the case. This overwrites - * any existing default ACL on @c path. + * @brief Set @c acl as the default ACL on @c path if it's a directory. * - * @param parent - * The parent directory whose ACL we want to inherit. + * This overwrites any existing default ACL on @c path. If no default + * ACL exists, then one is created. If @c path is not a directory, we + * return ACL_FAILURE but no error is raised. * * @param path - * The target directory whose ACL we wish to overwrite (or create). + * The target directory whose ACL we wish to replace or create. + * + * @param acl + * The ACL to set as default on @c path. * * @return - * - @c ACL_SUCCESS - The default ACL was inherited successfully. - * - @c ACL_FAILURE - Either @c parent or @c path is not a directory. + * - @c ACL_SUCCESS - The default ACL was assigned successfully. + * - @c ACL_FAILURE - If @c path is not a directory. * - @c ACL_ERROR - Unexpected library error. */ -int inherit_default_acl(const char* path, const char* parent) { - - /* Our return value. */ - int result = ACL_SUCCESS; +int assign_default_acl(const char* path, acl_t acl) { if (path == NULL) { errno = ENOENT; return ACL_ERROR; } - if (!is_directory(path) || !is_directory(parent)) { + if (!is_directory(path)) { return ACL_FAILURE; } - acl_t parent_acl = acl_get_file(parent, ACL_TYPE_DEFAULT); - if (parent_acl == (acl_t)NULL) { - perror("inherit_default_acl (acl_get_file)"); - return ACL_ERROR; - } - - acl_t path_acl = acl_dup(parent_acl); + /* Our return value; success unless something bad happens. */ + int result = ACL_SUCCESS; + acl_t path_acl = acl_dup(acl); if (path_acl == (acl_t)NULL) { perror("inherit_default_acl (acl_dup)"); - acl_free(parent_acl); - return ACL_ERROR; + return ACL_ERROR; /* Nothing to clean up in this case. */ } int sf_result = acl_set_file(path, ACL_TYPE_DEFAULT, path_acl); if (sf_result == -1) { perror("inherit_default_acl (acl_set_file)"); result = ACL_ERROR; - goto cleanup; } - cleanup: acl_free(path_acl); return result; } @@ -678,6 +693,32 @@ int apply_default_acl(const char* path, bool no_exec_mask) { return ACL_ERROR; } + /* Refuse to operate on hard links, which can be abused by an + * attacker to trick us into changing the ACL on a file we didn't + * intend to; namely the "target" of the hard link. To truly prevent + * that sort of mischief, we should be using file descriptors for + * the target and its parent directory. Then modulo a tiny race + * condition, we would be sure that "path" and "parent" don't change + * their nature between the time that we test them and when we + * utilize them. For contrast, the same attacker is free to replace + * "path" with a hard link after is_hardlink_safe() has returned + * "true" below. + * + * Unfortunately, our API is lacking in this area. For example, + * acl_set_fd() is only capable of setting the ACL_TYPE_ACCESS list, + * and not the ACL_TYPE_DEFAULT. Apparently the only way to operate + * on default ACLs is through the path name, which is inherently + * unreliable since the acl_*_file() calls themselves might follow + * links (both hard and symbolic). + * + * Some improvement could still be made by using descriptors where + * possible -- this would shrink the exploit window -- but for now + * we use a naive implementation that only keeps honest men honest. + */ + if (!is_hardlink_safe(path)) { + return ACL_FAILURE; + } + if (!is_regular_file(path) && !is_directory(path)) { return ACL_FAILURE; } @@ -735,7 +776,7 @@ int apply_default_acl(const char* path, bool no_exec_mask) { } /* If it's a directory, inherit the parent's default. */ - int inherit_result = inherit_default_acl(path, parent); + int inherit_result = assign_default_acl(path, defacl); if (inherit_result == ACL_ERROR) { perror("apply_default_acl (inherit_acls)"); result = ACL_ERROR; @@ -1014,7 +1055,7 @@ int main(int argc, char* argv[]) { * typos, too. */ if (!path_accessible(target)) { - fprintf(stderr, "%s: %s: no such file or directory\n", argv[0], target); + fprintf(stderr, "%s: %s: No such file or directory\n", argv[0], target); result = EXIT_FAILURE; continue; }