[apple/libutil.git] / _secure_path.c

/*-
 * Based on code copyright (c) 1995,1997 by
 * Berkeley Software Design, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, is permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice immediately at the beginning of the file, without modification,
 *    this list of conditions, and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. This work was done expressly for inclusion into FreeBSD.  Other use
 *    is permitted provided this notation is included.
 * 4. Absolutely no warranty of function or purpose is made by the authors.
 * 5. Modifications may be freely made to this file providing the above
 *    conditions are met.
 */

#include <sys/cdefs.h>

#include <sys/types.h>
#include <sys/stat.h>

#include <errno.h>
#include <libutil.h>
#include <stddef.h>
#include <syslog.h>

/*
 * Check for common security problems on a given path
 * It must be:
 * 1. A regular file, and exists
 * 2. Owned and writable only by root (or given owner)
 * 3. Group ownership is given group or is non-group writable
 *
 * Returns:	-2 if file does not exist,
 *		-1 if security test failure
 *		0  otherwise
 */

int
_secure_path(const char *path, uid_t uid, gid_t gid)
{
    int		r = -1;
    struct stat	sb;
    const char	*msg = NULL;

    if (lstat(path, &sb) < 0) {
	if (errno == ENOENT) /* special case */
	    r = -2;  /* if it is just missing, skip the log entry */
	else
	    msg = "%s: cannot stat %s: %m";
    }
    else if (!S_ISREG(sb.st_mode))
    	msg = "%s: %s is not a regular file";
    else if (sb.st_mode & S_IWOTH)
    	msg = "%s: %s is world writable";
    else if ((int)uid != -1 && sb.st_uid != uid && sb.st_uid != 0) {
    	if (uid == 0)
    		msg = "%s: %s is not owned by root";
    	else
    		msg = "%s: %s is not owned by uid %d";
    } else if ((int)gid != -1 && sb.st_gid != gid && (sb.st_mode & S_IWGRP))
    	msg = "%s: %s is group writeable by non-authorised groups";
    else
    	r = 0;
    if (msg != NULL)
	syslog(LOG_ERR, msg, "_secure_path", path, uid);
    return r;
}
Commit	Line	Data
3f2457aa A	1	/*-
	2	* Based on code copyright (c) 1995,1997 by
	3	* Berkeley Software Design, Inc.
	4	* All rights reserved.
	5	*
	6	* Redistribution and use in source and binary forms, with or without
	7	* modification, is permitted provided that the following conditions
	8	* are met:
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice immediately at the beginning of the file, without modification,
	11	* this list of conditions, and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. This work was done expressly for inclusion into FreeBSD. Other use
	16	* is permitted provided this notation is included.
	17	* 4. Absolutely no warranty of function or purpose is made by the authors.
	18	* 5. Modifications may be freely made to this file providing the above
	19	* conditions are met.
	20	*/
	21
	22	#include <sys/cdefs.h>
	23
	24	#include <sys/types.h>
	25	#include <sys/stat.h>
	26
	27	#include <errno.h>
	28	#include <libutil.h>
	29	#include <stddef.h>
	30	#include <syslog.h>
	31
	32	/*
	33	* Check for common security problems on a given path
	34	* It must be:
	35	* 1. A regular file, and exists
	36	* 2. Owned and writable only by root (or given owner)
	37	* 3. Group ownership is given group or is non-group writable
	38	*
	39	* Returns: -2 if file does not exist,
	40	* -1 if security test failure
	41	* 0 otherwise
	42	*/
	43
	44	int
	45	_secure_path(const char *path, uid_t uid, gid_t gid)
	46	{
	47	int r = -1;
	48	struct stat sb;
	49	const char *msg = NULL;
	50
	51	if (lstat(path, &sb) < 0) {
	52	if (errno == ENOENT) /* special case */
	53	r = -2; /* if it is just missing, skip the log entry */
	54	else
	55	msg = "%s: cannot stat %s: %m";
	56	}
	57	else if (!S_ISREG(sb.st_mode))
	58	msg = "%s: %s is not a regular file";
	59	else if (sb.st_mode & S_IWOTH)
	60	msg = "%s: %s is world writable";
	61	else if ((int)uid != -1 && sb.st_uid != uid && sb.st_uid != 0) {
	62	if (uid == 0)
	63	msg = "%s: %s is not owned by root";
	64	else
65	msg = "%s: %s is not owned by uid %d";
66	} else if ((int)gid != -1 && sb.st_gid != gid && (sb.st_mode & S_IWGRP))
67	msg = "%s: %s is group writeable by non-authorised groups";
68	else
69	r = 0;
70	if (msg != NULL)
71	syslog(LOG_ERR, msg, "_secure_path", path, uid);
72	return r;
73	}