| blob | d7bcbc41a832b35077f99528e93a9ac1263dc092 |
1 /*
2 * Copyright (c) 2020 Duncan Overbruck <mail@duncano.de>
3 * Copyright (c) 2021-2022 Sergey Sushilin <sergeysushilin@protonmail.com>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
18 /*
19 * 1) Timestamp files and directories
20 *
21 * Timestamp files MUST NOT be accessible to users other than root,
22 * this includes the name, metadata and the content of timestamp files
23 * and directories.
24 *
25 * Symlinks can be used to create, manipulate or delete wrong files
26 * and directories. The Implementation MUST reject any symlinks for
27 * timestamp files or directories.
28 *
29 * To avoid race conditions the implementation MUST use the same
30 * file descriptor for permission checks and do read or write
31 * write operations after the permission checks.
32 *
33 * The timestamp files MUST be opened with openat(2) using the
34 * timestamp directory file descriptor. Permissions of the directory
35 * MUST be checked before opening the timestamp file descriptor.
36 *
37 * 2) Clock sources for timestamps
38 *
39 * Timestamp files MUST NOT rely on only one clock source, using the
40 * wall clock would allow to reset the clock to an earlier point in
41 * time to reuse a timestamp.
42 *
43 * The timestamp MUST consist of multiple clocks and MUST reject the
44 * timestamp if there is a change to any clock because there is no way
45 * to differentiate between malicious and legitimate clock changes.
46 *
47 * 3) Timestamp lifetime
48 *
49 * The implementation MUST NOT use the user controlled stdin, stdout
50 * and stderr file descriptors to determine the controlling terminal.
51 * On linux the /proc/$pid/stat file MUST be used to get the terminal
52 * number.
53 *
54 * There is no reliable way to determine the lifetime of a tty/pty.
55 * The start time of the session leader MUST be used as part of the
56 * timestamp to determine if the tty is still the same.
57 * If the start time of the session leader changed the timestamp MUST
58 * be rejected.
59 */
61 #include <sys/ioctl.h>
62 #include <sys/stat.h>
63 #include <sys/vfs.h>
65 #if !defined(timespecisset) || !defined(timespeccmp) || !defined(timespecadd)
67 #endif
69 #include <ctype.h>
70 #include <dirent.h>
71 #include <err.h>
72 #include <errno.h>
73 #include <fcntl.h>
74 #include <limits.h>
75 #include <stdio.h>
76 #include <stdlib.h>
77 #include <string.h>
78 #include <time.h>
79 #include <unistd.h>
85 #if !defined(TIMESTAMP_DIR)
87 #endif
89 #if defined(__linux__)
91 # define TTY_NUMBER_FIELD_NUMBER 7
92 # define START_TIME_FIELD_NUMBER 22
93 #elif defined(__FreeBSD__)
95 # define TTY_NUMBER_FIELD_NUMBER 6
96 # define START_TIME_FIELD_NUMBER 8
97 #endif
99 #define TTY_NUMBER_SIZE 32
101 #if defined(__linux__) || defined(__FreeBSD__)
102 /* Use tty_nr from /proc/self/stat instead of using
103 * ttyname(3), stdin, stdout and stderr are user
104 * controllable and would allow to reuse timestamps
105 * from another writable terminal.
106 * See https://www.sudo.ws/alerts/tty_tickets.html
107 */
109 {
118 }
128 }
137 }
143 }
147 /* Error if it contains NULL bytes. */
151 }
155 #if defined(__linux__)
156 /*
157 * Get the 7th field, 5 fields after the last ')',
158 * (2th field) because the 5th field 'comm' can include
159 * spaces and closing paranthesis too.
160 * See https://www.sudo.ws/alerts/linux_tty.html
161 */
162 /* Be careful: program name may include ')' character,
163 so we find the last ')' entry searching from the end. */
168 #elif defined(__FreeBSD__)
170 #endif
180 }
184 }
188 }
189 }
192 }
193 #else
194 /* proc_info not implemented. */
195 static int proc_info(pid_t pid __unused, int *ttynr __unused, unsigned long long int *starttime __unused)
196 {
199 }
200 #endif
203 {
221 }
224 {
235 }
237 /* Returns true if the timestamp is valid, false if it is invalid. */
239 {
246 }
251 }
256 }
258 /* This timestamp was created, but never set.
259 Invalid, but no error. */
268 }
270 /* Check if timestamp is too old. */
275 /* Check if timestamp is too far in the future. */
283 }
286 }
289 {
298 }
315 }
323 }
325 /* If directory exists make sure that it has required mode and owner. */
331 }
344 }
354 }
363 }
366 }
369 }
372 {
386 }