lib/libutil/_secure_path.c

   1 /*-
   2  * Based on code copyright (c) 1995,1997 by
   3  * Berkeley Software Design, Inc.
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, is permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice immediately at the beginning of the file, without modification,
  11  *    this list of conditions, and the following disclaimer.
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  * 3. This work was done expressly for inclusion into FreeBSD.  Other use
  16  *    is permitted provided this notation is included.
  17  * 4. Absolutely no warranty of function or purpose is made by the authors.
  18  * 5. Modifications may be freely made to this file providing the above
  19  *    conditions are met.
  20  *
  21  * $FreeBSD: src/lib/libutil/_secure_path.c,v 1.5 1999/08/28 00:05:42 peter Exp $
  22  * $DragonFly: src/lib/libutil/_secure_path.c,v 1.3 2005/03/04 04:31:11 cpressey Exp $
  23  */
  24
  25
  26 #include <sys/types.h>
  27 #include <sys/stat.h>
  28
  29 #include <errno.h>
  30 #include <syslog.h>
  31
  32 #include "libutil.h"
  33
  34 /*
  35  * Check for common security problems on a given path
  36  * It must be:
  37  * 1. A regular file, and exists
  38  * 2. Owned and writaable only by root (or given owner)
  39  * 3. Group ownership is given group or is non-group writable
  40  *
  41  * Returns:     -2 if file does not exist,
  42  *              -1 if security test failure
  43  *              0  otherwise
  44  */
  45
  46 int
  47 _secure_path(const char *path, uid_t uid, gid_t gid)
  48 {
  49     int         r = -1;
  50     struct stat sb;
  51     const char  *msg = NULL;
  52
  53     if (lstat(path, &sb) < 0) {
  54         if (errno == ENOENT) /* special case */
  55             r = -2;  /* if it is just missing, skip the log entry */
  56         else
  57             msg = "%s: cannot stat %s: %m";
  58     }
  59     else if (!S_ISREG(sb.st_mode))
  60         msg = "%s: %s is not a regular file";
  61     else if (sb.st_mode & S_IWOTH)
  62         msg = "%s: %s is world writable";
  63     else if (uid != -1 && sb.st_uid != uid && sb.st_uid != 0) {
  64         if (uid == 0)
  65                 msg = "%s: %s is not owned by root";
  66         else
  67                 msg = "%s: %s is not owned by uid %d";
  68     } else if (gid != -1 && sb.st_gid != gid && (sb.st_mode & S_IWGRP))
  69         msg = "%s: %s is group writeable by non-authorised groups";
  70     else
  71         r = 0;
  72     if (msg != NULL)
  73         syslog(LOG_ERR, msg, "_secure_path", path, uid);
  74     return r;
  75 }