aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWilliam Hubbs <w.d.hubbs@gmail.com>2015-02-19 12:44:21 -0600
committerWilliam Hubbs <w.d.hubbs@gmail.com>2015-02-19 14:39:04 -0600
commita0378f38713e630e1af9101c2ece5d27ca2130fe (patch)
tree317ba48a430f3c91a7627da67b6f9f153654374c
parent423f82bae9f91f1f5a27d30a2542d8884c6f757a (diff)
checkpath: do not chown or chmod symbolic links
This is another security fix. If you use chown() or chmod() on a symbolic link, it affects the referenced file, not the symbolic link itself. X-Gentoo-Bug: 540006 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
-rw-r--r--src/rc/checkpath.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
index 4e362420..87115a4b 100644
--- a/src/rc/checkpath.c
+++ b/src/rc/checkpath.c
@@ -68,7 +68,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
int u;
memset(&st, 0, sizeof(st));
- if (stat(path, &st) || trunc) {
+ if (lstat(path, &st) || trunc) {
if (type == inode_file) {
einfo("%s: creating file", path);
if (!mode) /* 664 */
@@ -133,10 +133,14 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
}
if (mode && (st.st_mode & 0777) != mode) {
- if ((type != inode_dir) && (st.st_nlink != 1)) {
+ if ((type != inode_dir) && (st.st_nlink > 1)) {
eerror("%s: chmod: %s %s", applet, "Too many hard links to", path);
return -1;
}
+ if (S_ISLNK(st.st_mode)) {
+ eerror("%s: chmod: %s %s", applet, path, " is a symbolic link");
+ return -1;
+ }
einfo("%s: correcting mode", path);
if (chmod(path, mode)) {
eerror("%s: chmod: %s", applet, strerror(errno));
@@ -145,10 +149,14 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
}
if (chowner && (st.st_uid != uid || st.st_gid != gid)) {
- if ((type != inode_dir) && (st.st_nlink != 1)) {
+ if ((type != inode_dir) && (st.st_nlink > 1)) {
eerror("%s: chown: %s %s", applet, "Too many hard links to", path);
return -1;
}
+ if (S_ISLNK(st.st_mode)) {
+ eerror("%s: chown: %s %s", applet, path, " is a symbolic link");
+ return -1;
+ }
einfo("%s: correcting owner", path);
if (chown(path, uid, gid)) {
eerror("%s: chown: %s", applet, strerror(errno));