aboutsummaryrefslogtreecommitdiff
path: root/src/rc/checkpath.c
AgeCommit message (Collapse)Author
2021-04-13style fixWilliam Hubbs
2020-11-27src/rc/checkpath.c: replace mkdir() with mkdirat().Michael Orlitzky
The do_check() function recently gained some defenses against symlink replacement attacks that involve the use of *at functions in place of their vanilla counterparts; openat() instead of open(), for example. One opportunity to replace mkdir() with mkdirat() was missed, however, and this commit replaces it. This fixes #386.
2020-11-27src/rc/checkpath.c: fix typo "synbolic" -> "symbolic".Michael Orlitzky
2020-11-20checkpath: fix CVE-2018-21269William Hubbs
This walks the directory path to the file we are going to manipulate to make sure that when we create the file and change the ownership and permissions we are working on the same file. Also, all non-terminal symbolic links must be owned by root. This will keep a non-root user from making a symbolic link as described in the bug. If root creates the symbolic link, it is assumed to be trusted. On non-linux platforms, we no longer follow non-terminal symbolic links by default. If you need to do that, add the -s option on the checkpath command line, but keep in mind that this is not secure. This fixes #201.
2018-12-02Revert "checkpath: use O_PATH when available"William Hubbs
This reverts commit 2af0cedd5952d7da71681b7a636dff3540e4295d. After speaking with Luis Ressel on the Gentoo selinux team, I am reverting this commit for the following reasons: - Luis told me that he feels this is not the solution we need to address the concern with checkpath; I will be working with him on another solution. - There are concerns about the way the path variable was handled and the assert() call. The path variable should be dynamically allocated using xasprintf instead of defining a length at compile time. This would eliminate the need for the assert() call. - It introduces the definition of _GNU_SOURCE which makes it easier to introduce portability concerns in the future (see #262).
2018-12-01checkpath: use O_PATH when availableMike Gilbert
This avoids opening directories/files with read permission, which is sometimes rejected by selinux policy. Bug: https://bugs.gentoo.org/667122
2018-06-19checkpath: fix gcc 7 warningsWilliam Hubbs
2018-01-24typo fixWilliam Hubbs
2018-01-23checkpath: use fchown and fchmod to handle ownership and mode changesWilliam Hubbs
This is related to #195. This is an attempt to shorten the window for the first two issues discussed by using a file descriptor which does not follow symbolic links and using the fchmod and fchown calls instead of chown and chmod. with.
2018-01-16checkpath: fix lchown error messageWilliam Hubbs
X-Gentoo-Bug: 643084 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=643084
2018-01-09checkpath: use lchown instead of chownWilliam Hubbs
Checkpath should never follow symbolic links when changing ownership of a file. This is for https://github.com/openrc/openrc/issues/195.
2016-01-14include rc.h properly in source filesWilliam Hubbs
We were attempting to include rc.h in rc-misc.h instead of the source files where it should be included.
2016-01-12Remove multicall binary structure from OpenRCWilliam Hubbs
This eliminates the need for the selinux-specific wrapper scrript we were installing in /lib*/rc/{bin,sbin}.
2015-12-21Convert OpenRC to a centralized copyright/license structureWilliam Hubbs
In the past, OpenRC was a hybrid of a centralized and file-scope license/copyright structure. I followed the instructions from the Software Freedom Law Center [1] to convert to a Centralized structure where possible, for easier future maintenance. [1] https://softwarefreedom.org/resources/2012/ManagingCopyrightInformation.html
2015-03-25checkpath: Remove the last HAVE_SELINUX testWilliam Hubbs
2015-03-25selinux: unconditionally include the header and provide stub methodsWilliam Hubbs
If selinux is disabled, then stub methods will be provided instead of calling the real methods. This removes some warnings about unused parameters which used to be covered up with #ifdef HAVE_SELINUX. Signed-off-by: Jason Zaman <jason@perfinion.com>
2015-03-24checkpath: fix warning about selinux_on being unusedWilliam Hubbs
2015-02-19checkpath: do not chown or chmod symbolic linksWilliam Hubbs
This is another security fix. If you use chown() or chmod() on a symbolic link, it affects the referenced file, not the symbolic link itself. X-Gentoo-Bug: 540006 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
2015-02-15typo fixWilliam Hubbs
2015-02-15checkpath: security fix for -m and -o optionsWilliam Hubbs
Do not change permissions on the target if it is a file and has multiple hard links. This is necessary because a hard link can be an attack vector to gain privilege escalation. X-Gentoo-Bug: 540006 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
2014-07-28checkpath: apply ownership to all paths given on command lineWilliam Hubbs
The stat structure was not being initialized correctly in do_check. This was causing the owner adjustment to be skipped if the first path had the correct owner. Also, the "correcting owner" message should always be printed when the owner is being changed. X-Gentoo-Bug: 518042 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=518042
2014-07-25checkpath: style fixWilliam Hubbs
2014-07-16checkpath: style fixesWilliam Hubbs
2014-07-16Rename SELinux source filesWilliam Hubbs
The name rc-selinux-util.* is a bit long, so I renamed the source files to rc-selinux.* X-Gentoo-Bug: 516956 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=516956
2014-07-16checkpath: restore the SELinux contextJason Zaman
X-Gentoo-Bug: 516956 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=516956
2014-07-13checkpath: fix logic for the writable optionWilliam Hubbs
The -W option does not need an argument of its own; it can take the first path after all other options are processed on the command line. Also, move the processing for the -W option out of the switch so it will be in the same loop as the other processing.
2014-07-11checkpath: fix error message in previous commitWilliam Hubbs
2014-07-11checkpath: report an error if required options were not specifiedWilliam Hubbs
Before this commit, not specifying -d, -f, -p or -W in a checkpath command meant the command exited successfully but actually did nothing. This is an error condition, so report it as such.
2012-10-27Checkpath: print the path when correcting the ownerWilliam Hubbs
Checkpath was printing the path it was working with unless it was correcting the owner. In this case, it was printing "checkpath", which is not very useful. Reported-by: <devurandom@gmx.net> X-Gentoo-Bug: 439014 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=439014
2012-10-09checkpath: fix bool valuesWilliam Hubbs
Use true/false for bool values instead of 0/1. Reported-by: <vapier@gentoo.org>
2012-10-09checkpath: change the owner/group only when requested to do soWilliam Hubbs
Fix checkpath so that it only changes the owner/group if -o is on the command line. Reported-by: <flameeyes@gentoo.org> X-Gentoo-Bug: 437560 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=437560
2012-01-26Add -W/--writable function to checkpathChristian Ruppert
Checkpath -W will use access(3p) to determine whether or not a path is writable. This is more accurate than test(1p) because it also takes into account whether or not the filesystem is mounted read-only. Modified by William Hubbs to add the man page update.
2012-01-23Per the systemd tmpfiles implementation, we need to watch out for umask ↵Robin H. Johnson
during initial creation of files as well as potentially changing permissions later. Also do not abort if the items exist already, per truncate rules in tmpfiles. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
2012-01-23Ensure that when -F is passed, existing files are truncated properly.Robin H. Johnson
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
2012-01-23Respin features.h usage so that we correctly test for features before we use ↵Robin H. Johnson
them. Some BSD libc implementations may have one or the other flag, but not both. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
2012-01-23Revert "Drop include for features.h"Robin H. Johnson
This reverts commit 30a565f80d6056ccabadf77e347cf17067133f7e.
2012-01-22Drop include for features.hWilliam Hubbs
The following information is taken from the feature_test_macros man page: <features.h> is a Linux/glibc-specific header file. Other systems have an analogous file, but typically with a different name. This header file is automatically included by other header files as required: it is not necessary to explicitly include it in order to employ feature test macros. Reported-by: Tibor Vago <tibor.vago@gmail.com> X-Gentoo-Bug: 399635 X-Gentoo-Bug-URL: http://bugs.gentoo.org/show_bug.cgi?id=399635
2012-01-09rc/checkpath: tmpfiles.d backend creation codeRobin H. Johnson
This commit provides the checkpath applet with feature parity to systemd's tmpfiles.c create_item function. Very similarly to the systemd function, it does NOT do any of the cleanup work in this function. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
2011-11-19rc: fix style around case_RC_COMMON_GETOPTMike Frysinger
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2011-06-29drop useless "All rights reserved" noticeMike Frysinger
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2009-05-01Add (c) to CopyrightRoy Marples
2009-04-23Improve style for KNFRoy Marples
2008-09-18Clean up some compile warnings.Roy Marples
2008-08-20Add -k,--umask option, Gentoo #232455.Roy Marples
2008-06-17open should use 3 args when using O_CREAT.Roy Marples
2008-03-26Add license blurb to a few files and append my email to my name.Roy Marples
2008-03-16Remove null terminated char ** lists in favour of RC_STRINGLIST, using TAILQ ↵Roy Marples
from queue(3). Refactor code style around the BSD KNF.
2008-02-22Welcome to 2008.Roy Marples
2008-02-11Just use the extern applet var.Roy Marples
2008-02-01Constantise as much as possible so that it reduces COW usage.Roy Marples