...
The path name passed to this function must be absolute, but it does not need to be canonical. (See recommendation FIO02-C. Canonicalize path names originating from untrusted sources.) If the path contains a symbolic link, this routine will recursively invoke itself on the linked-to directory and ensure it is also secure. A symlinked directory may be secure if both its source and linked-to directory are secure. The function checks every directory in the canonical path, ensuring that every directory is owned by the current user or by root, that the leaf directory disallows write access to everyone but the owner, and that all other directories in the path forbid other users from deleting or renaming files (either by turning off group write access and world write access, or by turning on the sticky bit).
Note that this function is only effective on filesystems that are fully compatible with UNIX permissions, and it may not behave normally for filesystems with other permission mechanisms, such as AFS.
| Code Block | ||
|---|---|---|
| ||
#include <stdlib.h>
#include <unistd.h>
#include <limits.h>
#include <libgen.h>
#include <sys/stat.h>
#include <string.h>
/* Returns nonzero if directory is secure, zero otherwise */
int secure_dir(const char *fullpath) {
char *path_copy = NULL;
char **dirs = NULL;
int num_of_dirs = 1;
int secure = 1;
int i;
struct stat buf;
uid_t my_uid = geteuid();
size_t linksize;
char* link;
if (!(path_copy = strdup(fullpath))) {
/* Handle error */
}
/* Figure out how far it is to the root */
for (; ((strcmp(path_copy, "/") != 0) &&
(strcmp(path_copy, "//") != 0));
path_copy = dirname(path_copy)) {
num_of_dirs++;
} // now num_of_dirs indicates # of dirs we must check
free(path_copy);
path_copy = NULL;
if (!(dirs = (char **)malloc(num_of_dirs*sizeof(*dirs)))) {
/* Handle error */
}
if (!(dirs[num_of_dirs - 1] = strdup(fullpath))) {
/* Handle error */
}
if (!(path_copy = strdup(fullpath))) {
/* Handle error */
}
/* Now fill the dirs array */
for (i = num_of_dirs - 2; i >= 0; i--) {
path_copy = dirname(path_copy);
if (!(dirs[i] = strdup(path_copy))) {
/* handle error */
}
}
free(path_copy);
path_copy = NULL;
/* Traverse from the root to the fullpath,
* checking permissions along the way */
for (i = 0; i < num_of_dirs; i++) {
if (lstat(dirs[i], &buf) != 0) {
/* Handle error */
}
if (S_ISLNK(buf.st_mode)) { // symlink, test linked-to file
linksize = buf.st_size+1;
if (!(link = (char *)malloc(linksize))) {
/* Handle error */
}
if (readlink( dirs[i], link, linksize) == -1) {
/* Handle error */
}
link[linksize-1] = '\0';
if (!secure_dir(link)) {
secure = 0;
}
free(link);
link = NULL;
break;
}
if (!S_ISDIR( buf.st_mode)) { // not a directory
secure = 0;
break;
}
if ((buf.st_uid != my_uid) && (buf.st_uid != 0)) {
/* Directory is owned by someone besides user or root */
secure = 0;
break;
}
if (i == num_of_dirs - 1) { /* leaf dir */
if (buf.st_mode & (S_IWGRP | S_IWOTH)) { /* dir is writable by others */
secure = 0;
break;
}
} else { /* parent dirs */
if ((buf.st_mode & (S_IWGRP | S_IWOTH)) ||
(buf.st_mode & S_ISVTX)) { /* dir has sticky bit off */
secure = 0;
break;
}
}
free(dirs[i]);
dirs[i] = NULL;
}
free(dirs);
dirs = NULL;
return secure;
}
|
...