/[pdpsoft]/trunk/grid-mw-security/cgul/fileutil/fileutil.c

Diff of /trunk/grid-mw-security/cgul/fileutil/fileutil.c

Parent Directory | Revision Log | View Patch Patch

-revision 1509 by msalle,
Wed Feb 10 23:32:47 2010 UTC
+revision 1510 by msalle,
Sun Feb 14 12:31:32 2010 UTC
 Line 59 
 int priv_drop(int unpriv_uid,int unpriv_
      /* Anything to be done? */
      rc=( target_uid==0 || target_uid==euid ? 0 : seteuid(target_uid) );
      /* Error: try to restore */
-     if (rc!=0) setegid(egid); /* ignore rc of THIS process, it's damage control */
+     if (rc!=0) setegid(egid); /* ignore rc of THIS process: damage control */
      return 0;
  }
 Line 94 
 int raise_priv(uid_t euid, gid_t egid) {
   *  LCK_READ    - set shared read lock
   *  LCK_WRITE   - set exclusive write lock
   *  LCK_UNLOCK  - unset lock
-  * Locks are exclusive for writing and shared for reading: multiple processes can
+  * Locks are exclusive for writing and shared for reading: multiple processes
-  * read simultaneously, but writing is exclusive, both for reading and writing.
+  * can read simultaneously, but writing is exclusive, both for reading and
+  * writing.
   * Returns -1 on error, 0 on success.
   */
  int cgul_filelock(int fd, int lock_type, int action) {
-Line 148 
 int cgul_filelock(int fd, int lock_type,
+Line 149 
 int cgul_filelock(int fd, int lock_type,
   * -3: permissions error
   * -4: memory error
   * -5: too many retries needed during reading
+  * -6: locking failed
   */
  int cgul_read_proxy(const char *path, int lock_type, char **proxy)  {
      const int tries=10; /* max number of retries for reading a changing file */
-Line 155 
 int cgul_read_proxy(const char *path, in
+Line 157 
 int cgul_read_proxy(const char *path, in
      struct stat st1,st2,*sptr1,*sptr2,*sptr3;
      uid_t uid=getuid(),euid=geteuid();
      gid_t gid=getgid(),egid=getegid();
-     char *buf,*buf_new;/* *proxy will be updated when we know everything is ok */
+     char *buf,*buf_new; /* *proxy will be updated when everything is ok */
      ssize_t size;
      /* Drop privilege to real uid and real gid, only when we can and are
-Line 168 
 int cgul_read_proxy(const char *path, in
+Line 170 
 int cgul_read_proxy(const char *path, in
      }
      /* Lock file */
      if (cgul_filelock(fd,lock_type,LCK_READ))    {
-         close(fd); raise_priv(euid,egid); return -1;
+         close(fd); raise_priv(euid,egid); return -6;
      }
      /* Stat the file before reading:
       * Need ownership and mode for allowed values, size for malloc */
      if (fstat(fd,&st1)) {
          close(fd); raise_priv(euid,egid); return -1;
      }
-     /* Check we own it (only uid) and is unreadable/unwriteable for anyone else
+     /* Check we own it (only uid) and it is unreadable/unwriteable for anyone
-      * */
+      * else */
      if ( st1.st_uid!=uid ||
           st1.st_mode & S_IRGRP || st1.st_mode & S_IWGRP ||
           st1.st_mode & S_IROTH || st1.st_mode & S_IWOTH )   {
-Line 254 
 int cgul_read_proxy(const char *path, in
+Line 256 
 int cgul_read_proxy(const char *path, in
   *                group={root,trust_gid}
   * Return values:
   *  0: succes
-  *  -1: I/O error
+  *  -1: I/O error, including when file changed during reading in any way other
+  *      than access time.
   *  -2: privilege-drop error
   *  -3: permission error (untrusted path)
   *  -4: memory error
-Line 266 
 int cgul_read_config(const char *path, c
+Line 269 
 int cgul_read_config(const char *path, c
      uid_t euid=geteuid(),uid=getuid(),target_uid;
      gid_t egid=getegid(),gid=getgid(),target_gid;
      struct safe_id_range_list ulist,glist;
-     struct stat st;
+     struct stat st_before,st_after;
      char *buf;
      /* Expected level of trust depends on mode: user switching or not */
-Line 283 
 int cgul_read_config(const char *path, c
+Line 286 
 int cgul_read_config(const char *path, c
          /* Nothing to switch, trust_uid/trust_gid will be used to check the file
           * permissions only. */
          target_uid=0; /* target_uid is also added to the safe id list */
-         target_gid=0; /* just in case target_gid would be added to the safe id list */
+         target_gid=0; /* just in case target_gid would be added to the safe id
+                          list */
          switching=0;
      }
-Line 297 
 int cgul_read_config(const char *path, c
+Line 301 
 int cgul_read_config(const char *path, c
           safe_add_id_to_list(&glist,trust_gid) )    {
          raise_priv(euid,egid); return -4;
      }
+     /* Do an lstat so that we can compare modes etc. before/after */
+     if (lstat(path,&st_before)) {
+         raise_priv(euid,egid); return -2;
+     }
      /* Check trust */
      trust=safe_is_path_trusted_r(path,&ulist,&glist);
      /* free the range lists */
-Line 326 
 int cgul_read_config(const char *path, c
+Line 335 
 int cgul_read_config(const char *path, c
              raise_priv(euid,egid); return -5;
      }
      /* Open file and stat the file (latter for size) */
-     if ((fd=open(path,O_RDONLY))==-1 || fstat(fd,&st))  {
+     if ((fd=open(path,O_RDONLY))==-1)   {
          raise_priv(euid,egid); return -1;
      }
      /* Get expected space, don't forget trailing '\0' */
-     if ( (buf=(char *)malloc((size_t)(st.st_size+sizeof(char))))==NULL)   {
+     if ( (buf=(char *)malloc((size_t)(st_before.st_size+sizeof(char))))==NULL)
+     {
          close(fd); raise_priv(euid,egid); return -4;
      }
      /* Read the file, check we get right size */
-     if (read(fd,buf,st.st_size)!=(ssize_t)st.st_size)
+     if ( read(fd,buf,st_before.st_size)!=(ssize_t)st_before.st_size ||
-         /* read error, but don't return yet, we want to free the memory
+          fstat(fd,&st_after) ||                     /* Do stat fd           */
-          * centrally */
+          st_before.st_dev   !=st_after.st_dev ||    /* device               */
+          st_before.st_ino   !=st_after.st_ino ||    /* inode                */
+          st_before.st_size  !=st_after.st_size ||   /* size                 */
+          st_before.st_mode  !=st_after.st_mode ||   /* mode                 */
+          st_before.st_uid   !=st_after.st_uid ||    /* uid                  */
+          st_before.st_gid   !=st_after.st_gid ||    /* gid                  */
+          st_before.st_mtime !=st_after.st_mtime ||  /* modification time    */
+          st_before.st_ctime !=st_after.st_ctime )   /* creation time        */
+         /* something changed or went wrong: classify all as I/O error, because
+          * we were reading a trusted or confidential file.
+          * Don't return yet, we want to free the memory centrally */
          rc=-1;
      else    {
          /* add trailing '\0' */
-         buf[st.st_size]='\0';
+         buf[st_after.st_size]='\0';
          rc=0;
      }
      /* Close file */
-Line 366 
 int cgul_read_config(const char *path, c
+Line 386 
 int cgul_read_config(const char *path, c
   * -2: privilege-drop error
   * -3: permissions error, including file directly in / or not absolute
   * -4: memory error
+  * -6: locking failed
   */
  int cgul_write_proxy(const char *path, int lock_type, const char *proxy,
                       int write_uid, int write_gid) {
-Line 381 
 int cgul_write_proxy(const char *path, i
+Line 402 
 int cgul_write_proxy(const char *path, i
      if (write_uid>=0)
          target_uid=write_uid;
      else
-         target_uid=(uid==0 ? euid : uid); /* when real==root -> stay effective */
+         target_uid=(uid==0 ? euid : uid); /* when real==root: stay effective */
      /* Set write gid */
      if (write_gid>=0)
          target_gid=write_gid;
      else
-         target_gid=(gid==0 ? egid : gid); /* when real==root -> stay effective */
+         target_gid=(gid==0 ? egid : gid); /* when real==root: stay effective */
      /* Drop privilege when (e)uid == 0 */
      if ( (euid==0 || uid==0) && priv_drop(target_uid,target_gid))
-Line 412 
 int cgul_write_proxy(const char *path, i
+Line 433 
 int cgul_write_proxy(const char *path, i
      }
      /* Lock the file */
      if ( cgul_filelock(fd,lock_type,LCK_WRITE) ) {
-         close(fd); raise_priv(euid,egid); return -1;
+         close(fd); raise_priv(euid,egid); return -6;
      }
      /* Do a chmod and chown, in case it already existed. If this fails, the file
       * has the wrong permissions.
-Line 425 
 int cgul_write_proxy(const char *path, i
+Line 446 
 int cgul_write_proxy(const char *path, i
           write(fd,proxy,expsize)!=(ssize_t)expsize )    {
          close(fd); raise_priv(euid,egid); return -1; /* write error */
      }
-     /* unlock */
+     /* unlock: ignore the exit code */
      cgul_filelock(fd,lock_type,LCK_UNLOCK);
      /* close the file, don't ignore exit values: might have write error */
      if (close(fd))
-Line 456 
 int cgul_write_proxy(const char *path, i
+Line 477 
 int cgul_write_proxy(const char *path, i
   *  -5: invalid template: it MUST end with 6 X's
   */
  int cgul_write_uniq_proxy(char *path_template, const char *proxy,
                            int write_uid, int write_gid) {
      const mode_t filemode=S_IRUSR | S_IWUSR;
      const mode_t dirmode=S_IRUSR | S_IWUSR | S_IXUSR;
      int fd,rc;
-Line 474 
 int cgul_write_uniq_proxy(char *path_tem
+Line 495 
 int cgul_write_uniq_proxy(char *path_tem
      if (write_uid>=0)
          target_uid=write_uid;
      else
-         target_uid=(uid==0 ? euid : uid); /* when real==root -> stay effective */
+         target_uid=(uid==0 ? euid : uid); /* when real==root: stay effective */
      /* Set write gid */
      if (write_gid>=0)
          target_gid=write_gid;
      else
-         target_gid=(gid==0 ? egid : gid); /* when real==root -> stay effective */
+         target_gid=(gid==0 ? egid : gid); /* when real==root: stay effective */
      /* Drop privilege when (e)uid == 0 */
      if ( (euid==0 || uid==0) && priv_drop(target_uid,target_gid))

 Legend:



Removed from v.1509
 


changed lines


 
Added in v.1510
 Legend:



Removed from v.1509
 


changed lines


 
Added in v.1510
-Removed from v.1509
+Added in v.1510

grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28