1*10b5fe87SSascha Wildner /*-
2*10b5fe87SSascha Wildner  * Copyright (c) 2011 Dag-Erling Smørgrav
3*10b5fe87SSascha Wildner  * All rights reserved.
4*10b5fe87SSascha Wildner  *
5*10b5fe87SSascha Wildner  * Redistribution and use in source and binary forms, with or without
6*10b5fe87SSascha Wildner  * modification, are permitted provided that the following conditions
7*10b5fe87SSascha Wildner  * are met:
8*10b5fe87SSascha Wildner  * 1. Redistributions of source code must retain the above copyright
9*10b5fe87SSascha Wildner  *    notice, this list of conditions and the following disclaimer.
10*10b5fe87SSascha Wildner  * 2. Redistributions in binary form must reproduce the above copyright
11*10b5fe87SSascha Wildner  *    notice, this list of conditions and the following disclaimer in the
12*10b5fe87SSascha Wildner  *    documentation and/or other materials provided with the distribution.
13*10b5fe87SSascha Wildner  * 3. The name of the author may not be used to endorse or promote
14*10b5fe87SSascha Wildner  *    products derived from this software without specific prior written
15*10b5fe87SSascha Wildner  *    permission.
16*10b5fe87SSascha Wildner  *
17*10b5fe87SSascha Wildner  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18*10b5fe87SSascha Wildner  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19*10b5fe87SSascha Wildner  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20*10b5fe87SSascha Wildner  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21*10b5fe87SSascha Wildner  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22*10b5fe87SSascha Wildner  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23*10b5fe87SSascha Wildner  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24*10b5fe87SSascha Wildner  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25*10b5fe87SSascha Wildner  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26*10b5fe87SSascha Wildner  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27*10b5fe87SSascha Wildner  * SUCH DAMAGE.
28*10b5fe87SSascha Wildner  *
29*10b5fe87SSascha Wildner  * $OpenPAM: openpam_check_owner_perms.c 938 2017-04-30 21:34:42Z des $
30*10b5fe87SSascha Wildner  */
31*10b5fe87SSascha Wildner 
32*10b5fe87SSascha Wildner #ifdef HAVE_CONFIG_H
33*10b5fe87SSascha Wildner # include "config.h"
34*10b5fe87SSascha Wildner #endif
35*10b5fe87SSascha Wildner 
36*10b5fe87SSascha Wildner #include <sys/types.h>
37*10b5fe87SSascha Wildner #include <sys/stat.h>
38*10b5fe87SSascha Wildner 
39*10b5fe87SSascha Wildner #include <errno.h>
40*10b5fe87SSascha Wildner #include <limits.h>
41*10b5fe87SSascha Wildner #include <stdlib.h>
42*10b5fe87SSascha Wildner #include <string.h>
43*10b5fe87SSascha Wildner #include <unistd.h>
44*10b5fe87SSascha Wildner 
45*10b5fe87SSascha Wildner #include <security/pam_appl.h>
46*10b5fe87SSascha Wildner 
47*10b5fe87SSascha Wildner #include "openpam_impl.h"
48*10b5fe87SSascha Wildner 
/*
 * OpenPAM internal
 *
 * Check the object behind an already-open descriptor: it must be a
 * regular file, owned by root (uid 0) or by the arbitrator (the
 * effective uid of the calling process), and must not be writable by
 * group or other.
 *
 * The check goes through fstat() on the descriptor, so it applies to
 * the object that was actually opened.  Only st_uid and st_mode are
 * inspected; anything not reflected in those two fields (for example
 * ACL entries) is outside this check.
 *
 * name is used only as a label in log messages.
 *
 * Returns 0 if the file passes.  Returns -1 otherwise, with errno set
 * to the fstat() error, EINVAL (not a regular file) or EPERM (wrong
 * owner, or a group/other write bit set).  Every failure is logged at
 * PAM_LOG_ERROR.
 */

int
openpam_check_desc_owner_perms(const char *name, int fd)
{
	const uid_t root_uid = 0;
	const uid_t arbitrator_uid = geteuid();
	struct stat st;
	int saved_errno;
	int owner_ok, mode_ok;

	if (fstat(fd, &st) != 0) {
		/* keep the fstat() errno intact across the log call */
		saved_errno = errno;
		openpam_log(PAM_LOG_ERROR, "%s: %m", name);
		errno = saved_errno;
		return (-1);
	}

	/* directories, devices, FIFOs and sockets are all refused */
	if (!S_ISREG(st.st_mode)) {
		openpam_log(PAM_LOG_ERROR,
		    "%s: not a regular file", name);
		errno = EINVAL;
		return (-1);
	}

	owner_ok = (st.st_uid == root_uid || st.st_uid == arbitrator_uid);
	mode_ok = ((st.st_mode & (S_IWGRP|S_IWOTH)) == 0);
	if (!owner_ok || !mode_ok) {
		openpam_log(PAM_LOG_ERROR,
		    "%s: insecure ownership or permissions", name);
		errno = EPERM;
		return (-1);
	}

	return (0);
}
87*10b5fe87SSascha Wildner 
/*
 * OpenPAM internal
 *
 * Resolve path with realpath() and then walk the result from the final
 * component back towards the root.  The final component must be a
 * regular file; it and every directory visited on the way up must be
 * owned by root (uid 0) or by the arbitrator (the effective uid of the
 * calling process) and must not be writable by group or other.
 *
 * Only st_uid and st_mode are inspected; anything not reflected in
 * those two fields (for example ACL entries) is outside this check.
 *
 * NOTE(review): for a path below the root the walk ends once the
 * buffer has been trimmed back to "/", so the root directory itself is
 * not examined.
 *
 * Note that openpam_check_desc_owner_perms() should be used instead if
 * possible: this function checks names, not an open descriptor, so the
 * filesystem can change between the check and the actual open().
 *
 * Returns 0 if every component passes.  Returns -1 otherwise, with
 * errno left as set by realpath() or stat(), or set to EINVAL (final
 * component is not a regular file) or EPERM (wrong owner, or a
 * group/other write bit set).  A realpath() failure and a stat()
 * failure with ENOENT are not logged; other failures are logged at
 * PAM_LOG_ERROR.
 */

int
openpam_check_path_owner_perms(const char *path)
{
	const uid_t root_uid = 0;
	const uid_t arbitrator_uid = geteuid();
	char resolved[PATH_MAX];
	struct stat st;
	int at_leaf, end, saved_errno;
	int owner_ok, mode_ok;

	/* canonicalise first; on failure errno is whatever realpath() set */
	if (realpath(path, resolved) == NULL)
		return (-1);

	at_leaf = 1;
	end = strlen(resolved);
	while (end > 0) {
		if (stat(resolved, &st) != 0) {
			/* a missing component is reported but not logged */
			if (errno != ENOENT) {
				saved_errno = errno;
				openpam_log(PAM_LOG_ERROR, "%s: %m", resolved);
				errno = saved_errno;
			}
			return (-1);
		}

		/* only the final component has to be a regular file */
		if (at_leaf && !S_ISREG(st.st_mode)) {
			openpam_log(PAM_LOG_ERROR,
			    "%s: not a regular file", resolved);
			errno = EINVAL;
			return (-1);
		}

		owner_ok = (st.st_uid == root_uid ||
		    st.st_uid == arbitrator_uid);
		mode_ok = ((st.st_mode & (S_IWGRP|S_IWOTH)) == 0);
		if (!owner_ok || !mode_ok) {
			openpam_log(PAM_LOG_ERROR,
			    "%s: insecure ownership or permissions", resolved);
			errno = EPERM;
			return (-1);
		}

		/*
		 * Cut the buffer back to the previous '/', keeping that
		 * slash, so the next pass examines the parent directory.
		 */
		for (;;) {
			--end;
			if (end <= 0 || resolved[end] == '/')
				break;
			resolved[end] = '\0';
		}
		at_leaf = 0;
	}

	return (0);
}
142*10b5fe87SSascha Wildner 
143*10b5fe87SSascha Wildner /*
144*10b5fe87SSascha Wildner  * NOPARSE
145*10b5fe87SSascha Wildner  */