1 /* $OpenBSD: ex_init.c,v 1.8 2002/12/15 13:30:17 henning Exp $ */ 2 3 /*- 4 * Copyright (c) 1992, 1993, 1994 5 * The Regents of the University of California. All rights reserved. 6 * Copyright (c) 1992, 1993, 1994, 1995, 1996 7 * Keith Bostic. All rights reserved. 8 * 9 * See the LICENSE file for redistribution information. 10 */ 11 12 #include "config.h" 13 14 #ifndef lint 15 static const char sccsid[] = "@(#)ex_init.c 10.26 (Berkeley) 8/12/96"; 16 #endif /* not lint */ 17 18 #include <sys/param.h> 19 #include <sys/types.h> /* XXX: param.h may not have included types.h */ 20 #include <sys/queue.h> 21 #include <sys/stat.h> 22 23 #include <bitstring.h> 24 #include <fcntl.h> 25 #include <limits.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <unistd.h> 30 31 #include "../common/common.h" 32 #include "tag.h" 33 #include "pathnames.h" 34 35 enum rc { NOEXIST, NOPERM, RCOK }; 36 static enum rc exrc_isok(SCR *, struct stat *, char *, int, int); 37 38 static int ex_run_file(SCR *, char *); 39 40 /* 41 * ex_screen_copy -- 42 * Copy ex screen. 43 * 44 * PUBLIC: int ex_screen_copy(SCR *, SCR *); 45 */ 46 int 47 ex_screen_copy(orig, sp) 48 SCR *orig, *sp; 49 { 50 EX_PRIVATE *oexp, *nexp; 51 52 /* Create the private ex structure. */ 53 CALLOC_RET(orig, nexp, EX_PRIVATE *, 1, sizeof(EX_PRIVATE)); 54 sp->ex_private = nexp; 55 56 /* Initialize queues. */ 57 CIRCLEQ_INIT(&nexp->tq); 58 TAILQ_INIT(&nexp->tagfq); 59 LIST_INIT(&nexp->cscq); 60 61 if (orig == NULL) { 62 } else { 63 oexp = EXP(orig); 64 65 if (oexp->lastbcomm != NULL && 66 (nexp->lastbcomm = strdup(oexp->lastbcomm)) == NULL) { 67 msgq(sp, M_SYSERR, NULL); 68 return(1); 69 } 70 if (ex_tag_copy(orig, sp)) 71 return (1); 72 } 73 return (0); 74 } 75 76 /* 77 * ex_screen_end -- 78 * End a vi screen. 79 * 80 * PUBLIC: int ex_screen_end(SCR *); 81 */ 82 int 83 ex_screen_end(sp) 84 SCR *sp; 85 { 86 EX_PRIVATE *exp; 87 int rval; 88 89 if ((exp = EXP(sp)) == NULL) 90 return (0); 91 92 rval = 0; 93 94 /* Close down script connections. */ 95 if (F_ISSET(sp, SC_SCRIPT) && sscr_end(sp)) 96 rval = 1; 97 98 if (argv_free(sp)) 99 rval = 1; 100 101 if (exp->ibp != NULL) 102 free(exp->ibp); 103 104 if (exp->lastbcomm != NULL) 105 free(exp->lastbcomm); 106 107 if (ex_tag_free(sp)) 108 rval = 1; 109 110 /* Free private memory. */ 111 free(exp); 112 sp->ex_private = NULL; 113 114 return (rval); 115 } 116 117 /* 118 * ex_optchange -- 119 * Handle change of options for ex. 120 * 121 * PUBLIC: int ex_optchange(SCR *, int, char *, u_long *); 122 */ 123 int 124 ex_optchange(sp, offset, str, valp) 125 SCR *sp; 126 int offset; 127 char *str; 128 u_long *valp; 129 { 130 switch (offset) { 131 case O_TAGS: 132 return (ex_tagf_alloc(sp, str)); 133 } 134 return (0); 135 } 136 137 /* 138 * ex_exrc -- 139 * Read the EXINIT environment variable and the startup exrc files, 140 * and execute their commands. 141 * 142 * PUBLIC: int ex_exrc(SCR *); 143 */ 144 int 145 ex_exrc(sp) 146 SCR *sp; 147 { 148 struct stat hsb, lsb; 149 char *p, path[MAXPATHLEN]; 150 151 /* 152 * Source the system, environment, $HOME and local .exrc values. 153 * Vi historically didn't check $HOME/.exrc if the environment 154 * variable EXINIT was set. This is all done before the file is 155 * read in, because things in the .exrc information can set, for 156 * example, the recovery directory. 157 * 158 * !!! 159 * While nvi can handle any of the options settings of historic vi, 160 * the converse is not true. Since users are going to have to have 161 * files and environmental variables that work with both, we use nvi 162 * versions of both the $HOME and local startup files if they exist, 163 * otherwise the historic ones. 164 * 165 * !!! 166 * For a discussion of permissions and when what .exrc files are 167 * read, see the comment above the exrc_isok() function below. 168 * 169 * !!! 170 * If the user started the historic of vi in $HOME, vi read the user's 171 * .exrc file twice, as $HOME/.exrc and as ./.exrc. We avoid this, as 172 * it's going to make some commands behave oddly, and I can't imagine 173 * anyone depending on it. 174 */ 175 switch (exrc_isok(sp, &hsb, _PATH_SYSEXRC, 1, 0)) { 176 case NOEXIST: 177 case NOPERM: 178 break; 179 case RCOK: 180 if (ex_run_file(sp, _PATH_SYSEXRC)) 181 return (1); 182 break; 183 } 184 185 /* Run the commands. */ 186 if (EXCMD_RUNNING(sp->gp)) 187 (void)ex_cmd(sp); 188 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 189 return (0); 190 191 if ((p = getenv("NEXINIT")) != NULL) { 192 if (ex_run_str(sp, "NEXINIT", p, strlen(p), 1, 0)) 193 return (1); 194 } else if ((p = getenv("EXINIT")) != NULL) { 195 if (ex_run_str(sp, "EXINIT", p, strlen(p), 1, 0)) 196 return (1); 197 } else if ((p = getenv("HOME")) != NULL && *p) { 198 (void)snprintf(path, sizeof(path), "%s/%s", p, _PATH_NEXRC); 199 switch (exrc_isok(sp, &hsb, path, 0, 1)) { 200 case NOEXIST: 201 (void)snprintf(path, 202 sizeof(path), "%s/%s", p, _PATH_EXRC); 203 if (exrc_isok(sp, 204 &hsb, path, 0, 1) == RCOK && ex_run_file(sp, path)) 205 return (1); 206 break; 207 case NOPERM: 208 break; 209 case RCOK: 210 if (ex_run_file(sp, path)) 211 return (1); 212 break; 213 } 214 } 215 216 /* Run the commands. */ 217 if (EXCMD_RUNNING(sp->gp)) 218 (void)ex_cmd(sp); 219 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 220 return (0); 221 222 /* Previous commands may have set the exrc option. */ 223 if (O_ISSET(sp, O_EXRC)) { 224 switch (exrc_isok(sp, &lsb, _PATH_NEXRC, 0, 0)) { 225 case NOEXIST: 226 if (exrc_isok(sp, &lsb, _PATH_EXRC, 0, 0) == RCOK && 227 (lsb.st_dev != hsb.st_dev || 228 lsb.st_ino != hsb.st_ino) && 229 ex_run_file(sp, _PATH_EXRC)) 230 return (1); 231 break; 232 case NOPERM: 233 break; 234 case RCOK: 235 if ((lsb.st_dev != hsb.st_dev || 236 lsb.st_ino != hsb.st_ino) && 237 ex_run_file(sp, _PATH_NEXRC)) 238 return (1); 239 break; 240 } 241 /* Run the commands. */ 242 if (EXCMD_RUNNING(sp->gp)) 243 (void)ex_cmd(sp); 244 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 245 return (0); 246 } 247 248 return (0); 249 } 250 251 /* 252 * ex_run_file -- 253 * Set up a file of ex commands to run. 254 */ 255 static int 256 ex_run_file(sp, name) 257 SCR *sp; 258 char *name; 259 { 260 ARGS *ap[2], a; 261 EXCMD cmd; 262 263 ex_cinit(&cmd, C_SOURCE, 0, OOBLNO, OOBLNO, 0, ap); 264 ex_cadd(&cmd, &a, name, strlen(name)); 265 return (ex_source(sp, &cmd)); 266 } 267 268 /* 269 * ex_run_str -- 270 * Set up a string of ex commands to run. 271 * 272 * PUBLIC: int ex_run_str(SCR *, char *, char *, size_t, int, int); 273 */ 274 int 275 ex_run_str(sp, name, str, len, ex_flags, nocopy) 276 SCR *sp; 277 char *name, *str; 278 size_t len; 279 int ex_flags, nocopy; 280 { 281 GS *gp; 282 EXCMD *ecp; 283 284 gp = sp->gp; 285 if (EXCMD_RUNNING(gp)) { 286 CALLOC_RET(sp, ecp, EXCMD *, 1, sizeof(EXCMD)); 287 LIST_INSERT_HEAD(&gp->ecq, ecp, q); 288 } else 289 ecp = &gp->excmd; 290 291 F_INIT(ecp, 292 ex_flags ? E_BLIGNORE | E_NOAUTO | E_NOPRDEF | E_VLITONLY : 0); 293 294 if (nocopy) 295 ecp->cp = str; 296 else 297 if ((ecp->cp = v_strdup(sp, str, len)) == NULL) 298 return (1); 299 ecp->clen = len; 300 301 if (name == NULL) 302 ecp->if_name = NULL; 303 else { 304 if ((ecp->if_name = v_strdup(sp, name, strlen(name))) == NULL) 305 return (1); 306 ecp->if_lno = 1; 307 F_SET(ecp, E_NAMEDISCARD); 308 } 309 310 return (0); 311 } 312 313 /* 314 * exrc_isok -- 315 * Check a .exrc file for source-ability. 316 * 317 * !!! 318 * Historically, vi read the $HOME and local .exrc files if they were owned 319 * by the user's real ID, or the "sourceany" option was set, regardless of 320 * any other considerations. We no longer support the sourceany option as 321 * it's a security problem of mammoth proportions. We require the system 322 * .exrc file to be owned by root, the $HOME .exrc file to be owned by the 323 * user's effective ID (or that the user's effective ID be root) and the 324 * local .exrc files to be owned by the user's effective ID. In all cases, 325 * the file cannot be writeable by anyone other than its owner. 326 * 327 * In O'Reilly ("Learning the VI Editor", Fifth Ed., May 1992, page 106), 328 * it notes that System V release 3.2 and later has an option "[no]exrc". 329 * The behavior is that local .exrc files are read only if the exrc option 330 * is set. The default for the exrc option was off, so, by default, local 331 * .exrc files were not read. The problem this was intended to solve was 332 * that System V permitted users to give away files, so there's no possible 333 * ownership or writeability test to ensure that the file is safe. 334 * 335 * POSIX 1003.2-1992 standardized exrc as an option. It required the exrc 336 * option to be off by default, thus local .exrc files are not to be read 337 * by default. The Rationale noted (incorrectly) that this was a change 338 * to historic practice, but correctly noted that a default of off improves 339 * system security. POSIX also required that vi check the effective user 340 * ID instead of the real user ID, which is why we've switched from historic 341 * practice. 342 * 343 * We initialize the exrc variable to off. If it's turned on by the system 344 * or $HOME .exrc files, and the local .exrc file passes the ownership and 345 * writeability tests, then we read it. This breaks historic 4BSD practice, 346 * but it gives us a measure of security on systems where users can give away 347 * files. 348 */ 349 static enum rc 350 exrc_isok(sp, sbp, path, rootown, rootid) 351 SCR *sp; 352 struct stat *sbp; 353 char *path; 354 int rootown, rootid; 355 { 356 enum { ROOTOWN, OWN, WRITER } etype; 357 uid_t euid; 358 int nf1, nf2; 359 char *a, *b, buf[MAXPATHLEN]; 360 361 /* Check for the file's existence. */ 362 if (stat(path, sbp)) 363 return (NOEXIST); 364 365 /* Check ownership permissions. */ 366 euid = geteuid(); 367 if (!(rootown && sbp->st_uid == 0) && 368 !(rootid && euid == 0) && sbp->st_uid != euid) { 369 etype = rootown ? ROOTOWN : OWN; 370 goto denied; 371 } 372 373 /* Check writeability. */ 374 if (sbp->st_mode & (S_IWGRP | S_IWOTH)) { 375 etype = WRITER; 376 goto denied; 377 } 378 return (RCOK); 379 380 denied: a = msg_print(sp, path, &nf1); 381 if (strchr(path, '/') == NULL && getcwd(buf, sizeof(buf)) != NULL) { 382 b = msg_print(sp, buf, &nf2); 383 switch (etype) { 384 case ROOTOWN: 385 msgq(sp, M_ERR, 386 "125|%s/%s: not sourced: not owned by you or root", 387 b, a); 388 break; 389 case OWN: 390 msgq(sp, M_ERR, 391 "126|%s/%s: not sourced: not owned by you", b, a); 392 break; 393 case WRITER: 394 msgq(sp, M_ERR, 395 "127|%s/%s: not sourced: writable by a user other than the owner", b, a); 396 break; 397 } 398 if (nf2) 399 FREE_SPACE(sp, b, 0); 400 } else 401 switch (etype) { 402 case ROOTOWN: 403 msgq(sp, M_ERR, 404 "128|%s: not sourced: not owned by you or root", a); 405 break; 406 case OWN: 407 msgq(sp, M_ERR, 408 "129|%s: not sourced: not owned by you", a); 409 break; 410 case WRITER: 411 msgq(sp, M_ERR, 412 "130|%s: not sourced: writable by a user other than the owner", a); 413 break; 414 } 415 416 if (nf1) 417 FREE_SPACE(sp, a, 0); 418 return (NOPERM); 419 } 420