1 /* $OpenBSD: ex_init.c,v 1.17 2016/01/06 22:28:52 millert Exp $ */ 2 3 /*- 4 * Copyright (c) 1992, 1993, 1994 5 * The Regents of the University of California. All rights reserved. 6 * Copyright (c) 1992, 1993, 1994, 1995, 1996 7 * Keith Bostic. All rights reserved. 8 * 9 * See the LICENSE file for redistribution information. 10 */ 11 12 #include "config.h" 13 14 #include <sys/queue.h> 15 #include <sys/stat.h> 16 17 #include <bitstring.h> 18 #include <errno.h> 19 #include <fcntl.h> 20 #include <limits.h> 21 #include <stdio.h> 22 #include <stdlib.h> 23 #include <string.h> 24 #include <unistd.h> 25 26 #include "../common/common.h" 27 #include "tag.h" 28 #include "pathnames.h" 29 30 enum rc { NOEXIST, NOPERM, RCOK }; 31 static enum rc exrc_isok(SCR *, struct stat *, int *, char *, int, int); 32 33 static int ex_run_file(SCR *, int, char *); 34 35 /* 36 * ex_screen_copy -- 37 * Copy ex screen. 38 * 39 * PUBLIC: int ex_screen_copy(SCR *, SCR *); 40 */ 41 int 42 ex_screen_copy(SCR *orig, SCR *sp) 43 { 44 EX_PRIVATE *oexp, *nexp; 45 46 /* Create the private ex structure. */ 47 CALLOC_RET(orig, nexp, 1, sizeof(EX_PRIVATE)); 48 sp->ex_private = nexp; 49 50 /* Initialize queues. */ 51 TAILQ_INIT(&nexp->tq); 52 TAILQ_INIT(&nexp->tagfq); 53 54 if (orig == NULL) { 55 } else { 56 oexp = EXP(orig); 57 58 if (oexp->lastbcomm != NULL && 59 (nexp->lastbcomm = strdup(oexp->lastbcomm)) == NULL) { 60 msgq(sp, M_SYSERR, NULL); 61 return(1); 62 } 63 if (ex_tag_copy(orig, sp)) 64 return (1); 65 } 66 return (0); 67 } 68 69 /* 70 * ex_screen_end -- 71 * End a vi screen. 72 * 73 * PUBLIC: int ex_screen_end(SCR *); 74 */ 75 int 76 ex_screen_end(SCR *sp) 77 { 78 EX_PRIVATE *exp; 79 int rval; 80 81 if ((exp = EXP(sp)) == NULL) 82 return (0); 83 84 rval = 0; 85 86 /* Close down script connections. */ 87 if (F_ISSET(sp, SC_SCRIPT) && sscr_end(sp)) 88 rval = 1; 89 90 if (argv_free(sp)) 91 rval = 1; 92 93 if (exp->ibp != NULL) 94 free(exp->ibp); 95 96 if (exp->lastbcomm != NULL) 97 free(exp->lastbcomm); 98 99 if (ex_tag_free(sp)) 100 rval = 1; 101 102 /* Free private memory. */ 103 free(exp); 104 sp->ex_private = NULL; 105 106 return (rval); 107 } 108 109 /* 110 * ex_optchange -- 111 * Handle change of options for ex. 112 * 113 * PUBLIC: int ex_optchange(SCR *, int, char *, u_long *); 114 */ 115 int 116 ex_optchange(SCR *sp, int offset, char *str, u_long *valp) 117 { 118 switch (offset) { 119 case O_TAGS: 120 return (ex_tagf_alloc(sp, str)); 121 } 122 return (0); 123 } 124 125 /* 126 * ex_exrc -- 127 * Read the EXINIT environment variable and the startup exrc files, 128 * and execute their commands. 129 * 130 * PUBLIC: int ex_exrc(SCR *); 131 */ 132 int 133 ex_exrc(SCR *sp) 134 { 135 struct stat hsb, lsb; 136 char *p, path[PATH_MAX]; 137 int fd; 138 139 /* 140 * Source the system, environment, $HOME and local .exrc values. 141 * Vi historically didn't check $HOME/.exrc if the environment 142 * variable EXINIT was set. This is all done before the file is 143 * read in, because things in the .exrc information can set, for 144 * example, the recovery directory. 145 * 146 * !!! 147 * While nvi can handle any of the options settings of historic vi, 148 * the converse is not true. Since users are going to have to have 149 * files and environmental variables that work with both, we use nvi 150 * versions of both the $HOME and local startup files if they exist, 151 * otherwise the historic ones. 152 * 153 * !!! 154 * For a discussion of permissions and when what .exrc files are 155 * read, see the comment above the exrc_isok() function below. 156 * 157 * !!! 158 * If the user started the historic of vi in $HOME, vi read the user's 159 * .exrc file twice, as $HOME/.exrc and as ./.exrc. We avoid this, as 160 * it's going to make some commands behave oddly, and I can't imagine 161 * anyone depending on it. 162 */ 163 switch (exrc_isok(sp, &hsb, &fd, _PATH_SYSEXRC, 1, 0)) { 164 case NOEXIST: 165 case NOPERM: 166 break; 167 case RCOK: 168 if (ex_run_file(sp, fd, _PATH_SYSEXRC)) 169 return (1); 170 break; 171 } 172 173 /* Run the commands. */ 174 if (EXCMD_RUNNING(sp->gp)) 175 (void)ex_cmd(sp); 176 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 177 return (0); 178 179 if ((p = getenv("NEXINIT")) != NULL) { 180 if (ex_run_str(sp, "NEXINIT", p, strlen(p), 1, 0)) 181 return (1); 182 } else if ((p = getenv("EXINIT")) != NULL) { 183 if (ex_run_str(sp, "EXINIT", p, strlen(p), 1, 0)) 184 return (1); 185 } else if ((p = getenv("HOME")) != NULL && *p) { 186 (void)snprintf(path, sizeof(path), "%s/%s", p, _PATH_NEXRC); 187 switch (exrc_isok(sp, &hsb, &fd, path, 0, 1)) { 188 case NOEXIST: 189 (void)snprintf(path, 190 sizeof(path), "%s/%s", p, _PATH_EXRC); 191 if (exrc_isok(sp, &hsb, &fd, path, 0, 1) == RCOK && 192 ex_run_file(sp, fd, path)) 193 return (1); 194 break; 195 case NOPERM: 196 break; 197 case RCOK: 198 if (ex_run_file(sp, fd, path)) 199 return (1); 200 break; 201 } 202 } 203 204 /* Run the commands. */ 205 if (EXCMD_RUNNING(sp->gp)) 206 (void)ex_cmd(sp); 207 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 208 return (0); 209 210 /* Previous commands may have set the exrc option. */ 211 if (O_ISSET(sp, O_EXRC)) { 212 switch (exrc_isok(sp, &lsb, &fd, _PATH_NEXRC, 0, 0)) { 213 case NOEXIST: 214 if (exrc_isok(sp, &lsb, &fd, _PATH_EXRC, 0, 0) 215 == RCOK) { 216 if (lsb.st_dev != hsb.st_dev || 217 lsb.st_ino != hsb.st_ino) { 218 if (ex_run_file(sp, fd, _PATH_EXRC)) 219 return (1); 220 } else 221 close(fd); 222 } 223 break; 224 case NOPERM: 225 break; 226 case RCOK: 227 if (lsb.st_dev != hsb.st_dev || 228 lsb.st_ino != hsb.st_ino) { 229 if (ex_run_file(sp, fd, _PATH_NEXRC)) 230 return (1); 231 } else 232 close(fd); 233 break; 234 } 235 /* Run the commands. */ 236 if (EXCMD_RUNNING(sp->gp)) 237 (void)ex_cmd(sp); 238 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 239 return (0); 240 } 241 242 return (0); 243 } 244 245 /* 246 * ex_run_file -- 247 * Set up a file of ex commands to run. 248 */ 249 static int 250 ex_run_file(SCR *sp, int fd, char *name) 251 { 252 ARGS *ap[2], a; 253 EXCMD cmd; 254 255 ex_cinit(&cmd, C_SOURCE, 0, OOBLNO, OOBLNO, 0, ap); 256 ex_cadd(&cmd, &a, name, strlen(name)); 257 return (ex_sourcefd(sp, &cmd, fd)); 258 } 259 260 /* 261 * ex_run_str -- 262 * Set up a string of ex commands to run. 263 * 264 * PUBLIC: int ex_run_str(SCR *, char *, char *, size_t, int, int); 265 */ 266 int 267 ex_run_str(SCR *sp, char *name, char *str, size_t len, int ex_flags, 268 int nocopy) 269 { 270 GS *gp; 271 EXCMD *ecp; 272 273 gp = sp->gp; 274 if (EXCMD_RUNNING(gp)) { 275 CALLOC_RET(sp, ecp, 1, sizeof(EXCMD)); 276 LIST_INSERT_HEAD(&gp->ecq, ecp, q); 277 } else 278 ecp = &gp->excmd; 279 280 F_INIT(ecp, 281 ex_flags ? E_BLIGNORE | E_NOAUTO | E_NOPRDEF | E_VLITONLY : 0); 282 283 if (nocopy) 284 ecp->cp = str; 285 else 286 if ((ecp->cp = v_strdup(sp, str, len)) == NULL) 287 return (1); 288 ecp->clen = len; 289 290 if (name == NULL) 291 ecp->if_name = NULL; 292 else { 293 if ((ecp->if_name = v_strdup(sp, name, strlen(name))) == NULL) 294 return (1); 295 ecp->if_lno = 1; 296 F_SET(ecp, E_NAMEDISCARD); 297 } 298 299 return (0); 300 } 301 302 /* 303 * exrc_isok -- 304 * Open and check a .exrc file for source-ability. 305 * 306 * !!! 307 * Historically, vi read the $HOME and local .exrc files if they were owned 308 * by the user's real ID, or the "sourceany" option was set, regardless of 309 * any other considerations. We no longer support the sourceany option as 310 * it's a security problem of mammoth proportions. We require the system 311 * .exrc file to be owned by root, the $HOME .exrc file to be owned by the 312 * user's effective ID (or that the user's effective ID be root) and the 313 * local .exrc files to be owned by the user's effective ID. In all cases, 314 * the file cannot be writeable by anyone other than its owner. 315 * 316 * In O'Reilly ("Learning the VI Editor", Fifth Ed., May 1992, page 106), 317 * it notes that System V release 3.2 and later has an option "[no]exrc". 318 * The behavior is that local .exrc files are read only if the exrc option 319 * is set. The default for the exrc option was off, so, by default, local 320 * .exrc files were not read. The problem this was intended to solve was 321 * that System V permitted users to give away files, so there's no possible 322 * ownership or writeability test to ensure that the file is safe. 323 * 324 * POSIX 1003.2-1992 standardized exrc as an option. It required the exrc 325 * option to be off by default, thus local .exrc files are not to be read 326 * by default. The Rationale noted (incorrectly) that this was a change 327 * to historic practice, but correctly noted that a default of off improves 328 * system security. POSIX also required that vi check the effective user 329 * ID instead of the real user ID, which is why we've switched from historic 330 * practice. 331 * 332 * We initialize the exrc variable to off. If it's turned on by the system 333 * or $HOME .exrc files, and the local .exrc file passes the ownership and 334 * writeability tests, then we read it. This breaks historic 4BSD practice, 335 * but it gives us a measure of security on systems where users can give away 336 * files. 337 */ 338 static enum rc 339 exrc_isok(SCR *sp, struct stat *sbp, int *fdp, char *path, int rootown, 340 int rootid) 341 { 342 enum { ROOTOWN, OWN, WRITER } etype; 343 uid_t euid; 344 int nf1, nf2; 345 char *a, *b, buf[PATH_MAX]; 346 347 if ((*fdp = open(path, O_RDONLY, 0)) < 0) { 348 if (errno == ENOENT) 349 /* This is the only case where ex_exrc() 350 * should silently try the next file, for 351 * example .exrc after .nexrc. 352 */ 353 return (NOEXIST); 354 355 msgq_str(sp, M_SYSERR, path, "%s"); 356 return (NOPERM); 357 } 358 359 if (fstat(*fdp, sbp)) { 360 msgq_str(sp, M_SYSERR, path, "%s"); 361 close(*fdp); 362 return (NOPERM); 363 } 364 365 /* Check ownership permissions. */ 366 euid = geteuid(); 367 if (!(rootown && sbp->st_uid == 0) && 368 !(rootid && euid == 0) && sbp->st_uid != euid) { 369 etype = rootown ? ROOTOWN : OWN; 370 goto denied; 371 } 372 373 /* Check writeability. */ 374 if (sbp->st_mode & (S_IWGRP | S_IWOTH)) { 375 etype = WRITER; 376 goto denied; 377 } 378 return (RCOK); 379 380 denied: a = msg_print(sp, path, &nf1); 381 if (strchr(path, '/') == NULL && getcwd(buf, sizeof(buf)) != NULL) { 382 b = msg_print(sp, buf, &nf2); 383 switch (etype) { 384 case ROOTOWN: 385 msgq(sp, M_ERR, 386 "%s/%s: not sourced: not owned by you or root", 387 b, a); 388 break; 389 case OWN: 390 msgq(sp, M_ERR, 391 "%s/%s: not sourced: not owned by you", b, a); 392 break; 393 case WRITER: 394 msgq(sp, M_ERR, 395 "%s/%s: not sourced: writable by a user other than the owner", b, a); 396 break; 397 } 398 if (nf2) 399 FREE_SPACE(sp, b, 0); 400 } else 401 switch (etype) { 402 case ROOTOWN: 403 msgq(sp, M_ERR, 404 "%s: not sourced: not owned by you or root", a); 405 break; 406 case OWN: 407 msgq(sp, M_ERR, 408 "%s: not sourced: not owned by you", a); 409 break; 410 case WRITER: 411 msgq(sp, M_ERR, 412 "%s: not sourced: writable by a user other than the owner", a); 413 break; 414 } 415 416 if (nf1) 417 FREE_SPACE(sp, a, 0); 418 close(*fdp); 419 return (NOPERM); 420 } 421