regress/check-perm.c - third_party/openssh-portable - Git at Google

 /*
  * Placed in the public domain
  */

 /* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */

 #include "includes.h"

 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <pwd.h>
 #ifdef HAVE_LIBGEN_H
 #include <libgen.h>
 #endif

 static void
 fatal(const char *fmt, ...)
 {
 	va_list args;

 	va_start(args, fmt);
 	vfprintf(stderr, fmt, args);
 	fputc('\n', stderr);
 	va_end(args);
 	exit(1);
 }
 /* Based on session.c. NB. keep tests in sync */
 static void
 safely_chroot(const char *path, uid_t uid)
 {
 	const char *cp;
 	char component[PATH_MAX];
 	struct stat st;

 	if (*path != '/')
 		fatal("chroot path does not begin at root");
 	if (strlen(path) >= sizeof(component))
 		fatal("chroot path too long");

 	/*
 	 * Descend the path, checking that each component is a
 	 * root-owned directory with strict permissions.
 	 */
 	for (cp = path; cp != NULL;) {
 		if ((cp = strchr(cp, '/')) == NULL)
 			strlcpy(component, path, sizeof(component));
 		else {
 			cp++;
 			memcpy(component, path, cp - path);
 			component[cp - path] = '\0';
 		}

 		/* debug3("%s: checking '%s'", __func__, component); */

 		if (stat(component, &st) != 0)
 			fatal("%s: stat(\"%s\"): %s", __func__,
 			    component, strerror(errno));
 		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
 			fatal("bad ownership or modes for chroot "
 			    "directory %s\"%s\"",
 			    cp == NULL ? "" : "component ", component);
 		if (!S_ISDIR(st.st_mode))
 			fatal("chroot path %s\"%s\" is not a directory",
 			    cp == NULL ? "" : "component ", component);

 	}

 	if (chdir(path) == -1)
 		fatal("Unable to chdir to chroot path \"%s\": "
 		    "%s", path, strerror(errno));
 }

 /* from platform.c */
 int
 platform_sys_dir_uid(uid_t uid)
 {
 	if (uid == 0)
 		return 1;
 #ifdef PLATFORM_SYS_DIR_UID
 	if (uid == PLATFORM_SYS_DIR_UID)
 		return 1;
 #endif
 	return 0;
 }

 /* from auth.c */
 int
 auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
     uid_t uid, char *err, size_t errlen)
 {
 	char buf[PATH_MAX], homedir[PATH_MAX];
 	char *cp;
 	int comparehome = 0;
 	struct stat st;

 	if (realpath(name, buf) == NULL) {
 		snprintf(err, errlen, "realpath %s failed: %s", name,
 		    strerror(errno));
 		return -1;
 	}
 	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
 		comparehome = 1;

 	if (!S_ISREG(stp->st_mode)) {
 		snprintf(err, errlen, "%s is not a regular file", buf);
 		return -1;
 	}
 	if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
 	    (stp->st_mode & 022) != 0) {
 		snprintf(err, errlen, "bad ownership or modes for file %s",
 		    buf);
 		return -1;
 	}

 	/* for each component of the canonical path, walking upwards */
 	for (;;) {
 		if ((cp = dirname(buf)) == NULL) {
 			snprintf(err, errlen, "dirname() failed");
 			return -1;
 		}
 		strlcpy(buf, cp, sizeof(buf));

 		if (stat(buf, &st) < 0 ||
 		    (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
 		    (st.st_mode & 022) != 0) {
 			snprintf(err, errlen,
 			    "bad ownership or modes for directory %s", buf);
 			return -1;
 		}

 		/* If are past the homedir then we can stop */
 		if (comparehome && strcmp(homedir, buf) == 0)
 			break;

 		/*
 		 * dirname should always complete with a "/" path,
 		 * but we can be paranoid and check for "." too
 		 */
 		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
 			break;
 	}
 	return 0;
 }

 static void
 usage(void)
 {
 	fprintf(stderr, "check-perm -m [chroot | keys-command] [path]\n");
 	exit(1);
 }

 int
 main(int argc, char **argv)
 {
 	const char *path = ".";
 	char errmsg[256];
 	int ch, mode = -1;
 	extern char *optarg;
 	extern int optind;
 	struct stat st;

 	while ((ch = getopt(argc, argv, "hm:")) != -1) {
 		switch (ch) {
 		case 'm':
 			if (strcasecmp(optarg, "chroot") == 0)
 				mode = 1;
 			else if (strcasecmp(optarg, "keys-command") == 0)
 				mode = 2;
 			else {
 				fprintf(stderr, "Invalid -m option\n"),
 				usage();
 			}
 			break;
 		default:
 			usage();
 		}
 	}
 	argc -= optind;
 	argv += optind;

 	if (argc > 1)
 		usage();
 	else if (argc == 1)
 		path = argv[0];

 	if (mode == 1)
 		safely_chroot(path, getuid());
 	else if (mode == 2) {
 		if (stat(path, &st) < 0)
 			fatal("Could not stat %s: %s", path, strerror(errno));
 		if (auth_secure_path(path, &st, NULL, 0,
 		    errmsg, sizeof(errmsg)) != 0)
 			fatal("Unsafe %s: %s", path, errmsg);
 	} else {
 		fprintf(stderr, "Invalid mode\n");
 		usage();
 	}
 	return 0;
 }
	/*
	* Placed in the public domain
	*/

	/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */

	#include "includes.h"

	#include <sys/types.h>
	#include <sys/stat.h>
	#include <unistd.h>
	#include <stdio.h>
	#include <string.h>
	#include <stdarg.h>
	#include <stdlib.h>
	#include <errno.h>
	#include <pwd.h>
	#ifdef HAVE_LIBGEN_H
	#include <libgen.h>
	#endif

	static void
	fatal(const char *fmt, ...)
	{
	va_list args;

	va_start(args, fmt);
	vfprintf(stderr, fmt, args);
	fputc('\n', stderr);
	va_end(args);
	exit(1);
	}
	/* Based on session.c. NB. keep tests in sync */
	static void
	safely_chroot(const char *path, uid_t uid)
	{
	const char *cp;
	char component[PATH_MAX];
	struct stat st;

	if (*path != '/')
	fatal("chroot path does not begin at root");
	if (strlen(path) >= sizeof(component))
	fatal("chroot path too long");

	/*
	* Descend the path, checking that each component is a
	* root-owned directory with strict permissions.
	*/
	for (cp = path; cp != NULL;) {
	if ((cp = strchr(cp, '/')) == NULL)
	strlcpy(component, path, sizeof(component));
	else {
	cp++;
	memcpy(component, path, cp - path);
	component[cp - path] = '\0';
	}

	/* debug3("%s: checking '%s'", __func__, component); */

	if (stat(component, &st) != 0)
	fatal("%s: stat(\"%s\"): %s", __func__,
	component, strerror(errno));
	if (st.st_uid != 0 \|\| (st.st_mode & 022) != 0)
	fatal("bad ownership or modes for chroot "
	"directory %s\"%s\"",
	cp == NULL ? "" : "component ", component);
	if (!S_ISDIR(st.st_mode))
	fatal("chroot path %s\"%s\" is not a directory",
	cp == NULL ? "" : "component ", component);

	}

	if (chdir(path) == -1)
	fatal("Unable to chdir to chroot path \"%s\": "
	"%s", path, strerror(errno));
	}

	/* from platform.c */
	int
	platform_sys_dir_uid(uid_t uid)
	{
	if (uid == 0)
	return 1;
	#ifdef PLATFORM_SYS_DIR_UID
	if (uid == PLATFORM_SYS_DIR_UID)
	return 1;
	#endif
	return 0;
	}

	/* from auth.c */
	int
	auth_secure_path(const char name, struct stat stp, const char *pw_dir,
	uid_t uid, char *err, size_t errlen)
	{
	char buf[PATH_MAX], homedir[PATH_MAX];
	char *cp;
	int comparehome = 0;
	struct stat st;

	if (realpath(name, buf) == NULL) {
	snprintf(err, errlen, "realpath %s failed: %s", name,
	strerror(errno));
	return -1;
	}
	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
	comparehome = 1;

	if (!S_ISREG(stp->st_mode)) {
	snprintf(err, errlen, "%s is not a regular file", buf);
	return -1;
	}
	if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) \|\|
	(stp->st_mode & 022) != 0) {
	snprintf(err, errlen, "bad ownership or modes for file %s",
	buf);
	return -1;
	}

	/* for each component of the canonical path, walking upwards */
	for (;;) {
	if ((cp = dirname(buf)) == NULL) {
	snprintf(err, errlen, "dirname() failed");
	return -1;
	}
	strlcpy(buf, cp, sizeof(buf));

	if (stat(buf, &st) < 0 \|\|
	(!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) \|\|
	(st.st_mode & 022) != 0) {
	snprintf(err, errlen,
	"bad ownership or modes for directory %s", buf);
	return -1;
	}

	/* If are past the homedir then we can stop */
	if (comparehome && strcmp(homedir, buf) == 0)
	break;

	/*
	* dirname should always complete with a "/" path,
	* but we can be paranoid and check for "." too
	*/
	if ((strcmp("/", buf) == 0) \|\| (strcmp(".", buf) == 0))
	break;
	}
	return 0;
	}

	static void
	usage(void)
	{
	fprintf(stderr, "check-perm -m [chroot \| keys-command] [path]\n");
	exit(1);
	}

	int
	main(int argc, char **argv)
	{
	const char *path = ".";
	char errmsg[256];
	int ch, mode = -1;
	extern char *optarg;
	extern int optind;
	struct stat st;

	while ((ch = getopt(argc, argv, "hm:")) != -1) {
	switch (ch) {
	case 'm':
	if (strcasecmp(optarg, "chroot") == 0)
	mode = 1;
	else if (strcasecmp(optarg, "keys-command") == 0)
	mode = 2;
	else {
	fprintf(stderr, "Invalid -m option\n"),
	usage();
	}
	break;
	default:
	usage();
	}
	}
	argc -= optind;
	argv += optind;

	if (argc > 1)
	usage();
	else if (argc == 1)
	path = argv[0];

	if (mode == 1)
	safely_chroot(path, getuid());
	else if (mode == 2) {
	if (stat(path, &st) < 0)
	fatal("Could not stat %s: %s", path, strerror(errno));
	if (auth_secure_path(path, &st, NULL, 0,
	errmsg, sizeof(errmsg)) != 0)
	fatal("Unsafe %s: %s", path, errmsg);
	} else {
	fprintf(stderr, "Invalid mode\n");
	usage();
	}
	return 0;
	}