|
Lines 46-51
|
| 46 |
# include <paths.h> |
46 |
# include <paths.h> |
| 47 |
#include <pwd.h> |
47 |
#include <pwd.h> |
| 48 |
#endif |
48 |
#endif |
|
|
49 |
#ifdef HAVE_LIBGEN_H |
| 50 |
#include <libgen.h> |
| 51 |
#endif |
| 49 |
#ifdef SSH_TUN_OPENBSD |
52 |
#ifdef SSH_TUN_OPENBSD |
| 50 |
#include <net/if.h> |
53 |
#include <net/if.h> |
| 51 |
#endif |
54 |
#endif |
|
Lines 608-613
|
| 608 |
} |
611 |
} |
| 609 |
|
612 |
|
| 610 |
/* |
613 |
/* |
|
|
614 |
* Check a given file for security. This is defined as all components |
| 615 |
* of the path to the file must be owned by either the owner of |
| 616 |
* of the file or root and no directories must be group or world writable. |
| 617 |
* |
| 618 |
* XXX Should any specific check be done for sym links ? |
| 619 |
* |
| 620 |
* Takes an open file descriptor, the file name, a uid and and |
| 621 |
* error buffer plus max size as arguments. |
| 622 |
* |
| 623 |
* Returns 0 on success and -1 on failure |
| 624 |
*/ |
| 625 |
static int |
| 626 |
secure_filename(FILE *f, const char *file, struct passwd *pw, |
| 627 |
char *err, size_t errlen) |
| 628 |
{ |
| 629 |
uid_t uid = pw->pw_uid; |
| 630 |
char buf[MAXPATHLEN], homedir[MAXPATHLEN]; |
| 631 |
char *cp; |
| 632 |
int comparehome = 0; |
| 633 |
struct stat st; |
| 634 |
|
| 635 |
if (realpath(file, buf) == NULL) { |
| 636 |
snprintf(err, errlen, "realpath %s failed: %s", file, |
| 637 |
strerror(errno)); |
| 638 |
return -1; |
| 639 |
} |
| 640 |
if (realpath(pw->pw_dir, homedir) != NULL) |
| 641 |
comparehome = 1; |
| 642 |
|
| 643 |
/* check the open file to avoid races */ |
| 644 |
if (fstat(fileno(f), &st) < 0 || |
| 645 |
(st.st_uid != 0 && st.st_uid != uid) || |
| 646 |
(st.st_mode & 022) != 0) { |
| 647 |
snprintf(err, errlen, "bad ownership or modes for file %s", |
| 648 |
buf); |
| 649 |
return -1; |
| 650 |
} |
| 651 |
|
| 652 |
/* for each component of the canonical path, walking upwards */ |
| 653 |
for (;;) { |
| 654 |
if ((cp = dirname(buf)) == NULL) { |
| 655 |
snprintf(err, errlen, "dirname() failed"); |
| 656 |
return -1; |
| 657 |
} |
| 658 |
strlcpy(buf, cp, sizeof(buf)); |
| 659 |
|
| 660 |
debug3("secure_filename: checking '%s'", buf); |
| 661 |
if (stat(buf, &st) < 0 || |
| 662 |
(st.st_uid != 0 && st.st_uid != uid) || |
| 663 |
(st.st_mode & 022) != 0) { |
| 664 |
snprintf(err, errlen, |
| 665 |
"bad ownership or modes for directory %s", buf); |
| 666 |
return -1; |
| 667 |
} |
| 668 |
|
| 669 |
/* If are passed the homedir then we can stop */ |
| 670 |
if (comparehome && strcmp(homedir, buf) == 0) { |
| 671 |
debug3("secure_filename: terminating check at '%s'", |
| 672 |
buf); |
| 673 |
break; |
| 674 |
} |
| 675 |
/* |
| 676 |
* dirname should always complete with a "/" path, |
| 677 |
* but we can be paranoid and check for "." too |
| 678 |
*/ |
| 679 |
if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0)) |
| 680 |
break; |
| 681 |
} |
| 682 |
return 0; |
| 683 |
} |
| 684 |
|
| 685 |
FILE * |
| 686 |
open_keyfile(const char *filename, struct passwd *pw, int strict_modes) |
| 687 |
{ |
| 688 |
char err[1024]; |
| 689 |
struct stat st; |
| 690 |
FILE *f; |
| 691 |
|
| 692 |
if (stat(filename, &st) < 0) |
| 693 |
return NULL; |
| 694 |
|
| 695 |
f = fopen(filename, "r"); |
| 696 |
if (!f) |
| 697 |
return NULL; |
| 698 |
|
| 699 |
if (strict_modes && |
| 700 |
secure_filename(f, filename, pw, err, sizeof(err)) != 0) { |
| 701 |
fclose(f); |
| 702 |
logit("Authentication refused: %s", err); |
| 703 |
return NULL; |
| 704 |
} |
| 705 |
|
| 706 |
return f; |
| 707 |
} |
| 708 |
|
| 709 |
/* |
| 611 |
* Read an entire line from a public key file into a static buffer, discarding |
710 |
* Read an entire line from a public key file into a static buffer, discarding |
| 612 |
* lines that exceed the buffer size. Returns 0 on success, -1 on failure. |
711 |
* lines that exceed the buffer size. Returns 0 on success, -1 on failure. |
| 613 |
*/ |
712 |
*/ |
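Review bot: open_keyfile (new lines 685-707) never checks the type of the file it opens: the result of the initial stat() is left unused, and secure_filename's fstat() only tests ownership and the 022 mode bits, so a FIFO, device or other non-regular file at the key path passes every check and is then read. Since the path presumably lives under the user's own home directory, the regular-file requirement belongs with the open; after the fopen() succeeds, replace the unused stat() precheck with `if (fstat(fileno(f), &st) < 0 || !S_ISREG(st.st_mode)) { fclose(f); return NULL; }` so the decision is made on the opened descriptor rather than a separate path lookup. Note that fopen(filename, "r") can itself block on a FIFO before that check runs; opening with open(O_RDONLY|O_NONBLOCK) plus fdopen() would close that gap too, but is a larger change than this hunk. Separately, the comment at new line 669 reads "If are passed the homedir"; `/* Once we have walked up past the homedir we can stop */` says what the strcmp() below it does.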