
2  * Copyright (c) 1998-2004 Proofpoint, Inc. and its suppliers.
4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
9 * forth in the LICENSE file which can be found at the top level of
18 SM_RCSID("@(#)$Id: safefile.c,v 8.130 2013-11-22 20:51:50 ca Exp $")
22 ** SAFEFILE -- return 0 if a file exists and is safe for a user.
25 ** fn -- filename to check.
26 ** uid -- user id to compare against.
27 ** gid -- group id to compare against.
28 ** user -- user name to compare against (used for group sets).
29 ** flags -- modifiers:
30 ** SFF_MUSTOWN -- "uid" must own this file.
31 ** SFF_NOSLINK -- file cannot be a symbolic link.
32 ** mode -- mode bits that must match.
33 ** st -- if set, points to a stat structure that will
45 safefile(fn, uid, gid, user, flags, mode, st)
49 char *user; variable
91 !bitset(S_IXUSR|S_IXGRP|S_IXOTH, st->st_mode) &&
92 S_ISREG(st->st_mode))
95 ** If final file is set-user-ID, run as the owner of that
101 if (bitset(S_ISUID, st->st_mode))
103 if (bitset(S_ISUID, st->st_mode) && st->st_uid != 0 &&
104 st->st_uid != TrustedUid)
107 uid = st->st_uid;
108 user = NULL;
111 if (bitset(S_ISGID, st->st_mode))
113 if (bitset(S_ISGID, st->st_mode) && st->st_gid != 0)
115 gid = st->st_gid;
128 ret = safedirpath(".", uid, gid, user,
134 ret = safedirpath(fn, uid, gid, user,
167 ret = safedirpath(".", uid, gid, user, flags, 0, 0);
172 ret = safedirpath(fn, uid, gid, user, flags, 0, 0);
181 ** ensure that it is writable by this user.
222 else if (user != NULL && !DontInitGroups &&
224 gr->gr_gid == stbuf.st_gid) ||
229 for (gp = gr->gr_mem; *gp != NULL; gp++)
230 if (strcmp(*gp, user) == 0)
251 st->st_mode = ST_MODE_NOFILE;
256 if (bitset(SFF_NOSLINK, flags) && S_ISLNK(st->st_mode))
260 (unsigned long) st->st_mode);
264 if (bitset(SFF_REGONLY, flags) && !S_ISREG(st->st_mode))
267 sm_dprintf("\t[non-reg mode %lo]\tE_SM_REGONLY\n",
268 (unsigned long) st->st_mode);
272 bitset(S_IWGRP, st->st_mode))
276 (unsigned long) st->st_mode);
280 bitset(S_IWOTH, st->st_mode))
284 (unsigned long) st->st_mode);
287 if (bitset(SFF_NOGRFILES, flags) && bitset(S_IRGRP, st->st_mode))
291 (unsigned long) st->st_mode);
294 if (bitset(SFF_NOWRFILES, flags) && bitset(S_IROTH, st->st_mode))
298 (unsigned long) st->st_mode);
303 bitset(S_IXUSR|S_IXGRP|S_IXOTH, st->st_mode))
307 (unsigned long) st->st_mode);
310 if (bitset(SFF_NOHLINK, flags) && st->st_nlink != 1)
314 (int) st->st_nlink);
323 else if (st->st_uid == uid)
326 else if (uid == 0 && st->st_uid == TrustedUid)
332 if (st->st_gid == gid)
336 else if (user != NULL && !DontInitGroups &&
337 ((gr != NULL && gr->gr_gid == st->st_gid) ||
338 (gr = getgrgid(st->st_gid)) != NULL))
342 for (gp = gr->gr_mem; *gp != NULL; gp++)
343 if (strcmp(*gp, user) == 0)
354 (int) st->st_uid, (int) st->st_nlink,
355 (unsigned long) st->st_mode, (unsigned long) mode);
356 if ((st->st_uid == uid || st->st_uid == 0 ||
357 st->st_uid == TrustedUid ||
359 (st->st_mode & mode) == mode)
370 ** SAFEDIRPATH -- check to make sure a path to a directory is safe
375 ** fn -- filename to check.
376 ** uid -- user id to compare against.
377 ** gid -- group id to compare against.
378 ** user -- user name to compare against (used for group
380 ** flags -- modifiers:
381 ** SFF_ROOTOK -- ok to use root permissions to open.
382 ** SFF_SAFEDIRPATH -- writable directories are considered
384 ** level -- symlink recursive level.
385 ** offset -- offset into fn to start checking from.
388 ** 0 -- if the directory path is "safe".
389 ** else -- an error number associated with the path.
393 safedirpath(fn, uid, gid, user, flags, level, offset) in safedirpath() argument
397 char *user;
399 int level;
412 if (level > MAXSYMLINKS)
415 if (level < 0 || offset < 0 || offset > strlen(fn))
423 sm_dprintf("safedirpath(%s, uid=%ld, gid=%ld, flags=%lx, level=%d, offset=%d):\n",
424 fn, (long) uid, (long) gid, flags, level, offset);
525 offset--;
534 offset--;
552 offset = sptr + 1 - s;
578 ret = safedirpath(target, uid, gid, user, flags,
579 level + 1, offset);
627 ** running as a privileged user. This allows ACLs
641 if (user != NULL && !DontInitGroups &&
642 ((gr != NULL && gr->gr_gid == stbuf.st_gid) ||
647 for (gp = gr->gr_mem; gp != NULL && *gp != NULL; gp++)
648 if (strcmp(*gp, user) == 0)
667 ** SAFEOPEN -- do a file open with extra checking
670 ** fn -- the file name to open.
671 ** omode -- the open-style mode flags.
672 ** cmode -- the create-style mode flags.
673 ** sff -- safefile flags.
728 return -1;
736 return -1;
753 return -1;
767 return -1;
774 ** SAFEFOPEN -- do a file open with extra checking
777 ** fn -- the file name to open.
778 ** omode -- the open-style mode flags.
779 ** cmode -- the create-style mode flags.
780 ** sff -- safefile flags.
850 ** FILECHANGED -- check to see if file changed after being opened
853 ** fn -- pathname of file to check.
854 ** fd -- file descriptor to check.
855 ** stb -- stat structure from before open.
858 ** true -- if a problem was detected.
859 ** false -- if this file is still the same.
870 if (stb->st_mode == ST_MODE_NOFILE)
874 if (lstat(fn, stb) < 0 || stb->st_nlink != 1)
883 if (sta.st_nlink != stb->st_nlink ||
884 sta.st_dev != stb->st_dev ||
885 sta.st_ino != stb->st_ino ||
887 sta.st_gen != stb->st_gen ||
889 sta.st_uid != stb->st_uid ||
890 sta.st_gid != stb->st_gid)
896 (long) stb->st_nlink, (long) sta.st_nlink);
898 (long) stb->st_dev, (long) sta.st_dev);
900 (ULONGLONG_T) stb->st_ino,
904 (long) stb->st_gen, (long) sta.st_gen);
907 (long) stb->st_uid, (long) sta.st_uid);
909 (long) stb->st_gid, (long) sta.st_gid);
917 ** DFOPEN -- determined file open
933 int fd = -1;
974 fd = -1;