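/*-
 * Copyright (c) 1992, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 * Copyright (c) 1992, 1993, 1994, 1995, 1996
 *	Keith Bostic.  All rights reserved.
 *
 * See the LICENSE file for redistribution information.
 */

#include "config.h"

#include <sys/types.h>
#include <sys/queue.h>
#include <sys/stat.h>

#include <bitstring.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "../common/common.h"
#include "tag.h"
#include "pathnames.h"

/* Result of the startup-file vetting done by exrc_isok(). */
enum rc { NOEXIST, NOPERM, RCOK };
static enum rc	exrc_isok(SCR *, struct stat *, char *, int, int);

static int ex_run_file(SCR *, char *);

/*
 * ex_screen_copy --
 *	Copy ex screen.
 *
 *	Allocates a zeroed EX_PRIVATE for sp and initializes its queues.
 *	When orig is non-NULL, the last bang command string and the tag
 *	state are copied from it.  Returns 0 on success, 1 on failure.
 *
 * PUBLIC: int ex_screen_copy(SCR *, SCR *);
 */
int
ex_screen_copy(SCR *orig, SCR *sp)
{
	EX_PRIVATE *oexp, *nexp;

	/* Create the private ex structure. */
	CALLOC_RET(orig, nexp, 1, sizeof(EX_PRIVATE));
	sp->ex_private = nexp;

	/* Initialize queues. */
	TAILQ_INIT(nexp->tq);
	TAILQ_INIT(nexp->tagfq);
	SLIST_INIT(nexp->cscq);

	/* Nothing to inherit when there is no originating screen. */
	if (orig != NULL) {
		oexp = EXP(orig);

		if (oexp->lastbcomm != NULL &&
		    (nexp->lastbcomm = v_wstrdup(sp, oexp->lastbcomm,
		    STRLEN(oexp->lastbcomm))) == NULL) {
			msgq(sp, M_SYSERR, NULL);
			return (1);
		}
		if (ex_tag_copy(orig, sp))
			return (1);
	}
	return (0);
}

/*
 * ex_screen_end --
 *	Release the ex private state attached to a screen.
 *
 *	Every teardown step is attempted even if an earlier one fails;
 *	the return value is 1 if any step reported failure, else 0.
 *	A screen with no ex private structure is a no-op.
 *
 * PUBLIC: int ex_screen_end(SCR *);
 */
int
ex_screen_end(SCR *sp)
{
	EX_PRIVATE *exp;
	int rval;

	if ((exp = EXP(sp)) == NULL)
		return (0);

	rval = 0;

	/* Close down script connections. */
	if (F_ISSET(sp, SC_SCRIPT) && sscr_end(sp))
		rval = 1;

	if (argv_free(sp))
		rval = 1;

	free(exp->ibp);

	free(exp->lastbcomm);

	free(exp->ibcw.bp1.c);

	if (ex_tag_free(sp))
		rval = 1;

	if (cscope_end(sp))
		rval = 1;

	/* Free private memory. */
	free(exp);
	sp->ex_private = NULL;

	return (rval);
}

/*
 * ex_optchange --
 *	Handle change of options for ex.
 *
 *	Only O_TAGS is acted on here (the tag file list is rebuilt from
 *	str); every other option offset returns 0.  valp is not used.
 *
 * PUBLIC: int ex_optchange(SCR *, int, char *, u_long *);
 */
int
ex_optchange(SCR *sp, int offset, char *str, u_long *valp)
{
	switch (offset) {
	case O_TAGS:
		return (ex_tagf_alloc(sp, str));
	default:
		break;
	}
	return (0);
}

/*
 * ex_exrc --
 *	Read the EXINIT environment variable and the startup exrc files,
 *	and execute their commands.
 *
 *	Returns 1 if a startup source could not be set up or run, else 0
 *	(including when a startup command asked the editor to exit).
 *
 * PUBLIC: int ex_exrc(SCR *);
 */
int
ex_exrc(SCR *sp)
{
	struct stat hsb, lsb;
	char *p, *path;
	CHAR_T *wp;
	size_t wlen;

	/*
	 * hsb is compared with the local startup file's device and inode
	 * near the end of this function.  It is only filled in by a
	 * successful stat() inside exrc_isok(), and the $HOME branch is
	 * skipped entirely when NEXINIT or EXINIT is set.  Start from a
	 * zeroed structure so that comparison never reads indeterminate
	 * memory.
	 */
	memset(&hsb, 0, sizeof(hsb));

	/*
	 * Source the system, environment, $HOME and local .exrc values.
	 * Vi historically didn't check $HOME/.exrc if the environment
	 * variable EXINIT was set.  This is all done before the file is
	 * read in, because things in the .exrc information can set, for
	 * example, the recovery directory.
	 *
	 * !!!
	 * While nvi can handle any of the options settings of historic vi,
	 * the converse is not true.  Since users are going to have to have
	 * files and environmental variables that work with both, we use nvi
	 * versions of both the $HOME and local startup files if they exist,
	 * otherwise the historic ones.
	 *
	 * !!!
	 * For a discussion of permissions and when what .exrc files are
	 * read, see the comment above the exrc_isok() function below.
	 *
	 * !!!
	 * If the user started the historic version of vi in $HOME, vi read
	 * the user's .exrc file twice, as $HOME/.exrc and as ./.exrc.  We
	 * avoid this, as it's going to make some commands behave oddly, and
	 * I can't imagine anyone depending on it.
	 */
	switch (exrc_isok(sp, &hsb, _PATH_SYSEXRC, 1, 0)) {
	case NOEXIST:
	case NOPERM:
		break;
	case RCOK:
		if (ex_run_file(sp, _PATH_SYSEXRC))
			return (1);
		break;
	}

	/* Run the commands. */
	if (EXCMD_RUNNING(sp->gp))
		(void)ex_cmd(sp);
	if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE))
		return (0);

	/*
	 * NEXINIT wins over EXINIT, and either one suppresses the $HOME
	 * startup file.  The environment strings are run as given; the
	 * ownership and writeability tests apply to files only.
	 */
	if ((p = getenv("NEXINIT")) != NULL) {
		CHAR2INT(sp, p, strlen(p) + 1, wp, wlen);
		if (ex_run_str(sp, "NEXINIT", wp, wlen - 1, 1, 0))
			return (1);
	} else if ((p = getenv("EXINIT")) != NULL) {
		CHAR2INT(sp, p, strlen(p) + 1, wp, wlen);
		if (ex_run_str(sp, "EXINIT", wp, wlen - 1, 1, 0))
			return (1);
	} else if ((p = getenv("HOME")) != NULL && *p) {
		int st = 0;

		if ((path = join(p, _PATH_NEXRC)) == NULL) {
			msgq(sp, M_SYSERR, NULL);
			return (1);
		}
		switch (exrc_isok(sp, &hsb, path, 0, 1)) {
		case NOEXIST:
			/* No nvi-specific file; fall back to the historic name. */
			free(path);
			if ((path = join(p, _PATH_EXRC)) == NULL) {
				msgq(sp, M_SYSERR, NULL);
				return (1);
			}
			if (exrc_isok(sp,
			    &hsb, path, 0, 1) == RCOK && ex_run_file(sp, path))
				st = 1;
			break;
		case NOPERM:
			/* Present but rejected: do not try the historic name. */
			break;
		case RCOK:
			if (ex_run_file(sp, path))
				st = 1;
			break;
		}
		free(path);
		if (st)
			return st;
	}

	/* Run the commands. */
	if (EXCMD_RUNNING(sp->gp))
		(void)ex_cmd(sp);
	if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE))
		return (0);

	/* Previous commands may have set the exrc option. */
	if (O_ISSET(sp, O_EXRC)) {
		/*
		 * The device/inode comparison skips a local file that is
		 * the same file already described by hsb, so it is not
		 * sourced a second time.
		 */
		switch (exrc_isok(sp, &lsb, _PATH_NEXRC, 0, 0)) {
		case NOEXIST:
			if (exrc_isok(sp, &lsb, _PATH_EXRC, 0, 0) == RCOK &&
			    (lsb.st_dev != hsb.st_dev ||
			    lsb.st_ino != hsb.st_ino) &&
			    ex_run_file(sp, _PATH_EXRC))
				return (1);
			break;
		case NOPERM:
			break;
		case RCOK:
			if ((lsb.st_dev != hsb.st_dev ||
			    lsb.st_ino != hsb.st_ino) &&
			    ex_run_file(sp, _PATH_NEXRC))
				return (1);
			break;
		}
		/* Run the commands. */
		if (EXCMD_RUNNING(sp->gp))
			(void)ex_cmd(sp);
		if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE))
			return (0);
	}

	return (0);
}

/*
 * ex_run_file --
 *	Set up a file of ex commands to run.
 *
 *	Builds a C_SOURCE command whose single argument is name and hands
 *	it to ex_source().  Returns nonzero on failure.
 */
static int
ex_run_file(SCR *sp, char *name)
{
	EXCMD cmd;
	CHAR_T *wp;
	size_t wlen;

	ex_cinit(sp, &cmd, C_SOURCE, 0, OOBLNO, OOBLNO, 0);
	CHAR2INT(sp, name, strlen(name)+1, wp, wlen);
	/* Do not source with an argument list that failed to build. */
	if (argv_exp0(sp, &cmd, wp, wlen - 1))
		return (1);
	return (ex_source(sp, &cmd));
}

/*
 * ex_run_str --
 *	Set up a string of ex commands to run.
 *
 *	name:     label stored (as a copy) in if_name, or NULL for none.
 *	str/len:  the command text and its length.
 *	ex_flags: nonzero selects E_BLIGNORE | E_NOAUTO | E_NOPRDEF |
 *	          E_VLITONLY for the command, zero selects no flags.
 *	nocopy:   nonzero stores str itself instead of a duplicate.
 *
 *	Returns 0 on success, 1 if a copy could not be allocated.
 *
 * PUBLIC: int ex_run_str(SCR *, char *, CHAR_T *, size_t, int, int);
 */
int
ex_run_str(SCR *sp, char *name, CHAR_T *str, size_t len, int ex_flags, int nocopy)
{
	GS *gp;
	EXCMD *ecp;

	gp = sp->gp;
	/*
	 * If a command is already running, stack a new entry on the
	 * queue; otherwise reuse the global command structure.
	 */
	if (EXCMD_RUNNING(gp)) {
		CALLOC_RET(sp, ecp, 1, sizeof(EXCMD));
		SLIST_INSERT_HEAD(gp->ecq, ecp, q);
	} else
		ecp = &gp->excmd;

	F_INIT(ecp,
	    ex_flags ? E_BLIGNORE | E_NOAUTO | E_NOPRDEF | E_VLITONLY : 0);

	/*
	 * NOTE(review): both failure returns below happen after the entry
	 * may already be on gp->ecq, and the second one does not release
	 * the text duplicated into ecp->cp.  Cleanup is presumably left to
	 * the caller -- confirm.
	 */
	if (nocopy)
		ecp->cp = str;
	else
		if ((ecp->cp = v_wstrdup(sp, str, len)) == NULL)
			return (1);
	ecp->clen = len;

	if (name == NULL)
		ecp->if_name = NULL;
	else {
		if ((ecp->if_name = v_strdup(sp, name, strlen(name))) == NULL)
			return (1);
		ecp->if_lno = 1;
		F_SET(ecp, E_NAMEDISCARD);
	}

	return (0);
}

/*
 * exrc_isok --
 *	Check a .exrc file for source-ability.
 *
 *	sbp receives the stat(2) data for path when the file exists.
 *	rootown: nonzero also accepts a file owned by uid 0.
 *	rootid:  nonzero accepts any owner when the effective uid is 0.
 *
 *	Returns NOEXIST if stat() fails, NOPERM (after queueing an error
 *	message) if the ownership or writeability test fails, else RCOK.
 *
 * !!!
 * Historically, vi read the $HOME and local .exrc files if they were owned
 * by the user's real ID, or the "sourceany" option was set, regardless of
 * any other considerations.  We no longer support the sourceany option as
 * it's a security problem of mammoth proportions.  We require the system
 * .exrc file to be owned by root, the $HOME .exrc file to be owned by the
 * user's effective ID (or that the user's effective ID be root) and the
 * local .exrc files to be owned by the user's effective ID.  In all cases,
 * the file cannot be writeable by anyone other than its owner.
 *
 * In O'Reilly ("Learning the VI Editor", Fifth Ed., May 1992, page 106),
 * it notes that System V release 3.2 and later has an option "[no]exrc".
 * The behavior is that local .exrc files are read only if the exrc option
 * is set.  The default for the exrc option was off, so, by default, local
 * .exrc files were not read.  The problem this was intended to solve was
 * that System V permitted users to give away files, so there's no possible
 * ownership or writeability test to ensure that the file is safe.
 *
 * POSIX 1003.2-1992 standardized exrc as an option.  It required the exrc
 * option to be off by default, thus local .exrc files are not to be read
 * by default.  The Rationale noted (incorrectly) that this was a change
 * to historic practice, but correctly noted that a default of off improves
 * system security.  POSIX also required that vi check the effective user
 * ID instead of the real user ID, which is why we've switched from historic
 * practice.
 *
 * We initialize the exrc variable to off.  If it's turned on by the system
 * or $HOME .exrc files, and the local .exrc file passes the ownership and
 * writeability tests, then we read it.  This breaks historic 4BSD practice,
 * but it gives us a measure of security on systems where users can give away
 * files.
 *
 * NOTE(review): the tests are made on the path with stat(), which follows
 * symbolic links, and only the file's own owner and mode bits are examined,
 * not the directory that holds it.  The name is handed to ex_source() by
 * ex_run_file() afterwards, so the file is presumably opened again by name;
 * if so, the object that gets read is not guaranteed to be the one that was
 * checked.  Repeating the tests with fstat() on the opened descriptor would
 * close that window -- confirm against ex_source().
 */
static enum rc
exrc_isok(SCR *sp, struct stat *sbp, char *path, int rootown, int rootid)
{
	enum { ROOTOWN, OWN, WRITER } etype;
	uid_t euid;
	int nf1, nf2;
	char *a, *b, *buf, *full, *shown;

	/* Check for the file's existence. */
	if (stat(path, sbp))
		return (NOEXIST);

	/*
	 * Check ownership permissions.  The file is accepted if it is
	 * owned by the effective uid, or by root when rootown is set, or
	 * if the effective uid is root and rootid is set.
	 */
	euid = geteuid();
	if (!(rootown && sbp->st_uid == 0) &&
	    !(rootid && euid == 0) && sbp->st_uid != euid) {
		etype = rootown ? ROOTOWN : OWN;
		goto denied;
	}

	/* Check writeability: no group or other write bit may be set. */
	if (sbp->st_mode & (S_IWGRP | S_IWOTH)) {
		etype = WRITER;
		goto denied;
	}
	return (RCOK);

denied:
	a = msg_print(sp, path, &nf1);
	b = buf = full = NULL;
	nf2 = 0;
	shown = a;

	/*
	 * A name with no directory part is reported with the current
	 * working directory in front of it, when that can be determined.
	 */
	if (strchr(path, '/') == NULL && (buf = getcwd(NULL, 0)) != NULL) {
		b = msg_print(sp, buf, &nf2);
		if ((full = join(b, a)) == NULL) {
			msgq(sp, M_SYSERR, NULL);
			goto done;
		}
		shown = full;
	}

	switch (etype) {
	case ROOTOWN:
		msgq(sp, M_ERR,
		    "128|%s: not sourced: not owned by you or root", shown);
		break;
	case OWN:
		msgq(sp, M_ERR,
		    "129|%s: not sourced: not owned by you", shown);
		break;
	case WRITER:
		msgq(sp, M_ERR,
    "130|%s: not sourced: writeable by a user other than the owner", shown);
		break;
	}

done:
	/* free(NULL) is a no-op, so the short-name path needs no guard. */
	free(full);
	free(buf);
	if (nf2)
		FREE_SPACE(sp, b, 0);
	if (nf1)
		FREE_SPACE(sp, a, 0);
	return (NOPERM);
}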