xref: /freebsd/contrib/nvi/ex/ex_init.c (revision 95ee2897e98f5d444f26ed2334cc7c439f9c16c6)
1 /*-
2  * Copyright (c) 1992, 1993, 1994
3  *	The Regents of the University of California.  All rights reserved.
4  * Copyright (c) 1992, 1993, 1994, 1995, 1996
5  *	Keith Bostic.  All rights reserved.
6  *
7  * See the LICENSE file for redistribution information.
8  */
9 
10 #include "config.h"
11 
12 #include <sys/types.h>
13 #include <sys/queue.h>
14 #include <sys/stat.h>
15 
16 #include <bitstring.h>
17 #include <fcntl.h>
18 #include <limits.h>
19 #include <stdio.h>
20 #include <stdlib.h>
21 #include <string.h>
22 #include <unistd.h>
23 
24 #include "../common/common.h"
25 #include "tag.h"
26 #include "pathnames.h"
27 
28 enum rc { NOEXIST, NOPERM, RCOK };
29 static enum rc	exrc_isok(SCR *, struct stat *, char *, int, int);
30 
31 static int ex_run_file(SCR *, char *);
32 
33 /*
34  * ex_screen_copy --
35  *	Copy ex screen.
36  *
37  * PUBLIC: int ex_screen_copy(SCR *, SCR *);
38  */
39 int
40 ex_screen_copy(SCR *orig, SCR *sp)
41 {
42 	EX_PRIVATE *oexp, *nexp;
43 
44 	/* Create the private ex structure. */
45 	CALLOC_RET(orig, nexp, 1, sizeof(EX_PRIVATE));
46 	sp->ex_private = nexp;
47 
48 	/* Initialize queues. */
49 	TAILQ_INIT(nexp->tq);
50 	TAILQ_INIT(nexp->tagfq);
51 	SLIST_INIT(nexp->cscq);
52 
53 	if (orig == NULL) {
54 	} else {
55 		oexp = EXP(orig);
56 
57 		if (oexp->lastbcomm != NULL &&
58 		    (nexp->lastbcomm = v_wstrdup(sp, oexp->lastbcomm,
59 				     STRLEN(oexp->lastbcomm))) == NULL) {
60 			msgq(sp, M_SYSERR, NULL);
61 			return(1);
62 		}
63 		if (ex_tag_copy(orig, sp))
64 			return (1);
65 	}
66 	return (0);
67 }
68 
69 /*
70  * ex_screen_end --
71  *	End a vi screen.
72  *
73  * PUBLIC: int ex_screen_end(SCR *);
74  */
75 int
76 ex_screen_end(SCR *sp)
77 {
78 	EX_PRIVATE *exp;
79 	int rval;
80 
81 	if ((exp = EXP(sp)) == NULL)
82 		return (0);
83 
84 	rval = 0;
85 
86 	/* Close down script connections. */
87 	if (F_ISSET(sp, SC_SCRIPT) && sscr_end(sp))
88 		rval = 1;
89 
90 	if (argv_free(sp))
91 		rval = 1;
92 
93 	free(exp->ibp);
94 
95 	free(exp->lastbcomm);
96 
97 	free(exp->ibcw.bp1.c);
98 
99 	if (ex_tag_free(sp))
100 		rval = 1;
101 
102 	if (cscope_end(sp))
103 		rval = 1;
104 
105 	/* Free private memory. */
106 	free(exp);
107 	sp->ex_private = NULL;
108 
109 	return (rval);
110 }
111 
112 /*
113  * ex_optchange --
114  *	Handle change of options for ex.
115  *
116  * PUBLIC: int ex_optchange(SCR *, int, char *, u_long *);
117  */
118 int
119 ex_optchange(SCR *sp, int offset, char *str, u_long *valp)
120 {
121 	switch (offset) {
122 	case O_TAGS:
123 		return (ex_tagf_alloc(sp, str));
124 	}
125 	return (0);
126 }
127 
128 /*
129  * ex_exrc --
130  *	Read the EXINIT environment variable and the startup exrc files,
131  *	and execute their commands.
132  *
133  * PUBLIC: int ex_exrc(SCR *);
134  */
135 int
136 ex_exrc(SCR *sp)
137 {
138 	struct stat hsb, lsb;
139 	char *p, *path;
140 	CHAR_T *wp;
141 	size_t wlen;
142 
143 	/*
144 	 * Source the system, environment, $HOME and local .exrc values.
145 	 * Vi historically didn't check $HOME/.exrc if the environment
146 	 * variable EXINIT was set.  This is all done before the file is
147 	 * read in, because things in the .exrc information can set, for
148 	 * example, the recovery directory.
149 	 *
150 	 * !!!
151 	 * While nvi can handle any of the options settings of historic vi,
152 	 * the converse is not true.  Since users are going to have to have
153 	 * files and environmental variables that work with both, we use nvi
154 	 * versions of both the $HOME and local startup files if they exist,
155 	 * otherwise the historic ones.
156 	 *
157 	 * !!!
158 	 * For a discussion of permissions and when what .exrc files are
159 	 * read, see the comment above the exrc_isok() function below.
160 	 *
161 	 * !!!
162 	 * If the user started the historic of vi in $HOME, vi read the user's
163 	 * .exrc file twice, as $HOME/.exrc and as ./.exrc.  We avoid this, as
164 	 * it's going to make some commands behave oddly, and I can't imagine
165 	 * anyone depending on it.
166 	 */
167 	switch (exrc_isok(sp, &hsb, _PATH_SYSEXRC, 1, 0)) {
168 	case NOEXIST:
169 	case NOPERM:
170 		break;
171 	case RCOK:
172 		if (ex_run_file(sp, _PATH_SYSEXRC))
173 			return (1);
174 		break;
175 	}
176 
177 	/* Run the commands. */
178 	if (EXCMD_RUNNING(sp->gp))
179 		(void)ex_cmd(sp);
180 	if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE))
181 		return (0);
182 
183 	if ((p = getenv("NEXINIT")) != NULL) {
184 		CHAR2INT(sp, p, strlen(p) + 1, wp, wlen);
185 		if (ex_run_str(sp, "NEXINIT", wp, wlen - 1, 1, 0))
186 			return (1);
187 	} else if ((p = getenv("EXINIT")) != NULL) {
188 		CHAR2INT(sp, p, strlen(p) + 1, wp, wlen);
189 		if (ex_run_str(sp, "EXINIT", wp, wlen - 1, 1, 0))
190 			return (1);
191 	} else if ((p = getenv("HOME")) != NULL && *p) {
192 		int st = 0;
193 
194 		if ((path = join(p, _PATH_NEXRC)) == NULL) {
195 			msgq(sp, M_SYSERR, NULL);
196 			return (1);
197 		}
198 		switch (exrc_isok(sp, &hsb, path, 0, 1)) {
199 		case NOEXIST:
200 			free(path);
201 			if ((path = join(p, _PATH_EXRC)) == NULL) {
202 				msgq(sp, M_SYSERR, NULL);
203 				return (1);
204 			}
205 			if (exrc_isok(sp,
206 			    &hsb, path, 0, 1) == RCOK && ex_run_file(sp, path))
207 				st = 1;
208 			break;
209 		case NOPERM:
210 			break;
211 		case RCOK:
212 			if (ex_run_file(sp, path))
213 				st = 1;
214 			break;
215 		}
216 		free(path);
217 		if (st)
218 			return st;
219 	}
220 
221 	/* Run the commands. */
222 	if (EXCMD_RUNNING(sp->gp))
223 		(void)ex_cmd(sp);
224 	if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE))
225 		return (0);
226 
227 	/* Previous commands may have set the exrc option. */
228 	if (O_ISSET(sp, O_EXRC)) {
229 		switch (exrc_isok(sp, &lsb, _PATH_NEXRC, 0, 0)) {
230 		case NOEXIST:
231 			if (exrc_isok(sp, &lsb, _PATH_EXRC, 0, 0) == RCOK &&
232 			    (lsb.st_dev != hsb.st_dev ||
233 			    lsb.st_ino != hsb.st_ino) &&
234 			    ex_run_file(sp, _PATH_EXRC))
235 				return (1);
236 			break;
237 		case NOPERM:
238 			break;
239 		case RCOK:
240 			if ((lsb.st_dev != hsb.st_dev ||
241 			    lsb.st_ino != hsb.st_ino) &&
242 			    ex_run_file(sp, _PATH_NEXRC))
243 				return (1);
244 			break;
245 		}
246 		/* Run the commands. */
247 		if (EXCMD_RUNNING(sp->gp))
248 			(void)ex_cmd(sp);
249 		if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE))
250 			return (0);
251 	}
252 
253 	return (0);
254 }
255 
256 /*
257  * ex_run_file --
258  *	Set up a file of ex commands to run.
259  */
260 static int
261 ex_run_file(SCR *sp, char *name)
262 {
263 	EXCMD cmd;
264 	CHAR_T *wp;
265 	size_t wlen;
266 
267 	ex_cinit(sp, &cmd, C_SOURCE, 0, OOBLNO, OOBLNO, 0);
268 	CHAR2INT(sp, name, strlen(name)+1, wp, wlen);
269 	argv_exp0(sp, &cmd, wp, wlen - 1);
270 	return (ex_source(sp, &cmd));
271 }
272 
273 /*
274  * ex_run_str --
275  *	Set up a string of ex commands to run.
276  *
277  * PUBLIC: int ex_run_str(SCR *, char *, CHAR_T *, size_t, int, int);
278  */
279 int
280 ex_run_str(SCR *sp, char *name, CHAR_T *str, size_t len, int ex_flags, int nocopy)
281 {
282 	GS *gp;
283 	EXCMD *ecp;
284 
285 	gp = sp->gp;
286 	if (EXCMD_RUNNING(gp)) {
287 		CALLOC_RET(sp, ecp, 1, sizeof(EXCMD));
288 		SLIST_INSERT_HEAD(gp->ecq, ecp, q);
289 	} else
290 		ecp = &gp->excmd;
291 
292 	F_INIT(ecp,
293 	    ex_flags ? E_BLIGNORE | E_NOAUTO | E_NOPRDEF | E_VLITONLY : 0);
294 
295 	if (nocopy)
296 		ecp->cp = str;
297 	else
298 		if ((ecp->cp = v_wstrdup(sp, str, len)) == NULL)
299 			return (1);
300 	ecp->clen = len;
301 
302 	if (name == NULL)
303 		ecp->if_name = NULL;
304 	else {
305 		if ((ecp->if_name = v_strdup(sp, name, strlen(name))) == NULL)
306 			return (1);
307 		ecp->if_lno = 1;
308 		F_SET(ecp, E_NAMEDISCARD);
309 	}
310 
311 	return (0);
312 }
313 
314 /*
315  * exrc_isok --
316  *	Check a .exrc file for source-ability.
317  *
318  * !!!
319  * Historically, vi read the $HOME and local .exrc files if they were owned
320  * by the user's real ID, or the "sourceany" option was set, regardless of
321  * any other considerations.  We no longer support the sourceany option as
322  * it's a security problem of mammoth proportions.  We require the system
323  * .exrc file to be owned by root, the $HOME .exrc file to be owned by the
324  * user's effective ID (or that the user's effective ID be root) and the
325  * local .exrc files to be owned by the user's effective ID.  In all cases,
326  * the file cannot be writeable by anyone other than its owner.
327  *
328  * In O'Reilly ("Learning the VI Editor", Fifth Ed., May 1992, page 106),
329  * it notes that System V release 3.2 and later has an option "[no]exrc".
330  * The behavior is that local .exrc files are read only if the exrc option
331  * is set.  The default for the exrc option was off, so, by default, local
332  * .exrc files were not read.  The problem this was intended to solve was
333  * that System V permitted users to give away files, so there's no possible
334  * ownership or writeability test to ensure that the file is safe.
335  *
336  * POSIX 1003.2-1992 standardized exrc as an option.  It required the exrc
337  * option to be off by default, thus local .exrc files are not to be read
338  * by default.  The Rationale noted (incorrectly) that this was a change
339  * to historic practice, but correctly noted that a default of off improves
340  * system security.  POSIX also required that vi check the effective user
341  * ID instead of the real user ID, which is why we've switched from historic
342  * practice.
343  *
344  * We initialize the exrc variable to off.  If it's turned on by the system
345  * or $HOME .exrc files, and the local .exrc file passes the ownership and
346  * writeability tests, then we read it.  This breaks historic 4BSD practice,
347  * but it gives us a measure of security on systems where users can give away
348  * files.
349  */
350 static enum rc
351 exrc_isok(SCR *sp, struct stat *sbp, char *path, int rootown, int rootid)
352 {
353 	enum { ROOTOWN, OWN, WRITER } etype;
354 	uid_t euid;
355 	int nf1, nf2;
356 	char *a, *b, *buf;
357 
358 	/* Check for the file's existence. */
359 	if (stat(path, sbp))
360 		return (NOEXIST);
361 
362 	/* Check ownership permissions. */
363 	euid = geteuid();
364 	if (!(rootown && sbp->st_uid == 0) &&
365 	    !(rootid && euid == 0) && sbp->st_uid != euid) {
366 		etype = rootown ? ROOTOWN : OWN;
367 		goto denied;
368 	}
369 
370 	/* Check writeability. */
371 	if (sbp->st_mode & (S_IWGRP | S_IWOTH)) {
372 		etype = WRITER;
373 		goto denied;
374 	}
375 	return (RCOK);
376 
377 denied:	a = msg_print(sp, path, &nf1);
378 	if (strchr(path, '/') == NULL && (buf = getcwd(NULL, 0)) != NULL) {
379 		char *p;
380 
381 		b = msg_print(sp, buf, &nf2);
382 		if ((p = join(b, a)) == NULL) {
383 			msgq(sp, M_SYSERR, NULL);
384 			goto err;
385 		}
386 		switch (etype) {
387 		case ROOTOWN:
388 			msgq(sp, M_ERR,
389 			    "128|%s: not sourced: not owned by you or root", p);
390 			break;
391 		case OWN:
392 			msgq(sp, M_ERR,
393 			    "129|%s: not sourced: not owned by you", p);
394 			break;
395 		case WRITER:
396 			msgq(sp, M_ERR,
397     "130|%s: not sourced: writeable by a user other than the owner", p);
398 			break;
399 		}
400 		free(p);
401 err:		free(buf);
402 		if (nf2)
403 			FREE_SPACE(sp, b, 0);
404 	} else
405 		switch (etype) {
406 		case ROOTOWN:
407 			msgq(sp, M_ERR,
408 			    "128|%s: not sourced: not owned by you or root", a);
409 			break;
410 		case OWN:
411 			msgq(sp, M_ERR,
412 			    "129|%s: not sourced: not owned by you", a);
413 			break;
414 		case WRITER:
415 			msgq(sp, M_ERR,
416 	    "130|%s: not sourced: writeable by a user other than the owner", a);
417 			break;
418 		}
419 
420 	if (nf1)
421 		FREE_SPACE(sp, a, 0);
422 	return (NOPERM);
423 }
424