xref: /freebsd/contrib/openpam/lib/libpam/openpam_check_owner_perms.c (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1 /*-
2  * Copyright (c) 2011 Dag-Erling Smørgrav
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. The name of the author may not be used to endorse or promote
14  *    products derived from this software without specific prior written
15  *    permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 # include "config.h"
32 #endif
33 
34 #include <sys/types.h>
35 #include <sys/stat.h>
36 
37 #include <errno.h>
38 #include <limits.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <unistd.h>
42 
43 #include <security/pam_appl.h>
44 
45 #include "openpam_impl.h"
46 
47 /*
48  * OpenPAM internal
49  *
50  * Verify that the file or directory referenced by the given descriptor is
51  * owned by either root or the arbitrator and that it is not writable by
52  * group or other.
53  */
54 
55 int
56 openpam_check_desc_owner_perms(const char *name, int fd)
57 {
58 	uid_t root, arbitrator;
59 	struct stat sb;
60 	int serrno;
61 
62 	root = 0;
63 	arbitrator = geteuid();
64 	if (fstat(fd, &sb) != 0) {
65 		serrno = errno;
66 		openpam_log(PAM_LOG_ERROR, "%s: %m", name);
67 		errno = serrno;
68 		return (-1);
69 	}
70 	if (!S_ISREG(sb.st_mode)) {
71 		openpam_log(PAM_LOG_ERROR,
72 		    "%s: not a regular file", name);
73 		errno = EINVAL;
74 		return (-1);
75 	}
76 	if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
77 	    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
78 		openpam_log(PAM_LOG_ERROR,
79 		    "%s: insecure ownership or permissions", name);
80 		errno = EPERM;
81 		return (-1);
82 	}
83 	return (0);
84 }
85 
86 /*
87  * OpenPAM internal
88  *
89  * Verify that a file or directory and all components of the path leading
90  * up to it are owned by either root or the arbitrator and that they are
91  * not writable by group or other.
92  *
93  * Note that openpam_check_desc_owner_perms() should be used instead if
94  * possible to avoid a race between the ownership / permission check and
95  * the actual open().
96  */
97 
98 int
99 openpam_check_path_owner_perms(const char *path)
100 {
101 	uid_t root, arbitrator;
102 	char pathbuf[PATH_MAX];
103 	struct stat sb;
104 	int len, serrno, tip;
105 
106 	tip = 1;
107 	root = 0;
108 	arbitrator = geteuid();
109 	if (realpath(path, pathbuf) == NULL)
110 		return (-1);
111 	len = strlen(pathbuf);
112 	while (len > 0) {
113 		if (stat(pathbuf, &sb) != 0) {
114 			if (errno != ENOENT) {
115 				serrno = errno;
116 				openpam_log(PAM_LOG_ERROR, "%s: %m", pathbuf);
117 				errno = serrno;
118 			}
119 			return (-1);
120 		}
121 		if (tip && !S_ISREG(sb.st_mode)) {
122 			openpam_log(PAM_LOG_ERROR,
123 			    "%s: not a regular file", pathbuf);
124 			errno = EINVAL;
125 			return (-1);
126 		}
127 		if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
128 		    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
129 			openpam_log(PAM_LOG_ERROR,
130 			    "%s: insecure ownership or permissions", pathbuf);
131 			errno = EPERM;
132 			return (-1);
133 		}
134 		while (--len > 0 && pathbuf[len] != '/')
135 			pathbuf[len] = '\0';
136 		tip = 0;
137 	}
138 	return (0);
139 }
140 
141 /*
142  * NOPARSE
143  */
144