6543/davfs2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Check secrets file in check_dirs

Browse Source
This commit is contained in:
wbaumann 2012-01-28 16:48:02 +00:00
parent 9a04d29567
commit 0d03618d7e
2 changed files with 51 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -8,6 +8,8 @@ ChangeLog for davfs2
Use getgroups. Use getgroups.
* mount_davfs.c, check_permissions: * mount_davfs.c, check_permissions:
Use getgroups. Use getgroups.
* mount_davfs.c, check_dirs, read_secrets:
Check secrets file in check_dirs.


2012-01-25 Werner Baumann (werner.baumann@onlinehome.de) 2012-01-25 Werner Baumann (werner.baumann@onlinehome.de)
* mount_davfs.c, mount_davfs.h: * mount_davfs.c, mount_davfs.h:

85
src/mount_davfs.c
View File

@ -456,13 +456,14 @@ change_persona(dav_args *args)
- when invoked by non-root user: checks for configuration directory in the - when invoked by non-root user: checks for configuration directory in the
users homepage and creates missing directories and files users homepage and creates missing directories and files
- checks wether args->cache_dir is accessible. - checks wether args->cache_dir is accessible.
Requires: privileged, uid, ngroups, groups, home, dav_gid, sys_cache, Requires: privileged, uid, ngroups, groups, home, dav_gid, secrets,
cache_dir sys_cache, cache_dir
Provides: sys_cache, cache_dir. */ Provides: sys_cache, cache_dir. */
static void static void
check_dirs(dav_args *args) check_dirs(dav_args *args)
{ {
struct stat st; struct stat st;
char *fname;


if (stat(DAV_MOUNTS, &st) == 0) { if (stat(DAV_MOUNTS, &st) == 0) {
mounts = DAV_MOUNTS; mounts = DAV_MOUNTS;
@ -495,6 +496,17 @@ check_dirs(dav_args *args)
} }
release_privileges(args); release_privileges(args);


fname = ne_concat(DAV_SYS_CONF_DIR "/" DAV_SECRETS, NULL);
if (stat(fname, &st) == 0) {
if (st.st_uid != 0)
error(EXIT_FAILURE, 0, _("file %s has wrong owner"), fname);
if ((st.st_mode &
(S_IXUSR | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID | S_ISVTX))
!= 0)
error(EXIT_FAILURE, 0, _("file %s has wrong permissions"), fname);
}
free(fname);

if (!args->privileged) { if (!args->privileged) {


char *path = ne_concat(args->home, "/.", PACKAGE, NULL); char *path = ne_concat(args->home, "/.", PACKAGE, NULL);
@ -502,47 +514,60 @@ check_dirs(dav_args *args)
mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);


if (stat(path, &st) == 0) { if (stat(path, &st) == 0) {
char *dir = ne_concat(path, "/", DAV_CACHE, NULL); fname = ne_concat(args->home, "/.", PACKAGE, "/", DAV_CACHE, NULL);
if (stat(dir, &st) != 0) if (stat(fname, &st) != 0)
mkdir(dir, S_IRWXU); mkdir(fname, S_IRWXU);
free(dir); free(fname);


dir = ne_concat(path, "/", DAV_CERTS_DIR, NULL); fname = ne_concat(args->home, "/.", PACKAGE, "/", DAV_CERTS_DIR,
if (stat(dir, &st) != 0) NULL);
mkdir(dir, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); if (stat(fname, &st) != 0)
free(dir); mkdir(fname, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
free(fname);


dir = ne_concat(path, "/", DAV_CERTS_DIR, "/", DAV_CLICERTS_DIR, fname = ne_concat(args->home, "/.", PACKAGE, "/", DAV_CERTS_DIR,
NULL); "/", DAV_CLICERTS_DIR, NULL);
if (stat(dir, &st) != 0) if (stat(fname, &st) != 0)
mkdir(dir, S_IRWXU); mkdir(fname, S_IRWXU);
free(dir); free(fname);


char *file_name = ne_concat(path, "/", DAV_CONFIG, NULL); fname = ne_concat(args->home, "/.", PACKAGE, "/", DAV_CONFIG, NULL);
if (stat(file_name, &st) != 0) { if (stat(fname, &st) != 0) {
char *template = ne_concat(DAV_DATA_DIR, "/", DAV_CONFIG, NULL); char *template = ne_concat(DAV_DATA_DIR, "/", DAV_CONFIG, NULL);
char *command = ne_concat("cp ", template, " ", file_name, char *command = ne_concat("cp ", template, " ", fname,
NULL); NULL);
if (system(command) != 0); if (system(command) != 0);
free(command); free(command);
free(template); free(template);
} }
free(file_name); free(fname);


file_name = ne_concat(path, "/", DAV_SECRETS, NULL); fname = ne_concat(args->home, "/.", PACKAGE, "/", DAV_SECRETS,
if (stat(file_name, &st) != 0) { NULL);
if (stat(fname, &st) != 0) {
char *template = ne_concat(DAV_DATA_DIR, "/", DAV_SECRETS, char *template = ne_concat(DAV_DATA_DIR, "/", DAV_SECRETS,
NULL); NULL);
char *command = ne_concat("cp ", template, " ", file_name, char *command = ne_concat("cp ", template, " ", fname,
NULL); NULL);
if (system(command) == 0) if (system(command) == 0)
chmod(file_name, S_IRUSR | S_IWUSR); chmod(fname, S_IRUSR | S_IWUSR);
free(command); free(command);
free(template); free(template);
} }
free(file_name); free(fname);
} }
free(path); free(path);

if (stat(args->secrets, &st) == 0) {
if (st.st_uid != args->uid)
error(EXIT_FAILURE, 0, _("file %s has wrong owner"),
args->secrets);
if ((st.st_mode &
(S_IXUSR | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID | S_ISVTX))
!= 0)
error(EXIT_FAILURE, 0, _("file %s has wrong permissions"),
args->secrets);
}
} }


if (strcmp(args->cache_dir, args->sys_cache) == 0) { if (strcmp(args->cache_dir, args->sys_cache) == 0) {
@ -2275,18 +2300,6 @@ read_no_proxy_list(dav_args *args)
static void static void
read_secrets(dav_args *args, const char *filename) read_secrets(dav_args *args, const char *filename)
{ {
struct stat st;
if (stat(filename, &st) < 0) {
syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR),
_("opening %s failed"), filename);
return;
}
if (st.st_uid != geteuid())
error(EXIT_FAILURE, 0, _("file %s has wrong owner"), filename);
if ((st.st_mode &
(S_IXUSR | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID | S_ISVTX)) != 0)
error(EXIT_FAILURE, 0, _("file %s has wrong permissions"), filename);

FILE *file = fopen(filename, "r"); FILE *file = fopen(filename, "r");
if (!file) { if (!file) {
syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR), syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR),