summaryrefslogtreecommitdiffstats
path: root/src/util/util.h
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-04-01 16:12:29 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-04-06 14:33:43 -0400
commit55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9 (patch)
tree0ad879883ea70686ca9a3caf012b29413b3315a5 /src/util/util.h
parent3bd250d73e7d77cf8ceb72133ce13059c52a70ed (diff)
downloadsssd-55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9.tar.gz
sssd-55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9.tar.xz
sssd-55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9.zip
Protect against check-and-open race conditions
There is a small window between running lstat() on a filename and opening it where it's possible for the file to have been modified. We were protecting against this by saving the stat data from the original file and verifying that it was the same file (by device and inode) when we opened it again, but this is an imperfect solution, as it is still possible for an attacker to modify the permissions during this window. It is much better to simply open the file and test on the active file descriptor. Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as without the initial lstat, we are implicitly accepting symlinks and only verifying the target file.
Diffstat (limited to 'src/util/util.h')
-rw-r--r--src/util/util.h29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/util/util.h b/src/util/util.h
index db8e1ac33..fae8096a9 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -268,9 +268,38 @@ enum check_file_type {
CHECK_LNK,
CHECK_SOCK
};
+
+/* check_file()
+ * Verify that a file has certain permissions and/or is of a certain
+ * file type. This function can be used to determine if a file is a
+ * symlink.
+ * Warning: use of this function implies a potential race condition
+ * Opening a file before or after checking it does NOT guarantee that
+ * it is still the same file. Additional checks should be performed
+ * on the caller_stat_buf to ensure that it has the same device and
+ * inode to minimize impact. Permission changes may have occurred,
+ * however.
+ */
errno_t check_file(const char *filename, const int uid, const int gid,
const int mode, enum check_file_type type,
struct stat *caller_stat_buf);
+
+/* check_fd()
+ * Verify that an open file descriptor has certain permissions and/or
+ * is of a certain file type. This function CANNOT detect symlinks,
+ * as the file is already open and symlinks have been traversed. This
+ * is the safer way to perform file checks and should be preferred
+ * over check_file for nearly all situations.
+ */
+errno_t check_fd(int fd, const int uid, const int gid,
+ const int mode, enum check_file_type type,
+ struct stat *caller_stat_buf);
+
+/* check_and_open_readonly()
+ * Utility function to open a file and verify that it has certain
+ * permissions and is of a certain file type. This function wraps
+ * check_fd(), and is considered race-condition safe.
+ */
errno_t check_and_open_readonly(const char *filename, int *fd, const uid_t uid,
const gid_t gid, const mode_t mode,
enum check_file_type type);