putty-source/unix/utils/make_dir_and_check_ours.c

/*
 * Create a directory accessible only to us, and then check afterwards
 * that we really did end up with a directory with the right ownership
 * and permissions.
 *
 * The idea is that this is a directory in which we're about to create
 * something sensitive, like a listening Unix-domain socket for SSH
 * connection sharing or an SSH agent. We want to be protected against
 * somebody else previously having created the directory in a way
 * that's writable to us, and thus manipulating us into creating the
 * actual socket in a directory they can see so that they can connect
 * to it and (say) use our authenticated SSH sessions.
 *
 * NOTE: The strategy used in this function is not safe if the enemy
 * has unrestricted write access to the containing directory. In that
 * case, they could move our directory out of the way and make a new
 * one, after this function returns and before we create our socket
 * (or whatever) inside it.
 *
 * But this should be OK for temp directories (which modify the
 * default world-write behaviour by also setting the 't' bit,
 * preventing people from renaming or deleting things in there that
 * they don't own). And of course it's also safe if the directory is
 * writable only by our _own_ uid.
 */

#include <errno.h>
#include <string.h>

#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#include "putty.h"

char *make_dir_and_check_ours(const char *dirname)
{
    struct stat st;

    /*
     * Create the directory. We might have created it before, so
     * EEXIST is an OK error; but anything else is doom.
     */
    if (mkdir(dirname, 0700) < 0 && errno != EEXIST)
        return dupprintf("%s: mkdir: %s", dirname, strerror(errno));

    /*
     * Stat the directory and check its ownership and permissions.
     */
    if (stat(dirname, &st) < 0)
        return dupprintf("%s: stat: %s", dirname, strerror(errno));
    if (st.st_uid != getuid())
        return dupprintf("%s: directory owned by uid %d, not by us",
                         dirname, st.st_uid);
    if ((st.st_mode & 077) != 0)
        return dupprintf("%s: directory has overgenerous permissions %03o"
                         " (expected 700)", dirname, st.st_mode & 0777);

    return NULL;
}
New library-style 'utils' subdirectories. Now that the new CMake build system is encouraging us to lay out the code like a set of libraries, it seems like a good idea to make them look more _like_ libraries, by putting things into separate modules as far as possible. This fixes several previous annoyances in which you had to link against some object in order to get a function you needed, but that object also contained other functions you didn't need which included link-time symbol references you didn't want to have to deal with. The usual offender was subsidiary supporting programs including misc.c for some innocuous function and then finding they had to deal with the requirements of buildinfo(). This big reorganisation introduces three new subdirectories called 'utils', one at the top level and one in each platform subdir. In each case, the directory contains basically the same files that were previously placed in the 'utils' build-time library, except that the ones that were extremely miscellaneous (misc.c, utils.c, uxmisc.c, winmisc.c, winmiscs.c, winutils.c) have been split up into much smaller pieces. 2021-04-17 14:22:20 +00:00			`/*`
			`* Create a directory accessible only to us, and then check afterwards`
			`* that we really did end up with a directory with the right ownership`
			`* and permissions.`
			`*`
			`* The idea is that this is a directory in which we're about to create`
			`* something sensitive, like a listening Unix-domain socket for SSH`
			`* connection sharing or an SSH agent. We want to be protected against`
			`* somebody else previously having created the directory in a way`
			`* that's writable to us, and thus manipulating us into creating the`
			`* actual socket in a directory they can see so that they can connect`
			`* to it and (say) use our authenticated SSH sessions.`
			`*`
			`* NOTE: The strategy used in this function is not safe if the enemy`
			`* has unrestricted write access to the containing directory. In that`
			`* case, they could move our directory out of the way and make a new`
			`* one, after this function returns and before we create our socket`
			`* (or whatever) inside it.`
			`*`
			`* But this should be OK for temp directories (which modify the`
			`* default world-write behaviour by also setting the 't' bit,`
			`* preventing people from renaming or deleting things in there that`
			`* they don't own). And of course it's also safe if the directory is`
			`* writable only by our _own_ uid.`
			`*/`

			`#include <errno.h>`
			`#include <string.h>`

			`#include <unistd.h>`
			`#include <sys/types.h>`
			`#include <sys/stat.h>`

			`#include "putty.h"`

			`char make_dir_and_check_ours(const char dirname)`
			`{`
			`struct stat st;`

			`/*`
			`* Create the directory. We might have created it before, so`
			`* EEXIST is an OK error; but anything else is doom.`
			`*/`
			`if (mkdir(dirname, 0700) < 0 && errno != EEXIST)`
			`return dupprintf("%s: mkdir: %s", dirname, strerror(errno));`

			`/*`
			`* Stat the directory and check its ownership and permissions.`
			`*/`
			`if (stat(dirname, &st) < 0)`
			`return dupprintf("%s: stat: %s", dirname, strerror(errno));`
			`if (st.st_uid != getuid())`
			`return dupprintf("%s: directory owned by uid %d, not by us",`
			`dirname, st.st_uid);`
			`if ((st.st_mode & 077) != 0)`
			`return dupprintf("%s: directory has overgenerous permissions %03o"`
			`" (expected 700)", dirname, st.st_mode & 0777);`

			`return NULL;`
			`}`