nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-04-17 19:18:06 -05:00
Code Issues Projects Releases Wiki Activity

Move make_dir_and_check_ours() out into uxmisc.c.

Browse Source 
I'm going to want to use it for a second purpose in a minute.
This commit is contained in:
Simon Tatham 2015-05-05 20:16:22 +01:00
parent 7b6078533e
commit 76e2ffe49d
3 changed files with 33 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
unix/unix.h
View File

@ -157,6 +157,7 @@ void cloexec(int);
void noncloexec(int); void noncloexec(int);
int nonblock(int); int nonblock(int);
int no_nonblock(int); int no_nonblock(int);
char *make_dir_and_check_ours(const char *dirname);
/* /*
* Exports from unicode.c. * Exports from unicode.c.

32
unix/uxmisc.c
View File

@ -11,6 +11,7 @@
#include <time.h> #include <time.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h> #include <pwd.h>
#include "putty.h" #include "putty.h"
@ -281,3 +282,34 @@ FontSpec *fontspec_deserialise(void *vdata, int maxsize, int *used)
*used = end - data + 1; *used = end - data + 1;
return fontspec_new(data); return fontspec_new(data);
} }
char *make_dir_and_check_ours(const char *dirname)
{
struct stat st;
/*
* Create the directory. We might have created it before, so
* EEXIST is an OK error; but anything else is doom.
*/
if (mkdir(dirname, 0700) < 0 && errno != EEXIST)
return dupprintf("%s: mkdir: %s", dirname, strerror(errno));
/*
* Now check that that directory is _owned by us_ and not writable
* by anybody else. This protects us against somebody else
* previously having created the directory in a way that's
* writable to us, and thus manipulating us into creating the
* actual socket in a directory they can see so that they can
* connect to it and use our authenticated SSH sessions.
*/
if (stat(dirname, &st) < 0)
return dupprintf("%s: stat: %s", dirname, strerror(errno));
if (st.st_uid != getuid())
return dupprintf("%s: directory owned by uid %d, not by us",
dirname, st.st_uid);
if ((st.st_mode & 077) != 0)
return dupprintf("%s: directory has overgenerous permissions %03o"
" (expected 700)", dirname, st.st_mode & 0777);
return NULL;
}

31
unix/uxshare.c
View File

@ -42,37 +42,6 @@ static char *make_parentdir_name(void)
return parent; return parent;
} }
static char *make_dir_and_check_ours(const char *dirname)
{
struct stat st;
/*
* Create the directory. We might have created it before, so
* EEXIST is an OK error; but anything else is doom.
*/
if (mkdir(dirname, 0700) < 0 && errno != EEXIST)
return dupprintf("%s: mkdir: %s", dirname, strerror(errno));
/*
* Now check that that directory is _owned by us_ and not writable
* by anybody else. This protects us against somebody else
* previously having created the directory in a way that's
* writable to us, and thus manipulating us into creating the
* actual socket in a directory they can see so that they can
* connect to it and use our authenticated SSH sessions.
*/
if (stat(dirname, &st) < 0)
return dupprintf("%s: stat: %s", dirname, strerror(errno));
if (st.st_uid != getuid())
return dupprintf("%s: directory owned by uid %d, not by us",
dirname, st.st_uid);
if ((st.st_mode & 077) != 0)
return dupprintf("%s: directory has overgenerous permissions %03o"
" (expected 700)", dirname, st.st_mode & 0777);
return NULL;
}
static char *make_dirname(const char *pi_name, char **logtext) static char *make_dirname(const char *pi_name, char **logtext)
{ {
char *name, *parentdirname, *dirname, *err; char *name, *parentdirname, *dirname, *err;