|
version 1.1, 2013/07/22 00:51:38
|
version 1.1.1.3, 2014/06/15 16:12:54
|
|
Line 1
|
Line 1
|
| /* |
/* |
| * Copyright (c) 1993-1996,1998-2005, 2007-2013 | * Copyright (c) 2014 Todd C. Miller <Todd.Miller@courtesan.com> |
| * Todd C. Miller <Todd.Miller@courtesan.com> | |
| * |
* |
| * Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
|
Line 13
|
Line 12
|
| * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| * |
|
| * Sponsored in part by the Defense Advanced Research Projects |
|
| * Agency (DARPA) and Air Force Research Laboratory, Air Force |
|
| * Materiel Command, USAF, under agreement number F39502-99-1-0512. |
|
| */ |
*/ |
| |
|
| #include <config.h> |
#include <config.h> |
|
Line 24
|
Line 19
|
| #include <sys/types.h> |
#include <sys/types.h> |
| #include <sys/time.h> |
#include <sys/time.h> |
| #include <sys/stat.h> |
#include <sys/stat.h> |
| #ifndef __TANDEM |
|
| # include <sys/file.h> |
|
| #endif |
|
| #include <stdio.h> |
#include <stdio.h> |
| #ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
| # include <stdlib.h> |
# include <stdlib.h> |
|
Line 45
|
Line 37
|
| #ifdef HAVE_UNISTD_H |
#ifdef HAVE_UNISTD_H |
| # include <unistd.h> |
# include <unistd.h> |
| #endif /* HAVE_UNISTD_H */ |
#endif /* HAVE_UNISTD_H */ |
| #if TIME_WITH_SYS_TIME | #ifdef TIME_WITH_SYS_TIME |
| # include <time.h> |
# include <time.h> |
| #endif |
#endif |
| |
#ifndef HAVE_STRUCT_TIMESPEC |
| |
# include "compat/timespec.h" |
| |
#endif |
| #include <errno.h> |
#include <errno.h> |
| #include <fcntl.h> |
#include <fcntl.h> |
| #include <signal.h> |
|
| #include <pwd.h> |
#include <pwd.h> |
| #include <grp.h> |
#include <grp.h> |
| |
|
| #include "sudoers.h" |
#include "sudoers.h" |
| |
#include "secure_path.h" |
| #include "check.h" |
#include "check.h" |
| |
|
| static struct sudo_tty_info tty_info; | /* On Linux, CLOCK_MONOTONIC does not run while suspended. */ |
| static char timestampdir[PATH_MAX]; | #if defined(CLOCK_BOOTTIME) |
| static char timestampfile[PATH_MAX]; | # define SUDO_CLOCK_MONOTONIC CLOCK_BOOTTIME |
| | #elif defined(CLOCK_MONOTONIC) |
| | # define SUDO_CLOCK_MONOTONIC CLOCK_MONOTONIC |
| | #else |
| | # define SUDO_CLOCK_MONOTONIC CLOCK_REALTIME |
| | #endif |
| |
|
| |
static char timestamp_file[PATH_MAX]; |
| |
static off_t timestamp_hint = (off_t)-1; |
| |
static struct timestamp_entry timestamp_key; |
| |
|
| /* |
/* |
| * Fills in timestampdir as well as timestampfile if using tty tickets. | * Returns true if entry matches key, else false. |
| */ |
*/ |
| int | static bool |
| build_timestamp(struct passwd *pw) | ts_match_record(struct timestamp_entry *key, struct timestamp_entry *entry) |
| { |
{ |
| char *dirparent; | debug_decl(ts_match_record, SUDO_DEBUG_AUTH) |
| struct stat sb; | |
| int len; | |
| debug_decl(build_timestamp, SUDO_DEBUG_AUTH) | |
| |
|
| /* Stash the tty's device, session ID and ctime for ticket comparison. */ | if (entry->version != key->version) |
| if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) { | debug_return_bool(false); |
| tty_info.dev = sb.st_dev; | if (!ISSET(key->flags, TS_ANYUID) && entry->auth_uid != key->auth_uid) |
| tty_info.ino = sb.st_ino; | debug_return_bool(false); |
| tty_info.rdev = sb.st_rdev; | if (entry->type != key->type) |
| tty_info.uid = sb.st_uid; | debug_return_bool(false); |
| tty_info.gid = sb.st_gid; | switch (entry->type) { |
| tty_info.sid = user_sid; | case TS_GLOBAL: |
| | /* no ppid or tty to match */ |
| | break; |
| | case TS_PPID: |
| | /* verify parent pid */ |
| | if (entry->u.ppid != key->u.ppid) |
| | debug_return_bool(false); |
| | break; |
| | case TS_TTY: |
| | if (entry->u.ttydev != key->u.ttydev) |
| | debug_return_bool(false); |
| | break; |
| | default: |
| | /* unknown record type, ignore it */ |
| | debug_return_bool(false); |
| } |
} |
| |
debug_return_bool(true); |
| |
} |
| |
|
| dirparent = def_timestampdir; | /* |
| timestampfile[0] = '\0'; | * Searches the time stamp file descriptor for a record that matches key. |
| len = snprintf(timestampdir, sizeof(timestampdir), "%s/%s", dirparent, | * On success, fills in entry with the matching record and returns true. |
| user_name); | * On failure, returns false. |
| if (len <= 0 || len >= sizeof(timestampdir)) | * |
| goto bad; | * Note that records are searched starting at the current file offset, |
| | * which may not be the beginning of the file. |
| | */ |
| | static bool |
| | ts_find_record(int fd, struct timestamp_entry *key, struct timestamp_entry *entry) |
| | { |
| | struct timestamp_entry cur; |
| | debug_decl(ts_find_record, SUDO_DEBUG_AUTH) |
| |
|
| /* |
/* |
| * Timestamp file may be a file in the directory or NUL to use | * Look for a matching record. |
| * the directory as the timestamp. | * We don't match on the sid or actual time stamp. |
| */ |
*/ |
| if (def_tty_tickets) { | while (read(fd, &cur, sizeof(cur)) == sizeof(cur)) { |
| char *p; | if (cur.size != sizeof(cur)) { |
| | /* wrong size, seek to start of next record */ |
| | sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, |
| | "wrong sized record, got %hu, expected %zu", |
| | cur.size, sizeof(cur)); |
| | lseek(fd, (off_t)cur.size - (off_t)sizeof(cur), SEEK_CUR); |
| | if (cur.size == 0) |
| | break; /* size must be non-zero */ |
| | continue; |
| | } |
| | if (ts_match_record(key, &cur)) { |
| | memcpy(entry, &cur, sizeof(struct timestamp_entry)); |
| | debug_return_bool(true); |
| | } |
| | } |
| | debug_return_bool(false); |
| | } |
| |
|
| if ((p = strrchr(user_tty, '/'))) | /* |
| p++; | * Find matching record to update or append a new one. |
| else | * Returns true if the entry was written successfully, else false. |
| p = user_tty; | */ |
| if (def_targetpw) | static bool |
| len = snprintf(timestampfile, sizeof(timestampfile), "%s/%s/%s:%s", | ts_update_record(int fd, struct timestamp_entry *entry, off_t timestamp_hint) |
| dirparent, user_name, p, runas_pw->pw_name); | { |
| else | struct timestamp_entry cur; |
| len = snprintf(timestampfile, sizeof(timestampfile), "%s/%s/%s", | ssize_t nwritten; |
| dirparent, user_name, p); | off_t old_eof = (off_t)-1; |
| if (len <= 0 || len >= sizeof(timestampfile)) | debug_decl(ts_update_record, SUDO_DEBUG_AUTH) |
| goto bad; | |
| } else if (def_targetpw) { | /* First try the hint if one is given. */ |
| len = snprintf(timestampfile, sizeof(timestampfile), "%s/%s/%s", | if (timestamp_hint != (off_t)-1) { |
| dirparent, user_name, runas_pw->pw_name); | if (lseek(fd, timestamp_hint, SEEK_SET) != -1) { |
| if (len <= 0 || len >= sizeof(timestampfile)) | if (read(fd, &cur, sizeof(cur)) == sizeof(cur)) { |
| goto bad; | if (ts_match_record(entry, &cur)) { |
| | sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| | "found existing time stamp record using hint"); |
| | goto found_it; |
| | } |
| | } |
| | } |
| } |
} |
| sudo_debug_printf(SUDO_DEBUG_INFO, "using timestamp file %s", timestampfile); |
|
| |
|
| |
/* Search for matching record. */ |
| |
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| |
"searching for time stamp record"); |
| |
lseek(fd, (off_t)0, SEEK_SET); |
| |
if (ts_find_record(fd, entry, &cur)) { |
| |
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| |
"found existing time stamp record"); |
| |
found_it: |
| |
/* back up over old record */ |
| |
lseek(fd, (off_t)0 - (off_t)cur.size, SEEK_CUR); |
| |
} else { |
| |
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| |
"appending new time stamp record"); |
| |
old_eof = lseek(fd, (off_t)0, SEEK_CUR); |
| |
} |
| |
|
| |
/* Overwrite existing record or append to end. */ |
| |
nwritten = write(fd, entry, sizeof(struct timestamp_entry)); |
| |
if ((size_t)nwritten == sizeof(struct timestamp_entry)) |
| |
debug_return_bool(true); |
| |
|
| |
log_warning(nwritten == -1 ? USE_ERRNO : 0, |
| |
N_("unable to write to %s"), timestamp_file); |
| |
|
| |
/* Truncate on partial write to be safe. */ |
| |
if (nwritten > 0 && old_eof != (off_t)-1) { |
| |
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| |
"short write, truncating partial time stamp record"); |
| |
if (ftruncate(fd, old_eof) != 0) { |
| |
warning(U_("unable to truncate time stamp file to %lld bytes"), |
| |
(long long)old_eof); |
| |
} |
| |
} |
| |
|
| |
debug_return_bool(false); |
| |
} |
| |
|
| |
/* |
| |
* Create a directory and any missing parent directories with the |
| |
* specified mode. |
| |
* Returns true on success. |
| |
* Returns false on failure and displays a warning to stderr. |
| |
*/ |
| |
static bool |
| |
ts_mkdirs(char *path, uid_t owner, mode_t mode, mode_t parent_mode, bool quiet) |
| |
{ |
| |
struct stat sb; |
| |
gid_t parent_gid = 0; |
| |
char *slash = path; |
| |
bool rval = false; |
| |
debug_decl(ts_mkdirs, SUDO_DEBUG_AUTH) |
| |
|
| |
while ((slash = strchr(slash + 1, '/')) != NULL) { |
| |
*slash = '\0'; |
| |
if (stat(path, &sb) != 0) { |
| |
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| |
"mkdir %s, mode 0%o", path, parent_mode); |
| |
if (mkdir(path, parent_mode) != 0) { |
| |
if (!quiet) |
| |
warning(U_("unable to mkdir %s"), path); |
| |
goto done; |
| |
} |
| |
ignore_result(chown(path, (uid_t)-1, parent_gid)); |
| |
} else if (!S_ISDIR(sb.st_mode)) { |
| |
if (!quiet) { |
| |
warningx(U_("%s exists but is not a directory (0%o)"), |
| |
path, (unsigned int) sb.st_mode); |
| |
} |
| |
goto done; |
| |
} else { |
| |
/* Inherit gid of parent dir for ownership. */ |
| |
parent_gid = sb.st_gid; |
| |
} |
| |
*slash = '/'; |
| |
} |
| |
/* Create final path component. */ |
| |
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, |
| |
"mkdir %s, mode 0%o", path, mode); |
| |
if (mkdir(path, mode) != 0 && errno != EEXIST) { |
| |
if (!quiet) |
| |
warning(U_("unable to mkdir %s"), path); |
| |
goto done; |
| |
} |
| |
ignore_result(chown(path, owner, parent_gid)); |
| |
rval = true; |
| |
done: |
| |
debug_return_bool(rval); |
| |
} |
| |
|
| |
/* |
| |
* Check that path is owned by timestamp_uid and not writable by |
| |
* group or other. If path is missing and make_it is true, create |
| |
* the directory and its parent dirs. |
| |
* Returns true on success or false on failure, setting errno. |
| |
*/ |
| |
static bool |
| |
ts_secure_dir(char *path, bool make_it, bool quiet) |
| |
{ |
| |
struct stat sb; |
| |
bool rval = false; |
| |
debug_decl(ts_secure_dir, SUDO_DEBUG_AUTH) |
| |
|
| |
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "checking %s", path); |
| |
switch (sudo_secure_dir(path, timestamp_uid, -1, &sb)) { |
| |
case SUDO_PATH_SECURE: |
| |
rval = true; |
| |
break; |
| |
case SUDO_PATH_MISSING: |
| |
if (make_it && ts_mkdirs(path, timestamp_uid, 0700, 0711, quiet)) { |
| |
rval = true; |
| |
break; |
| |
} |
| |
errno = ENOENT; |
| |
break; |
| |
case SUDO_PATH_BAD_TYPE: |
| |
errno = ENOTDIR; |
| |
if (!quiet) |
| |
warning("%s", path); |
| |
break; |
| |
case SUDO_PATH_WRONG_OWNER: |
| |
if (!quiet) { |
| |
warningx(U_("%s is owned by uid %u, should be %u"), |
| |
path, (unsigned int) sb.st_uid, |
| |
(unsigned int) timestamp_uid); |
| |
} |
| |
errno = EACCES; |
| |
break; |
| |
case SUDO_PATH_GROUP_WRITABLE: |
| |
if (!quiet) |
| |
warningx(U_("%s is group writable"), path); |
| |
errno = EACCES; |
| |
break; |
| |
} |
| |
debug_return_bool(rval); |
| |
} |
| |
|
| |
/* |
| |
* Fills in the timestamp_file[] global variable. |
| |
* Returns the length of timestamp_file. |
| |
*/ |
| |
int |
| |
build_timestamp(struct passwd *pw) |
| |
{ |
| |
int len; |
| |
debug_decl(build_timestamp, SUDO_DEBUG_AUTH) |
| |
|
| |
len = snprintf(timestamp_file, sizeof(timestamp_file), "%s/%s", |
| |
def_timestampdir, user_name); |
| |
if (len <= 0 || (size_t)len >= sizeof(timestamp_file)) { |
| |
log_fatal(0, N_("timestamp path too long: %s/%s"), |
| |
def_timestampdir, user_name); |
| |
} |
| |
|
| debug_return_int(len); |
debug_return_int(len); |
| bad: |
|
| log_fatal(0, N_("timestamp path too long: %s"), |
|
| *timestampfile ? timestampfile : timestampdir); |
|
| /* NOTREACHED */ |
|
| debug_return_int(-1); |
|
| } |
} |
| |
|
| /* |
/* |
| * Update the time on the timestamp file/dir or create it if necessary. |
* Update the time on the timestamp file/dir or create it if necessary. |
| |
* Returns true on success or false on failure. |
| */ |
*/ |
| bool |
bool |
| update_timestamp(struct passwd *pw) |
update_timestamp(struct passwd *pw) |
| { |
{ |
| |
struct timestamp_entry entry; |
| |
bool rval = false; |
| |
int fd; |
| debug_decl(update_timestamp, SUDO_DEBUG_AUTH) |
debug_decl(update_timestamp, SUDO_DEBUG_AUTH) |
| |
|
| /* If using tty timestamps but we have no tty there is nothing to do. */ | /* Zero timeout means don't update the time stamp file. */ |
| if (def_tty_tickets && !user_ttypath) | if (def_timestamp_timeout == 0) |
| debug_return_bool(false); | goto done; |
| |
|
| |
/* Check/create parent directories as needed. */ |
| |
if (!ts_secure_dir(def_timestampdir, true, false)) |
| |
goto done; |
| |
|
| |
/* Fill in time stamp. */ |
| |
memcpy(&entry, ×tamp_key, sizeof(struct timestamp_entry)); |
| |
clock_gettime(SUDO_CLOCK_MONOTONIC, &entry.ts); |
| |
|
| |
/* Open time stamp file and lock it for exclusive access. */ |
| if (timestamp_uid != 0) |
if (timestamp_uid != 0) |
| set_perms(PERM_TIMESTAMP); |
set_perms(PERM_TIMESTAMP); |
| if (*timestampfile) { | fd = open(timestamp_file, O_RDWR|O_CREAT, 0600); |
| /* | |
| * Store tty info in timestamp file | |
| */ | |
| int fd = open(timestampfile, O_WRONLY|O_CREAT, 0600); | |
| if (fd == -1) | |
| log_warning(USE_ERRNO, N_("unable to open %s"), timestampfile); | |
| else { | |
| lock_file(fd, SUDO_LOCK); | |
| if (write(fd, &tty_info, sizeof(tty_info)) != sizeof(tty_info)) | |
| log_warning(USE_ERRNO, N_("unable to write to %s"), timestampfile); | |
| close(fd); | |
| } | |
| } else { | |
| if (touch(-1, timestampdir, NULL) == -1) { | |
| if (mkdir(timestampdir, 0700) == -1) { | |
| log_warning(USE_ERRNO, N_("unable to mkdir %s"), | |
| timestampdir); | |
| } | |
| } | |
| } | |
| if (timestamp_uid != 0) |
if (timestamp_uid != 0) |
| restore_perms(); |
restore_perms(); |
| debug_return_bool(true); | if (fd == -1) { |
| | log_warning(USE_ERRNO, N_("unable to open %s"), timestamp_file); |
| | goto done; |
| | } |
| | |
| | /* Update record or append a new one. */ |
| | lock_file(fd, SUDO_LOCK); |
| | ts_update_record(fd, &entry, timestamp_hint); |
| | close(fd); |
| | |
| | rval = true; |
| | |
| | done: |
| | debug_return_bool(rval); |
| } |
} |
| |
|
| /* |
/* |
| * Check the timestamp file and directory and return their status. |
* Check the timestamp file and directory and return their status. |
| |
* Returns one of TS_CURRENT, TS_OLD, TS_MISSING, TS_NOFILE, TS_ERROR. |
| */ |
*/ |
| static int | int |
| timestamp_status_internal(bool removing) | timestamp_status(struct passwd *pw) |
| { |
{ |
| struct stat sb; | struct timestamp_entry entry; |
| struct timeval boottime, mtime; | struct timespec diff, timeout; |
| time_t now; | |
| char *dirparent = def_timestampdir; | |
| int status = TS_ERROR; /* assume the worst */ |
int status = TS_ERROR; /* assume the worst */ |
| debug_decl(timestamp_status_internal, SUDO_DEBUG_AUTH) | struct stat sb; |
| | int fd = -1; |
| | debug_decl(timestamp_status, SUDO_DEBUG_AUTH) |
| |
|
| if (timestamp_uid != 0) | /* Reset time stamp offset hint. */ |
| set_perms(PERM_TIMESTAMP); | timestamp_hint = (off_t)-1; |
| |
|
| |
/* Zero timeout means ignore time stamp files. */ |
| |
if (def_timestamp_timeout == 0) { |
| |
status = TS_OLD; /* XXX - could also be TS_MISSING */ |
| |
goto done; |
| |
} |
| |
|
| |
/* Ignore time stamp files in an insecure directory. */ |
| |
if (!ts_secure_dir(def_timestampdir, false, false)) { |
| |
if (errno != ENOENT) { |
| |
status = TS_ERROR; |
| |
goto done; |
| |
} |
| |
status = TS_MISSING; /* not insecure, just missing */ |
| |
} |
| |
|
| /* |
/* |
| * Sanity check dirparent and make it if it doesn't already exist. | * Create a key used for matching entries in the time stamp file. |
| * We start out assuming the worst (that the dir is not sane) and | * The actual time stamp in the key is used below as the time "now". |
| * if it is ok upgrade the status to ``no timestamp file''. | |
| * Note that we don't check the parent(s) of dirparent for | |
| * sanity since the sudo dir is often just located in /tmp. | |
| */ |
*/ |
| if (lstat(dirparent, &sb) == 0) { | memset(×tamp_key, 0, sizeof(timestamp_key)); |
| if (!S_ISDIR(sb.st_mode)) | timestamp_key.version = TS_VERSION; |
| log_warning(0, N_("%s exists but is not a directory (0%o)"), | timestamp_key.size = sizeof(timestamp_key); |
| dirparent, (unsigned int) sb.st_mode); | timestamp_key.type = TS_GLOBAL; /* may be overriden below */ |
| else if (sb.st_uid != timestamp_uid) | if (pw != NULL) { |
| log_warning(0, N_("%s owned by uid %u, should be uid %u"), | timestamp_key.auth_uid = pw->pw_uid; |
| dirparent, (unsigned int) sb.st_uid, | |
| (unsigned int) timestamp_uid); | |
| else if ((sb.st_mode & 0000022)) | |
| log_warning(0, | |
| N_("%s writable by non-owner (0%o), should be mode 0700"), | |
| dirparent, (unsigned int) sb.st_mode); | |
| else { | |
| if ((sb.st_mode & 0000777) != 0700) | |
| (void) chmod(dirparent, 0700); | |
| status = TS_MISSING; | |
| } | |
| } else if (errno != ENOENT) { | |
| log_warning(USE_ERRNO, N_("unable to stat %s"), dirparent); | |
| } else { |
} else { |
| /* No dirparent, try to make one. */ | timestamp_key.flags = TS_ANYUID; |
| if (!removing) { | } |
| if (mkdir(dirparent, S_IRWXU)) | timestamp_key.sid = user_sid; |
| log_warning(USE_ERRNO, N_("unable to mkdir %s"), | if (def_tty_tickets) { |
| dirparent); | if (user_ttypath != NULL && stat(user_ttypath, &sb) == 0) { |
| else | /* tty-based time stamp */ |
| status = TS_MISSING; | timestamp_key.type = TS_TTY; |
| | timestamp_key.u.ttydev = sb.st_rdev; |
| | } else { |
| | /* ppid-based time stamp */ |
| | timestamp_key.type = TS_PPID; |
| | timestamp_key.u.ppid = getppid(); |
| } |
} |
| } |
} |
| if (status == TS_ERROR) | clock_gettime(SUDO_CLOCK_MONOTONIC, ×tamp_key.ts); |
| | |
| | /* If the time stamp dir is missing there is nothing to do. */ |
| | if (status == TS_MISSING) |
| goto done; |
goto done; |
| |
|
| /* | /* Open time stamp file and lock it for exclusive access. */ |
| * Sanity check the user's ticket dir. We start by downgrading | if (timestamp_uid != 0) |
| * the status to TS_ERROR. If the ticket dir exists and is sane | set_perms(PERM_TIMESTAMP); |
| * this will be upgraded to TS_OLD. If the dir does not exist, | fd = open(timestamp_file, O_RDWR); |
| * it will be upgraded to TS_MISSING. | if (timestamp_uid != 0) |
| */ | restore_perms(); |
| status = TS_ERROR; /* downgrade status again */ | if (fd == -1) { |
| if (lstat(timestampdir, &sb) == 0) { | |
| if (!S_ISDIR(sb.st_mode)) { | |
| if (S_ISREG(sb.st_mode)) { | |
| /* convert from old style */ | |
| if (unlink(timestampdir) == 0) | |
| status = TS_MISSING; | |
| } else | |
| log_warning(0, N_("%s exists but is not a directory (0%o)"), | |
| timestampdir, (unsigned int) sb.st_mode); | |
| } else if (sb.st_uid != timestamp_uid) | |
| log_warning(0, N_("%s owned by uid %u, should be uid %u"), | |
| timestampdir, (unsigned int) sb.st_uid, | |
| (unsigned int) timestamp_uid); | |
| else if ((sb.st_mode & 0000022)) | |
| log_warning(0, | |
| N_("%s writable by non-owner (0%o), should be mode 0700"), | |
| timestampdir, (unsigned int) sb.st_mode); | |
| else { | |
| if ((sb.st_mode & 0000777) != 0700) | |
| (void) chmod(timestampdir, 0700); | |
| status = TS_OLD; /* do date check later */ | |
| } | |
| } else if (errno != ENOENT) { | |
| log_warning(USE_ERRNO, N_("unable to stat %s"), timestampdir); | |
| } else | |
| status = TS_MISSING; |
status = TS_MISSING; |
| |
goto done; |
| |
} |
| |
lock_file(fd, SUDO_LOCK); |
| |
|
| /* | /* Ignore and clear time stamp file if mtime predates boot time. */ |
| * If there is no user ticket dir, AND we are in tty ticket mode, | if (fstat(fd, &sb) == 0) { |
| * AND we are not just going to remove it, create the user ticket dir. | struct timeval boottime, mtime; |
| */ | |
| if (status == TS_MISSING && *timestampfile && !removing) { | mtim_get(&sb, &mtime); |
| if (mkdir(timestampdir, S_IRWXU) == -1) { | if (get_boottime(&boottime) && sudo_timevalcmp(&mtime, &boottime, <)) { |
| status = TS_ERROR; | ignore_result(ftruncate(fd, (off_t)0)); |
| log_warning(USE_ERRNO, N_("unable to mkdir %s"), timestampdir); | status = TS_MISSING; |
| | goto done; |
| } |
} |
| } |
} |
| |
|
| /* | /* Read existing record, if any. */ |
| * Sanity check the tty ticket file if it exists. | if (!ts_find_record(fd, ×tamp_key, &entry)) { |
| */ | status = TS_MISSING; |
| if (*timestampfile && status != TS_ERROR) { | goto done; |
| if (status != TS_MISSING) | } |
| status = TS_NOFILE; /* dir there, file missing */ | |
| if (def_tty_tickets && !user_ttypath) | |
| goto done; /* no tty, always prompt */ | |
| if (lstat(timestampfile, &sb) == 0) { | |
| if (!S_ISREG(sb.st_mode)) { | |
| status = TS_ERROR; | |
| log_warning(0, N_("%s exists but is not a regular file (0%o)"), | |
| timestampfile, (unsigned int) sb.st_mode); | |
| } else { | |
| /* If bad uid or file mode, complain and kill the bogus file. */ | |
| if (sb.st_uid != timestamp_uid) { | |
| log_warning(0, | |
| N_("%s owned by uid %u, should be uid %u"), | |
| timestampfile, (unsigned int) sb.st_uid, | |
| (unsigned int) timestamp_uid); | |
| (void) unlink(timestampfile); | |
| } else if ((sb.st_mode & 0000022)) { | |
| log_warning(0, | |
| N_("%s writable by non-owner (0%o), should be mode 0600"), | |
| timestampfile, (unsigned int) sb.st_mode); | |
| (void) unlink(timestampfile); | |
| } else { | |
| /* If not mode 0600, fix it. */ | |
| if ((sb.st_mode & 0000777) != 0600) | |
| (void) chmod(timestampfile, 0600); | |
| |
|
| /* | /* Set record position hint for use by update_timestamp() */ |
| * Check for stored tty info. If the file is zero-sized | timestamp_hint = lseek(fd, (off_t)0, SEEK_CUR); |
| * it is an old-style timestamp with no tty info in it. | if (timestamp_hint != (off_t)-1) |
| * If removing, we don't care about the contents. | timestamp_hint -= entry.size; |
| * The actual mtime check is done later. | |
| */ | if (ISSET(entry.flags, TS_DISABLED)) { |
| if (removing) { | status = TS_OLD; /* disabled via sudo -k */ |
| status = TS_OLD; | goto done; |
| } else if (sb.st_size != 0) { | |
| struct sudo_tty_info info; | |
| int fd = open(timestampfile, O_RDONLY, 0644); | |
| if (fd != -1) { | |
| if (read(fd, &info, sizeof(info)) == sizeof(info) && | |
| memcmp(&info, &tty_info, sizeof(info)) == 0) { | |
| status = TS_OLD; | |
| } | |
| close(fd); | |
| } | |
| } | |
| } | |
| } | |
| } else if (errno != ENOENT) { | |
| log_warning(USE_ERRNO, N_("unable to stat %s"), timestampfile); | |
| status = TS_ERROR; | |
| } | |
| } |
} |
| |
|
| /* | if (entry.type != TS_GLOBAL && entry.sid != timestamp_key.sid) { |
| * If the file/dir exists and we are not removing it, check its mtime. | status = TS_OLD; /* belongs to different session */ |
| */ | goto done; |
| if (status == TS_OLD && !removing) { | } |
| mtim_get(&sb, &mtime); | |
| if (timevalisset(&mtime)) { | /* Negative timeouts only expire manually (sudo -k). */ |
| /* Negative timeouts only expire manually (sudo -k). */ | if (def_timestamp_timeout < 0) { |
| if (def_timestamp_timeout < 0) { | status = TS_CURRENT; |
| status = TS_CURRENT; | goto done; |
| } else { | } |
| time(&now); | |
| if (def_timestamp_timeout && | /* Compare stored time stamp with current time. */ |
| now - mtime.tv_sec < 60 * def_timestamp_timeout) { | sudo_timespecsub(×tamp_key.ts, &entry.ts, &diff); |
| /* | timeout.tv_sec = 60 * def_timestamp_timeout; |
| * Check for bogus time on the stampfile. The clock may | timeout.tv_nsec = ((60.0 * def_timestamp_timeout) - (double)timeout.tv_sec) |
| * have been set back or user could be trying to spoof us. | * 1000000000.0; |
| */ | if (sudo_timespeccmp(&diff, &timeout, <)) { |
| if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) { | status = TS_CURRENT; |
| time_t tv_sec = (time_t)mtime.tv_sec; | #ifdef CLOCK_MONOTONIC |
| log_warning(0, | /* A monotonic clock should never run backwards. */ |
| N_("timestamp too far in the future: %20.20s"), | if (diff.tv_sec < 0) { |
| 4 + ctime(&tv_sec)); | log_warning(0, N_("ignoring time stamp from the future")); |
| if (*timestampfile) | status = TS_OLD; |
| (void) unlink(timestampfile); | SET(entry.flags, TS_DISABLED); |
| else | ts_update_record(fd, &entry, timestamp_hint); |
| (void) rmdir(timestampdir); | |
| status = TS_MISSING; | |
| } else if (get_boottime(&boottime) && | |
| timevalcmp(&mtime, &boottime, <)) { | |
| status = TS_OLD; | |
| } else { | |
| status = TS_CURRENT; | |
| } | |
| } | |
| } | |
| } |
} |
| |
#else |
| |
/* Check for bogus (future) time in the stampfile. */ |
| |
sudo_timespecsub(&entry.ts, ×tamp_key.ts, &diff); |
| |
timeout.tv_sec *= 2; |
| |
if (sudo_timespeccmp(&diff, &timeout, >)) { |
| |
time_t tv_sec = (time_t)entry.ts.tv_sec; |
| |
log_warning(0, |
| |
N_("time stamp too far in the future: %20.20s"), |
| |
4 + ctime(&tv_sec)); |
| |
status = TS_OLD; |
| |
SET(entry.flags, TS_DISABLED); |
| |
ts_update_record(fd, &entry, timestamp_hint); |
| |
} |
| |
#endif /* CLOCK_MONOTONIC */ |
| |
} else { |
| |
status = TS_OLD; |
| } |
} |
| |
|
| done: |
done: |
| if (timestamp_uid != 0) | if (fd != -1) |
| restore_perms(); | close(fd); |
| debug_return_int(status); |
debug_return_int(status); |
| } |
} |
| |
|
| int |
|
| timestamp_status(struct passwd *pw) |
|
| { |
|
| return timestamp_status_internal(false); |
|
| } |
|
| |
|
| /* |
/* |
| * Remove the timestamp ticket file/dir. | * Remove the timestamp entry or file if unlink_it is set. |
| */ |
*/ |
| void |
void |
| remove_timestamp(bool remove) | remove_timestamp(bool unlink_it) |
| { |
{ |
| struct timeval tv; | struct timestamp_entry entry; |
| char *path; | int fd = -1; |
| int status; | |
| debug_decl(remove_timestamp, SUDO_DEBUG_AUTH) |
debug_decl(remove_timestamp, SUDO_DEBUG_AUTH) |
| |
|
| if (build_timestamp(NULL) == -1) |
if (build_timestamp(NULL) == -1) |
| debug_return; |
debug_return; |
| |
|
| status = timestamp_status_internal(true); | /* For "sudo -K" simply unlink the time stamp file. */ |
| if (status != TS_MISSING && status != TS_ERROR) { | if (unlink_it) { |
| path = *timestampfile ? timestampfile : timestampdir; | (void) unlink(timestamp_file); |
| if (remove) { | debug_return; |
| if (*timestampfile) | } |
| status = unlink(timestampfile); | |
| else | /* |
| status = rmdir(timestampdir); | * Create a key used for matching entries in the time stamp file. |
| if (status == -1 && errno != ENOENT) { | */ |
| log_warning(0, | memset(×tamp_key, 0, sizeof(timestamp_key)); |
| N_("unable to remove %s, will reset to the epoch"), path); | timestamp_key.version = TS_VERSION; |
| remove = false; | timestamp_key.size = sizeof(timestamp_key); |
| } | timestamp_key.type = TS_GLOBAL; /* may be overriden below */ |
| | timestamp_key.flags = TS_ANYUID; |
| | if (def_tty_tickets) { |
| | struct stat sb; |
| | if (user_ttypath != NULL && stat(user_ttypath, &sb) == 0) { |
| | /* tty-based time stamp */ |
| | timestamp_key.type = TS_TTY; |
| | timestamp_key.u.ttydev = sb.st_rdev; |
| | } else { |
| | /* ppid-based time stamp */ |
| | timestamp_key.type = TS_PPID; |
| | timestamp_key.u.ppid = getppid(); |
| } |
} |
| if (!remove) { |
|
| timevalclear(&tv); |
|
| if (touch(-1, path, &tv) == -1 && errno != ENOENT) |
|
| fatal(_("unable to reset %s to the epoch"), path); |
|
| } |
|
| } |
} |
| |
|
| |
/* Open time stamp file and lock it for exclusive access. */ |
| |
if (timestamp_uid != 0) |
| |
set_perms(PERM_TIMESTAMP); |
| |
fd = open(timestamp_file, O_RDWR); |
| |
if (timestamp_uid != 0) |
| |
restore_perms(); |
| |
if (fd == -1) |
| |
goto done; |
| |
lock_file(fd, SUDO_LOCK); |
| |
|
| |
/* |
| |
* Find matching entries and invalidate them. |
| |
*/ |
| |
while (ts_find_record(fd, ×tamp_key, &entry)) { |
| |
/* Set record position hint for use by update_timestamp() */ |
| |
timestamp_hint = lseek(fd, (off_t)0, SEEK_CUR); |
| |
if (timestamp_hint != (off_t)-1) |
| |
timestamp_hint -= (off_t)entry.size; |
| |
/* Disable the entry. */ |
| |
SET(entry.flags, TS_DISABLED); |
| |
ts_update_record(fd, &entry, timestamp_hint); |
| |
} |
| |
close(fd); |
| |
|
| |
done: |
| debug_return; |
debug_return; |
| } |
} |
| |
|
| /* |
/* |
| * Lecture status is currently implied by the timestamp status but | * Returns true if the user has already been lectured. |
| * may be stored separately in a future release. | |
| */ |
*/ |
| bool |
bool |
| |
already_lectured(int unused) |
| |
{ |
| |
char status_file[PATH_MAX]; |
| |
struct stat sb; |
| |
int len; |
| |
debug_decl(already_lectured, SUDO_DEBUG_AUTH) |
| |
|
| |
if (ts_secure_dir(def_lecture_status_dir, false, true)) { |
| |
len = snprintf(status_file, sizeof(status_file), "%s/%s", |
| |
def_lecture_status_dir, user_name); |
| |
if (len <= 0 || (size_t)len >= sizeof(status_file)) { |
| |
log_fatal(0, N_("lecture status path too long: %s/%s"), |
| |
def_lecture_status_dir, user_name); |
| |
} |
| |
debug_return_bool(stat(status_file, &sb) == 0); |
| |
} |
| |
debug_return_bool(false); |
| |
} |
| |
|
| |
/* |
| |
* Create the lecture status file. |
| |
* Returns true on success or false on failure. |
| |
*/ |
| |
bool |
| set_lectured(void) |
set_lectured(void) |
| { |
{ |
| return true; | char lecture_status[PATH_MAX]; |
| | int len, fd = -1; |
| | debug_decl(set_lectured, SUDO_DEBUG_AUTH) |
| | |
| | len = snprintf(lecture_status, sizeof(lecture_status), "%s/%s", |
| | def_lecture_status_dir, user_name); |
| | if (len <= 0 || (size_t)len >= sizeof(lecture_status)) { |
| | log_fatal(0, N_("lecture status path too long: %s/%s"), |
| | def_lecture_status_dir, user_name); |
| | } |
| | |
| | /* Sanity check lecture dir and create if missing. */ |
| | if (!ts_secure_dir(def_lecture_status_dir, true, false)) |
| | goto done; |
| | |
| | /* Create lecture file. */ |
| | if (timestamp_uid != 0) |
| | set_perms(PERM_TIMESTAMP); |
| | fd = open(lecture_status, O_WRONLY|O_CREAT|O_TRUNC, 0600); |
| | if (timestamp_uid != 0) |
| | restore_perms(); |
| | if (fd != -1) |
| | close(fd); |
| | |
| | done: |
| | debug_return_bool(fd != -1 ? true : false); |
| } |
} |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to timestamp.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / plugins / sudoers