| Commit message | Author | Age | Files | Lines |

* safepath.c (safepath_check): If we are checking a relative
directory, and an absolute symlink shows up, then we have
to check the root directory; we have not checked it before.
It could have bad permissions. We ensure we do this at most
once.
* README: There is an issue with the trust in the current
working directory when relative paths are used.
* safepath.h (SAFEPATH_TOOLONG): New enum constant.
* safepath.c (safepath_check): Don't ignore the truncation
situation from readlink. Use the full buffer length,
and if readlink returns 256, then diagnose overflow using the
new SAFEPATH_TOOLONG error code and bail.
(safepath_strerr): Map SAFEPATH_TOOLONG.
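Added example, not code from the safepath project: it shows the readlink truncation check this commit describes, with a 256-byte buffer passed at its full length and a full return value treated as overflow. The helper names, the three-value status enum and the /tmp scratch directory are assumptions.

```c
#define _GNU_SOURCE
/* Constructed example: detect readlink() truncation instead of ignoring it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum link_status { LINK_OK = 0, LINK_TOOLONG, LINK_ERR };

/* Read a symlink target into buf. readlink() neither NUL-terminates nor
 * reports truncation; if it fills the whole buffer we cannot tell whether
 * the target fit exactly or was cut, so a full buffer is diagnosed as too
 * long and the caller bails out. */
static enum link_status read_link_checked(const char *path, char *buf, size_t bufsz)
{
    ssize_t n = readlink(path, buf, bufsz);   /* full length, not bufsz - 1 */
    if (n < 0)
        return LINK_ERR;
    if ((size_t)n == bufsz)                    /* possible truncation */
        return LINK_TOOLONG;
    buf[n] = '\0';
    return LINK_OK;
}

/* Create a symlink whose target is target_len bytes long in a scratch
 * directory, check it with a 256-byte buffer, clean up, return the status. */
static enum link_status probe_symlink(size_t target_len)
{
    char dir[] = "/tmp/safepath-demo-XXXXXX";    /* assumed writable */
    char link[64], buf[256], *target;
    enum link_status st = LINK_ERR;

    if (mkdtemp(dir) == NULL)
        return LINK_ERR;
    snprintf(link, sizeof link, "%s/lnk", dir);
    target = malloc(target_len + 1);
    if (target != NULL) {
        memset(target, 'a', target_len);
        target[target_len] = '\0';
        if (symlink(target, link) == 0) {
            st = read_link_checked(link, buf, sizeof buf);
            unlink(link);
        }
        free(target);
    }
    rmdir(dir);
    return st;
}
```

A 100-byte target yields LINK_OK, while both a 256-byte and a 300-byte target yield LINK_TOOLONG, since the exact-fit case is indistinguishable from a cut-off one.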
* safepath.h (SAFEPATH_NOTDIR): New enum.
* safepath.c (safepath_err, set_errno): Handle conversion
between SAFEPATH_NOTDIR and ENOTDIR.
(safepath_strerr): Map SAFEPATH_NOTDIR to message.
* Makefile (DIAG_FLAGS): Sanitize for memory misuse and
undefined behavior.
* safepath.[ch]: New function, safepath_strerr.
* testsp.c (main): Use new function to print message,
rather than integer code.
We don't want to behave like the access function, which is
intended for use in setuid programs to determine what the
original user can access.
The purpose of safepath_check is to check whether the
filesystem can harm the caller. For that, the effective
identity that is being wielded should be used.
A setuid executable might have a real user ID bob,
but effective root. Root does not trust bob; root
doesn't want to follow a symlink controlled by bob.
* safepath.c (safe_group, tamper_proof): Replace getuid
calls with geteuid.
* README.md: Updated text.
* safepath.c (tamper_proof, safepath_check): Reword outdated
comments.