If a directory is world-writable or is not owned by root, skip it

and emit a warning. This is a security measure since ldconfig influences the shared libraries used by all programs. I think the check should be made even more stringent by also ignoring group-writable directories. I will make that change soon unless we encounter a good reason not to do it. Submitted by: Maxime Henrion <mhenrion@cybercable.fr>
svn path=/head/; revision=63872
2024-12-03 14:48:57 +00:00 · 2000-07-26 04:47:17 +00:00 · 2000-07-26 04:47:17 +00:00 · fa0c86aadc · 2020-12-20 02:59:44 +00:00
commit fa0c86aadc
parent dc2475c540
3 changed files with 35 additions and 5 deletions
--- a/sbin/ldconfig/elfhints.c
+++ b/sbin/ldconfig/elfhints.c
@ -57,7 +57,22 @@ static int		 ndirs;
 static void
 add_dir(const char *hintsfile, const char *name)
 {
-	int	i;
+	struct stat 	stbuf;
+	int		i;
+
+	/* Do some security checks */
+	if (stat(name, &stbuf) == -1) {
+		warn("%s", name);
+		return;
+	}
+	if (stbuf.st_uid != 0) {
+		warnx("%s: not owned by root", name);
+		return;
+	}
+	if ((stbuf.st_mode & S_IWOTH) != 0) {
+		warnx("%s: ignoring world-writable directory", name);
+        	return;
+	}

 	for (i = 0;  i < ndirs;  i++)
 		if (strcmp(dirs[i], name) == 0)
--- a/sbin/ldconfig/ldconfig.8
+++ b/sbin/ldconfig/ldconfig.8
@ -61,7 +61,10 @@ line.  Blank lines and lines starting with the comment character
 .Ql \&#
 are ignored.
 .Pp
-The shared libraries so found will be automatically available for loading
+For security reasons, directories which are world-writable or which
+are not owned by root produce warning messages and are skipped.
+.Pp
+The shared libraries which are found will be automatically available for loading
 if needed by the program being prepared for execution.
 This obviates the need
 for storing search paths within the executable.
@ -137,9 +140,6 @@ In
 addition to building a set of hints for quick lookup, it also serves to
 specify the trusted collection of directories from which shared objects can
 be safely loaded.
-It is presumed that the set of directories specified to
-.Nm ldconfig
-are under control of the system's administrator.
 .Sh ENVIRONMENT
 .Bl -tag -width OBJFORMATxxx -compact
 .It Ev OBJFORMAT
--- a/sbin/ldconfig/ldconfig.c
+++ b/sbin/ldconfig/ldconfig.c
@ -259,6 +259,7 @@ int	silent;
 {
 	DIR		*dd;
 	struct dirent	*dp;
+	struct stat	stbuf;
 	char		name[MAXPATHLEN];
 	int		dewey[MAXDEWEY], ndewey;

@ -269,6 +270,20 @@ int	silent;
 		return -1;
 	}

+	/* Do some security checks */
+	if (fstat(dirfd(dd), &stbuf) == -1) {
+		warn("%s", dir);
+		return -1;
+	}
+	if (stbuf.st_uid != 0) {
+		warnx("%s: not owned by root", dir);
+		return -1;
+	}
+	if ((stbuf.st_mode & S_IWOTH) != 0) {
+		warnx("%s: ignoring world-writable directory", dir);
+		return -1;
+	}
+
 	while ((dp = readdir(dd)) != NULL) {
 		register int n;
 		register char *cp;