author | Hakan Olsson <ho@cvs.openbsd.org> | 2003-05-18 21:26:37 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2003-05-18 21:26:37 +0000 |
commit | b3377516b3c980db757772ff33b79cfb043e382e (patch) | |
tree | 9c3021fcdd88ec33640c7a158055e16cd7fc95dc | |
parent | 02bef16d7710238b22a5107c610266ef8b5e5c9b (diff) |
Add some path sanitization; only permit write operations to /tmp,
/var/tmp and /var/run. Opens in /etc/isakmpd/ are read-only. Any other
path is invalid. markus@ ok.
-rw-r--r-- | sbin/isakmpd/monitor.c | 51 |
1 files changed, 49 insertions, 2 deletions
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index a36a49c0a27..8cd79171cbd 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.4 2003/05/18 19:37:46 ho Exp $ */
+/* $OpenBSD: monitor.c,v 1.5 2003/05/18 21:26:36 ho Exp $ */
 /*
  * Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -76,6 +76,7 @@ void m_priv_getsocket (int);
 void m_priv_setsockopt (int);
 void m_priv_bind (int);
 void m_priv_mkfifo (int);
+void m_priv_local_sanitize_path (char *, size_t, int);
 #if defined (USE_X509)
 void m_priv_rsa_getkey (int);
@@ -639,7 +640,7 @@ m_priv_getfd (int s)
 goto errout;
 mode = (mode_t)v;
- /* XXX Sanity checks */
+ m_priv_local_sanitize_path (path, sizeof path, flags);
 v = (int32_t)open (path, flags, mode);
 if (mm_send_fd (s, v))
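Review bot: After the new `m_priv_local_sanitize_path (path, sizeof path, flags);` call, m_priv_getfd still hands the rewritten path to open(), so a rejected request does not fail: it succeeds with a descriptor on /dev/null and the unprivileged side gets no indication that its write was discarded. Failing closed would be safer — have the sanitizer return an int and use `if (m_priv_local_sanitize_path (path, sizeof path, flags) == -1) goto errout;` — assuming errout reports a failure back to the child, which is outside this hunk. The `sizeof path` argument is only a real bound if path is a local array in m_priv_getfd; its declaration is not in the hunk, so worth confirming it is not a pointer. m_priv_getfd's body starts and ends outside the hunk.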
@@ -1171,3 +1172,49 @@ m_priv_local_deletekey (int32_t keyno)
 return;
 }
 #endif /* USE_X509 */
+
+/* Check that path/mode is permitted. */
+void
+m_priv_local_sanitize_path (char *path, size_t pmax, int flags)
+{
+ char *p;
+
+ /*
+ * Basically, we only permit paths starting with
+ /etc/isakmpd/ (read only)
+ /var/run/
+ /var/tmp
+ /tmp
+
+ XXX This is an interim measure only.
+ */
+
+ if (strlen (path) < sizeof "/tmp")
+ goto bad_path;
+
+ /* Any path containing '..' is invalid. */
+ for (p = path; *p && (p - path) < pmax; p++)
+ if (*p == '.' && *(p + 1) == '.')
+ goto bad_path;
+
+ /* For any write-mode, only a few paths are permitted. */
+ if ((flags & O_ACCMODE) != O_RDONLY)
+ {
+ if (strncmp ("/var/run/", path, sizeof "/var/run") == 0 ||
+ strncmp ("/var/tmp/", path, sizeof "/var/tmp") == 0 ||
+ strncmp ("/tmp/", path, sizeof "/tmp") == 0)
+ return;
+ goto bad_path;
+ }
+
+ /* Any other paths are read-only. */
+ if (strncmp (ISAKMPD_ROOT, path, strlen (ISAKMPD_ROOT)) == 0)
+ return;
+
+ bad_path:
+ log_print ("m_priv_local_sanitize_path: illegal path \"%.1024s\", "
+ "replaced with \"/dev/null\"", path);
+ strlcpy (path, "/dev/null", pmax);
+ return;
+}
+ |
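Review bot: The write-mode test on the `if ((flags & O_ACCMODE) != O_RDONLY)` line looks only at the access mode, so a request for O_RDONLY|O_TRUNC (or O_RDONLY|O_CREAT) on a path under ISAKMPD_ROOT takes the read-only branch and reaches open() untouched; on the BSD vn_open path O_TRUNC is honored without FWRITE as long as the caller has write access, which the privileged monitor does, so a compromised child could truncate the configuration — confirm against the kernel, but it is cheap to rule out with `if ((flags & O_ACCMODE) != O_RDONLY || (flags & (O_TRUNC | O_CREAT)))`. The `strncmp (ISAKMPD_ROOT, path, strlen (ISAKMPD_ROOT))` check also admits sibling directories such as /etc/isakmpd-x/ if ISAKMPD_ROOT has no trailing slash (its definition is not in the hunk); the three write prefixes deliberately include the slash, so this one should be made to as well. Finally, /tmp and /var/tmp are world-writable and the same unprivileged child can plant a symlink there, so the root-side open() will follow it anywhere: opening with O_NOFOLLOW and fstat()-checking S_ISREG closes the final-component case, while a symlinked subdirectory would still need a per-component lstat walk or a rule rejecting any further '/' after the permitted prefix. The "interim measure" comment is honest, but these are the gaps it leaves.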