-rw-r--r-- | usr.sbin/bgpd/bgpd.h | 5 | ||||
-rw-r--r-- | usr.sbin/bgpd/config.c | 26 | ||||
-rw-r--r-- | usr.sbin/bgpd/parse.y | 8 |
3 files changed, 36 insertions, 3 deletions
diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h index 6a0cdfc768c..9331768ddc4 100644 --- a/usr.sbin/bgpd/bgpd.h +++ b/usr.sbin/bgpd/bgpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bgpd.h,v 1.93 2004/02/09 01:46:34 henning Exp $ */ +/* $OpenBSD: bgpd.h,v 1.94 2004/02/10 23:10:23 henning Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -386,6 +386,9 @@ const char *log_addr(const struct bgpd_addr *); /* parse.y */ int cmdline_symset(char *); +/* config.c */ +int check_file_secrecy(int fd, const char *fname); + /* imsg.c */ void imsg_init(struct imsgbuf *, int); int imsg_read(struct imsgbuf *); diff --git a/usr.sbin/bgpd/config.c b/usr.sbin/bgpd/config.c index e9fab2a4b4c..b96706ba913 100644 --- a/usr.sbin/bgpd/config.c +++ b/usr.sbin/bgpd/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.27 2004/02/03 22:28:05 henning Exp $ */ +/* $OpenBSD: config.c,v 1.28 2004/02/10 23:10:23 henning Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -18,6 +18,7 @@ #include <sys/types.h> #include <sys/socket.h> +#include <sys/stat.h> #include <sys/mman.h> #include <errno.h> @@ -89,3 +90,26 @@ get_bgpid(void) return (ip); } + +int +check_file_secrecy(int fd, const char *fname) +{ + struct stat st; + + if (fstat(fd, &st)) { + log_warn("cannot stat %s", fname); + return (-1); + } + + if (st.st_uid != 0 && st.st_uid != getuid()) { + log_warnx("%s: owner not root or current user", fname); + return (-1); + } + + if (st.st_mode & (S_IRWXG | S_IRWXO)) { + log_warnx("%s: group/world readable/writeable", fname); + return (-1); + } + + return (0); +} diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index 0aee308574d..d2b5c67e9ce 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.55 2004/02/09 01:46:34 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.56 2004/02/10 23:10:23 henning Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> 
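Review bot: The new prototype `int check_file_secrecy(int fd, const char *fname);` names its parameters, while every neighbouring prototype in this header (`int cmdline_symset(char *);`, `void imsg_init(struct imsgbuf *, int);`, `int imsg_read(struct imsgbuf *);`) omits them; for consistency with the header's convention write `int check_file_secrecy(int, const char *);`. This is a style point only: the declaration agrees with the definition added to config.c in the same commit.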
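Review bot: check_file_secrecy() rejects a wrong owner and group/world mode bits but never checks the file type, so a configuration path that names a FIFO, a device node or a directory with root ownership and 0600 permissions passes the check; after the fstat() succeeds add `if (!S_ISREG(st.st_mode)) { log_warnx("%s: not a regular file", fname); return (-1); }`. Performing the check with fstat() on the already-open descriptor rather than stat() on the pathname is the right choice, as it leaves no window between check and open. The function calls getuid() while the hunk only adds `<sys/stat.h>`; unless config.c already includes `<unistd.h>` further up (not visible here), that call is implicitly declared. If bgpd can ever run with differing real and effective uids, consider whether geteuid() is the identity the "current user" test should use; under a plain root invocation the two agree.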
@@ -897,6 +897,12 @@ parse_config(char *filename, struct bgpd_config *xconf, } infile = filename; + if (check_file_secrecy(fileno(fin), filename)) { + free(conf); + free(mrtconf); + return (-1); + } + yyparse(); fclose(fin); |
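Review bot: The new early return taken when check_file_secrecy() fails frees conf and mrtconf but leaves fin open, because the `fclose(fin);` that follows yyparse() is skipped; add `fclose(fin);` before the `return (-1);` inside the new block. Whether freeing conf and mrtconf is the complete cleanup at this point depends on what parse_config() allocated before `infile = filename;`, which lies outside the hunk. parse_config()'s body begins and ends outside this hunk.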