From 335524b9adf829701f9d27d79b1017d7d41b44f1 Mon Sep 17 00:00:00 2001 From: Warner Losh Date: Wed, 1 Jan 1997 00:03:49 +0000 Subject: [PATCH] Various security related deltas from OpenBSD dirs.c: From OpenBSD 1.2, 1.3, 1.5, 1.8, 1.10, 1.11, 1.12 1.2: use unique temporary files; netbsd pr#2544; lukem@supp.cpr.itg.telecom.com.au 1.3: updated patch from lukem@supp.cpr.itg.telecom.com.au to also make -r and -R work again 1.5: mktemp open & fdopen 1.8: /tmp// -> /tmp/ 1.10: Fix strncpy usage and correct strncat length field, from Theo. Also change some occurrence of MAXPATHLEN with sizeof(foo). 1.11: does noone know how to use strncat correctly? 1.12: use mkstemp() From NetBSD: Use open rather than create so we can specify exclusive open mode. main.c: From OpenBSD 1.2, 1.5 1.2: From NetBSD: support $TAPE. 1.5 Set umask to be read only by owner until we set real file permissions. tape.c: From NetBSD: Use open rather than create so we can specify exclusive open mode. --- sbin/restore/dirs.c | 50 +++++++++++++++++++++++++++++++-------------- sbin/restore/main.c | 7 ++++++- sbin/restore/tape.c | 3 ++- 3 files changed, 43 insertions(+), 17 deletions(-) diff --git a/sbin/restore/dirs.c b/sbin/restore/dirs.c index b092eab361fc..a4038eb1f63e 100644 --- a/sbin/restore/dirs.c +++ b/sbin/restore/dirs.c @@ -104,9 +104,9 @@ struct rstdirdesc { static long seekpt; static FILE *df, *mf; static RST_DIR *dirp; -static char dirfile[32] = "#"; /* No file */ -static char modefile[32] = "#"; /* No file */ -static char dot[2] = "."; /* So it can be modified */ +static char dirfile[MAXPATHLEN] = "#"; /* No file */ +static char modefile[MAXPATHLEN] = "#"; /* No file */ +static char dot[2] = "."; /* So it can be modified */ /* * Format of old style directories. @@ -142,11 +142,18 @@ extractdirs(genmode) register struct dinode *ip; struct inotab *itp; struct direct nulldir; + int fd; vprintf(stdout, "Extract directories from tape\n"); - (void) sprintf(dirfile, "%s/rstdir%d", _PATH_TMP, dumpdate); - df = fopen(dirfile, "w"); - if (df == NULL) { + (void) sprintf(dirfile, "%srstdir%d", _PATH_TMP, dumpdate); + if (command != 'r' && command != 'R') { + (void *) strcat(dirfile, "-XXXXXX"); + fd = mkstemp(dirfile); + } else + fd = open(dirfile, O_RDWR|O_CREAT|O_EXCL, 0666); + if (fd == -1 || (df = fdopen(fd, "w")) == NULL) { + if (fd != -1) + close(fd); fprintf(stderr, "restore: %s - cannot create directory temporary\n", dirfile); @@ -154,9 +161,15 @@ extractdirs(genmode) done(1); } if (genmode != 0) { - (void) sprintf(modefile, "%s/rstmode%d", _PATH_TMP, dumpdate); - mf = fopen(modefile, "w"); - if (mf == NULL) { + (void) sprintf(modefile, "%srstmode%d", _PATH_TMP, dumpdate); + if (command != 'r' && command != 'R') { + (void *) strcat(modefile, "-XXXXXX"); + fd = mkstemp(modefile); + } else + fd = open(modefile, O_RDWR|O_CREAT|O_EXCL, 0666); + if (fd == -1 || (mf = fdopen(fd, "w")) == NULL) { + if (fd != -1) + close(fd); fprintf(stderr, "restore: %s - cannot create modefile \n", modefile); @@ -239,8 +252,9 @@ treescan(pname, ino, todo) * begin search through the directory * skipping over "." and ".." */ - (void) strncpy(locname, pname, MAXPATHLEN); - (void) strncat(locname, "/", MAXPATHLEN); + (void) strncpy(locname, pname, sizeof(locname) - 1); + locname[sizeof(locname) - 1] = '\0'; + (void) strncat(locname, "/", sizeof(locname) - strlen(locname)); namelen = strlen(locname); rst_seekdir(dirp, itp->t_seekpt, itp->t_seekpt); dp = rst_readdir(dirp); /* "." */ @@ -260,9 +274,9 @@ treescan(pname, ino, todo) */ while (dp != NULL && dp->d_ino != 0) { locname[namelen] = '\0'; - if (namelen + dp->d_namlen >= MAXPATHLEN) { + if (namelen + dp->d_namlen >= sizeof(locname)) { fprintf(stderr, "%s%s: name exceeds %d char\n", - locname, dp->d_name, MAXPATHLEN); + locname, dp->d_name, sizeof(locname) - 1); } else { (void) strncat(locname, dp->d_name, (int)dp->d_namlen); treescan(locname, dp->d_ino, todo); @@ -585,7 +599,13 @@ setdirmodes(flags) char *cp; vprintf(stdout, "Set directory mode, owner, and times.\n"); - (void) sprintf(modefile, "%s/rstmode%d", _PATH_TMP, dumpdate); + if (command == 'r' || command == 'R') + (void) sprintf(modefile, "%srstmode%d", _PATH_TMP, dumpdate); + if (modefile[0] == '#') { + panic("modefile not defined\n"); + fprintf(stderr, "directory mode, owner, and times not set\n"); + return; + } mf = fopen(modefile, "r"); if (mf == NULL) { fprintf(stderr, "fopen: %s\n", strerror(errno)); @@ -640,7 +660,7 @@ genliteraldir(name, ino) itp = inotablookup(ino); if (itp == NULL) panic("Cannot find directory inode %d named %s\n", ino, name); - if ((ofile = creat(name, 0666)) < 0) { + if ((ofile = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0666)) < 0) { fprintf(stderr, "%s: ", name); (void) fflush(stderr); fprintf(stderr, "cannot create file: %s\n", strerror(errno)); diff --git a/sbin/restore/main.c b/sbin/restore/main.c index 936116e319b8..a45994552353 100644 --- a/sbin/restore/main.c +++ b/sbin/restore/main.c @@ -82,13 +82,18 @@ main(argc, argv) { int ch; ino_t ino; - char *inputdev = _PATH_DEFTAPE; + char *inputdev; char *symtbl = "./restoresymtable"; char *p, name[MAXPATHLEN]; + /* Temp files should *not* be readable. We set permissions later. */ + (void) umask(077); + if (argc < 2) usage(); + if ((inputdev = getenv("TAPE")) == NULL) + inputdev = _PATH_DEFTAPE; obsolete(&argc, &argv); while ((ch = getopt(argc, argv, "b:cdf:himNRrs:tvxy")) != EOF) switch(ch) { diff --git a/sbin/restore/tape.c b/sbin/restore/tape.c index fcf41e85ea2c..7aae76daa715 100644 --- a/sbin/restore/tape.c +++ b/sbin/restore/tape.c @@ -583,7 +583,8 @@ extractfile(name) skipfile(); return (GOOD); } - if ((ofile = creat(name, 0666)) < 0) { + if ((ofile = open(name, O_WRONLY | O_CREAT | O_TRUNC, + 0666)) < 0) { fprintf(stderr, "%s: cannot create file: %s\n", name, strerror(errno)); skipfile();