Commit Graph

709 Commits

Author SHA1 Message Date
Stefan Eßer
6c2596f00c Change getlocalbase() to not allocate any heap memory
After the commit of the current version, Scott Long pointed out, that an
attacker might be able to cause a use-after-free access if this function
returned the value of the sysctl variable "user.localbase" by freeing
the allocated memory without the cached address being cleared in the
library function.

To resolve this issue, I have proposed the originally suggested version
with a statically allocated buffer in a review (D27370). There was no
feedback on this review and after waiting for more than 2 weeks, the
potential security issue is fixed by this commit. (There was no security
risk in practice, since none of the programs converted to use this
function attempted to free the buffer. The address could only have
pointed into the heap if user.localbase was set to a non-default value,
into r/o data or the environment, else.)

This version uses a static buffer of size LOCALBASE_CTL_LEN, which
defaults to MAXPATHLEN. This does not increase the memory footprint
of the library at this time, since its data segment grows from less
than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical
architectures, anyway.

Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code
that accesses the sysctl variable, values between 1 and MAXPATHLEN-1
will limit the maximum size of the prefix. When built with such a
value and if too large a value has been configured in user.localbase,
the value defined as ILLEGAL_PREFIX will be returned to cause any
file operations on that result to fail. (Default value is "/dev/null/",
the review contained "/\177", but I assume that "/dev/null" exists and
can not be accessed as a directory. Any other string that can be assumed
not be a valid path prefix could be used.)

I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for
the user.localbase variable, too. Doing this would guarantee that the
result always fit into the buffer in this library function (unless run
on a kernel built with a different buffer size.)

The function always returns a valid string, and only in case it is built
with a small static buffer and run on a system with too large a value in
user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing
the created path to be non-existent.

Differential Revision:	https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
Stefan Eßer
30d21d2795 Add function getlocalbase() to libutil.
This function returns the path to the local software base directory, by
default "/usr/local" (or the value of _PATH_LOCALBASE in include/paths.h
when building the world).

The value returned can be overridden by 2 methods:

- the LOCALBASE environment variable (ignored by SUID programs)
- else a non-default user.localbase sysctl value

Reviewed by:	hps (earlier version)
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D27236
2020-11-18 19:44:30 +00:00
Scott Long
8e1031086d Revert the whole getlocalbase() set of changes while a different design is
hashed out.
2020-11-15 20:24:59 +00:00
Scott Long
85a5fe290b Because getlocalbase() returns -1 on error, it needs to use a signed type
internally.  Do that, and make sure that conversations between signed and
unsigned don't overflow
2020-11-15 07:48:52 +00:00
Scott Long
bcf9ae2751 Fix a problem with r367686 related to the use of ssize_t. Not sure how this
escaped prior testing, but it should be better now.

Reported by:	lots
2020-11-14 19:04:36 +00:00
Scott Long
98b76d2227 Add the library function getlocalbase and its manual page. This helps to
unify the retrieval of the various ways that the local software base directory,
typically "/usr/local", is expressed in the system.

Reviewed by:	se
Differential Revision:	https://reviews.freebsd.org/D27022
2020-11-14 17:57:50 +00:00
Gordon Bergling
3d265fce43 Fix a few mandoc issues
- skipping paragraph macro: Pp after Sh
- sections out of conventional order: Sh EXAMPLES
- whitespace at end of input line
- normalizing date format
2020-10-09 19:12:44 +00:00
David Bright
9b934d4360 Add CAP_EVENT to pidfiles.
CAP_EVENT was omitted on pidfiles (in
pidfile_open()). There seems no reason why a process that creates
and writes a pidfile cannot monitor events on that file. This mod adds
the capability.

Reviewed by:	cem@
MFC after:	2 weeks
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D25363
2020-06-25 21:34:43 +00:00
Piotr Pawel Stefaniak
830efe5539 Make vipw error message less cryptic
Unable to find an editor, vipw would give this error:
# env EDITOR=fnord vipw
vipw: pw_edit(): No such file or directory

vigr or crontab do better:
# env EDITOR=fnord crontab -e
crontab: no crontab for root - using an empty one
crontab: fnord: No such file or directory
crontab: "fnord" exited with status 1

After this change, vipw behaves more like vigr or crontab:
# env EDITOR=fnord vipw
vipw: fnord: No such file or directory
vipw: "fnord" exited with status 1

Reviewed by:	rpokala, emaste
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D25369
2020-06-20 06:20:00 +00:00
Piotr Pawel Stefaniak
39c64ed6d1 libutil: remove extraneous ": " from error messages
Each of the err() family of functions already takes care of that.
2020-06-20 06:10:42 +00:00
Gordon Bergling
bc89b58def libutil: Document function HISTORY within the manpages
Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
MFC after:	7 days
Differential Revision:	https://reviews.freebsd.org/D24795
2020-06-14 05:35:02 +00:00
Kyle Evans
acf2957e49 login.conf(5): split MAIL env var out into a "mail" capability
This allows it to be easily suppressed in, e.g., the "daemon" class where it
will not be properly expanded.

This is a part of D21481.

Submitted by:	Andrew Gierth <andrew_tao173.riddles.org.uk>
2020-02-05 04:17:14 +00:00
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
Emmanuel Vadot
a7b5a3d486 pkgbase: Put a lot of binaries and lib in FreeBSD-runtime
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.

Reviewed by:    bapt, gjb
Differential Revision:  https://reviews.freebsd.org/D21503
2019-09-05 14:13:08 +00:00
Mateusz Guzik
ebea9e6d8f libutil: remove SIGSYS handling from setusercontext
It was a workaround for cases where the kernel lacks setloginclass(2),
added in the 9.x era.

Submitted by:	Pawel Biernacki
2019-09-02 13:55:31 +00:00
John Baldwin
72a52ef8c4 expand_number(3) parses suffixes, not prefixes.
While here, tidy the opening sentence a bit.

MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D20791
2019-07-20 16:03:54 +00:00
Mark Johnston
8e7299c08b Typo.
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2019-06-03 16:47:00 +00:00
Mariusz Zaborski
8a9e93bb21 Use funlinkat in pidfile to ensure we are removing the right file. 2019-04-06 11:24:43 +00:00
Mark Johnston
a273e09cb2 Fix pidfile_open(3) to handle relative paths with multiple components.
r322369's use of basename(3) was incorrect and worked by accident so
long as the pidfile path was absolute or consisted of a single
component.  Fix the basename() usage and add a regression test.

Reported by:	0mp
Reviewed by:	cem
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D19728
2019-03-27 19:40:18 +00:00
John Baldwin
2e43efd0bb Drop "All rights reserved" from my copyright statements.
Reviewed by:	rgrimes
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19485
2019-03-06 22:11:45 +00:00
Sean Eric Fagan
18bb746b40 r343881 had an uninitialized error. This fixes that.
PR:             233849
Reported by:    Andre Albsmeier
MFC after:      1 month
Sponsored by:   iXsystems Inc
Differential Revision:  https://reviews.freebsd.org/D18785
2019-02-07 22:10:20 +00:00
Sean Eric Fagan
148d31b83d r339008 broke repquota for UFS. This rectifies that.
Refactor the function calls and tests so that, on UFS, the proper fields
are filled out.

PR:		233849
Reported by:	Andre Albsmeier
Reviewed by:	mav, delphij
MFC after:	1 month
Sponsored by:	iXsystems Inc
Differential Revision:	https://reviews.freebsd.org/D18785
2019-02-07 21:51:39 +00:00
Xin LI
1e4da04f06 Ensure buffer is nul-terminated.
MFC after:	2 weeks
2018-12-31 03:08:01 +00:00
Ian Lepore
757e8bdbea Stop exporting __pw_scan and __pw_initpwd as freebsd-private libc functions
for use in libutil, and instead compile the small amount of common code
directly into libutil with a .PATH reachover.

Discussed with: kib@
2018-07-27 19:47:42 +00:00
Ian Lepore
34e9190d82 Make pw_scan(3) more compatible with getpwent(3) et. al. when processing
data from /etc/passwd rather than /etc/master.passwd.

The libc getpwent(3) and related functions automatically read master.passwd
when run by root, or passwd when run by a non-root user.  When run by non-
root, getpwent() copes with the missing data by setting the corresponding
fields in the passwd struct to known values (zeroes for numbers, or a
pointer to an empty string for literals).  When libutil's pw_scan(3) was
used to parse a line without the root-accessible data, it was leaving
garbage in the corresponding fields.

These changes rename the static pw_init() function used by getpwent() and
friends to __pw_initpwd(), and move it into pw_scan.c so that common init
code can be shared between libc and libutil.  pw_scan(3) now calls
__pw_initpwd() before __pw_scan(), just like the getpwent() family does, so
that reading an arbitrary passwd file in either format and parsing it with
pw_scan(3) returns the same results as getpwent(3) would.

This also adds a new pw_initpwd(3) function to libutil, so that code which
creates passwd structs from scratch in some manner that doesn't involve
pw_scan() can initialize the struct to the values expected by lots of
existing code, which doesn't expect to encounter NULL pointers or garbage
values in some fields.
2018-07-26 18:34:38 +00:00
Sean Eric Fagan
aad5531e71 This exposes ZFS user and group quotas via the normal
quatactl(2) mechanism.  (Read-only at this point, however.)
In particular, this is to allow rpc.rquotad query quotas
for NFS mounts, allowing users to see their quotas on the
hosts using the datasets.

The changes specifically:

* Add new RPC entry points for querying quotas.
* Changes the library routines to allow non-UFS quotas.
* Changes rquotad to check for quotas on mounted filesystems,
rather than being limited to entries in /etc/fstab
* Lastly, adds a VFS entry-point for ZFS to query quotas.

Note that this makes one unavoidable behavioural change: if quotas
are enabled, then they can be queried, as opposed to the current
method of checking for quotas being specified in fstab.  (With
ZFS, if there are user or group quotas, they're used, always.)

Reviewed by:	delphij, mav
Approved by:	mav
Sponsored by:	iXsystems Inc
Differential Revision:	https://reviews.freebsd.org/D15886
2018-07-05 22:56:13 +00:00
Alan Somers
8a46c08a2a pty.3: Add a HISTORY section
These functions were first added in 4.3 BSD-Reno, according to
http://unix.superglobalmegacorp.com/ and the CSRG svn repository.

Reviewed by:	bcr, bjk
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D15652
2018-06-02 22:40:16 +00:00
John Baldwin
636402a76a Use __SCCSID() for SCCS IDs.
- Define NO__SCCSID in CFLAGS to preserve existing behavior of omitting
  SCCS IDs by default.
- While here, fix the $FreeBSD$ in pw_util.c to use __FBSDID.
2018-05-23 17:02:12 +00:00
Eitan Adler
7f0f2cbbdf open.3: Use .Fa where appropriate
Obtained From:	DragonFlyBSD (78732326a796ca521f3c0fe33c6fc9c695742ede)
2018-03-04 18:00:32 +00:00
Bartek Rutkowski
e285e32e56 humanize_number(3): fix math edge case in rounding large numbers
Fix for remainder overflow, when in rare cases adding remainder to divider
exceeded 1 and turned the total to 1000 in final formatting, taking up
the space for the unit character.

The fix continues the division of the original number if the above case
happens -- added the appropriate check to the for loop performing
the division. This lowers the value shown, to make it fit into the buffer
space provided (1.0M for 4+1 character buffer, as used by ls).

Add test case for the reported bug and extend test program to support
providing buffer length (ls -lh uses 5, tests hard-coded 4).

PR:		224498
Submitted by:	Pawel Biernacki <pawel.biernacki@gmail.com>
Reported by:	Masachika Ishizuka <ish@amail.plala.or.jp>
Reviewed by:	cem, kib
Approved by:	cem, kib
MFC after:	1 week
Sponsored by:	Mysterious Code Ltd.
Differential Revision:	D13578
2017-12-28 22:57:34 +00:00
Warner Losh
7e8fba7889 Close slave on fork error to prevent pty fd leak.
CID: 978209
2017-12-28 05:33:59 +00:00
Pedro F. Giffuni
5e53a4f90f lib: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-26 02:00:33 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Baptiste Daroussin
b903189b6c Fix some nroff style issue
MFC after:	3 days
2017-11-11 14:39:13 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Sevan Janiyan
242afab281 Add caveat to kinfo_getvmmap(3) explaining high CPU utilisation.
Based on kib's reply on https://lists.freebsd.org/pipermail/freebsd-hackers/2016-July/049710.html

PR:		210904
Submitted by:	Yuri Victorovich <yuri AT rawbw DOT com>
Reviewed by:	jilles
Approved by:	bcr (mentor)
MFC after:	5 days
Differential Revision:	https://reviews.freebsd.org/D12004
2017-08-18 16:42:58 +00:00
Enji Cooper
188e46ab03 Add supporting changes for Add limited sandbox capability to "make check"
Non-tests/... changes:
- Add HAS_TESTS= to Makefiles with libraries and programs to enable iteration
  and propagate the appropriate environment down to *.test.mk.

tests/... changes:
- Add appropriate support Makefile.inc's to set HAS_TESTS in a minimal manner,
  since tests/... is a special subdirectory tree compared to the others.

MFC after:	2 months
MFC with:	r322511
Reviewed by:	arch (silence), testing (silence)
Differential Revision:	D12014
2017-08-14 19:21:37 +00:00
Mariusz Zaborski
1a32b20594 Limit descriptors stored in the pidfh structure.
Reviewed by:	markj, cem
Differential Revision:	https://reviews.freebsd.org/D11741
2017-08-10 16:50:13 +00:00
Mariusz Zaborski
4f9612a321 Store directory descriptor in the pidfh structure and use unlinkat(2)
function instead of unlink(2).

Now when pidfile_remove() uses unlinkat(2) to remove the pidfile
it is safe to use this function in capability mode.

Style fix: sort headers.

PR:		220524
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D11692
2017-08-10 16:45:05 +00:00
Enji Cooper
7921075587 MFhead@r322057 2017-08-04 17:41:49 +00:00
Mariusz Zaborski
73979478cc Introduce the flopenat(3) function.
Reviewed by:	des, emaste
Differential Revision:	https://reviews.freebsd.org/D11690
2017-08-04 14:24:24 +00:00
Enji Cooper
d511b20a69 Add HAS_TESTS to all Makefiles that are currently using the
`SUBDIR.${MK_TESTS}+= tests` idiom.

This is a follow up to r321912.
2017-08-02 08:50:42 +00:00
Enji Cooper
4b330699f8 Convert traditional ${MK_TESTS} conditional idiom for including test
directories to SUBDIR.${MK_TESTS} idiom

This is being done to pave the way for future work (and homogenity) in
^/projects/make-check-sandbox .

No functional change intended.

MFC after:	1 weeks
2017-08-02 08:35:51 +00:00
Ed Maste
e6db6692e5 enable pidfile tests on arm64
Pidfile tests were disabled on arm64 (in r286863) because they hung.
They have been fixed (r306098) and so can be enabled now.

PR:		202304
Sponsored by:	The FreeBSD Foundation
2017-07-19 14:07:38 +00:00
Stephen J. Kiernan
91601d8c5d When sysctlbyname fails, free buf before returning.
Submitted by:	Thomas Rix <trix@juniper.net>
Reviewed by:	jhb
Approved by:	sjg (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D9867
2017-06-01 16:44:39 +00:00
Pedro F. Giffuni
efa8af7c73 lib: initial use of reallocarray(3).
Make some use of reallocarray, attempting to limit it to cases where the
parameters are unsigned and there is some theoretical chance of overflow.

MFC afer:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D9980
2017-04-21 19:27:33 +00:00
Brooks Davis
72f0a13e60 Correct an out of bounds read with HN_AUTOSCALE and very large numbers.
The maximum scale is 6 (K, M, G, T, P, E) (B is 0).

Overly large explict scales were checked correctly, but for sufficently
large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
read.

Found with humanize_number_test and CHERI bounds checking.

Reviewed by:	emaste
Obtained from:	CheriBSD
MFC after:	1 week
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D10376
2017-04-13 15:49:32 +00:00
Enji Cooper
279e2af5d1 Document sbuf_hexdump(9) in just sbuf(9)
- Remove duplicate references to sbuf_hexdump(9) from hexdump(3).
  sbuf_hexdump(9) already pointed back to hexdump(3) for implementation
  details.
- Refer to sbuf_hexdump(9) instead of sbuf(9) for completeness

MFC after:	1 week
Reviewed by:	vangyzen (earlier diff)
Sponsored by:	Dell EMC Isilon
Differential Revision:	D9912
2017-03-21 19:10:07 +00:00
Alan Somers
eeda0489ca Increase WARNS for libutil tests
ATF tests have a default WARNS of 0, unlike other usermode programs.

Reviewed by:  ngie, julian
MFC after:    3 weeks
Sponsored by: Spectra Logic Corporation
Differential Revision:        https://reviews.freebsd.org/D9933
2017-03-11 00:09:54 +00:00
Enji Cooper
fa42250152 Correct MLINKS for sbuf_hexdump(9)
sbuf_hexdump(9) should be linked to sbuf(9), not hexdump(3). Another
review will be posted to deduplicate the sbuf_hexdump reference in
in hexdump(3) or at the very least make the information less duplicative.

MFC after:	1 week
X-MFC with:	r313437
Sponsored by:	Dell EMC Isilon
2017-03-03 06:31:47 +00:00