127 lines
4.2 KiB
Diff
127 lines
4.2 KiB
Diff
From 48bc217a9e0cc5c6ad494cff925185912740dbb4 Mon Sep 17 00:00:00 2001
|
|
From: Kamil Dudka <kdudka@redhat.com>
|
|
Date: Tue, 4 Apr 2017 09:29:31 +0200
|
|
Subject: [PATCH] backup: prevent a symlink attack by operating on the file
|
|
descriptor
|
|
|
|
Use futimens() instead of utime() to change the timestamps on a backup
|
|
file. Otherwise, a non-privileged user could create an arbitrary symlink
|
|
with the name of the backup file and in this way fool a privileged user
|
|
to call utime() on the attacker-chosen file.
|
|
|
|
Upstream-commit: 70bcf752dcc82d1eed04ba4f900ed69ce2b97500
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
src/files.c | 24 ++++++++++++++----------
|
|
src/proto.h | 2 +-
|
|
2 files changed, 15 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/src/files.c b/src/files.c
|
|
index 033b963..df2627c 100644
|
|
--- a/src/files.c
|
|
+++ b/src/files.c
|
|
@@ -1541,12 +1541,14 @@ void init_backup_dir(void)
|
|
|
|
/* Read from inn, write to out. We assume inn is opened for reading,
|
|
* and out for writing. We return 0 on success, -1 on read error, or -2
|
|
- * on write error. */
|
|
-int copy_file(FILE *inn, FILE *out)
|
|
+ * on write error. inn is always closed by this function, out is closed
|
|
+ * only if close_out is true. */
|
|
+int copy_file(FILE *inn, FILE *out, bool close_out)
|
|
{
|
|
int retval = 0;
|
|
char buf[BUFSIZ];
|
|
size_t charsread;
|
|
+ int (*flush_out_fnc)(FILE *) = (close_out) ? fclose : fflush;
|
|
|
|
assert(inn != NULL && out != NULL && inn != out);
|
|
|
|
@@ -1564,7 +1566,7 @@ int copy_file(FILE *inn, FILE *out)
|
|
|
|
if (fclose(inn) == EOF)
|
|
retval = -1;
|
|
- if (fclose(out) == EOF)
|
|
+ if (flush_out_fnc(out) == EOF)
|
|
retval = -2;
|
|
|
|
return retval;
|
|
@@ -1655,13 +1657,13 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
int backup_fd;
|
|
FILE *backup_file;
|
|
char *backupname;
|
|
- struct utimbuf filetime;
|
|
+ static struct timespec filetime[2];
|
|
int copy_status;
|
|
int backup_cflags;
|
|
|
|
/* Save the original file's access and modification times. */
|
|
- filetime.actime = openfile->current_stat->st_atime;
|
|
- filetime.modtime = openfile->current_stat->st_mtime;
|
|
+ filetime[0].tv_sec = openfile->current_stat->st_atime;
|
|
+ filetime[1].tv_sec = openfile->current_stat->st_mtime;
|
|
|
|
if (f_open == NULL) {
|
|
/* Open the original file to copy to the backup. */
|
|
@@ -1790,7 +1792,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
#endif
|
|
|
|
/* Copy the file. */
|
|
- copy_status = copy_file(f, backup_file);
|
|
+ copy_status = copy_file(f, backup_file, FALSE);
|
|
|
|
if (copy_status != 0) {
|
|
statusline(ALERT, _("Error reading %s: %s"), realname,
|
|
@@ -1799,7 +1801,8 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
}
|
|
|
|
/* And set its metadata. */
|
|
- if (utime(backupname, &filetime) == -1 && !ISSET(INSECURE_BACKUP)) {
|
|
+ if (futimens(backup_fd, filetime) == -1 && !ISSET(INSECURE_BACKUP)) {
|
|
+ fclose(backup_file);
|
|
if (prompt_failed_backupwrite(backupname))
|
|
goto skip_backup;
|
|
statusline(HUSH, _("Error writing backup file %s: %s"),
|
|
@@ -1811,6 +1814,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
goto cleanup_and_exit;
|
|
}
|
|
|
|
+ fclose(backup_file);
|
|
free(backupname);
|
|
}
|
|
|
|
@@ -1867,7 +1871,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
}
|
|
}
|
|
|
|
- if (f_source == NULL || copy_file(f_source, f) != 0) {
|
|
+ if (f_source == NULL || copy_file(f_source, f, TRUE) != 0) {
|
|
statusline(ALERT, _("Error writing temp file: %s"),
|
|
strerror(errno));
|
|
unlink(tempname);
|
|
@@ -1975,7 +1979,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
goto cleanup_and_exit;
|
|
}
|
|
|
|
- if (copy_file(f_source, f) == -1) {
|
|
+ if (copy_file(f_source, f, TRUE) == -1) {
|
|
statusline(ALERT, _("Error writing %s: %s"), realname,
|
|
strerror(errno));
|
|
goto cleanup_and_exit;
|
|
diff --git a/src/proto.h b/src/proto.h
|
|
index 0250ad6..d8255a9 100644
|
|
--- a/src/proto.h
|
|
+++ b/src/proto.h
|
|
@@ -298,7 +298,7 @@ void init_backup_dir(void);
|
|
int delete_lockfile(const char *lockfilename);
|
|
int write_lockfile(const char *lockfilename, const char *origfilename, bool modified);
|
|
#endif
|
|
-int copy_file(FILE *inn, FILE *out);
|
|
+int copy_file(FILE *inn, FILE *out, bool close_out);
|
|
bool write_file(const char *name, FILE *f_open, bool tmp,
|
|
kind_of_writing_type method, bool nonamechange);
|
|
#ifndef NANO_TINY
|
|
--
|
|
2.9.3
|
|
|