fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-05 03:20:18 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

keyfile: move file permission check of keyfile to helper function

Browse source
This commit is contained in:
Thomas Haller 2018-09-27 12:58:58 +02:00
parent 2e0a95530f
commit 345c91a0a4
3 changed files with 72 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
src/settings/plugins/keyfile/nms-keyfile-reader.c
View file

@ -28,6 +28,7 @@
#include "nm-keyfile-internal.h"
#include "NetworkManagerUtils.h"
#include "nms-keyfile-utils.h"
/*****************************************************************************/
@ -116,31 +117,13 @@ NMConnection *
nms_keyfile_reader_from_file (const char *filename, GError **error)
{
gs_unref_keyfile GKeyFile *key_file = NULL;
struct stat statbuf;
NMConnection *connection = NULL;
GError *verify_error = NULL;
if (stat (filename, &statbuf) != 0 || !S_ISREG (statbuf.st_mode)) {
g_set_error_literal (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"File did not exist or was not a regular file");
if (!nms_keyfile_utils_check_file_permissions (filename,
NULL,
error))
return NULL;
}
if (!NM_FLAGS_HAS (nm_utils_get_testing (), NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK)) {
if (statbuf.st_mode & 0077) {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"File permissions (%o) were insecure",
statbuf.st_mode);
return NULL;
}
if (statbuf.st_uid != 0) {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"File owner (%o) is insecure",
statbuf.st_mode);
return NULL;
}
}
key_file = g_key_file_new ();
if (!g_key_file_load_from_file (key_file, filename, G_KEY_FILE_NONE, error))

60
src/settings/plugins/keyfile/nms-keyfile-utils.c
View file

@ -24,6 +24,7 @@
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include "nm-setting-wired.h"
#include "nm-setting-wireless.h"
@ -113,6 +114,65 @@ nms_keyfile_utils_should_ignore_file (const char *filename)
return FALSE;
}
/*****************************************************************************/
gboolean
nms_keyfile_utils_check_file_permissions_stat (const struct stat *st,
GError **error)
{
g_return_val_if_fail (st, FALSE);
if (!S_ISREG (st->st_mode)) {
g_set_error_literal (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"file is not a regular file");
return FALSE;
}
if (!NM_FLAGS_HAS (nm_utils_get_testing (), NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK)) {
if (st->st_uid != 0) {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"File owner (%lld) is insecure",
(long long) st->st_uid);
return FALSE;
}
if (st->st_mode & 0077) {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"File permissions (%03o) are insecure",
st->st_mode);
return FALSE;
}
}
return TRUE;
}
gboolean
nms_keyfile_utils_check_file_permissions (const char *filename,
struct stat *out_st,
GError **error)
{
struct stat st;
int errsv;
g_return_val_if_fail (filename && filename[0] == '/', FALSE);
if (stat (filename, &st) != 0) {
errsv = errno;
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
"cannot access file: %s", g_strerror (errsv));
return FALSE;
}
if (!nms_keyfile_utils_check_file_permissions_stat (&st, error))
return FALSE;
NM_SET_OUT (out_st, st);
return TRUE;
}
/*****************************************************************************/
char *
nms_keyfile_utils_escape_filename (const char *filename)
{

8
src/settings/plugins/keyfile/nms-keyfile-utils.h
View file

@ -37,4 +37,12 @@ char *nms_keyfile_utils_escape_filename (const char *filename);
const char *nms_keyfile_utils_get_path (void);
struct stat;
gboolean nms_keyfile_utils_check_file_permissions_stat (const struct stat *st,
GError **error);
gboolean nms_keyfile_utils_check_file_permissions (const char *filename,
struct stat *out_st,
GError **error);
#endif /* __NMS_KEYFILE_UTILS_H__ */