authorKaz Kylheku <kaz@kylheku.com>2022-07-30 12:09:51 -0700
committerKaz Kylheku <kaz@kylheku.com>2022-07-30 12:09:51 -0700
commit49255506f37ba61514c55b2f8bd6515ba1cae3c3 (patch)
treef7e1fefba40b1bfebfcdd35e65f7078e43039242 /stdlib
parent9650fbc008dd1aaf10967ef367e5feb08f98937a (diff)
path-components-safe: tighten /proc check
Attacks are possible via /proc/<pid>/fd/<n> involving a deleted file, whereby the link target changes from "/path/to/file" to "/path/to/file (deleted)". This can be perpetrated by a different user, unrelated to process <pid>, who has permission to perform unlink("/path/to/file"). * stdlib/path-test.tl (safe-abs-path): Perform the pattern check regardless of effective user ID. * tests/018/path-safe.tl: Test cases adjusted.
Diffstat (limited to 'stdlib')
-rw-r--r--stdlib/path-test.tl29
1 files changed, 14 insertions, 15 deletions
diff --git a/stdlib/path-test.tl b/stdlib/path-test.tl
index c0b4ea3e..55b5e842 100644
--- a/stdlib/path-test.tl
+++ b/stdlib/path-test.tl
@@ -183,21 +183,20 @@
(defun safe-abs-path (comps)
(flet ((digstr (s) [all s chr-isdigit]))
(let ((safe t))
- (if (zerop (geteuid))
- (when-match ("proc" @(or @(digstr) "self") . @rest)
- (path-simplify comps)
- (match-case rest
- (@(or ("cwd" . @nil)
- ("root" . @nil)
- ("map_files" . @nil)
- ("fd" @(digstr) . @nil))
- (zap safe))
- (("task" @(digstr) . @trest)
- (match-case trest
- (@(or ("cwd" . @nil)
- ("root" . @nil)
- ("fd" @(digstr) . @nil))
- (zap safe)))))))
+ (when-match ("proc" @(or @(digstr) "self") . @rest)
+ (path-simplify comps)
+ (match-case rest
+ (@(or ("cwd" . @nil)
+ ("root" . @nil)
+ ("map_files" . @nil)
+ ("fd" @(digstr) . @nil))
+ (zap safe))
+ (("task" @(digstr) . @trest)
+ (match-case trest
+ (@(or ("cwd" . @nil)
+ ("root" . @nil)
+ ("fd" @(digstr) . @nil))
+ (zap safe))))))
safe)))
(defun path-components-safe (path)
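Review bot: The rewritten `(or ...)` alternatives in the `match-case` on `rest` still omit the `exe` magic link, although the rationale given for dropping the euid guard (an unrelated user who can unlink the target makes the link text change to "... (deleted)") appears to apply to `/proc/<pid>/exe` just as it does to `cwd`, `root` and `fd/<n>`; adding `("exe" . @nil)` to that `or`, and to the one under `task`, would close that gap if the same threat model is intended. Likewise the outer `when-match` accepts only a digit string or `"self"`, so a path through `/proc/thread-self/...` (a link into `<pid>/task/<tid>/`) bypasses the check; `@(or @(digstr) "self" "thread-self")` would cover it. Since the code no longer consults `geteuid`, a short comment above the `when-match` along the lines of `;; Checked for every user: the link target of /proc/<pid>/fd/<n> etc. can be changed by an unrelated user via unlink()` would keep the reason visible next to the code rather than only in the commit history. The whole of `safe-abs-path` lies within the hunk; the rendered lines have lost their indentation, so the quoted forms should be placed by structure, not column.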