author | Kaz Kylheku <kaz@kylheku.com> | 2020-04-09 06:18:46 -0700 |
---|---|---|
committer | Kaz Kylheku <kaz@kylheku.com> | 2020-04-09 06:18:46 -0700 |
commit | 02b83600e20bbf7c61e09c9ad40ff35433da0c74 (patch) | |
tree | 4f98524019c22c1855e9622cf304524caceff407 /sysif.c | |
parent | dd23b426d1a5c1790a4886201628476bf73fe7b8 (diff) | |
download | txr-02b83600e20bbf7c61e09c9ad40ff35433da0c74.tar.gz txr-02b83600e20bbf7c61e09c9ad40ff35433da0c74.tar.bz2 txr-02b83600e20bbf7c61e09c9ad40ff35433da0c74.zip |
repl: improve dotfile security tests.

We test the .txr_history file for bad permissions also, not
only .txr_profile. Though commands are not automatically
executed out of .txr_history, a user could execute a harmful
command due to not noticing the malicious modification.

An additional useful diagnostic is added: if a dotfile is
found to have the wrong permission, it's possible that this is
due to a poor umask setting. We check for a weak umask and
warn the user.

Note: the .txr_history check doesn't use the open stream,
therefore it is vulnerable to TOCTTOU race condition:
the file looks good, but between the time we verify this
and open the file to load it, the file has been replaced
by a malicious one.

* parser.c (report_security_problem): New static function,
factored out of load_rcfile. Includes umask test.
(load_rcfile): Call report_security_problem if the
.txr_profile is writable to others. Also, no need to call stat
any more; the path testing function now takes a stream
argument.
(repl): Check .txr_history for inappropriate write permissions
also and call report_security_problem if so.

* sysif.c (umask_wrap): Change static function to external
linkage.

* sysif.c (umask_wrap): Declaration updated.
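
The commit message contrasts a permission check made on the open stream with one made by path, which leaves the TOCTTOU window it describes. The following C program is an added example, not TXR's code: it opens the dotfile first, tests the descriptor with fstat, and includes a umask test. The function names and the policy (any group or other write bit is a problem; a umask that leaves either bit unmasked is weak) are assumptions.

```c
/* Added example, not TXR source; names and policy are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* umask() can only be read by setting it: set, then restore at once. */
static mode_t current_umask(void)
{
  mode_t m = umask(0777);
  umask(m);
  return m;
}

/* Assumed policy: weak if new files may get group or other write. */
int umask_is_weak(mode_t m)
{
  return (m & (S_IWGRP | S_IWOTH)) != (S_IWGRP | S_IWOTH);
}

/* Open first, then inspect the descriptor. fstat() describes the file
   that will actually be read, so swapping the path after the check
   cannot change the verdict. Returns an fd, or -1 if refused. */
int open_private_dotfile(const char *path)
{
  struct stat st;
  int fd = open(path, O_RDONLY);

  if (fd < 0)
    return -1;
  if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
      (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
    close(fd);
    return -1;
  }
  return fd;
}

int main(void)
{
  int fd = open_private_dotfile(".txr_history");
  if (fd < 0)
    fprintf(stderr, "history missing or unsafe%s\n",
            umask_is_weak(current_umask()) ? "; umask is weak" : "");
  else
    close(fd);
  return 0;
}
```

The caller must keep reading from the returned descriptor; reopening the path after the check brings the race back.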
Diffstat (limited to 'sysif.c')
-rw-r--r-- | sysif.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -1246,7 +1246,7 @@ static val wrap_lutimes(val target, val atime, val atimens, #if HAVE_SYS_STAT -static val umask_wrap(val mask) +val umask_wrap(val mask) { if (missingp(mask)) { mode_t m = umask(0777); |
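Review bot: the definition of umask_wrap stays inside `#if HAVE_SYS_STAT` while the function becomes callable from other files, so the new caller named in the commit message (report_security_problem in parser.c) needs the same guard or a fallback, otherwise a build without that feature fails at link time. The missing-argument path visible here reads the mask by calling `umask(0777)`, which changes the process-wide mask for a moment; now that the function is part of the internal interface, a short comment above it on that side effect would help callers. The commit message lists the declaration update under sysif.c a second time, while the diffstat for this file shows only the one-line definition change, so it is worth confirming which file carries the declaration.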