author Kaz Kylheku <kaz@kylheku.com> 2020-04-09 06:18:46 -0700
committer Kaz Kylheku <kaz@kylheku.com> 2020-04-09 06:18:46 -0700
commit 02b83600e20bbf7c61e09c9ad40ff35433da0c74
tree 4f98524019c22c1855e9622cf304524caceff407 /sysif.h
parent dd23b426d1a5c1790a4886201628476bf73fe7b8
repl: improve dotfile security tests.

We test the .txr_history file for bad permissions also, not only .txr_profile. Though commands are not automatically executed out of .txr_history, a user could execute a harmful command due to not noticing the malicious modification.

An additional useful diagnostic is added: if a dotfile is found to have the wrong permission, it's possible that this is due to a poor umask setting. We check for a weak umask and warn the user.

Note: the .txr_history check doesn't use the open stream, therefore it is vulnerable to TOCTTOU race condition: the file looks good, but between the time we verify this and open the file to load it, the file has been replaced by a malicious one.

* parser.c (report_security_problem): New static function, factored out of load_rcfile. Includes umask test.
(load_rcfile): Call report_security_problem if the .txr_profile is writable to others. Also, no need to call stat any more; the path testing function now takes a stream argument.
(repl): Check .txr_history for inappropriate write permissions also and call report_security_problem if so.

* sysif.c (umask_wrap): Change static function to external linkage.

* sysif.c (umask_wrap): Declaration updated.

Diffstat (limited to 'sysif.h')
-rw-r--r-- sysif.h 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sysif.h b/sysif.h
index c2a650c0..08349e5b 100644
--- a/sysif.h
+++ b/sysif.h
@@ -48,6 +48,7 @@ val num_time(time_t time);
#if HAVE_SYS_STAT
struct stat;
val stat_to_struct(struct stat st, val path);
+val umask_wrap(val mask);
#endif
val stat_wrap(val path);
val stdio_ftell(FILE *);
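Review bot: the new umask_wrap prototype is only visible inside the #if HAVE_SYS_STAT block, while stat_wrap on the line after #endif is declared unconditionally. The commit message says report_security_problem in parser.c now includes the umask test, so that call site needs the same HAVE_SYS_STAT guard, or the prototype should move below #endif; otherwise a build without HAVE_SYS_STAT has no declaration in scope. A one-line comment stating what the returned val is and whether the given mask stays in effect would help callers now that the function has external linkage. The ChangeLog entry "Declaration updated" names sysif.c, though this hunk is in sysif.h.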