From 02b83600e20bbf7c61e09c9ad40ff35433da0c74 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Thu, 9 Apr 2020 06:18:46 -0700
Subject: repl: improve dotfile security tests.

We test the .txr_history file for bad permissions also, not only .txr_profile. Though commands are not automatically executed out of .txr_history, a user could execute a harmful command due to not noticing the malicious modification.

An additional useful diagnostic is added: if a dotfile is found to have the wrong permission, it's possible that this is due to a poor umask setting. We check for a weak umask and warn the user.

Note: the .txr_history check doesn't use the open stream, therefore it is vulnerable to a TOCTTOU race condition: the file looks good, but between the time we verify this and open the file to load it, the file has been replaced by a malicious one.

* parser.c (report_security_problem): New static function, factored out of load_rcfile. Includes umask test.
(load_rcfile): Call report_security_problem if the .txr_profile is writable to others. Also, no need to call stat any more; the path testing function now takes a stream argument.
(repl): Check .txr_history for inappropriate write permissions also and call report_security_problem if so.

* sysif.c (umask_wrap): Change static function to external linkage.

* sysif.c (umask_wrap): Declaration updated.
---
 sysif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sysif.c')

diff --git a/sysif.c b/sysif.c index 6b646d9c..40dec6f0 100644 --- a/sysif.c +++ b/sysif.c @@ -1246,7 +1246,7 @@ static val wrap_lutimes(val target, val atime, val atimens, #if HAVE_SYS_STAT -static val umask_wrap(val mask) +val umask_wrap(val mask) { if (missingp(mask)) { mode_t m = umask(0777); -- cgit v1.2.3
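Review bot: Dropping `static` from `umask_wrap` gives it external linkage so parser.c can call it, but the only change visible in this view is the definition in sysif.c, and the ChangeLog entry lists sysif.c twice where the second entry ("Declaration updated") presumably refers to the header; please confirm a matching prototype `val umask_wrap(val mask);` lands in the exported header in the same commit, otherwise parser.c compiles against an implicit or missing declaration and the -Wmissing-prototypes warning for the now-external definition will fire. Also worth a comment on the context line `mode_t m = umask(0777);`: reading the current mask this way briefly sets the process umask to 0777, so any file created by another thread in that window gets no permission bits, which is acceptable for a single-threaded REPL startup check but should be documented where this function is now exposed for wider use.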