diff options
author | Thomas Haller <thaller@redhat.com> | 2018-09-27 12:58:58 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2018-10-04 10:58:50 +0200 |
commit | df148096f79621fb508416563ccbb76098f0a923 (patch) | |
tree | 8ec6c7bdc9c9821fff3027b306b8f35e5417d83e | |
parent | cdcfddf92395ae8ade6fed57edec51272af07257 (diff) |
keyfile: move file permission check of keyfile to helper function
-rw-r--r-- | src/settings/plugins/keyfile/nms-keyfile-reader.c | 25 | ||||
-rw-r--r-- | src/settings/plugins/keyfile/nms-keyfile-utils.c | 60 | ||||
-rw-r--r-- | src/settings/plugins/keyfile/nms-keyfile-utils.h | 8 |
3 files changed, 72 insertions, 21 deletions
diff --git a/src/settings/plugins/keyfile/nms-keyfile-reader.c b/src/settings/plugins/keyfile/nms-keyfile-reader.c index 71578686c..4d61ebb45 100644 --- a/src/settings/plugins/keyfile/nms-keyfile-reader.c +++ b/src/settings/plugins/keyfile/nms-keyfile-reader.c @@ -28,6 +28,7 @@ #include "nm-keyfile-internal.h" #include "NetworkManagerUtils.h" +#include "nms-keyfile-utils.h" /*****************************************************************************/ @@ -116,31 +117,13 @@ NMConnection * nms_keyfile_reader_from_file (const char *filename, GError **error) { gs_unref_keyfile GKeyFile *key_file = NULL; - struct stat statbuf; NMConnection *connection = NULL; GError *verify_error = NULL; - if (stat (filename, &statbuf) != 0 || !S_ISREG (statbuf.st_mode)) { - g_set_error_literal (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, - "File did not exist or was not a regular file"); + if (!nms_keyfile_utils_check_file_permissions (filename, + NULL, + error)) return NULL; - } - - if (!NM_FLAGS_HAS (nm_utils_get_testing (), NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK)) { - if (statbuf.st_mode & 0077) { - g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, - "File permissions (%o) were insecure", - statbuf.st_mode); - return NULL; - } - - if (statbuf.st_uid != 0) { - g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, - "File owner (%o) is insecure", - statbuf.st_mode); - return NULL; - } - } key_file = g_key_file_new (); if (!g_key_file_load_from_file (key_file, filename, G_KEY_FILE_NONE, error)) diff --git a/src/settings/plugins/keyfile/nms-keyfile-utils.c b/src/settings/plugins/keyfile/nms-keyfile-utils.c index 03f06670f..2a183d2f1 100644 --- a/src/settings/plugins/keyfile/nms-keyfile-utils.c +++ b/src/settings/plugins/keyfile/nms-keyfile-utils.c @@ -24,6 +24,7 @@ #include <stdlib.h> #include <string.h> +#include <sys/stat.h> #include "nm-setting-wired.h" #include "nm-setting-wireless.h" @@ -113,6 +114,65 @@ nms_keyfile_utils_should_ignore_file (const char *filename) return FALSE; } +/*****************************************************************************/ + +gboolean +nms_keyfile_utils_check_file_permissions_stat (const struct stat *st, + GError **error) +{ + g_return_val_if_fail (st, FALSE); + + if (!S_ISREG (st->st_mode)) { + g_set_error_literal (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, + "file is not a regular file"); + return FALSE; + } + + if (!NM_FLAGS_HAS (nm_utils_get_testing (), NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK)) { + if (st->st_uid != 0) { + g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, + "File owner (%lld) is insecure", + (long long) st->st_uid); + return FALSE; + } + + if (st->st_mode & 0077) { + g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, + "File permissions (%03o) are insecure", + st->st_mode); + return FALSE; + } + } + + return TRUE; +} + +gboolean +nms_keyfile_utils_check_file_permissions (const char *filename, + struct stat *out_st, + GError **error) +{ + struct stat st; + int errsv; + + g_return_val_if_fail (filename && filename[0] == '/', FALSE); + + if (stat (filename, &st) != 0) { + errsv = errno; + g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION, + "cannot access file: %s", g_strerror (errsv)); + return FALSE; + } + + if (!nms_keyfile_utils_check_file_permissions_stat (&st, error)) + return FALSE; + + NM_SET_OUT (out_st, st); + return TRUE; +} + +/*****************************************************************************/ + char * nms_keyfile_utils_escape_filename (const char *filename) { diff --git a/src/settings/plugins/keyfile/nms-keyfile-utils.h b/src/settings/plugins/keyfile/nms-keyfile-utils.h index ec3bd4414..13a3eb009 100644 --- a/src/settings/plugins/keyfile/nms-keyfile-utils.h +++ b/src/settings/plugins/keyfile/nms-keyfile-utils.h @@ -37,4 +37,12 @@ char *nms_keyfile_utils_escape_filename (const char *filename); const char *nms_keyfile_utils_get_path (void); +struct stat; +gboolean nms_keyfile_utils_check_file_permissions_stat (const struct stat *st, + GError **error); + +gboolean nms_keyfile_utils_check_file_permissions (const char *filename, + struct stat *out_st, + GError **error); + #endif /* __NMS_KEYFILE_UTILS_H__ */ |