summaryrefslogtreecommitdiff
path: root/src/settings/plugins/keyfile/nms-keyfile-utils.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/settings/plugins/keyfile/nms-keyfile-utils.c')
-rw-r--r--src/settings/plugins/keyfile/nms-keyfile-utils.c60
1 files changed, 60 insertions, 0 deletions
diff --git a/src/settings/plugins/keyfile/nms-keyfile-utils.c b/src/settings/plugins/keyfile/nms-keyfile-utils.c
index 03f06670f..2a183d2f1 100644
--- a/src/settings/plugins/keyfile/nms-keyfile-utils.c
+++ b/src/settings/plugins/keyfile/nms-keyfile-utils.c
@@ -24,6 +24,7 @@
#include <stdlib.h>
#include <string.h>
+#include <sys/stat.h>
#include "nm-setting-wired.h"
#include "nm-setting-wireless.h"
@@ -113,6 +114,65 @@ nms_keyfile_utils_should_ignore_file (const char *filename)
return FALSE;
}
+/*****************************************************************************/
+
+gboolean
+nms_keyfile_utils_check_file_permissions_stat (const struct stat *st,
+ GError **error)
+{
+ g_return_val_if_fail (st, FALSE);
+
+ if (!S_ISREG (st->st_mode)) {
+ g_set_error_literal (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
+ "file is not a regular file");
+ return FALSE;
+ }
+
+ if (!NM_FLAGS_HAS (nm_utils_get_testing (), NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK)) {
+ if (st->st_uid != 0) {
+ g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
+ "File owner (%lld) is insecure",
+ (long long) st->st_uid);
+ return FALSE;
+ }
+
+ if (st->st_mode & 0077) {
+ g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
+ "File permissions (%03o) are insecure",
+ st->st_mode);
+ return FALSE;
+ }
+ }
+
+ return TRUE;
+}
+
+gboolean
+nms_keyfile_utils_check_file_permissions (const char *filename,
+ struct stat *out_st,
+ GError **error)
+{
+ struct stat st;
+ int errsv;
+
+ g_return_val_if_fail (filename && filename[0] == '/', FALSE);
+
+ if (stat (filename, &st) != 0) {
+ errsv = errno;
+ g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
+ "cannot access file: %s", g_strerror (errsv));
+ return FALSE;
+ }
+
+ if (!nms_keyfile_utils_check_file_permissions_stat (&st, error))
+ return FALSE;
+
+ NM_SET_OUT (out_st, st);
+ return TRUE;
+}
+
+/*****************************************************************************/
+
char *
nms_keyfile_utils_escape_filename (const char *filename)
{
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-05 11:03:31 +0000