gpg: Re-add checking of config file permissions.

* g10/gpg.c (main): Re-add permission checking of the user config file. Re-add code to check against the SE-Linux secured file list. (get_default_configname): Remove unused func. * configure.ac (SAFE_VERSION, SAFE_VERSION_DOT) (SAFE_VERSION_DASH): Remove. -- Die to the switch to the new option parser, the permissions were not anymore checked. This patch fixes this. Note that there there is no checking for the global config file because that file is not expected to be user modifiable. This patch also adds checking against the list of SE-linux secured files. However, like in the old code the checking does not work in practise because the to be checked files are added to the the list only after option parsing. Tested using temporary debug code. The SAFE_VERSION macros were used for RISC OS, which is not anymore supported, and only in the now removed get_default_configname. There purpose was that a RISC OS could use a modified config.h here. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-02-25 12:11:57 +01:00 · 2020-02-25 12:11:57 +01:00 · 7e8f28653c
commit 7e8f28653c
parent 833c04334a
2 changed files with 18 additions and 106 deletions
--- a/g10/gpg.c
+++ b/g10/gpg.c
@ -2272,64 +2272,6 @@ gpg_deinit_default_ctrl (ctrl_t ctrl)
 }


-char *
-get_default_configname (void)
-{
-  char *configname = NULL;
-  char *name = xstrdup (GPG_NAME EXTSEP_S "conf-" SAFE_VERSION);
-  char *ver = &name[strlen (GPG_NAME EXTSEP_S "conf-")];
-
-  do
-    {
-      if (configname)
-	{
-	  char *tok;
-
-	  xfree (configname);
-	  configname = NULL;
-
-	  if ((tok = strrchr (ver, SAFE_VERSION_DASH)))
-	    *tok='\0';
-	  else if ((tok = strrchr (ver, SAFE_VERSION_DOT)))
-	    *tok='\0';
-	  else
-	    break;
-	}
-
-      configname = make_filename (gnupg_homedir (), name, NULL);
-    }
-  while (access (configname, R_OK));
-
-  xfree(name);
-
-  if (! configname)
-    configname = make_filename (gnupg_homedir (),
-                                GPG_NAME EXTSEP_S "conf", NULL);
-  if (! access (configname, R_OK))
-    {
-      /* Print a warning when both config files are present.  */
-      char *p = make_filename (gnupg_homedir (), "options", NULL);
-      if (! access (p, R_OK))
-	log_info (_("Note: old default options file '%s' ignored\n"), p);
-      xfree (p);
-    }
-  else
-    {
-      /* Use the old default only if it exists.  */
-      char *p = make_filename (gnupg_homedir (), "options", NULL);
-      if (!access (p, R_OK))
-	{
-	  xfree (configname);
-	  configname = p;
-	}
-      else
-	xfree (p);
-    }
-
-  return configname;
-}
-
-
 int
 main (int argc, char **argv)
 {
@ -2581,46 +2523,6 @@ main (int argc, char **argv)
    gpgrt_set_confdir (GPGRT_CONFDIR_SYS, gnupg_sysconfdir ());
    gpgrt_set_confdir (GPGRT_CONFDIR_USER, gnupg_homedir ());

-
-    /* if( configname ) { */
-    /* FIXME: Add callback to check config file permissions.  */
-    /*   if(check_permissions(configname,1)) */
-    /*     { */
-    /*       /\* If any options file is unsafe, then disable any external */
-    /*          programs for keyserver calls or photo IDs.  Since the */
-    /*          external program to call is set in the options file, a */
-    /*          unsafe options file can lead to an arbitrary program */
-    /*          being run. *\/ */
-
-    /*       opt.exec_disable=1; */
-    /*     } */
-
-    /*     configlineno = 0; */
-    /*     configfp = fopen( configname, "r" ); */
-    /*     if (configfp && is_secured_file (fileno (configfp))) */
-    /*       { */
-    /*         fclose (configfp); */
-    /*         configfp = NULL; */
-    /*         gpg_err_set_errno (EPERM); */
-    /*       } */
-    /*     if( !configfp ) { */
-    /*         if( default_config ) { */
-    /*     	if( parse_debug ) */
-    /*     	    log_info(_("Note: no default option file '%s'\n"), */
-    /*     						    configname ); */
-    /*         } */
-    /*         else { */
-    /*     	log_error(_("option file '%s': %s\n"), */
-    /*     			    configname, strerror(errno) ); */
-    /*     	g10_exit(2); */
-    /*         } */
-    /*         xfree(configname); configname = NULL; */
-    /*     } */
-    /*     if( parse_debug && configname ) */
-    /*         log_info(_("reading options from '%s'\n"), configname ); */
-    /*     default_config = 0; */
-    /* } */
-
    while (gpgrt_argparser (&pargs, opts, GPG_NAME EXTSEP_S "conf" ))
      {
 	switch (pargs.r_opt)
@ -2634,6 +2536,24 @@ main (int argc, char **argv)
                xfree (last_configname);
                last_configname = xstrdup (pargs.r.ret_str);
                configname = last_configname;
+                if (is_secured_filename (configname))
+                  {
+                    pargs.r_opt = ARGPARSE_PERMISSION_ERROR;
+                    pargs.err = ARGPARSE_PRINT_ERROR;
+                  }
+                else if (strncmp (configname, gnupg_sysconfdir (),
+                                  strlen (gnupg_sysconfdir ())))
+                  {
+                    /* This is not the global config file and thus we
+                     * need to check the permissions: If the file is
+                     * unsafe, then disable any external programs for
+                     * keyserver calls or photo IDs.  Since the
+                     * external program to call is set in the options
+                     * file, a unsafe options file can lead to an
+                     * arbitrary program being run. */
+                    if (check_permissions (configname, 1))
+                      opt.exec_disable=1;
+                  }
              }
            else
              configname = NULL;