1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

gpg: Re-add checking of config file permissions.

* g10/gpg.c (main): Re-add permission checking of the user config
file.  Re-add code to check against the SE-Linux secured file list.
(get_default_configname): Remove unused func.
* configure.ac (SAFE_VERSION, SAFE_VERSION_DOT)
(SAFE_VERSION_DASH): Remove.
--

Die to the switch to the new option parser, the permissions were not
anymore checked.  This patch fixes this.  Note that there there is no
checking for the global config file because that file is not expected
to be user modifiable.

This patch also adds checking against the list of SE-linux secured
files.  However, like in the old code the checking does not work in
practise because the to be checked files are added to the the list
only after option parsing.  Tested using temporary debug code.

The SAFE_VERSION macros were used for RISC OS, which is not anymore
supported, and only in the now removed get_default_configname.  There
purpose was that a RISC OS could use a modified config.h here.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-02-25 12:11:57 +01:00
parent 833c04334a
commit 7e8f28653c
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 18 additions and 106 deletions

View File

@ -495,14 +495,6 @@ AH_BOTTOM([
#define EXEEXT_S ""
#endif
/* This is the same as VERSION, but should be overridden if the
platform cannot handle things like dots '.' in filenames. Set
SAFE_VERSION_DOT and SAFE_VERSION_DASH to whatever SAFE_VERSION
uses for dots and dashes. */
#define SAFE_VERSION VERSION
#define SAFE_VERSION_DOT '.'
#define SAFE_VERSION_DASH '-'
/* Some global constants.
* Note that the homedir must not end in a slash. */
#ifdef HAVE_DOSISH_SYSTEM

116
g10/gpg.c
View File

@ -2272,64 +2272,6 @@ gpg_deinit_default_ctrl (ctrl_t ctrl)
}
char *
get_default_configname (void)
{
char *configname = NULL;
char *name = xstrdup (GPG_NAME EXTSEP_S "conf-" SAFE_VERSION);
char *ver = &name[strlen (GPG_NAME EXTSEP_S "conf-")];
do
{
if (configname)
{
char *tok;
xfree (configname);
configname = NULL;
if ((tok = strrchr (ver, SAFE_VERSION_DASH)))
*tok='\0';
else if ((tok = strrchr (ver, SAFE_VERSION_DOT)))
*tok='\0';
else
break;
}
configname = make_filename (gnupg_homedir (), name, NULL);
}
while (access (configname, R_OK));
xfree(name);
if (! configname)
configname = make_filename (gnupg_homedir (),
GPG_NAME EXTSEP_S "conf", NULL);
if (! access (configname, R_OK))
{
/* Print a warning when both config files are present. */
char *p = make_filename (gnupg_homedir (), "options", NULL);
if (! access (p, R_OK))
log_info (_("Note: old default options file '%s' ignored\n"), p);
xfree (p);
}
else
{
/* Use the old default only if it exists. */
char *p = make_filename (gnupg_homedir (), "options", NULL);
if (!access (p, R_OK))
{
xfree (configname);
configname = p;
}
else
xfree (p);
}
return configname;
}
int
main (int argc, char **argv)
{
@ -2581,46 +2523,6 @@ main (int argc, char **argv)
gpgrt_set_confdir (GPGRT_CONFDIR_SYS, gnupg_sysconfdir ());
gpgrt_set_confdir (GPGRT_CONFDIR_USER, gnupg_homedir ());
/* if( configname ) { */
/* FIXME: Add callback to check config file permissions. */
/* if(check_permissions(configname,1)) */
/* { */
/* /\* If any options file is unsafe, then disable any external */
/* programs for keyserver calls or photo IDs. Since the */
/* external program to call is set in the options file, a */
/* unsafe options file can lead to an arbitrary program */
/* being run. *\/ */
/* opt.exec_disable=1; */
/* } */
/* configlineno = 0; */
/* configfp = fopen( configname, "r" ); */
/* if (configfp && is_secured_file (fileno (configfp))) */
/* { */
/* fclose (configfp); */
/* configfp = NULL; */
/* gpg_err_set_errno (EPERM); */
/* } */
/* if( !configfp ) { */
/* if( default_config ) { */
/* if( parse_debug ) */
/* log_info(_("Note: no default option file '%s'\n"), */
/* configname ); */
/* } */
/* else { */
/* log_error(_("option file '%s': %s\n"), */
/* configname, strerror(errno) ); */
/* g10_exit(2); */
/* } */
/* xfree(configname); configname = NULL; */
/* } */
/* if( parse_debug && configname ) */
/* log_info(_("reading options from '%s'\n"), configname ); */
/* default_config = 0; */
/* } */
while (gpgrt_argparser (&pargs, opts, GPG_NAME EXTSEP_S "conf" ))
{
switch (pargs.r_opt)
@ -2634,6 +2536,24 @@ main (int argc, char **argv)
xfree (last_configname);
last_configname = xstrdup (pargs.r.ret_str);
configname = last_configname;
if (is_secured_filename (configname))
{
pargs.r_opt = ARGPARSE_PERMISSION_ERROR;
pargs.err = ARGPARSE_PRINT_ERROR;
}
else if (strncmp (configname, gnupg_sysconfdir (),
strlen (gnupg_sysconfdir ())))
{
/* This is not the global config file and thus we
* need to check the permissions: If the file is
* unsafe, then disable any external programs for
* keyserver calls or photo IDs. Since the
* external program to call is set in the options
* file, a unsafe options file can lead to an
* arbitrary program being run. */
if (check_permissions (configname, 1))
opt.exec_disable=1;
}
}
else
configname = NULL;