libauth: open internal file-descriptors with OCEXEC flag
parent
f341ae8c77
commit
f433f1426b
8 changed files with 24 additions and 22 deletions
|
@ -23,7 +23,7 @@ auth_challenge(char *fmt, ...)
|
||||||
return nil;
|
return nil;
|
||||||
}
|
}
|
||||||
|
|
||||||
if((c->afd = open("/mnt/factotum/rpc", ORDWR)) < 0){
|
if((c->afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC)) < 0){
|
||||||
Error:
|
Error:
|
||||||
auth_freechal(c);
|
auth_freechal(c);
|
||||||
free(p);
|
free(p);
|
||||||
|
|
|
@ -16,7 +16,7 @@ auth_chuid(AuthInfo *ai, char *ns)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* change uid */
|
/* change uid */
|
||||||
fd = open("#¤/capuse", OWRITE);
|
fd = open("#¤/capuse", OWRITE|OCEXEC);
|
||||||
if(fd < 0){
|
if(fd < 0){
|
||||||
werrstr("opening #¤/capuse: %r");
|
werrstr("opening #¤/capuse: %r");
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -29,10 +29,10 @@ auth_chuid(AuthInfo *ai, char *ns)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* get a link to factotum as new user */
|
/* get a link to factotum as new user */
|
||||||
fd = open("/srv/factotum", ORDWR);
|
fd = open("/srv/factotum", ORDWR|OCEXEC);
|
||||||
if(fd >= 0){
|
if(fd >= 0){
|
||||||
mount(fd, -1, "/mnt", MREPL, "");
|
if(mount(fd, -1, "/mnt", MREPL, "") == -1)
|
||||||
close(fd);
|
close(fd);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* set up new namespace */
|
/* set up new namespace */
|
||||||
|
|
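Review bot: The conditional close in the second auth_chuid hunk reads like a descriptor leak unless the reader knows that a successful mount closes fd itself. A comment above it such as `/* mount closes fd on success; only a failed mount leaves it to us */` would record that. The failure itself is still dropped with no werrstr or error return, so after the uid change a caller cannot tell that /mnt has no factotum; if that is intended best-effort behaviour, the comment should say so. This behaviour change is also not covered by the commit title, which only mentions OCEXEC. auth_chuid continues past the end of the hunk.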
|
@ -32,12 +32,11 @@ auth_getuserpasswd(AuthGetkey *getkey, char *fmt, ...)
|
||||||
UserPasswd *up;
|
UserPasswd *up;
|
||||||
|
|
||||||
up = nil;
|
up = nil;
|
||||||
rpc = nil;
|
|
||||||
params = nil;
|
params = nil;
|
||||||
|
|
||||||
fd = open("/mnt/factotum/rpc", ORDWR);
|
fd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
|
||||||
if(fd < 0)
|
if(fd < 0)
|
||||||
goto out;
|
return nil;
|
||||||
rpc = auth_allocrpc(fd);
|
rpc = auth_allocrpc(fd);
|
||||||
if(rpc == nil)
|
if(rpc == nil)
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -69,7 +68,7 @@ auth_getuserpasswd(AuthGetkey *getkey, char *fmt, ...)
|
||||||
|
|
||||||
out:
|
out:
|
||||||
free(params);
|
free(params);
|
||||||
auth_freerpc(rpc);
|
|
||||||
close(fd);
|
close(fd);
|
||||||
|
auth_freerpc(rpc);
|
||||||
return up;
|
return up;
|
||||||
}
|
}
|
||||||
|
|
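Review bot: With `rpc = nil;` removed in the first hunk, `auth_freerpc(rpc)` under `out:` is only safe while no `goto out` can run before `rpc = auth_allocrpc(fd)`. The visible path satisfies that, because a failed open now returns directly, but the lines between the two hunks are not shown. Keeping the initialiser `rpc = nil;` costs nothing and protects the cleanup label against a later edit that adds an earlier jump.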
|
@ -200,7 +200,7 @@ auth_proxy(int fd, AuthGetkey *getkey, char *fmt, ...)
|
||||||
va_end(arg);
|
va_end(arg);
|
||||||
|
|
||||||
ai = nil;
|
ai = nil;
|
||||||
afd = open("/mnt/factotum/rpc", ORDWR);
|
afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
|
||||||
if(afd < 0){
|
if(afd < 0){
|
||||||
werrstr("opening /mnt/factotum/rpc: %r");
|
werrstr("opening /mnt/factotum/rpc: %r");
|
||||||
free(p);
|
free(p);
|
||||||
|
|
|
@ -31,7 +31,7 @@ dorespond(void *chal, uint nchal, char *user, uint nuser, void *resp, uint nresp
|
||||||
AuthRpc *rpc;
|
AuthRpc *rpc;
|
||||||
Attr *a;
|
Attr *a;
|
||||||
|
|
||||||
if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
|
if((afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC)) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if((rpc = auth_allocrpc(afd)) == nil){
|
if((rpc = auth_allocrpc(afd)) == nil){
|
||||||
|
|
|
@ -11,7 +11,7 @@ auth_userpasswd(char *user, char *passwd)
|
||||||
char *s;
|
char *s;
|
||||||
int afd;
|
int afd;
|
||||||
|
|
||||||
afd = open("/mnt/factotum/rpc", ORDWR);
|
afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
|
||||||
if(afd < 0)
|
if(afd < 0)
|
||||||
return nil;
|
return nil;
|
||||||
ai = nil;
|
ai = nil;
|
||||||
|
|
|
@ -41,7 +41,7 @@ buildns(int newns, char *user, char *file)
|
||||||
|
|
||||||
rpc = nil;
|
rpc = nil;
|
||||||
/* try for factotum now because later is impossible */
|
/* try for factotum now because later is impossible */
|
||||||
afd = open("/mnt/factotum/rpc", ORDWR);
|
afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
|
||||||
if(afd < 0 && newnsdebug)
|
if(afd < 0 && newnsdebug)
|
||||||
fprint(2, "open /mnt/factotum/rpc: %r\n");
|
fprint(2, "open /mnt/factotum/rpc: %r\n");
|
||||||
if(afd >= 0){
|
if(afd >= 0){
|
||||||
|
@ -58,8 +58,8 @@ buildns(int newns, char *user, char *file)
|
||||||
}
|
}
|
||||||
file = "/lib/namespace";
|
file = "/lib/namespace";
|
||||||
}
|
}
|
||||||
b = Bopen(file, OREAD);
|
b = Bopen(file, OREAD|OCEXEC);
|
||||||
if(b == 0){
|
if(b == nil){
|
||||||
werrstr("can't open %s: %r", file);
|
werrstr("can't open %s: %r", file);
|
||||||
return freecloserpc(rpc);
|
return freecloserpc(rpc);
|
||||||
}
|
}
|
||||||
|
@ -135,6 +135,8 @@ famount(int fd, AuthRpc *rpc, char *mntpt, int flags, char *aname)
|
||||||
auth_freeAI(ai);
|
auth_freeAI(ai);
|
||||||
}
|
}
|
||||||
ret = mount(fd, afd, mntpt, flags, aname);
|
ret = mount(fd, afd, mntpt, flags, aname);
|
||||||
|
if(ret == -1)
|
||||||
|
close(fd);
|
||||||
if(afd >= 0)
|
if(afd >= 0)
|
||||||
close(afd);
|
close(afd);
|
||||||
return ret;
|
return ret;
|
||||||
|
@ -151,7 +153,7 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
|
||||||
|
|
||||||
cdroot = 0;
|
cdroot = 0;
|
||||||
flags = 0;
|
flags = 0;
|
||||||
argv0 = 0;
|
argv0 = nil;
|
||||||
if(newnsdebug){
|
if(newnsdebug){
|
||||||
for (i = 0; i < argc; i++)
|
for (i = 0; i < argc; i++)
|
||||||
fprint(2, "%s ", argv[i]);
|
fprint(2, "%s ", argv[i]);
|
||||||
|
@ -176,7 +178,7 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
|
||||||
flags |= MREPL;
|
flags |= MREPL;
|
||||||
|
|
||||||
if(strcmp(argv0, ".") == 0 && argc == 1){
|
if(strcmp(argv0, ".") == 0 && argc == 1){
|
||||||
b = Bopen(argv[0], OREAD);
|
b = Bopen(argv[0], OREAD|OCEXEC);
|
||||||
if(b == nil)
|
if(b == nil)
|
||||||
return 0;
|
return 0;
|
||||||
cdroot |= nsfile(fn, b, rpc);
|
cdroot |= nsfile(fn, b, rpc);
|
||||||
|
@ -192,7 +194,7 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
|
||||||
else if(argc == 2)
|
else if(argc == 2)
|
||||||
unmount(argv[0], argv[1]);
|
unmount(argv[0], argv[1]);
|
||||||
}else if(strcmp(argv0, "mount") == 0){
|
}else if(strcmp(argv0, "mount") == 0){
|
||||||
fd = open(argv[0], ORDWR);
|
fd = open(argv[0], ORDWR|OCEXEC);
|
||||||
if(fd < 0){
|
if(fd < 0){
|
||||||
if(newnsdebug)
|
if(newnsdebug)
|
||||||
fprint(2, "%s: mount: %s: %r\n", fn, argv[0]);
|
fprint(2, "%s: mount: %s: %r\n", fn, argv[0]);
|
||||||
|
@ -204,8 +206,9 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
|
||||||
}else if(argc == 3){
|
}else if(argc == 3){
|
||||||
if(famount(fd, rpc, argv[1], flags, argv[2]) == -1 && newnsdebug)
|
if(famount(fd, rpc, argv[1], flags, argv[2]) == -1 && newnsdebug)
|
||||||
fprint(2, "%s: mount: %s %s %s: %r\n", fn, argv[0], argv[1], argv[2]);
|
fprint(2, "%s: mount: %s %s %s: %r\n", fn, argv[0], argv[1], argv[2]);
|
||||||
|
} else {
|
||||||
|
close(fd);
|
||||||
}
|
}
|
||||||
close(fd);
|
|
||||||
}else if(strcmp(argv0, "cd") == 0 && argc == 1){
|
}else if(strcmp(argv0, "cd") == 0 && argc == 1){
|
||||||
if(chdir(argv[0]) == 0 && *argv[0] == '/')
|
if(chdir(argv[0]) == 0 && *argv[0] == '/')
|
||||||
cdroot = 1;
|
cdroot = 1;
|
||||||
|
@ -316,7 +319,7 @@ expandarg(char *arg, char *buf)
|
||||||
strcpy(env, "#e/");
|
strcpy(env, "#e/");
|
||||||
strncpy(env+3, p, len);
|
strncpy(env+3, p, len);
|
||||||
env[3+len] = '\0';
|
env[3+len] = '\0';
|
||||||
fd = open(env, OREAD);
|
fd = open(env, OREAD|OCEXEC);
|
||||||
if(fd >= 0){
|
if(fd >= 0){
|
||||||
len = read(fd, &buf[n], ANAMELEN - 1);
|
len = read(fd, &buf[n], ANAMELEN - 1);
|
||||||
/* some singleton environment variables have trailing NULs */
|
/* some singleton environment variables have trailing NULs */
|
||||||
|
@ -345,7 +348,7 @@ setenv(char *name, char *val)
|
||||||
long s;
|
long s;
|
||||||
|
|
||||||
sprint(ename, "#e/%s", name);
|
sprint(ename, "#e/%s", name);
|
||||||
f = create(ename, OWRITE, 0664);
|
f = create(ename, OWRITE|OCEXEC, 0664);
|
||||||
if(f < 0)
|
if(f < 0)
|
||||||
return -1;
|
return -1;
|
||||||
s = strlen(val);
|
s = strlen(val);
|
||||||
|
|
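Review bot: famount now owns fd, but nothing in the code says so: it closes fd when mount returns -1 and the argc == 3 branch of nsop no longer closes it. The part of famount before the mount call is outside the hunk, so any return there that skips mount would now leave the descriptor open in a library that builds namespaces for authenticated sessions; that is worth checking. A header comment on famount such as `/* consumes fd: closed by mount on success, closed here on failure */` would fix the contract for future callers. The argc == 2 branch of nsop is also not visible, so confirm it follows the same ownership rule.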
|
@ -15,7 +15,7 @@ noworld(char *user)
|
||||||
char *p;
|
char *p;
|
||||||
int n;
|
int n;
|
||||||
|
|
||||||
b = Bopen("/adm/users", OREAD);
|
b = Bopen("/adm/users", OREAD|OCEXEC);
|
||||||
if(b == nil)
|
if(b == nil)
|
||||||
return 0;
|
return 0;
|
||||||
while((p = Brdline(b, '\n')) != nil){
|
while((p = Brdline(b, '\n')) != nil){
|
||||||
|
|