libauth: open internal file-descriptors with OCEXEC flag

This commit is contained in:
cinap_lenrek 2020-12-07 16:46:34 +01:00
parent f341ae8c77
commit f433f1426b
8 changed files with 24 additions and 22 deletions

View file

@ -23,7 +23,7 @@ auth_challenge(char *fmt, ...)
return nil; return nil;
} }
if((c->afd = open("/mnt/factotum/rpc", ORDWR)) < 0){ if((c->afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC)) < 0){
Error: Error:
auth_freechal(c); auth_freechal(c);
free(p); free(p);

View file

@ -16,7 +16,7 @@ auth_chuid(AuthInfo *ai, char *ns)
} }
/* change uid */ /* change uid */
fd = open("#¤/capuse", OWRITE); fd = open("#¤/capuse", OWRITE|OCEXEC);
if(fd < 0){ if(fd < 0){
werrstr("opening #¤/capuse: %r"); werrstr("opening #¤/capuse: %r");
return -1; return -1;
@ -29,10 +29,10 @@ auth_chuid(AuthInfo *ai, char *ns)
} }
/* get a link to factotum as new user */ /* get a link to factotum as new user */
fd = open("/srv/factotum", ORDWR); fd = open("/srv/factotum", ORDWR|OCEXEC);
if(fd >= 0){ if(fd >= 0){
mount(fd, -1, "/mnt", MREPL, ""); if(mount(fd, -1, "/mnt", MREPL, "") == -1)
close(fd); close(fd);
} }
/* set up new namespace */ /* set up new namespace */

View file

@ -32,12 +32,11 @@ auth_getuserpasswd(AuthGetkey *getkey, char *fmt, ...)
UserPasswd *up; UserPasswd *up;
up = nil; up = nil;
rpc = nil;
params = nil; params = nil;
fd = open("/mnt/factotum/rpc", ORDWR); fd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
if(fd < 0) if(fd < 0)
goto out; return nil;
rpc = auth_allocrpc(fd); rpc = auth_allocrpc(fd);
if(rpc == nil) if(rpc == nil)
goto out; goto out;
@ -69,7 +68,7 @@ auth_getuserpasswd(AuthGetkey *getkey, char *fmt, ...)
out: out:
free(params); free(params);
auth_freerpc(rpc);
close(fd); close(fd);
auth_freerpc(rpc);
return up; return up;
} }

View file

@ -200,7 +200,7 @@ auth_proxy(int fd, AuthGetkey *getkey, char *fmt, ...)
va_end(arg); va_end(arg);
ai = nil; ai = nil;
afd = open("/mnt/factotum/rpc", ORDWR); afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
if(afd < 0){ if(afd < 0){
werrstr("opening /mnt/factotum/rpc: %r"); werrstr("opening /mnt/factotum/rpc: %r");
free(p); free(p);

View file

@ -31,7 +31,7 @@ dorespond(void *chal, uint nchal, char *user, uint nuser, void *resp, uint nresp
AuthRpc *rpc; AuthRpc *rpc;
Attr *a; Attr *a;
if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0) if((afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC)) < 0)
return -1; return -1;
if((rpc = auth_allocrpc(afd)) == nil){ if((rpc = auth_allocrpc(afd)) == nil){

View file

@ -11,7 +11,7 @@ auth_userpasswd(char *user, char *passwd)
char *s; char *s;
int afd; int afd;
afd = open("/mnt/factotum/rpc", ORDWR); afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
if(afd < 0) if(afd < 0)
return nil; return nil;
ai = nil; ai = nil;

View file

@ -41,7 +41,7 @@ buildns(int newns, char *user, char *file)
rpc = nil; rpc = nil;
/* try for factotum now because later is impossible */ /* try for factotum now because later is impossible */
afd = open("/mnt/factotum/rpc", ORDWR); afd = open("/mnt/factotum/rpc", ORDWR|OCEXEC);
if(afd < 0 && newnsdebug) if(afd < 0 && newnsdebug)
fprint(2, "open /mnt/factotum/rpc: %r\n"); fprint(2, "open /mnt/factotum/rpc: %r\n");
if(afd >= 0){ if(afd >= 0){
@ -58,8 +58,8 @@ buildns(int newns, char *user, char *file)
} }
file = "/lib/namespace"; file = "/lib/namespace";
} }
b = Bopen(file, OREAD); b = Bopen(file, OREAD|OCEXEC);
if(b == 0){ if(b == nil){
werrstr("can't open %s: %r", file); werrstr("can't open %s: %r", file);
return freecloserpc(rpc); return freecloserpc(rpc);
} }
@ -135,6 +135,8 @@ famount(int fd, AuthRpc *rpc, char *mntpt, int flags, char *aname)
auth_freeAI(ai); auth_freeAI(ai);
} }
ret = mount(fd, afd, mntpt, flags, aname); ret = mount(fd, afd, mntpt, flags, aname);
if(ret == -1)
close(fd);
if(afd >= 0) if(afd >= 0)
close(afd); close(afd);
return ret; return ret;
@ -151,7 +153,7 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
cdroot = 0; cdroot = 0;
flags = 0; flags = 0;
argv0 = 0; argv0 = nil;
if(newnsdebug){ if(newnsdebug){
for (i = 0; i < argc; i++) for (i = 0; i < argc; i++)
fprint(2, "%s ", argv[i]); fprint(2, "%s ", argv[i]);
@ -176,7 +178,7 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
flags |= MREPL; flags |= MREPL;
if(strcmp(argv0, ".") == 0 && argc == 1){ if(strcmp(argv0, ".") == 0 && argc == 1){
b = Bopen(argv[0], OREAD); b = Bopen(argv[0], OREAD|OCEXEC);
if(b == nil) if(b == nil)
return 0; return 0;
cdroot |= nsfile(fn, b, rpc); cdroot |= nsfile(fn, b, rpc);
@ -192,7 +194,7 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
else if(argc == 2) else if(argc == 2)
unmount(argv[0], argv[1]); unmount(argv[0], argv[1]);
}else if(strcmp(argv0, "mount") == 0){ }else if(strcmp(argv0, "mount") == 0){
fd = open(argv[0], ORDWR); fd = open(argv[0], ORDWR|OCEXEC);
if(fd < 0){ if(fd < 0){
if(newnsdebug) if(newnsdebug)
fprint(2, "%s: mount: %s: %r\n", fn, argv[0]); fprint(2, "%s: mount: %s: %r\n", fn, argv[0]);
@ -204,8 +206,9 @@ nsop(char *fn, int argc, char *argv[], AuthRpc *rpc)
}else if(argc == 3){ }else if(argc == 3){
if(famount(fd, rpc, argv[1], flags, argv[2]) == -1 && newnsdebug) if(famount(fd, rpc, argv[1], flags, argv[2]) == -1 && newnsdebug)
fprint(2, "%s: mount: %s %s %s: %r\n", fn, argv[0], argv[1], argv[2]); fprint(2, "%s: mount: %s %s %s: %r\n", fn, argv[0], argv[1], argv[2]);
} else {
close(fd);
} }
close(fd);
}else if(strcmp(argv0, "cd") == 0 && argc == 1){ }else if(strcmp(argv0, "cd") == 0 && argc == 1){
if(chdir(argv[0]) == 0 && *argv[0] == '/') if(chdir(argv[0]) == 0 && *argv[0] == '/')
cdroot = 1; cdroot = 1;
@ -316,7 +319,7 @@ expandarg(char *arg, char *buf)
strcpy(env, "#e/"); strcpy(env, "#e/");
strncpy(env+3, p, len); strncpy(env+3, p, len);
env[3+len] = '\0'; env[3+len] = '\0';
fd = open(env, OREAD); fd = open(env, OREAD|OCEXEC);
if(fd >= 0){ if(fd >= 0){
len = read(fd, &buf[n], ANAMELEN - 1); len = read(fd, &buf[n], ANAMELEN - 1);
/* some singleton environment variables have trailing NULs */ /* some singleton environment variables have trailing NULs */
@ -345,7 +348,7 @@ setenv(char *name, char *val)
long s; long s;
sprint(ename, "#e/%s", name); sprint(ename, "#e/%s", name);
f = create(ename, OWRITE, 0664); f = create(ename, OWRITE|OCEXEC, 0664);
if(f < 0) if(f < 0)
return -1; return -1;
s = strlen(val); s = strlen(val);

View file

@ -15,7 +15,7 @@ noworld(char *user)
char *p; char *p;
int n; int n;
b = Bopen("/adm/users", OREAD); b = Bopen("/adm/users", OREAD|OCEXEC);
if(b == nil) if(b == nil)
return 0; return 0;
while((p = Brdline(b, '\n')) != nil){ while((p = Brdline(b, '\n')) != nil){