
[src/trunk]: src/usr.sbin/mtree Add a -l flag which does "loose" permissions ...



details:   https://anonhg.NetBSD.org/src/rev/8affcba3ddc6
branches:  trunk
changeset: 515321:8affcba3ddc6
user:      perry <perry%NetBSD.org@localhost>
date:      Sat Sep 22 03:56:29 2001 +0000

description:
Add a -l flag which does "loose" permissions checks, i.e. a mode 444
matches a check for mode 644 (though obviously not the reverse). This
can be used by the nightly security run, making the output more useful
by having it contain fewer spurious permissions violations.

Note that I did not make -l work if you have a sgid/suid/sticky bit
set. I don't know how you could cause security trouble with more
stringent settings and a suid file, but I don't want to find out the
hard way.

diffstat:

 usr.sbin/mtree/compare.c |  23 ++++++++++++++++++++---
 usr.sbin/mtree/mtree.8   |  19 +++++++++++++++++--
 usr.sbin/mtree/mtree.c   |  17 ++++++++++++-----
 3 files changed, 49 insertions(+), 10 deletions(-)

diffs (164 lines):

diff -r 2284c17ac927 -r 8affcba3ddc6 usr.sbin/mtree/compare.c
--- a/usr.sbin/mtree/compare.c  Sat Sep 22 03:34:17 2001 +0000
+++ b/usr.sbin/mtree/compare.c  Sat Sep 22 03:56:29 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: compare.c,v 1.25 2001/07/18 04:51:54 lukem Exp $       */
+/*     $NetBSD: compare.c,v 1.26 2001/09/22 03:56:29 perry Exp $       */
 
 /*-
  * Copyright (c) 1989, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)compare.c  8.1 (Berkeley) 6/6/93";
 #else
-__RCSID("$NetBSD: compare.c,v 1.25 2001/07/18 04:51:54 lukem Exp $");
+__RCSID("$NetBSD: compare.c,v 1.26 2001/09/22 03:56:29 perry Exp $");
 #endif
 #endif /* not lint */
 
@@ -57,7 +57,7 @@
 #include "mtree.h"
 #include "extern.h"
 
-extern int iflag, mflag, tflag, uflag;
+extern int iflag, lflag, mflag, tflag, uflag;
 
 static const char *ftype(u_int);
 
@@ -203,6 +203,22 @@
        }
        if (s->flags & F_MODE &&
            s->st_mode != (p->fts_statp->st_mode & MBITS)) {
+               if (lflag) {
+                       mode_t tmode, mode;
+
+                       tmode = s->st_mode;
+                       mode = p->fts_statp->st_mode & MBITS;
+                       /*
+                        * if none of the suid/sgid/etc bits are set,
+                        * then if the mode is a subset of the target,
+                        * skip.
+                        */
+                       if (!((tmode & ~(S_IRWXU|S_IRWXG|S_IRWXO)) ||
+                           (mode & ~(S_IRWXU|S_IRWXG|S_IRWXO))))
+                               if ((mode | tmode) == tmode)
+                                       goto skip;
+               }
+               
                LABEL;
                (void)printf("%spermissions (%#lo, %#lo",
                    tab, (u_long)s->st_mode,
@@ -217,6 +233,7 @@
                else
                        (void)printf(")\n");
                tab = "\t";
+       skip:
        }
        if (s->flags & F_NLINK && s->type != F_DIR &&
            s->st_nlink != p->fts_statp->st_nlink) {
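Review bot: The new `skip:` label sits directly before the closing `}` of the F_MODE block with no statement after it, which C89/C99 do not permit (a label must prefix a statement); depending on the compiler this is rejected outright or only warned about. Writing `skip: ;` (a null statement) makes it valid everywhere. The loose check itself looks sound: `(mode | tmode) == tmode` accepts only an on-disk rwx set that is a subset of the spec's, and any setuid/setgid/sticky bit in either value falls through to the exact comparison, which matches the man page wording. A small nit is the trailing whitespace on the blank line after the `if (lflag)` block. The enclosing function starts and ends outside this hunk.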
diff -r 2284c17ac927 -r 8affcba3ddc6 usr.sbin/mtree/mtree.8
--- a/usr.sbin/mtree/mtree.8    Sat Sep 22 03:34:17 2001 +0000
+++ b/usr.sbin/mtree/mtree.8    Sat Sep 22 03:56:29 2001 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: mtree.8,v 1.14 2000/11/07 05:47:15 lukem Exp $
+.\"    $NetBSD: mtree.8,v 1.15 2001/09/22 03:56:29 perry Exp $
 .\"
 .\" Copyright (c) 1989, 1990, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -41,7 +41,7 @@
 .Nd map a directory hierarchy
 .Sh SYNOPSIS
 .Nm ""
-.Op Fl cderUux
+.Op Fl cdelrUux
 .Bk -words
 .Op Fl i | Fl m
 .Ek
@@ -90,6 +90,21 @@
 .It Fl k
 Use the ``type'' keyword plus the specified (whitespace or comma separated)
 keywords instead of the current set of keywords.
+.It Fl l
+Do 
+.Dq loose
+permissions checks, in which more stringent permissions
+will match less stringent ones. For example, a file marked mode 0444
+will pass a check for mode 0644.
+.Dq Loose
+checks apply only to read, write and execute permissions -- in
+particular, if other bits like the sticky bit or suid/sgid bits are
+set either in the specification or the file, exact checking will be
+performed. This flag may not be set at the same time as the
+.Fl u
+or
+.Fl U
+flags.
 .It Fl m
 If the schg and/or sappnd flags are specified, reset these flags. Note that
 this is only possible with securelevel less than 1 (i. e. in single user mode
diff -r 2284c17ac927 -r 8affcba3ddc6 usr.sbin/mtree/mtree.c
--- a/usr.sbin/mtree/mtree.c    Sat Sep 22 03:34:17 2001 +0000
+++ b/usr.sbin/mtree/mtree.c    Sat Sep 22 03:56:29 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: mtree.c,v 1.16 2001/03/21 23:56:35 cgd Exp $   */
+/*     $NetBSD: mtree.c,v 1.17 2001/09/22 03:56:29 perry Exp $ */
 
 /*-
  * Copyright (c) 1989, 1990, 1993
@@ -43,7 +43,7 @@
 #if 0
 static char sccsid[] = "@(#)mtree.c    8.1 (Berkeley) 6/6/93";
 #else
-__RCSID("$NetBSD: mtree.c,v 1.16 2001/03/21 23:56:35 cgd Exp $");
+__RCSID("$NetBSD: mtree.c,v 1.17 2001/09/22 03:56:29 perry Exp $");
 #endif
 #endif /* not lint */
 
@@ -61,7 +61,8 @@
 extern int crc_total;
 
 int ftsoptions = FTS_PHYSICAL;
-int cflag, dflag, eflag, iflag, mflag, rflag, sflag, tflag, uflag, Uflag;
+int cflag, dflag, eflag, iflag, lflag, mflag,
+    rflag, sflag, tflag, uflag, Uflag;
 int keys;
 char fullpath[MAXPATHLEN];
 
@@ -79,7 +80,7 @@
 
        dir = NULL;
        keys = KEYDEFAULT;
-       while ((ch = getopt(argc, argv, "cdef:iK:k:mp:rs:tUux")) != -1)
+       while ((ch = getopt(argc, argv, "cdef:iK:k:lmp:rs:tUux")) != -1)
                switch((char)ch) {
                case 'c':
                        cflag = 1;
@@ -108,6 +109,9 @@
                                if (*p != '\0')
                                        keys |= parsekey(p, NULL);
                        break;
+               case 'l':
+                       lflag = 1;
+                       break;
                case 'm':
                        mflag = 1;
                        break;
@@ -154,6 +158,9 @@
        if (iflag == 1 && mflag == 1)
                mtree_err("-i and -m flags are mutually exclusive");
 
+       if (lflag == 1 && uflag == 1)
+               mtree_err("-l and -u flags are mutually exclusive");
+
        if (cflag) {
                cwalk();
                exit(0);
@@ -168,7 +175,7 @@
 usage(void)
 {
 
-       (void)fprintf(stderr, "usage: mtree [-cderUux] [-i|-m] [-f spec]"
+       (void)fprintf(stderr, "usage: mtree [-cdelrUux] [-i|-m] [-f spec]"
            " [-K key] [-k key] [-p path] [-s seed]\n");
        exit(1);
 }


