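/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#include "lint.h"
#include "mtlib.h"
#include <string.h>
#include <syslog.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <unistd.h>
#include <stdlib.h>
#include <thread.h>
#include <synch.h>
#include <ctype.h>
#include <errno.h>
#include "libc.h"
#include "nlspath_checks.h"

extern const char **_environ;

/*
 * We want to prevent the use of NLSPATH by setugid applications but
 * not completely. CDE depends on this very much.
 * Yes, this is ugly.
 */

/* One trusted directory prefix and its length (without the NUL). */
struct trusted_systemdirs {
	const char	*dir;
	size_t		dirlen;
};

#define	_USRLIB	"/usr/lib/"
#define	_USRDT	"/usr/dt/"
#define	_USROW	"/usr/openwin/"

/*
 * Directory prefixes whose message files may be trusted even when the
 * caller did not vouch for the path.  The table ends with a NULL dir.
 */
static const struct trusted_systemdirs	prefix[] = {
	{ _USRLIB,	sizeof (_USRLIB) - 1 },
	{ _USRDT,	sizeof (_USRDT) - 1 },
	{ _USROW,	sizeof (_USROW) - 1 },
	{ NULL,		0 }
};

/*
 * Set to 1 by clean_env() when NLSPATH is absent from the environment or
 * has been stripped from it; read by nls_safe_open().
 */
static int8_t nlspath_safe;

/*
 * Routine to check the safety of a messages file.
 * When the program specifies a pathname and doesn't
 * use NLSPATH, it should specify the "safe" flag as 1.
 * Most checks will be disabled then.
 * fstat64 is done here and the stat structure is returned
 * to prevent duplication of system calls.
 *
 * The trust return value contains an indication of
 * trustworthiness (i.e., does check_format need to be called or
 * not)
 *
 * path		pathname of the message file to open
 * statbuf	filled in by fstat64() on the opened descriptor
 * trust	out: 1 if the file is trusted, 0 if messages taken from it
 *		must be vetted with check_format()
 * safe		non-zero when the caller supplied the path itself
 *
 * Returns the open descriptor, or -1 if the open or fstat64 failed or if
 * a set[ug]id process asked for a file that ended up untrusted.
 *
 * The ownership and mode tests use the result of fstat64() on the
 * descriptor, so they describe the file that was actually opened.  The
 * directory test is a string comparison on "path" only; nothing in this
 * routine resolves symbolic links.
 */

int
nls_safe_open(const char *path, struct stat64 *statbuf, int *trust, int safe)
{
	int	fd;
	int	trust_path;
	int	systemdir = 0;
	int	abs_path = 0;
	int	trust_owner = 0;
	int	trust_group = 0;
	const struct trusted_systemdirs	*p;

	/*
	 * If SAFE_F has been specified or NLSPATH is safe (or not set),
	 * set trust_path and trust the file as an initial value.
	 */
	trust_path = *trust = safe || nlspath_safe;

	fd = open(path, O_RDONLY);

	if (fd < 0)
		return (-1);

	if (fstat64(fd, statbuf) == -1) {
		(void) close(fd);
		return (-1);
	}

	/*
	 * Trust only files owned by root or bin (uid 2), except
	 * when specified as full path or when NLSPATH is known to
	 * be safe.
	 * Don't trust files writable by other or writable
	 * by non-bin, non-root system group.
	 * Don't trust these files even if the path is correct.
	 * Since we don't support changing uids/gids on our files,
	 * we hardcode them here for now.
	 */

	/*
	 * if the path is absolute and does not contain "/../",
	 * set abs_path.
	 */
	if (*path == '/' && strstr(path, "/../") == NULL) {
		abs_path = 1;
		/*
		 * if the path belongs to the trusted system directory,
		 * set systemdir.
		 */
		for (p = prefix; p->dir; p++) {
			if (strncmp(p->dir, path, p->dirlen) == 0) {
				systemdir = 1;
				break;
			}
		}
	}

	/*
	 * If the owner is root or bin, set trust_owner.
	 */
	if (statbuf->st_uid == 0 || statbuf->st_uid == 2) {
		trust_owner = 1;
	}
	/*
	 * If the file is neither other-writable nor group-writable by
	 * non-bin and non-root system group, set trust_group.
	 * Group write is tolerated only for gids 0, 2 and 3.
	 */
	if ((statbuf->st_mode & (S_IWOTH)) == 0 &&
	    ((statbuf->st_mode & (S_IWGRP)) == 0 ||
	    (statbuf->st_gid < 4 && statbuf->st_gid != 1))) {
		trust_group = 1;
	}

	/*
	 * Even if UNSAFE_F has been specified and unsafe-NLSPATH
	 * has been set, trust the file as long as it belongs to
	 * the trusted system directory.
	 */
	if (!*trust && systemdir) {
		*trust = 1;
	}

	/*
	 * If:
	 *	file is not a full pathname,
	 * or
	 *	neither trust_owner nor trust_path is set,
	 * or
	 *	trust_group is not set,
	 * untrust it.
	 */
	if (*trust &&
	    (!abs_path || (!trust_owner && !trust_path) || !trust_group)) {
		*trust = 0;
	}

	/*
	 * If set[ug]id process, open for the untrusted file should fail.
	 * Otherwise, the message extracted from the untrusted file
	 * will have to be checked by check_format().
	 */
	if (issetugid()) {
		if (!*trust) {
			/*
			 * Open should fail
			 */
			(void) close(fd);
			return (-1);
		}

		/*
		 * if the path does not belong to the trusted system directory
		 * or if the owner is neither root nor bin, untrust it.
		 */
		if (!systemdir || !trust_owner) {
			*trust = 0;
		}
	}

	return (fd);
}

/*
 * Extract a format into a normalized format string.
 * Returns the number of arguments converted, -1 on error.
 * The string norm should contain 2N bytes; an upperbound is the
 * length of the format string.
 * The canonical format consists of two chars: one is the conversion
 * character (s, c, d, x, etc), the second one is the option flag.
 * L, ll, l, w as defined below.
 * A special conversion character, '*', indicates that the argument
 * is used as a precision specifier.
 */

#define	OPT_L		0x01
#define	OPT_l		0x02
#define	OPT_ll		0x04
#define	OPT_w		0x08
#define	OPT_h		0x10
#define	OPT_hh		0x20
#define	OPT_j		0x40

/* Number of bytes per canonical format entry */
#define	FORMAT_SIZE	2

/*
 * Largest value kept while parsing a number out of a format ("%N$" or
 * "*N$").  Longer digit runs saturate here instead of overflowing an int;
 * the cap is chosen so that (ARGNUM_MAX - 1) * FORMAT_SIZE + 1, the
 * expression STORE evaluates, still fits in an int.
 */
#define	ARGNUM_MAX	(INT_MAX / FORMAT_SIZE - 1)

/*
 * Check and store the argument; allow each argument to be used only as
 * one type even though printf allows multiple uses.  The specification only
 * allows one use, but we don't want to break existing functional code,
 * even if it's buggy.
 *
 * The macro reads "strict" and updates "maxarg" and "narg" from the
 * enclosing function, and returns -1 from that function on failure.
 * The bounds test compares an int with a size_t, so a negative index
 * (for instance from "%0$") converts to a very large value and is
 * rejected as well.  In non-strict mode a slot already holding 'n' may
 * not be overwritten.
 */
#define	STORE(buf, size, arg, val) 	if (arg * FORMAT_SIZE + 1 >= size ||\
	    (strict ? \
	    (buf[arg*FORMAT_SIZE] != '\0' && \
	    buf[arg*FORMAT_SIZE] != val) \
	    : \
	    (buf[arg*FORMAT_SIZE] == 'n'))) \
		return (-1); \
	else {\
		if (arg >= maxarg) \
			maxarg = arg + 1; \
		narg++; \
		buf[arg*FORMAT_SIZE] = val; \
	}

/*
 * Append the decimal digit c to the running value t, saturating at
 * ARGNUM_MAX so that an arbitrarily long digit run cannot overflow.
 */
static int
fmt_add_digit(int t, char c)
{
	int d = c - '0';

	if (t > (ARGNUM_MAX - d) / 10)
		return (ARGNUM_MAX);
	return (t * 10 + d);
}

/*
 * This function extracts sprintf format into a canonical
 * sprintf form.  It's not as easy as just removing everything
 * that isn't a format specifier, because of "%n$" specifiers.
 * Ideally, this should be compatible with printf and not
 * fail on bad formats.
 * However, that makes writing a proper check_format that
 * doesn't cause crashes a lot harder.
 *
 * fmt		NUL-terminated format string to analyse
 * norm		output buffer of sz bytes, zeroed first; entry i occupies
 *		norm[i * FORMAT_SIZE] (conversion class) and the byte after
 *		it (OPT_* flags)
 * sz		size of norm in bytes
 * strict	non-zero: an argument may have only one type, a second
 *		'.' in one specifier is an error, and gaps in the argument
 *		numbering are an error
 *
 * Returns the highest argument index seen plus one, or -1 on error.
 *
 * The format may come from a message file that is not trusted, so every
 * character test goes through unsigned char (message text is not limited
 * to ASCII), parsed numbers are bounded, and the scan never moves past
 * the terminating NUL.
 */

static int
extract_format(const char *fmt, char *norm, size_t sz, int strict)
{
	int narg = 0;
	int t, arg, argp;
	int dotseen;
	char flag;
	char conv;
	int lastarg = -1;
	int prevarg;
	int maxarg = 0;		/* Highest index seen + 1 */
	int lflag;

	(void) memset(norm, '\0', sz);

#ifdef DEBUG
	printf("Format \"%s\" canonical form: ", fmt);
#endif

	for (; *fmt; fmt++) {
		if (*fmt == '%') {
			if (*++fmt == '%')
				continue;

			if (*fmt == '\0')
				break;

			prevarg = lastarg;
			arg = ++lastarg;

			/* Either a "N$" position or the start of a width */
			t = 0;
			while (*fmt && isdigit((unsigned char)*fmt))
				t = fmt_add_digit(t, *fmt++);

			if (*fmt == '$') {
				lastarg = arg = t - 1;
				fmt++;
			}

			if (*fmt == '\0')
				goto end;

			dotseen = 0;
			flag = 0;
			lflag = 0;
again:
			/* Skip flags */
			while (*fmt) {
				switch (*fmt) {
				case '\'':
				case '+':
				case '-':
				case ' ':
				case '#':
				case '0':
					fmt++;
					continue;
				}
				break;
			}

			while (*fmt && isdigit((unsigned char)*fmt))
				fmt++;

			if (*fmt == '*') {
				if (isdigit((unsigned char)fmt[1])) {
					fmt++;
					t = 0;
					while (*fmt &&
					    isdigit((unsigned char)*fmt))
						t = fmt_add_digit(t, *fmt++);

					if (*fmt == '$') {
						argp = t - 1;
						STORE(norm, sz, argp, '*');
					}
					/*
					 * If digits follow a '*', it is
					 * not loaded as an argument, the
					 * digits are used instead.
					 */
				} else {
					/*
					 * Weird as it may seem, if we
					 * use an numbered argument, we
					 * get the next one if we have
					 * an unnumbered '*'
					 */
					if (fmt[1] == '$')
						fmt++;
					else {
						argp = arg;
						prevarg = arg;
						lastarg = ++arg;
						STORE(norm, sz, argp, '*');
					}
				}
				/*
				 * Step over the '$' or the '*', but never
				 * over the terminating NUL: the digit loop
				 * above can stop on it.
				 */
				if (*fmt != '\0')
					fmt++;
			}

			/* Fail on two or more dots if we do strict checking */
			if (*fmt == '.' || *fmt == '*') {
				if (dotseen && strict)
					return (-1);
				dotseen = 1;
				fmt++;
				goto again;
			}

			if (*fmt == '\0')
				goto end;

			/* Length modifiers, folded into the OPT_* flag byte */
			while (*fmt) {
				switch (*fmt) {
				case 'l':
					if (!(flag & OPT_ll)) {
						if (lflag) {
							flag &= ~OPT_l;
							flag |= OPT_ll;
						} else {
							flag |= OPT_l;
						}
					}
					lflag++;
					break;
				case 'L':
					flag |= OPT_L;
					break;
				case 'w':
					flag |= OPT_w;
					break;
				case 'h':
					if (flag & (OPT_h|OPT_hh))
						flag |= OPT_hh;
					else
						flag |= OPT_h;
					break;
				case 'j':
					flag |= OPT_j;
					break;
				case 'z':
				case 't':
					if (!(flag & OPT_ll)) {
						flag |= OPT_l;
					}
					break;
				case '\'':
				case '+':
				case '-':
				case ' ':
				case '#':
				case '.':
				case '*':
					goto again;
				default:
					if (isdigit((unsigned char)*fmt))
						goto again;
					else
						goto done;
				}
				fmt++;
			}
done:
			if (*fmt == '\0')
				goto end;

			/*
			 * Reduce the conversion to its argument class:
			 * 'I' integer, 'D' floating point, 's' string,
			 * 'p' and 'n' kept as they are.
			 */
			switch (*fmt) {
			case 'C':
				flag |= OPT_l;
				/* FALLTHROUGH */
			case 'd':
			case 'i':
			case 'o':
			case 'u':
			case 'c':
			case 'x':
			case 'X':
				conv = 'I';
				break;
			case 'e':
			case 'E':
			case 'f':
			case 'F':
			case 'a':
			case 'A':
			case 'g':
			case 'G':
				conv = 'D';
				break;
			case 'S':
				flag |= OPT_l;
				/* FALLTHROUGH */
			case 's':
				conv = 's';
				break;
			case 'p':
			case 'n':
				conv = *fmt;
				break;
			default:
				/* Not a conversion: give the slot back */
				lastarg = prevarg;
				continue;
			}

			STORE(norm, sz, arg, conv);
			norm[arg*FORMAT_SIZE + 1] = flag;
		}
	}
#ifdef DEBUG
	for (t = 0; t < maxarg * FORMAT_SIZE; t += FORMAT_SIZE) {
		printf("%c(%d)", norm[t], norm[t+1]);
	}
	putchar('\n');
#endif
end:
	/* In strict mode every index below maxarg must have been used */
	if (strict)
		for (arg = 0; arg < maxarg; arg++)
			if (norm[arg*FORMAT_SIZE] == '\0')
				return (-1);

	return (maxarg);
}

/*
 * Decide whether the replacement message "new" may be used in place of
 * the program's own format string "org".
 *
 * org		the format the program was written with; may be NULL, in
 *		which case "(NULL)" is used for comparison and logging
 * new		the candidate message; must not be NULL
 * strict	non-zero: the canonical forms of org and new must be
 *		identical.  Zero: new is only rejected when it fails to
 *		parse or has an 'n' conversion that org does not have at
 *		the same argument position with the same flags.
 *
 * Returns new when it is accepted and org otherwise (org as passed in,
 * so possibly NULL).  Rejections are logged through syslog with LOG_AUTH
 * and set errno to EBADMSG; an allocation failure returns org without
 * logging or touching errno.
 *
 * NOTE(review): org is logged with "%.100s" but new, the string under
 * suspicion, is logged with an unbounded "%s" -- confirm this is intended.
 */
char *
check_format(const char *org, const char *new, int strict)
{
	char *ofmt, *nfmt, *torg;
	size_t osz, nsz;
	int olen, nlen;

	if (!org) {
		/*
		 * Default message is NULL.
		 * dtmail uses NULL for default message.
		 */
		torg = "(NULL)";
	} else {
		torg = (char *)org;
	}

	/* Short cut: identical strings, or nothing to convert in new */
	if (org == new || strcmp(torg, new) == 0 ||
	    strchr(new, '%') == NULL)
		return ((char *)new);

	/* Two bytes per character is an upper bound on the canonical form */
	osz = strlen(torg) * FORMAT_SIZE;
	ofmt = malloc(osz);
	if (ofmt == NULL)
		return ((char *)org);

	/* The program's own format is always parsed leniently */
	olen = extract_format(torg, ofmt, osz, 0);

	if (olen == -1)
		syslog(LOG_AUTH|LOG_INFO,
		    "invalid format in gettext argument: \"%s\"", torg);

	nsz = strlen(new) * FORMAT_SIZE;
	nfmt = malloc(nsz);
	if (nfmt == NULL) {
		free(ofmt);
		return ((char *)org);
	}

	nlen = extract_format(new, nfmt, nsz, strict);

	if (nlen == -1) {
		free(ofmt);
		free(nfmt);
		syslog(LOG_AUTH|LOG_NOTICE,
		    "invalid format in message file \"%.100s\" -> \"%s\"",
		    torg, new);
		errno = EBADMSG;
		return ((char *)org);
	}

	if (strict && (olen != nlen || olen == -1)) {
		free(ofmt);
		free(nfmt);
		syslog(LOG_AUTH|LOG_NOTICE,
		    "incompatible format in message file: \"%.100s\" != \"%s\"",
		    torg, new);
		errno = EBADMSG;
		return ((char *)org);
	}

	if (strict && memcmp(ofmt, nfmt, nlen * FORMAT_SIZE) == 0) {
		free(ofmt);
		free(nfmt);
		return ((char *)new);
	} else {
		if (!strict) {
			char *n;

			nlen *= FORMAT_SIZE;

			/*
			 * Every 'n' in the replacement must line up with
			 * an 'n' carrying the same flags in the original.
			 * If the original failed to parse, olen is -1 and
			 * the first test rejects any 'n' at all.
			 */
			for (n = nfmt;
			    (n = memchr(n, 'n', nfmt + nlen - n)) != NULL;
			    n++) {
				int off = (n - nfmt);

				if (off >= olen * FORMAT_SIZE ||
				    ofmt[off] != 'n' ||
				    ofmt[off+1] != nfmt[off+1]) {
					free(ofmt);
					free(nfmt);
					syslog(LOG_AUTH|LOG_NOTICE,
					    "dangerous format in message file: "
					    "\"%.100s\" -> \"%s\"", torg, new);
					errno = EBADMSG;
					return ((char *)org);
				}
			}
			free(ofmt);
			free(nfmt);
			return ((char *)new);
		}
		/* strict, same argument count, different canonical form */
		free(ofmt);
		free(nfmt);
		syslog(LOG_AUTH|LOG_NOTICE,
		    "incompatible format in message file \"%.100s\" != \"%s\"",
		    torg, new);
		errno = EBADMSG;
		return ((char *)org);
	}
}

/*
 * s1 is either name, or name=value
 * s2 is name=value
 * if names match, return value of s2, else NULL
 * used for environment searching: see getenv
 */
const char *
nvmatch(const char *s1, const char *s2)
{
	/* Walk both strings while they agree; '=' in both ends the name */
	while (*s1 == *s2++)
		if (*s1++ == '=')
			return (s2);
	/* s1 was a bare name and s2 reached its '=' at the same point */
	if (*s1 == '\0' && *(s2-1) == '=')
		return (s2);
	return (NULL);
}

/*
 * Handle NLSPATH environment variables in the environment.
 * This routine is hooked into getenv/putenv at first call.
 *
 * The intention is to ignore NLSPATH in set-uid applications,
 * and determine whether the NLSPATH in an application was set
 * by the applications or derived from the user's environment.
 *
 * On return nlspath_safe is 1 unless NLSPATH was found in the environment
 * of a process for which issetugid() is false.
 */

void
clean_env(void)
{
	const char **p;

	if (_environ == NULL) {
		/* can happen when processing a SunOS 4.x AOUT file */
		nlspath_safe = 1;
		return;
	}

	/* Find the first NLSPATH occurrence */
	for (p = _environ; *p; p++)
		if (**p == 'N' && nvmatch("NLSPATH", *p) != NULL)
			break;

	if (!*p)				/* None found, we're safe */
		nlspath_safe = 1;
	else if (issetugid()) {			/* Found and set-uid, clean */
		int off = 1;

		/*
		 * Compact the array in place: each entry is copied back by
		 * the number of NLSPATH entries seen so far, so every
		 * NLSPATH entry is overwritten and the terminating NULL
		 * moves up with the rest.
		 */
		for (p++; (p[-off] = p[0]) != NULL; p++)
			if (**p == 'N' && nvmatch("NLSPATH", *p) != NULL)
				off++;

		nlspath_safe = 1;
	}
}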