1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include "lint.h"
30 #include "mtlib.h"
31 #include <string.h>
32 #include <syslog.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <limits.h>
36 #include <unistd.h>
37 #include <stdlib.h>
38 #include <thread.h>
39 #include <synch.h>
40 #include <ctype.h>
41 #include <errno.h>
42 #include "libc.h"
43 #include "nlspath_checks.h"
44 
45 extern const char **_environ;
46 
47 /*
48  * We want to prevent the use of NLSPATH by setugid applications but
49  * not completely.  CDE depends on this very much.
50  * Yes, this is ugly.
51  */
52 
53 struct trusted_systemdirs {
54 	const char	*dir;
55 	size_t	dirlen;
56 };
57 
58 #define	_USRLIB	"/usr/lib/"
59 #define	_USRDT	"/usr/dt/"
60 #define	_USROW	"/usr/openwin/"
61 
62 static const struct trusted_systemdirs	prefix[] = {
63 	{ _USRLIB,	sizeof (_USRLIB) - 1 },
64 	{ _USRDT,	sizeof (_USRDT) - 1 },
65 	{ _USROW,	sizeof (_USROW) - 1 },
66 	{ NULL,		0 }
67 };
68 
69 static int8_t nlspath_safe;
70 
71 /*
72  * Routine to check the safety of a messages file.
73  * When the program specifies a pathname and doesn't
74  * use NLSPATH, it should specify the "safe" flag as 1.
75  * Most checks will be disabled then.
76  * fstat64 is done here and the stat structure is returned
77  * to prevent duplication of system calls.
78  *
79  * The trust return value contains an indication of
80  * trustworthiness (i.e., does check_format need to be called or
81  * not)
82  */
83 
84 int
85 nls_safe_open(const char *path, struct stat64 *statbuf, int *trust, int safe)
86 {
87 	int	fd;
88 	int	trust_path;
89 	int	systemdir = 0;
90 	int	abs_path = 0;
91 	int	trust_owner = 0;
92 	int	trust_group = 0;
93 	const struct trusted_systemdirs	*p;
94 
95 	/*
96 	 * If SAFE_F has been specified or NLSPATH is safe (or not set),
97 	 * set trust_path and trust the file as an initial value.
98 	 */
99 	trust_path = *trust = safe || nlspath_safe;
100 
101 	fd = open(path, O_RDONLY);
102 
103 	if (fd < 0)
104 		return (-1);
105 
106 	if (fstat64(fd, statbuf) == -1) {
107 		(void) close(fd);
108 		return (-1);
109 	}
110 
111 	/*
112 	 * Trust only files owned by root or bin (uid 2), except
113 	 * when specified as full path or when NLSPATH is known to
114 	 * be safe.
115 	 * Don't trust files writable by other or writable
116 	 * by non-bin, non-root system group.
117 	 * Don't trust these files even if the path is correct.
118 	 * Since we don't support changing uids/gids on our files,
119 	 * we hardcode them here for now.
120 	 */
121 
122 	/*
123 	 * if the path is absolute and does not contain "/../",
124 	 * set abs_path.
125 	 */
126 	if (*path == '/' && strstr(path, "/../") == NULL) {
127 		abs_path = 1;
128 		/*
129 		 * if the path belongs to the trusted system directory,
130 		 * set systemdir.
131 		 */
132 		for (p = prefix; p->dir; p++) {
133 			if (strncmp(p->dir, path, p->dirlen) == 0) {
134 				systemdir = 1;
135 				break;
136 			}
137 		}
138 	}
139 
140 	/*
141 	 * If the owner is root or bin, set trust_owner.
142 	 */
143 	if (statbuf->st_uid == 0 || statbuf->st_uid == 2) {
144 		trust_owner = 1;
145 	}
146 	/*
147 	 * If the file is neither other-writable nor group-writable by
148 	 * non-bin and non-root system group, set trust_group.
149 	 */
150 	if ((statbuf->st_mode & (S_IWOTH)) == 0 &&
151 	    ((statbuf->st_mode & (S_IWGRP)) == 0 ||
152 	    (statbuf->st_gid < 4 && statbuf->st_gid != 1))) {
153 		trust_group = 1;
154 	}
155 
156 	/*
157 	 * Even if UNSAFE_F has been specified and unsafe-NLSPATH
158 	 * has been set, trust the file as long as it belongs to
159 	 * the trusted system directory.
160 	 */
161 	if (!*trust && systemdir) {
162 		*trust = 1;
163 	}
164 
165 	/*
166 	 * If:
167 	 *	file is not a full pathname,
168 	 * or
169 	 *	neither trust_owner nor trust_path is set,
170 	 * or
171 	 *	trust_group is not set,
172 	 * untrust it.
173 	 */
174 	if (*trust &&
175 	    (!abs_path || (!trust_owner && !trust_path) || !trust_group)) {
176 		*trust = 0;
177 	}
178 
179 	/*
180 	 * If set[ug]id process, open for the untrusted file should fail.
181 	 * Otherwise, the message extracted from the untrusted file
182 	 * will have to be checked by check_format().
183 	 */
184 	if (issetugid()) {
185 		if (!*trust) {
186 			/*
187 			 * Open should fail
188 			 */
189 			(void) close(fd);
190 			return (-1);
191 		}
192 
193 		/*
194 		 * if the path does not belong to the trusted system directory
195 		 * or if the owner is neither root nor bin, untrust it.
196 		 */
197 		if (!systemdir || !trust_owner) {
198 			*trust = 0;
199 		}
200 	}
201 
202 	return (fd);
203 }
204 
205 /*
206  * Extract a format into a normalized format string.
207  * Returns the number of arguments converted, -1 on error.
208  * The string norm should contain 2N bytes; an upperbound is the
209  * length of the format string.
210  * The canonical format consists of two chars: one is the conversion
211  * character (s, c, d, x, etc), the second one is the option flag.
212  * L, ll, l, w as defined below.
213  * A special conversion character, '*', indicates that the argument
214  * is used as a precision specifier.
215  */
216 
217 #define	OPT_L		0x01
218 #define	OPT_l		0x02
219 #define	OPT_ll		0x04
220 #define	OPT_w		0x08
221 #define	OPT_h		0x10
222 #define	OPT_hh		0x20
223 #define	OPT_j		0x40
224 
225 /* Number of bytes per canonical format entry */
226 #define	FORMAT_SIZE	2
227 
228 /*
229  * Check and store the argument; allow each argument to be used only as
230  * one type even though printf allows multiple uses.  The specification only
231  * allows one use, but we don't want to break existing functional code,
232  * even if it's buggy.
233  */
234 #define	STORE(buf, size, arg, val) 	if (arg * FORMAT_SIZE + 1 >= size ||\
235 					    (strict ? \
236 					    (buf[arg*FORMAT_SIZE] != '\0' && \
237 					    buf[arg*FORMAT_SIZE] != val) \
238 						: \
239 					    (buf[arg*FORMAT_SIZE] == 'n'))) \
240 						return (-1); \
241 					else {\
242 						if (arg >= maxarg) \
243 							maxarg = arg + 1; \
244 						narg++; \
245 						buf[arg*FORMAT_SIZE] = val; \
246 					}
247 
248 /*
249  * This function extracts sprintf format into a canonical
250  * sprintf form.  It's not as easy as just removing everything
251  * that isn't a format specifier, because of "%n$" specifiers.
252  * Ideally, this should be compatible with printf and not
253  * fail on bad formats.
254  * However, that makes writing a proper check_format that
255  * doesn't cause crashes a lot harder.
256  */
257 
258 static int
259 extract_format(const char *fmt, char *norm, size_t sz, int strict)
260 {
261 	int narg = 0;
262 	int t, arg, argp;
263 	int dotseen;
264 	char flag;
265 	char conv;
266 	int lastarg = -1;
267 	int prevarg;
268 	int maxarg = 0;		/* Highest index seen + 1 */
269 	int lflag;
270 
271 	(void) memset(norm, '\0', sz);
272 
273 #ifdef DEBUG
274 	printf("Format \"%s\" canonical form: ", fmt);
275 #endif
276 
277 	for (; *fmt; fmt++) {
278 		if (*fmt == '%') {
279 			if (*++fmt == '%')
280 				continue;
281 
282 			if (*fmt == '\0')
283 				break;
284 
285 			prevarg = lastarg;
286 			arg = ++lastarg;
287 
288 			t = 0;
289 			while (*fmt && isdigit(*fmt))
290 				t = t * 10 + *fmt++ - '0';
291 
292 			if (*fmt == '$') {
293 				lastarg = arg = t - 1;
294 				fmt++;
295 			}
296 
297 			if (*fmt == '\0')
298 				goto end;
299 
300 			dotseen = 0;
301 			flag = 0;
302 			lflag = 0;
303 again:
304 			/* Skip flags */
305 			while (*fmt) {
306 				switch (*fmt) {
307 				case '\'':
308 				case '+':
309 				case '-':
310 				case ' ':
311 				case '#':
312 				case '0':
313 					fmt++;
314 					continue;
315 				}
316 				break;
317 			}
318 
319 			while (*fmt && isdigit(*fmt))
320 				fmt++;
321 
322 			if (*fmt == '*') {
323 				if (isdigit(fmt[1])) {
324 					fmt++;
325 					t = 0;
326 					while (*fmt && isdigit(*fmt))
327 						t = t * 10 + *fmt++ - '0';
328 
329 					if (*fmt == '$') {
330 						argp = t - 1;
331 						STORE(norm, sz, argp, '*');
332 					}
333 					/*
334 					 * If digits follow a '*', it is
335 					 * not loaded as an argument, the
336 					 * digits are used instead.
337 					 */
338 				} else {
339 					/*
340 					 * Weird as it may seem, if we
341 					 * use an numbered argument, we
342 					 * get the next one if we have
343 					 * an unnumbered '*'
344 					 */
345 					if (fmt[1] == '$')
346 						fmt++;
347 					else {
348 						argp = arg;
349 						prevarg = arg;
350 						lastarg = ++arg;
351 						STORE(norm, sz, argp, '*');
352 					}
353 				}
354 				fmt++;
355 			}
356 
357 			/* Fail on two or more dots if we do strict checking */
358 			if (*fmt == '.' || *fmt == '*') {
359 				if (dotseen && strict)
360 					return (-1);
361 				dotseen = 1;
362 				fmt++;
363 				goto again;
364 			}
365 
366 			if (*fmt == '\0')
367 				goto end;
368 
369 			while (*fmt) {
370 				switch (*fmt) {
371 				case 'l':
372 					if (!(flag & OPT_ll)) {
373 						if (lflag) {
374 							flag &= ~OPT_l;
375 							flag |= OPT_ll;
376 						} else {
377 							flag |= OPT_l;
378 						}
379 					}
380 					lflag++;
381 					break;
382 				case 'L':
383 					flag |= OPT_L;
384 					break;
385 				case 'w':
386 					flag |= OPT_w;
387 					break;
388 				case 'h':
389 					if (flag & (OPT_h|OPT_hh))
390 						flag |= OPT_hh;
391 					else
392 						flag |= OPT_h;
393 					break;
394 				case 'j':
395 					flag |= OPT_j;
396 					break;
397 				case 'z':
398 				case 't':
399 					if (!(flag & OPT_ll)) {
400 						flag |= OPT_l;
401 					}
402 					break;
403 				case '\'':
404 				case '+':
405 				case '-':
406 				case ' ':
407 				case '#':
408 				case '.':
409 				case '*':
410 					goto again;
411 				default:
412 					if (isdigit(*fmt))
413 						goto again;
414 					else
415 						goto done;
416 				}
417 				fmt++;
418 			}
419 done:
420 			if (*fmt == '\0')
421 				goto end;
422 
423 			switch (*fmt) {
424 			case 'C':
425 				flag |= OPT_l;
426 				/* FALLTHROUGH */
427 			case 'd':
428 			case 'i':
429 			case 'o':
430 			case 'u':
431 			case 'c':
432 			case 'x':
433 			case 'X':
434 				conv = 'I';
435 				break;
436 			case 'e':
437 			case 'E':
438 			case 'f':
439 			case 'F':
440 			case 'a':
441 			case 'A':
442 			case 'g':
443 			case 'G':
444 				conv = 'D';
445 				break;
446 			case 'S':
447 				flag |= OPT_l;
448 				/* FALLTHROUGH */
449 			case 's':
450 				conv = 's';
451 				break;
452 			case 'p':
453 			case 'n':
454 				conv = *fmt;
455 				break;
456 			default:
457 				lastarg = prevarg;
458 				continue;
459 			}
460 
461 			STORE(norm, sz, arg, conv);
462 			norm[arg*FORMAT_SIZE + 1] = flag;
463 		}
464 	}
465 #ifdef DEBUG
466 	for (t = 0; t < maxarg * FORMAT_SIZE; t += FORMAT_SIZE) {
467 		printf("%c(%d)", norm[t], norm[t+1]);
468 	}
469 	putchar('\n');
470 #endif
471 end:
472 	if (strict)
473 		for (arg = 0; arg < maxarg; arg++)
474 			if (norm[arg*FORMAT_SIZE] == '\0')
475 				return (-1);
476 
477 	return (maxarg);
478 }
479 
480 char *
481 check_format(const char *org, const char *new, int strict)
482 {
483 	char *ofmt, *nfmt, *torg;
484 	size_t osz, nsz;
485 	int olen, nlen;
486 
487 	if (!org) {
488 		/*
489 		 * Default message is NULL.
490 		 * dtmail uses NULL for default message.
491 		 */
492 		torg = "(NULL)";
493 	} else {
494 		torg = (char *)org;
495 	}
496 
497 	/* Short cut */
498 	if (org == new || strcmp(torg, new) == 0 ||
499 	    strchr(new, '%') == NULL)
500 		return ((char *)new);
501 
502 	osz = strlen(torg) * FORMAT_SIZE;
503 	ofmt = malloc(osz);
504 	if (ofmt == NULL)
505 		return ((char *)org);
506 
507 	olen = extract_format(torg, ofmt, osz, 0);
508 
509 	if (olen == -1)
510 		syslog(LOG_AUTH|LOG_INFO,
511 		    "invalid format in gettext argument: \"%s\"", torg);
512 
513 	nsz = strlen(new) * FORMAT_SIZE;
514 	nfmt = malloc(nsz);
515 	if (nfmt == NULL) {
516 		free(ofmt);
517 		return ((char *)org);
518 	}
519 
520 	nlen = extract_format(new, nfmt, nsz, strict);
521 
522 	if (nlen == -1) {
523 		free(ofmt);
524 		free(nfmt);
525 		syslog(LOG_AUTH|LOG_NOTICE,
526 		    "invalid format in message file \"%.100s\" -> \"%s\"",
527 		    torg, new);
528 		errno = EBADMSG;
529 		return ((char *)org);
530 	}
531 
532 	if (strict && (olen != nlen || olen == -1)) {
533 		free(ofmt);
534 		free(nfmt);
535 		syslog(LOG_AUTH|LOG_NOTICE,
536 		    "incompatible format in message file: \"%.100s\" != \"%s\"",
537 		    torg, new);
538 		errno = EBADMSG;
539 		return ((char *)org);
540 	}
541 
542 	if (strict && memcmp(ofmt, nfmt, nlen * FORMAT_SIZE) == 0) {
543 		free(ofmt);
544 		free(nfmt);
545 		return ((char *)new);
546 	} else {
547 		if (!strict) {
548 			char *n;
549 
550 			nlen *= FORMAT_SIZE;
551 
552 			for (n = nfmt; n = memchr(n, 'n', nfmt + nlen - n);
553 			    n++) {
554 				int off = (n - nfmt);
555 
556 				if (off >= olen * FORMAT_SIZE ||
557 				    ofmt[off] != 'n' ||
558 				    ofmt[off+1] != nfmt[off+1]) {
559 					free(ofmt);
560 					free(nfmt);
561 					syslog(LOG_AUTH|LOG_NOTICE,
562 					    "dangerous format in message file: "
563 					    "\"%.100s\" -> \"%s\"", torg, new);
564 					errno = EBADMSG;
565 					return ((char *)org);
566 				}
567 			}
568 			free(ofmt);
569 			free(nfmt);
570 			return ((char *)new);
571 		}
572 		free(ofmt);
573 		free(nfmt);
574 		syslog(LOG_AUTH|LOG_NOTICE,
575 		    "incompatible format in message file \"%.100s\" != \"%s\"",
576 		    torg, new);
577 		errno = EBADMSG;
578 		return ((char *)org);
579 	}
580 }
581 
582 /*
583  * s1 is either name, or name=value
584  * s2 is name=value
585  * if names match, return value of s2, else NULL
586  * used for environment searching: see getenv
587  */
588 const char *
589 nvmatch(const char *s1, const char *s2)
590 {
591 	while (*s1 == *s2++)
592 		if (*s1++ == '=')
593 			return (s2);
594 	if (*s1 == '\0' && *(s2-1) == '=')
595 		return (s2);
596 	return (NULL);
597 }
598 
599 /*
600  * Handle NLSPATH environment variables in the environment.
601  * This routine is hooked into getenv/putenv at first call.
602  *
603  * The intention is to ignore NLSPATH in set-uid applications,
604  * and determine whether the NLSPATH in an application was set
605  * by the applications or derived from the user's environment.
606  */
607 
608 void
609 clean_env(void)
610 {
611 	const char **p;
612 
613 	if (_environ == NULL) {
614 		/* can happen when processing a SunOS 4.x AOUT file */
615 		nlspath_safe = 1;
616 		return;
617 	}
618 
619 	/* Find the first NLSPATH occurrence */
620 	for (p = _environ; *p; p++)
621 		if (**p == 'N' && nvmatch("NLSPATH", *p) != NULL)
622 			break;
623 
624 	if (!*p)				/* None found, we're safe */
625 		nlspath_safe = 1;
626 	else if (issetugid()) {			/* Found and set-uid, clean */
627 		int off = 1;
628 
629 		for (p++; (p[-off] = p[0]) != '\0'; p++)
630 			if (**p == 'N' && nvmatch("NLSPATH", *p) != NULL)
631 				off++;
632 
633 		nlspath_safe = 1;
634 	}
635 }
636