CVE-2013-4476: lib-util: add file_check_permissions()
authorBjörn Baumbach <bb@sernet.de>
Tue, 29 Oct 2013 16:43:17 +0000 (17:43 +0100)
committerKarolin Seeger <kseeger@samba.org>
Mon, 11 Nov 2013 10:14:36 +0000 (11:14 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
lib/util/samba_util.h
lib/util/util.c

index 89aa9aa7d8e5ae1a36ebea8f980de7f2fbefc096..f98cf6066a3cb3aee077b0c1361d0f613e200e7a 100644 (file)
@@ -622,6 +622,15 @@ _PUBLIC_ time_t file_modtime(const char *fname);
 **/
 _PUBLIC_ bool directory_exist(const char *dname);
 
+/**
+ Check file permissions.
+**/
+struct stat;
+_PUBLIC_ bool file_check_permissions(const char *fname,
+                                    uid_t uid,
+                                    mode_t file_perms,
+                                    struct stat *pst);
+
 /**
  * Try to create the specified directory if it didn't exist.
  *
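Review bot: The doc comment on the new prototype says only "Check file permissions." and is separated from the declaration by the `struct stat;` forward declaration, so documentation tools will probably attach it to the wrong entity. Move `struct stat;` above the comment. The comment should also state the contract visible in util.c: the function returns true only when stat() succeeds, the file is owned by `uid`, and `(st_mode & 0777)` equals `file_perms` exactly, so stricter modes are rejected too. It should also say that `pst` may be NULL and otherwise receives the stat result, and that the ownership test is skipped when `uwrap_enabled()` is true.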
index f0ed7f645b2062354c02dbaf9e477d01c17b46ab..3e9047ca9129bb0d351eb09cfedaf4770797e3ee 100644 (file)
@@ -121,6 +121,50 @@ _PUBLIC_ time_t file_modtime(const char *fname)
        return(st.st_mtime);
 }
 
+/**
+ Check file permissions.
+**/
+
+_PUBLIC_ bool file_check_permissions(const char *fname,
+                                    uid_t uid,
+                                    mode_t file_perms,
+                                    struct stat *pst)
+{
+       int ret;
+       struct stat st;
+
+       if (pst == NULL) {
+               pst = &st;
+       }
+
+       ZERO_STRUCTP(pst);
+
+       ret = stat(fname, pst);
+       if (ret != 0) {
+               DEBUG(0, ("stat failed on file '%s': %s\n",
+                        fname, strerror(errno)));
+               return false;
+       }
+
+       if (pst->st_uid != uid && !uwrap_enabled()) {
+               DEBUG(0, ("invalid ownership of file '%s': "
+                        "owned by uid %u, should be %u\n",
+                        fname, (unsigned int)pst->st_uid,
+                        (unsigned int)uid));
+               return false;
+       }
+
+       if ((pst->st_mode & 0777) != file_perms) {
+               DEBUG(0, ("invalid permissions on file "
+                        "'%s': has 0%o should be 0%o\n", fname,
+                        (unsigned int)(pst->st_mode & 0777),
+                        (unsigned int)file_perms));
+               return false;
+       }
+
+       return true;
+}
+
 /**
  Check if a directory exists.
 **/
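Review bot: The `stat(fname, pst)` call in file_check_permissions() follows symlinks and checks a path rather than an open descriptor, so the object a caller opens afterwards is not guaranteed to be the one that passed this check. The function also accepts any file type with matching owner and mode. A cheap hardening is to reject non-regular files after the stat succeeds, e.g. `if (!S_ISREG(pst->st_mode)) { return false; }` with a DEBUG message in the style of the other branches. The callers are not visible here, but presumably they open the file by name after this returns. The doc comment should therefore tell them to `fstat()` the opened descriptor and compare `st_dev`/`st_ino` against the returned `pst`, or an fd-based variant should be offered.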