| Commit message (Collapse) | Author | Age |
... | |
This gets rid of some particularly awful allocation spaghetti in
src/globbing.c.
* bootstrap.conf (gnulib_modules): Add rbtree-list.
* lib/orderfiles.c (compare_physical_offsets): Expect arguments to be
const char * rather than const char **.
(order_files): Convert to taking a gl_list_t as an input/output argument
rather than an array. In the HAVE_LINUX_FIEMAP_H case, we produce a new
sorted list.
* lib/orderfiles.h (order_files): Update prototype.
* src/globbing.c (clear_glob): Remove.
(match_in_directory): Convert to gl_list. Remove inter-call allocation
and cleanup machinery.
(look_for_file): Convert to gl_list. Remove glob_t cleanup machinery;
the caller is now responsible for freeing the returned list.
* src/globbing.h (look_for_file): Update prototype.
* src/check_mandirs.c (add_dir_entries, count_glob_matches,
purge_normal): Convert to gl_list.
* src/straycats.c (check_for_stray): Likewise.
* src/check_mandirs.c (purge_whatis, purge_missing): Convert to gl_list.
Free list returned by look_for_file.
* src/globbing_test.c (main): Likewise.
* src/man.c (try_section, do_global_apropos_section): Likewise.
* src/zsoelim.l (zsoelim_open_file): Likewise.
|
* lib/glcontainers.h (GL_LIST_FOREACH_START, GL_LIST_FOREACH_END): New
macros.
* src/catman.c (main): Replace manual list iteration with equivalent
macros.
* src/man.c (do_global_apropos, locate_page_in_manpath): Likewise.
* src/mandb.c (main): Likewise.
* src/manp.c (get_config, print_list, get_sections, def_path,
get_manpath_from_path, create_pathlist, get_mandb_manpath, get_catpath,
is_global_mandir): Likewise.
* src/whatis.c (search): Likewise.
* src/zsoelim.l (zsoelim_open_file): Likewise.
|
This is less annoying to type.
* lib/gl-container-helpers.c: Rename to ...
* lib/glcontainers.c: ... this.
* lib/gl-container-helpers.h: Rename to ...
* lib/glcontainers.h: ... this.
* lib/Makefile.am (libman_la_SOURCES): Replace gl-container-helpers.c
and gl-container-helpers.h with glcontainers.c and glcontainers.h.
* src/manp.c: Update include.
|
* src/manp.c (string_equals, string_hash, string_free): Move to ...
* lib/gl-container-helpers.c (string_equals, string_hash, plain_free):
... here (new file).
* lib/gl-container-helpers.h: New file.
* lib/Makefile.am (libman_la_SOURCES): Add gl-container-helpers.c and
gl-container-helpers.h.
|
Also remove lib/xchown.*; with only one call site, they don't pull their
weight over equivalent inline code.
* bootstrap.conf (gnulib_modules): Add lchown.
* configure.ac (AC_CHECK_FUNCS): Remove check for lchown.
* lib/Makefile.am (libman_la_SOURCES): Remove xchown.c and xchown.h.
* src/check_mandirs.c (chown_if_possible): Always use lchown rather than
chown, and inline the error check.
* po/POTFILES.in: Remove lib/xchown.c.
* po/man-db.pot, po/*.po: Update.
|
Now that we're using <stdbool.h> anyway due to gl_list (with Gnulib
providing <stdbool.h> if necessary), it makes sense to use it for our
own functions that have essentially boolean semantics.
* lib/encodings.c (compatible_encodings, is_roff_device): Return bool.
* lib/pathsearch.c (pathsearch, pathsearch_executable,
directory_on_path): Likewise.
* lib/sandbox.c (search_ld_preload, can_load_seccomp): Likewise.
* lib/security.c (running_setuid): Likewise.
* lib/wordfnmatch.c (word_fnmatch): Likewise. Update all callers.
* src/check_mandirs.c (sanity_check_db): Likewise.
* src/man.c (duplicate_candidates): Likewise.
* src/manp.c (is_global_mandir): Likewise. Update all callers.
* src/whatis.c (suitable_manpath, match): Likewise.
(any_set, all_set): Likewise. Update all callers.
* lib/encodings.h (is_roff_device): Update prototype.
* lib/pathsearch.h (pathsearch_executable, directory_on_path): Likewise.
* lib/security.h (running_setuid): Likewise.
* lib/wordfnmatch.h (word_fnmatch): Likewise.
* src/manp.h (is_global_mandir): Likewise.
* src/mandb.c (mandb, process_manpath): Change global_manpath parameter
type to bool.
|
This is a proprietary antivirus program and I've only been able to guess
at how to handle it. Note that it is no longer supported by Microsoft
and so users should probably replace it with something else, but I still
want to minimise the number of support requests I get related to it.
* lib/sandbox.c (make_seccomp_filter): If libscep_pac.so is preloaded,
then allow some system calls related to sockets and System V message
queues.
* NEWS: Document this.
|
NULL is formally incorrect here since the standard allows it to be an
integer constant expression.
* lib/decompress.c (decompress_open, decompress_fdopen): Use (void *)
rather than NULL as a sentinel for variadic functions.
* libdb/db_delete.c (dbdelete): Likewise.
* src/catman.c (catman, parse_for_sec, main): Likewise.
* src/check_mandirs.c (add_dir_entries): Likewise.
* src/compression.c (comp_file): Likewise.
* src/filenames.c (make_filename): Likewise.
* src/globbing.c (look_for_file): Likewise.
* src/lexgrog.l (find_name): Likewise.
* src/man.c (do_extern, run_mandb, make_roff_command, make_browser,
setenv_less, add_output_iconv, make_display_command, tmp_cat_filename,
format_display_and_save, format_display, display_catman, display,
local_man_loop): Likewise.
* src/manconv_client.c (add_manconv): Likewise.
* src/manconv_main.c (parse_opt): Likewise.
* src/manp.c (pathappend, add_nls_manpaths, add_system_manpath,
add_dir_to_path_list, get_catpath): Likewise.
* src/straycats.c (check_for_stray, open_catdir, straycats): Likewise.
* src/whatis.c (use_grep, display): Likewise.
|
* lib/decompress.c (decompress_zlib): Fix fd leak if gzdopen fails.
* lib/encodings.c (find_charset_locale): Free locale if setlocale fails.
* src/man.c (make_roff_command): Free fmt_prog.
* src/mandb.c (process_manpath): Free catpath if manpath is not a
directory.
* src/whatis.c (do_apropos): Free found_here.
Signed-off-by: Nikola Forró <nforro@redhat.com>
|
* lib/sandbox.c (make_seccomp_filter): If libesets_pac.so is preloaded,
then allow msgset (second argument 0) and msgsnd.
* NEWS: Document this.
|
These were previously only allowed when ESET File Security is in use,
but the Astrill VPN seems to require something similar, there are
doubtless other such preload hacks, and they're relatively harmless.
* lib/sandbox.c (make_seccomp_filter): Allow shmat (third argument
SHM_RDONLY), shmctl (second argument IPC_STAT), shmdt, and shmget
regardless of preloads.
* NEWS: Document this.
|
As usual for system calls, access(2) returns zero on success. However,
I generally think of it as "can we access this file in this way", where
boolean semantics would be more convenient, and find it too easy to
invert logic by accident when using the system call directly. Define a
CAN_ACCESS wrapper with boolean semantics.
* include/manconfig.h.in (CAN_ACCESS): New macro.
* lib/tempfile.c (path_search): Use CAN_ACCESS.
* src/catman.c (check_access): Likewise.
* src/filenames.c (make_filename): Likewise.
* src/man.c (make_roff_command, display): Likewise.
* src/ult_src.c (find_include): Likewise.
* src/whatis.c (use_grep): Likewise.
|
* lib/hashtable.c (plain_hashtable_free): Remove; this is precisely
equivalent to free.
* lib/hashtable.h (plain_hashtable_free): Remove.
* lib/orderfiles.c (order_files): Use free rather than
plain_hashtable_free.
* libdb/db_btree.c (btree_findkey): Likewise.
* lib/pathsearch.c (pathsearch, directory_on_path): Remove useless
if-before-free.
* libdb/db_lookup.c (free_mandata_elements): Likewise.
* src/check_mandirs.c (test_manfile, count_glob_matches): Likewise.
* src/descriptions.c (free_descriptions): Likewise.
* src/lexgrog_test.c (main): Likewise.
* src/man.c (display_filesystem, display_database, get_section_list):
Likewise.
* src/manp.c (add_system_manpath): Likewise.
* src/straycats.c (check_for_stray, straycats): Likewise.
* src/ult_src.c (ult_src): Likewise.
|
We no longer keep autogenerated files in git.
* .gitignore: Add **/Makefile, **/Makefile.in, /ABOUT-NLS, /aclocal.m4,
/build-aux, /config.h.in, /configure, /gl, /gnulib,
docs/INSTALL.autoconf, po/Makefile.in.in, po/Makevars, po/Rules-quot,
po/boldquot.sed, po/en@boldquot.header, po/en@quot.header,
po/insert-header.sin, po/quot.sed, and po/remove-potcdate.sin. Remove
docs/Makefile, gnulib/*, init/Makefile, init/systemd/Makefile,
lib/Makefile, libdb/Makefile, man/Makefile, man/*/Makefile,
manual/Makefile, po/Makefile, po/Makefile.in, src/Makefile,
src/tests/Makefile, and tools/Makefile.
* ABOUT-NLS, Makefile.in, aclocal.m4, autogen.sh, build-aux,
config.h.in, configure, docs/INSTALL.autoconf, docs/Makefile.in, gnulib,
init/Makefile.in, init/systemd/Makefile.in, lib/Makefile.in,
libdb/Makefile.in, man/Makefile.in, man/da/Makefile.in,
man/de/Makefile.in, man/es/Makefile.in, man/fr/Makefile.in,
man/id/Makefile.in, man/it/Makefile.in, man/ja/Makefile.in,
man/nl/Makefile.in, man/pl/Makefile.in, man/po4a/Makefile.in,
man/pt_BR/Makefile.in, man/ru/Makefile.in, man/sr/Makefile.in,
man/sv/Makefile.in, man/tr/Makefile.in, man/zh_CN/Makefile.in,
manual/Makefile.in, po/Makefile.in.in, po/Makevars, po/Rules-quot,
po/boldquot.sed, po/en@boldquot.header, po/en@quot.header,
po/insert-header.sin, po/quot.sed, po/remove-potcdate.sin,
src/Makefile.in, src/tests/Makefile.in, tools/Makefile.in: Remove.
* bootstrap, bootstrap.conf: New files.
* Makefile.am (GNULIB_PO, SUBDIRS, EXTRA_DIST, ACLOCAL_AMFLAGS): Refer
to gl/ rather than gnulib/ (gnulib/ now contains pristine source).
(EXTRA_DIST): Replace autogen.sh with bootstrap and bootstrap.conf.
Replace gnulib/argp-domain.patch with patches/argp-domain.patch. Add
patches/fdutimens-hurd.patch. Remove gnulib/m4/gnulib-cache.m4 and
gnulib/m4/gnulib-tool.m4.
* gnulib/argp-domain.patch: Rename to ...
* patches/argp-domain.patch: ... this. Update target paths.
* gnulib/fdutimens-hurd.patch: Rename to ...
* patches/fdutimens-hurd.patch: ... this. Update target paths.
* configure.ac (AM_GNU_GETTEXT_VERSION): Upgrade to 0.18.3, for
compatibility with current Automake.
(HAVE_GNULIB_PO, AC_CONFIG_FILES): Refer to gl/ rather than gnulib/.
* lib/Makefile.am (libman_la_CPPFLAGS, libman_la_LIBADD): Likewise.
* libdb/Makefile.am (libmandb_la_CPPFLAGS): Likewise.
* src/Makefile.am (AM_CPPFLAGS, LIBMAN): Likewise.
* src/tests/Makefile.am (AM_CPPFLAGS, fspause_LDADD): Likewise.
* docs/HACKING: Describe new policy.
* release.sh: Call ./bootstrap rather than ./autogen.sh.
|
This is used by xz-utils >= 5.2.3 if the --threads=0 option is in use
(perhaps via XZ_DEFAULTS or XZ_OPT).
Reported by Axel Rohde.
* lib/sandbox.c (make_seccomp_filter): Allow sched_getaffinity.
* NEWS: Document this.
|
Fixes Savannah bug #53575.
* m4/man-arg-cache-owner.m4: Set and substitute cache_top_owner.
* init/systemd/man-db.conf.in: Substitute cache_top_owner rather than
man_owner.
* init/systemd/Makefile.am (man-db.conf): Likewise.
* NEWS: Document this.
|
* lib/decompress.c (decompress_open): Remove filename from
decompress_zlib command name. pipeline_dump already includes this
information from want_infile.
|
This works better with downstream AppArmor confinement of decompressors.
* lib/decompress.c (decompress_open): Don't pass filename on
decompressor command lines.
* NEWS: Document this.
|
Fixes Debian bug #891267.
* lib/sandbox.c (make_seccomp_filter): Allow sibling architectures on
x86/x86_64/x32.
* NEWS: Document this.
|
* lib/sandbox.c (make_seccomp_filter, _sandbox_load): Declare as static.
|
This is unfortunate but unavoidable: groff uses kill to explicitly pass
on SIGPIPE to its child processes, and we can't do any more
sophisticated filtering in seccomp.
Based on a patch by Paul Wise. Fixes Debian bug #892309.
* lib/sandbox.c (make_seccomp_filter): Allow kill and tgkill
unconditionally.
(adjust_seccomp_filter): Remove.
(_sandbox_load): Remove call to adjust_seccomp_filter.
* NEWS: Document this.
|
Reported by Tobias Klausmann.
* lib/sandbox.c (make_seccomp_filter): Allow madvise.
* NEWS: Document this.
|
Fixes Debian bug #891109.
* lib/sandbox.c (_sandbox_load): Interpret EFAULT from seccomp_load as
meaning that seccomp is unavailable, since this can be returned by some
versions of qemu-user.
* NEWS: Document this.
|
* lib/sandbox.c (make_seccomp_filter): If libesets_pac.so is preloaded,
then allow some shared memory calls and checking for the existence of
other processes.
|
Fixes Debian bug #890861.
* lib/sandbox.c (search_ld_preload): Cache /etc/ld.so.preload contents
between calls.
(make_seccomp_filter): Allow some socket-related system calls if
libsnoopy.so is preloaded.
|
* lib/sandbox.c (make_seccomp_filter): LD_PRELOAD or /etc/ld.so.preload
can just contain "libesets_pac.so" without an explicit path, so make the
search slightly more permissive.
|
At least ESET File Security may be configured using /etc/ld.so.preload
rather than the LD_PRELOAD environment variable, so unfortunately we
need to check that too.
* lib/sandbox.c (search_ld_preload): New function, handling both
LD_PRELOAD and /etc/ld.so.preload.
(can_load_seccomp, make_seccomp_filter): Use search_ld_preload.
|
This is a proprietary antivirus program, so this is only a best guess
from strace output. The choices are to disable the sandbox entirely or
to allow a few socket-related system calls if this antivirus program is
detected, and the latter is probably slightly better.
Reported by John Sivak.
* lib/sandbox.c (make_seccomp_filter): If LD_PRELOAD contains the
substring "/libesets_pac.so", then allow some socket-related system
calls so that the preload wrapper can talk to its daemon.
* NEWS: Document this.
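
The three commits above describe detecting a preloaded library first by substring search in LD_PRELOAD, then also in /etc/ld.so.preload, then by bare file name. The following is an added example, not code from lib/sandbox.c: it contrasts a substring search with an entry-by-entry file-name comparison. The function names, the separator set and the sample paths are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Substring search, as in the earliest commit message: true if `needle`
   occurs anywhere in the preload list. */
bool substring_search(const char *list, const char *needle)
{
    return list != NULL && strstr(list, needle) != NULL;
}

/* Entry-by-entry search: split the list on whitespace and colons (assumed
   separators) and compare the last path component of each entry with `lib`.
   Matches both "libfoo.so" and "/some/dir/libfoo.so", nothing else. */
bool entry_search(const char *list, const char *lib)
{
    static const char seps[] = " \t\n:";
    size_t liblen = strlen(lib);

    if (list == NULL || liblen == 0)
        return false;
    while (*list != '\0') {
        list += strspn(list, seps);          /* skip separators */
        size_t len = strcspn(list, seps);    /* length of this entry */
        if (len == 0)
            break;
        const char *base = list;             /* start of last component */
        for (size_t i = 0; i < len; i++)
            if (list[i] == '/')
                base = list + i + 1;
        size_t baselen = (size_t) ((list + len) - base);
        if (baselen == liblen && memcmp(base, lib, liblen) == 0)
            return true;
        list += len;
    }
    return false;
}

/* Check both sources of preloads: the LD_PRELOAD value and the contents of
   /etc/ld.so.preload, passed in as strings so the example runs offline. */
bool preload_names_library(const char *env_value, const char *file_contents,
                           const char *lib)
{
    return entry_search(env_value, lib) || entry_search(file_contents, lib);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *bare = "libesets_pac.so";
    const char *full = "/usr/lib/libfoo.so:/opt/constructed/libesets_pac.so";
    const char *lookalike = "/tmp/libesets_pac.so.disabled";

    printf("substring: bare=%d full=%d lookalike=%d\n",
           substring_search(bare, "/libesets_pac.so"),
           substring_search(full, "/libesets_pac.so"),
           substring_search(lookalike, "/libesets_pac.so"));
    printf("entry:     bare=%d full=%d lookalike=%d\n",
           entry_search(bare, "libesets_pac.so"),
           entry_search(full, "libesets_pac.so"),
           entry_search(lookalike, "libesets_pac.so"));
    return 0;
}
```

Because a positive match widens the seccomp allow-list, the comparison decides how often the relaxed policy applies.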
|
Patch from the anonymous reporter of
https://savannah.nongnu.org/bugs/?53183 (though I think it is obvious for
copyright purposes given knowledge of the failing system call).
Fixes Savannah bug #53183 (maybe).
* lib/sandbox.c (make_seccomp_filter): Allow ioctl(fd, TIOCGWINSZ).
* NEWS: Document this.
|
xz is multithreaded, so the threading library may need to use tgkill to
pass signals between threads, for example when it receives SIGPIPE.
Fixes Savannah bug #53143.
* lib/sandbox.c (SC_ALLOW, SC_ALLOW_ARG_1, SC_ALLOW_ARG_2): Move macro
definitions out of make_seccomp_filter.
(adjust_seccomp_filter): New function.
(sandbox_load): Call adjust_seccomp_filter.
* NEWS: Document this.
|
* Makefile.am, NEWS, README, docs/HACKING, docs/INSTALL.quick,
lib/sandbox.c, manual/misc.me, src/check_mandirs.c, src/man.c,
src/manconv.c, src/tests/man-1, src/tests/man-2, src/tests/mandb-2,
src/tests/mandb-4, src/tests/mandb-5, src/tests/zsoelim-1: Replace
http:// links with https:// equivalents.
* docs/HACKING: Replace git:// link with an https:// equivalent.
|
* lib/sandbox.c (make_seccomp_filter): Allow mremap, which may be used
by iconv when reading files, depending on libc configuration.
* NEWS: Document this.
|
* lib/security.c (init_security, running_setuid): Define
unconditionally, with stub behaviour if MAN_OWNER is undefined.
* lib/security.h (get_man_owner): Only declare prototype if MAN_OWNER is
defined.
* src/check_mandirs.c (chown_if_possible) [!MAN_OWNER]: Mark path
argument as unused.
* src/lexgrog_test.c (main): Call init_security unconditionally.
* src/man.c (main): Likewise.
* src/manconv_client.c (manconv_pre_exec): Define unconditionally.
(add_manconv): Simplify, since running_setuid is now always defined.
* src/mandb.c (main): Call init_security unconditionally. Use
get_man_owner rather than equivalent inline code.
* src/manp.c (get_def): Define unconditionally.
* src/manp.h (get_def): Drop macro alternative.
|
Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
* lib/security.c (drop_privs): New function.
(do_system_drop_privs_child, do_system_drop_privs): Remove.
* lib/security.h (drop_privs): Add prototype.
(do_system_drop_privs): Remove prototype.
* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
command.
(format_display): Call browser using pipeline_run rather than
do_system_drop_privs, since it now has a pre-exec hook to drop
privileges.
|
The sandbox interface now exposes the necessary load/free primitives,
and callers use them directly with pipecmd_pre_exec. This allows the
sandbox to be composed with other pre-exec hooks.
* lib/sandbox.c (man_sandbox_op, sandbox_attach,
sandbox_attach_permissive): Remove.
(sandbox_load): Rename to ...
(_sandbox_load): ... this.
(sandbox_load, sandbox_load_permissive): New functions.
(sandbox_free): Expect a man_sandbox * rather than a man_sandbox_op *.
* lib/sandbox.h: Update prototypes.
* lib/decompress.c (decompress_open, decompress_fdopen): Update sandbox
attachment calls.
* src/lexgrog.l (find_name): Likewise.
* src/man.c (add_col, make_roff_command, add_output_iconv,
make_display_command, open_cat_stream, display_catman): Likewise.
* src/manconv_client.c (add_manconv): Likewise.
* src/straycats.c (check_for_stray): Likewise.
* src/whatis.c (use_grep): Likewise.
|
* lib/sandbox.c [HAVE_LIBSECCOMP]: Include <termios.h>, since some
architectures need this for TCGETS as well as <sys/ioctl.h>.
|
* lib/sandbox.c (make_seccomp_filter): Allow ioctl (..., TCGETS, ...) in
non-permissive mode (ioctl in general is already allowed in permissive
mode).
|
* lib/sandbox.c (gripe_seccomp_filter_unavailable): New function.
(can_load_seccomp): Return early if seccomp filtering has already been
detected as unavailable.
(sandbox_load): If seccomp_load returns an EINVAL error, assume that the
running kernel doesn't support seccomp filtering and emit a debugging
message rather than failing.
|
* lib/sandbox.c (make_seccomp_filter): Add sync_file_range2.
|
* lib/sandbox.c (make_seccomp_filter): Add arm_fadvise64_64 and
arm_sync_file_range.
|
Fixes Debian bug #877199.
* configure.ac: Require libpipeline >= 1.5.0. Call MAN_LIBSECCOMP.
* docs/INSTALL.quick: Bump minimum libpipeline version to 1.5.0. List
libseccomp as recommended.
* lib/Makefile.am (libman_la_CPPFLAGS): Add $(libseccomp_CFLAGS).
(libman_la_SOURCES): Add sandbox.c and sandbox.h.
(libman_la_LDFLAGS): Add $(libseccomp_LIBS).
* lib/sandbox.c: New file.
* lib/sandbox.h: New file.
* m4/man-libseccomp.m4: New file.
* src/man.c (set_term): Check that process ID matches original before
calling tcsetattr.
(get_term): Record original process ID to work around an arguable bug in
pipecmd_exec.
* src/lexgrog_test.c (main), src/man.c (main), src/manconv_main.c
(main), src/mandb.c (main), src/zsoelim_main.c (main): Initialise
sandbox.
* lib/decompress.c (decompress_open, decompress_fdopen): Attach sandbox
to decompression commands.
* src/lexgrog.l (find_name): Attach sandbox to 'col'.
* src/man.c (add_col): Attach sandbox to 'col'.
(make_roff_command): Attach sandbox to 'zsoelim' and to groff-related
programs.
(add_output_iconv): Attach sandbox to 'iconv'.
(make_display_command): Attach sandbox to 'tr'.
(open_cat_stream, display_catman): Attach sandbox to compression
commands.
* src/manconv_client.c (add_manconv): Attach sandbox to manconv_stdin.
* src/straycats.c (check_for_stray): Attach sandbox to 'col'.
* src/whatis.c (use_grep): Attach sandbox to 'grep'.
* src/accessdb.c, src/catman.c, src/globbing_test.c, src/manpath.c:
Define stub sandbox variable.
* docs/NEWS: Document this.
|
Needed to make the previous commit portable.
|
The latter had always been defined to the former anyway, and now that
the cache owner can be changed without actually installing setuid the
latter is more descriptive.
* m4/man-arg-cache-owner.m4: Define MAN_OWNER rather than
SECURE_MAN_UID. Update all users.
* include/manconfig.h.in (MAN_OWNER): Remove definition.
|
man-db has created its cache directories as setgid root for nearly 20
years. This seems to have originated in https://bugs.debian.org/26002.
However, this has some dangerous consequences, such as:
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
It seems best to arrange for cache files and directories to be man:man
rather than man:root. To do this reliably, as well as adjusting various
chown and chmod calls, we make man and mandb be setgid man as well as
setuid man (except in the --disable-setuid case). This is a much
simpler and safer solution to the original problem, and doesn't
introduce any interesting new privilege since the man group's only real
purpose is to be the man user's primary group and nothing in cache
directories is group-writeable.
* configure.ac (AC_CHECK_FUNCS): Add lchown.
* lib/security.c (init_security): Record initial real and effective
group IDs as well as user IDs.
(drop_effective_privs, regain_effective_privs): Update gid.
* lib/xchown.c (xlchown) [HAVE_LCHOWN]: New function.
* lib/xchown.c (xlchown) [HAVE_LCHOWN]: Add prototype.
* m4/man-arg-setuid.m4: Set man_mode to 6755 rather than 4755 in the
--enable-setuid case.
* src/Makefile.am (install-exec-hook): Check for man_mode being 6755
rather than 4755. Set the group of man and mandb as well as their
owner.
* src/check_mandirs.c (chown_if_possible): New function. This is
somewhat more careful than previous implementations, changes the group
as well as the user if possible, and prefers lchown if it is available.
(mkcatdirs): Drop S_ISGID from cat directories. Use chown_if_possible.
(fix_permissions, fix_permissions_tree): New functions to remove setgid
bit from existing cat directories.
(testmandirs): Call fix_permissions_tree.
* src/check_mandirs.h (chown_if_possible): Add prototype.
* src/man.c (commit_tmp_cat): Set cat file group as well as owner.
* src/mandb.c (check_chown): Remove.
(do_chown): Stop taking a uid parameter. Use chown_if_possible.
(mandb): Use chown_if_possible for CACHEDIR.TAG. Set ownership and
permissions of CACHEDIR.TAG even if it already exists.
(process_manpath): Set ownership of database files even if they have not
been changed.
|
If push_cleanup was called unexpectedly between a
push_cleanup/pop_cleanup pair, then the pop_cleanup would remove the
wrong cleanup function and chaos could ensue. Avoid this by being more
precise about which cleanup function should be popped.
* lib/cleanup.c (pop_cleanup): Take "fun" and "arg" arguments. Pop the
topmost matching function from the stack, rather than just the topmost
function. Update all callers and prototypes.
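
The failure mode in the commit message above, as an added example that is not the code in lib/cleanup.c: a small cleanup stack with both the old "pop whatever is on top" behaviour and the matching pop. The fixed-size stack, `pop_cleanup_topmost`, `scenario` and the two cleanup functions are hypothetical names constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef void (*cleanup_fun) (void *);
struct slot { cleanup_fun fun; void *arg; };

#define MAX_SLOTS 16
static struct slot stack[MAX_SLOTS];
static size_t depth;

bool push_cleanup(cleanup_fun fun, void *arg)
{
    if (depth == MAX_SLOTS)
        return false;
    stack[depth].fun = fun;
    stack[depth].arg = arg;
    depth++;
    return true;
}

/* Old behaviour: remove the topmost entry, whatever it is. */
void pop_cleanup_topmost(void)
{
    if (depth > 0)
        depth--;
}

/* New behaviour: remove the topmost entry that matches (fun, arg). */
bool pop_cleanup(cleanup_fun fun, void *arg)
{
    for (size_t i = depth; i > 0; i--) {
        if (stack[i - 1].fun == fun && stack[i - 1].arg == arg) {
            for (size_t j = i; j < depth; j++)   /* close the gap */
                stack[j - 1] = stack[j];
            depth--;
            return true;
        }
    }
    return false;                                /* nothing matched */
}

/* Run the remaining cleanups, most recent first, as at process exit. */
void do_cleanups(void)
{
    while (depth > 0) {
        depth--;
        stack[depth].fun(stack[depth].arg);
    }
}

static int ran;   /* bit 0: unlink_tmp ran, bit 1: restore_tty ran */
static void unlink_tmp(void *arg)  { (void) arg; ran |= 1; }
static void restore_tty(void *arg) { (void) arg; ran |= 2; }

/* A caller pushes unlink_tmp, another push happens unexpectedly, then the
   caller pops its own cleanup.  Returns which cleanups later run. */
int scenario(bool precise)
{
    static char tmpname[] = "/tmp/constructed-example";

    depth = 0;
    ran = 0;
    push_cleanup(unlink_tmp, tmpname);
    push_cleanup(restore_tty, NULL);         /* the unexpected push */
    if (precise)
        pop_cleanup(unlink_tmp, tmpname);
    else
        pop_cleanup_topmost();               /* removes restore_tty instead */
    do_cleanups();
    return ran;
}

int main(void)
{
    printf("topmost pop:  ran=%d\n", scenario(false));
    printf("matching pop: ran=%d\n", scenario(true));
    return 0;
}
```

With the topmost pop, the cleanup the caller meant to cancel still runs on a resource it no longer owns, and the other cleanup is silently lost.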
|
It's useful to have a notion of the cache owner even when man is not
installed setuid. --enable-setuid no longer takes an argument, and the
owner is now set by the --enable-cache-owner option instead.
* m4/man-arg-cache-owner.m4: New file.
* m4/man-arg-setuid.m4: Stop accepting an argument. Only set man_mode,
not man_owner.
* configure.ac: Call MAN_ARG_CACHE_OWNER.
* src/Makefile.am (install-exec-hook): Only chown man and mandb if
man_mode is 4755 (as well as the existing test for man_owner being
non-empty).
|
* lib/xchown.c: New file.
* lib/xchown.h: New file.
* lib/Makefile.am (libman_la_SOURCES): Add xchown.c and xchown.h.
* po/POTFILES.in: Add lib/xchown.c.
* src/check_mandirs.c (mkcatdirs): Call xchown instead of chown.
* src/man.c (format_display): Ignore errors from chdir ("/").
|
It's 2015. The compiler almost certainly knows better than we do.
* lib/security.c (gripe_set_euid): Remove inline qualifier.
* libdb/db_btree.c (btree_findkey): Likewise.
* libdb/mydbm.h (gdbm_exists): Likewise.
* src/catman.c (catman): Remove obsolete comment.
(add_arg, check_access): Remove inline qualifier.
* src/check_mandirs.c (add_dir_entries): Likewise.
* src/man.c (gripe_system, gripe_no_man, manopt_to_env, escape_less,
is_section, do_prompt, gripe_converting_name): Likewise.
* src/mandb.c (xremove, xrename, xchmod, finish_up, xchown,
do_chown, update_db_wrapper): Likewise.
* src/manp.c (gripe_reading_mp_config, gripe_stat_file,
gripe_not_directory, has_mandir, fsstnd): Likewise.
* src/whatis.c (do_whatis_section): Likewise.
|