[checkpath] / tmpdir.c

/* -*-c-*-
 *
 * Choose and check temporary directories
 *
 * (c) 1999 Mark Wooding
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of chkpath.
 *
 * chkpath is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * chkpath is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with chkpath; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "config.h"

#include <errno.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>

#include <mLib/alloc.h>
#include <mLib/dstr.h>
#include <mLib/macros.h>
#include <mLib/mdwopt.h>
#include <mLib/quis.h>
#include <mLib/report.h>

#include "checkpath.h"
#include "utils.h"

/*----- Static variables --------------------------------------------------*/

static uid_t me;
static struct checkpath cp;
static struct passwd *pw;

/*----- Main code ---------------------------------------------------------*/

/* --- @ok@ --- *
 *
 * Arguments:   @const char *p@ = pathname to check
 *              @int *f@ = try-to-create flag
 *
 * Returns:     Nonzero if the directory is OK
 *
 * Use:         Ensures that a directory is OK.  If @f@ is a real pointer,
 *              and @*f@ is set, then try to create the directory.
 */

static void complain(const char *p, const char *msg, int err)
{
  dstr d = DSTR_INIT;

  if (!cp.cp_verbose) return;
  dstr_putf(&d, "Path: %s: %s", p, msg);
  if (err) dstr_putf(&d, ": %s", strerror(err));
  moan("%s", d.buf);
  dstr_destroy(&d);
}

static int ok(const char *p, int *f)
{
  struct stat st;

  /* --- Read the directory status --- */

  if (lstat(p, &st)) {

    /* --- Maybe create it if it doesn't exist --- */

    if (errno != ENOENT || !f || !*f) {
      complain(p, "can't stat", errno);
      return (0);
    }
    if (mkdir(p, 0700)) {
      complain(p, "can't create", errno);
      *f = 0;
      return (0);
    }

    /* --- Now read the new status --- *
     *
     * This fixes a race condition between the previous @lstat@ call and
     * the @mkdir@.
     */

    if (lstat(p, &st)) {
      complain(p, "can't stat after creating", errno);
      return (0);
    }
  }

  /* --- Make sure the directory is good --- *
   *
   * It must be a genuine directory (not a link); it must be readable
   * and writable only by its owner, and that owner must be me.
   */

  if (!S_ISDIR(st.st_mode))
    complain(p, "not a directory", 0);
  else if (st.st_uid != me)
    complain(p, "not owner", 0);
  else if (st.st_mode & 0077)
    complain(p, "non-owner access permitted", 0);
  else if (~st.st_mode & 0700)
    complain(p, "owner lacks permissions", 0);
  else
    return (1);
  return (0);
}

/* --- @trytmp@ --- *
 *
 * Arguments:   @const char *parent@ = parent directory name
 *              @const char *base@ = subdirectory base name
 *
 * Returns:     Pointer to directory name, or null.  (String needs freeing.)
 *
 * Use:         Tries to find or create an appropriate temporary directory.
 */

static char *trytmp(const char *parent, const char *base)
{
  static char c[] = { "0123456789"
                      "abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ" };
  char *p, *q;
  char *qq;
  dstr d = DSTR_INIT;
  int createflag = 1;

  /* --- Make sure the parent directory is sane --- *
   *
   * Must make sure that all the lead-up to the temporary directory is safe.
   * Otherwise other people can play with symlinks or rename directories
   * after I've done all this careful work to make the endpoint directory
   * safe.
   */

  if (checkpath(parent, &cp))
    return (0);

  /* --- See whether the trivial version will work --- */

  dstr_putf(&d, "%s/%s", parent, base);
  if (ok(d.buf, &createflag))
    goto good;

  /* --- Now try with various suffixes --- */

  DENSURE(&d, 4);
  qq = d.buf + d.len;
  *qq++ = '-';

  for (p = c; *p; p++) {
    qq[0] = *p;
    qq[1] = 0;
    if (ok(d.buf, &createflag))
      goto good;
    for (q = c; *q; q++) {
      qq[1] = *q;
      qq[2] = 0;
      if (ok(d.buf, &createflag))
        goto good;
    }
  }

  /* --- No joy --- */

  dstr_destroy(&d);
  return (0);

good:
  p = xstrdup(d.buf);
  dstr_destroy(&d);
  return (p);
}

/* --- @fullcheck@ --- *
 *
 * Arguments:   @const char *p@ = pointer to path to check
 *
 * Returns:     Zero if it's a bad directory.
 *
 * Use:         Runs a thorough check on a directory.
 */

static int fullcheck(const char *p)
  { return (checkpath(p, &cp) == 0 && ok(p, 0)); }

/* --- @goodtmp@ --- *
 *
 * Arguments:   ---
 *
 * Returns:     Pointer to a known-good secure temporary directory, or
 *              null.
 *
 * Use:         Finds a good place to store temporary files.
 */

static char *goodtmp(void)
{
  char *p, *q;

  /* --- First of all, try the user's current choice --- */

  if ((p = getenv("TMPDIR")) != 0 && fullcheck(p))
    return (p);

  /* --- Try making a directory in `/tmp' --- */

  if ((q = trytmp("/tmp", pw->pw_name)) != 0)
    return (q);

  /* --- That failed: try a directory in the user's home --- */

  if ((q = trytmp(pw->pw_dir, "tmp")) != 0)
    return (q);

  /* --- Still no joy: give up --- *
   *
   * To be fair, if the user can't find a safe place in his own home
   * directory then he's pretty stuffed.
   */

  return (0);
}

/* --- @report@ --- */

static void report(unsigned what, int verbose,
                   const char *p, const char *msg,
                   void *arg)
  { moan("%s", msg); }

/* --- @usage@ --- */

static void usage(FILE *fp)
  { fprintf(fp, "Usage: %s [-bcv] [-C PATH] [-g NAME]\n", QUIS); }

/* --- @version@ --- */

static void version(FILE *fp)
  { fprintf(fp, "%s version %s\n", QUIS, VERSION); }

/* --- @help@ --- */

static void help(FILE *fp)
{
  version(fp);
  putc('\n', fp);
  usage(fp);
  fputs("\n\
Sets a suitable and secure temporary directory, or checks that a given\n\
directory is suitable for use with temporary files.  A directory is\n\
considered good for a particular user if it's readable and writable only\n\
by that user, and if all its parents are modifiable only by the user or\n\
root.\n\
\n\
Options supported:\n\
\n\
-h, --help              Display this help text.\n\
-V, --version           Display the program's version number.\n\
-u, --usage             Display a terse usage summary.\n\
\n\
-C, --check PATH        Check whether PATH is good, setting exit status.\n\
-b, --bourne            Output a `TMPDIR' setting for Bourne shell users.\n\
-c, --cshell            Output a `TMPDIR' setting for C shell users.\n\
-g, --group NAME        Trust group NAME to be honest and true.\n\
-v, --verbose           Report problems to standard error.\n\
\n\
The default action is to examine the caller's shell and output a suitable\n\
setting for that shell type.\n\
",
        fp);
}

/* --- @main@ --- *
 *
 * Arguments:   @int argc@ = number of command line arguments
 *              @char *argv[]@ = the actual argument strings
 *
 * Returns:     Zero if all went well, else nonzero.
 *
 * Use:         Performs helpful operations on temporary directories.
 */

int main(int argc, char *argv[])
{
  int shell = 0;
  int duff = 0;
  char *p;

  enum {
    sh_unknown,
    sh_bourne,
    sh_csh
  };

  /* --- Initialize variables --- */

  ego(argv[0]);
  me = cp.cp_uid = geteuid();
  cp.cp_what = (CP_WRWORLD | CP_WROTHGRP | CP_WROTHUSR |
                CP_STICKYOK | CP_REPORT | CP_ERROR);
  cp.cp_verbose = 0;
  cp.cp_report = report;
  cp.cp_gids = 0;                       /* ignore group membership */
  pw = getpwuid(me);
  if (!pw)
    die(1, "you don't exist");

  /* --- Parse arguments --- */

  for (;;) {
    static struct option opts[] = {
      { "help",         0,              0,      'h' },
      { "version",      0,              0,      'V' },
      { "usage",        0,              0,      'u' },
      { "check",        OPTF_ARGREQ,    0,      'C' },
      { "verify",       OPTF_ARGREQ,    0,      'C' },
      { "bourne",       0,              0,      'b' },
      { "cshell",       0,              0,      'c' },
      { "group",        OPTF_ARGREQ,    0,      'g' },
      { "verbose",      0,              0,      'v' },
      { 0,              0,              0,      0 }
    };
    int i = mdwopt(argc, argv, "hVu" "C:bcg:v", opts, 0, 0, 0);

    if (i < 0)
      break;
    switch (i) {
      case 'h':
        help(stdout);
        exit(0);
      case 'V':
        version(stdout);
        exit(0);
      case 'u':
        usage(stdout);
        exit(0);
      case 'C':
        return (!fullcheck(optarg));
        break;
      case 'b':
        shell = sh_bourne;
        break;
      case 'c':
        shell = sh_csh;
        break;
      case 'g':
        allowgroup(&cp, optarg);
        break;
      case 'v':
        cp.cp_verbose++;
        break;
      default:
        duff = 1;
        break;
    }
  }

  if (duff || optind != argc) {
    usage(stderr);
    exit(1);
  }

  /* --- Choose a shell --- */

  if (!shell) {
    if (!(p = getenv("SHELL")))
      p = pw->pw_shell;
    if (strstr(p, "csh"))
      shell = sh_csh;
    else
      shell = sh_bourne;
  }

  /* --- Start the checking --- */

  if ((p = goodtmp()) == 0)
    die(1, "no good tmp directory");
  switch (shell) {
    case sh_bourne:
      printf("TMPDIR=\"%s\"; export TMPDIR\n", p);
      break;
    case sh_csh:
      printf("setenv TMPDIR \"%s\"\n", p);
        break;
  }

  return (0);
}

/*----- That's all, folks -------------------------------------------------*/