3 * Choose and check temporary directories
5 * (c) 1999 Mark Wooding
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of chkpath.
12 * chkpath is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * chkpath is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with chkpath; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
37 #include <sys/types.h>
43 #include <mLib/alloc.h>
44 #include <mLib/dstr.h>
45 #include <mLib/macros.h>
46 #include <mLib/mdwopt.h>
47 #include <mLib/quis.h>
48 #include <mLib/report.h>
50 #include "checkpath.h"
53 /*----- Static variables --------------------------------------------------*/
57 static struct checkpath cp;
58 static struct passwd *pw;
59 static unsigned flags;
62 /*----- Main code ---------------------------------------------------------*/
66 * Arguments: @const char *p@ = pathname to check
67 * @int *f@ = try-to-create flag
69 * Returns: Nonzero if the directory is OK
71 * Use: Ensures that a directory is OK. If @f@ is a real pointer,
72 * and @*f@ is set, then try to create the directory.
75 static void complain(const char *p, const char *msg, int err)
79 if (!cp.cp_verbose) return;
80 dstr_putf(&d, "Path: %s: %s", p, msg);
81 if (err) dstr_putf(&d, ": %s", strerror(err));
86 static int ok(const char *p, int *f)
90 /* --- Read the directory status --- */
94 /* --- Maybe create it if it doesn't exist --- */
96 if (errno != ENOENT || !f || !*f) {
97 complain(p, "can't stat", errno);
100 if (mkdir(p, 0700)) {
101 complain(p, "can't create", errno);
106 /* --- Now read the new status --- *
108 * This fixes a race condition between the previous @lstat@ call and
113 complain(p, "can't stat after creating", errno);
118 /* --- Make sure the directory is good --- *
120 * It must be a genuine directory (not a link); it must be readable
121 * and writable only by its owner, and that owner must be me.
124 if (!S_ISDIR(st.st_mode))
125 complain(p, "not a directory", 0);
126 else if (st.st_uid != me)
127 complain(p, "not owner", 0);
128 else if (st.st_mode & S_IRWXO)
129 complain(p, "other access permitted", 0);
130 else if (!((flags & F_PRIVGRP) && st.st_gid != mygroup) &&
131 (st.st_mode & S_IRWXG))
132 complain(p, "other-group access permitted", 0);
133 else if (~st.st_mode & S_IRWXU)
134 complain(p, "owner lacks permissions", 0);
140 /* --- @trytmp@ --- *
142 * Arguments: @const char *parent@ = parent directory name
143 * @const char *base@ = subdirectory base name
145 * Returns: Pointer to directory name, or null. (String needs freeing.)
147 * Use: Tries to find or create an appropriate temporary directory.
150 static char *trytmp(const char *parent, const char *base)
152 static char c[] = { "0123456789"
153 "abcdefghijklmnopqrstuvwxyz"
154 "ABCDEFGHIJKLMNOPQRSTUVWXYZ" };
160 /* --- Make sure the parent directory is sane --- *
162 * Must make sure that all the lead-up to the temporary directory is safe.
163 * Otherwise other people can play with symlinks or rename directories
164 * after I've done all this careful work to make the endpoint directory
168 if (checkpath(parent, &cp))
171 /* --- See whether the trivial version will work --- */
173 dstr_putf(&d, "%s/%s", parent, base);
174 if (ok(d.buf, &createflag))
177 /* --- Now try with various suffixes --- */
183 for (p = c; *p; p++) {
186 if (ok(d.buf, &createflag))
188 for (q = c; *q; q++) {
191 if (ok(d.buf, &createflag))
207 /* --- @fullcheck@ --- *
209 * Arguments: @const char *p@ = pointer to path to check
211 * Returns: Zero if it's a bad directory.
213 * Use: Runs a thorough check on a directory.
216 static int fullcheck(const char *p)
217 { return (checkpath(p, &cp) == 0 && ok(p, 0)); }
219 /* --- @goodtmp@ --- *
223 * Returns: Pointer to a known-good secure temporary directory, or
226 * Use: Finds a good place to store temporary files.
229 static char *goodtmp(void)
233 /* --- First of all, try the user's current choice --- */
235 if ((p = getenv("TMPDIR")) != 0 && fullcheck(p))
238 /* --- Try making a directory in `/tmp' --- */
240 if ((q = trytmp("/tmp", pw->pw_name)) != 0)
243 /* --- That failed: try a directory in the user's home --- */
245 if ((q = trytmp(pw->pw_dir, "tmp")) != 0)
248 /* --- Still no joy: give up --- *
250 * To be fair, if the user can't find a safe place in his own home
251 * directory then he's pretty stuffed.
257 /* --- @report@ --- */
259 static void report(unsigned what, int verbose,
260 const char *p, const char *msg,
264 /* --- @usage@ --- */
266 static void usage(FILE *fp)
267 { fprintf(fp, "Usage: %s [-Tbcv] [-C PATH] [-g NAME]\n", QUIS); }
269 /* --- @version@ --- */
271 static void version(FILE *fp)
272 { fprintf(fp, "%s version %s\n", QUIS, VERSION); }
276 static void help(FILE *fp)
282 Sets a suitable and secure temporary directory, or checks that a given\n\
283 directory is suitable for use with temporary files. A directory is\n\
284 considered good for a particular user if it's readable and writable only\n\
285 by that user, and if all its parents are modifiable only by the user or\n\
288 Options supported:\n\
290 -h, --help Display this help text.\n\
291 -V, --version Display the program's version number.\n\
292 -u, --usage Display a terse usage summary.\n\
294 -C, --check PATH Check whether PATH is good, setting exit status.\n\
295 -T, --private-group Accept paths writable by primary group if it has\n\
297 -b, --bourne Output a `TMPDIR' setting for Bourne shell users.\n\
298 -c, --cshell Output a `TMPDIR' setting for C shell users.\n\
299 -g, --group NAME Trust group NAME to be honest and true.\n\
300 -v, --verbose Report problems to standard error.\n\
302 The default action is to examine the caller's shell and output a suitable\n\
303 setting for that shell type.\n\
310 * Arguments: @int argc@ = number of command line arguments
311 * @char *argv[]@ = the actual argument strings
313 * Returns: Zero if all went well, else nonzero.
315 * Use: Performs helpful operations on temporary directories.
318 int main(int argc, char *argv[])
332 /* --- Initialize variables --- */
335 me = cp.cp_uid = geteuid();
336 cp.cp_what = (CP_WRWORLD | CP_WROTHGRP | CP_WROTHUSR |
337 CP_STICKYOK | CP_REPORT | CP_ERROR);
339 cp.cp_report = report;
340 cp.cp_gids = 0; /* ignore group membership */
343 die(1, "you don't exist");
345 /* --- Parse arguments --- */
348 static struct option opts[] = {
349 { "help", 0, 0, 'h' },
350 { "version", 0, 0, 'V' },
351 { "usage", 0, 0, 'u' },
352 { "check", OPTF_ARGREQ, 0, 'C' },
353 { "verify", OPTF_ARGREQ, 0, 'C' },
354 { "private-group", 0, 0, 'T' },
355 { "bourne", 0, 0, 'b' },
356 { "cshell", 0, 0, 'c' },
357 { "group", OPTF_ARGREQ, 0, 'g' },
358 { "quiet", 0, 0, 'q' },
359 { "verbose", 0, 0, 'v' },
363 i = mdwopt(argc, argv, "hVu" "C:Tbcg:qv", opts, 0, 0, 0);
377 return (!fullcheck(optarg));
380 if (!private_group(&gid, cp.cp_verbose)) {
381 mygroup = gid; flags |= F_PRIVGRP;
382 if (checkpath_addgid(&cp, gid))
383 die(1, "too many groups");
393 allowgroup(&cp, optarg);
408 if (duff || optind != argc) {
413 /* --- Choose a shell --- */
416 if (!(p = getenv("SHELL")))
418 if (strstr(p, "csh"))
424 /* --- Start the checking --- */
426 if ((p = goodtmp()) == 0)
427 die(1, "no good tmp directory");
430 printf("TMPDIR=\"%s\"; export TMPDIR\n", p);
433 printf("setenv TMPDIR \"%s\"\n", p);
440 /*----- That's all, folks -------------------------------------------------*/
~mdw / checkpath / blob