[pulseaudio-discuss] [PATCH] Better error messages for secure directory creation
Alexander E. Patrakov
patrakov at gmail.com
Sun Apr 20 08:58:18 PDT 2014
Also, ignore unexpected fchmod results inside the user's home
directory. They sometimes happen due to home filesystems violating
POSIX requirements, including those specified at
http://pubs.opengroup.org/onlinepubs/009696899/functions/fchown.html
Details:
http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-April/020351.html
---
Note: this patch looks safe, but I think it is conceptually wrong. Apply
it only if you think that the other patch ("Remove redundant check of
directory permissions") opens a security hole.
src/pulsecore/core-util.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/pulsecore/core-util.c b/src/pulsecore/core-util.c
index 0d9e354..c065f00 100644
--- a/src/pulsecore/core-util.c
+++ b/src/pulsecore/core-util.c
@@ -273,6 +273,7 @@ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid, bool upd
struct stat st;
int r, saved_errno;
bool retry = true;
+ bool implicit_owner = (uid == (uid_t)(-1)) && (gid == (gid_t)(-1));
pa_assert(dir);
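Review bot: `implicit_owner` needs a comment saying what it records, because the commit message speaks of "the user's home directory" while the flag only captures that the caller passed `(uid_t)-1` and `(gid_t)-1`, i.e. asked for no specific owner. A one-liner above `+ bool implicit_owner = (uid == (uid_t)(-1)) && (gid == (gid_t)(-1));` such as `/* caller requested no explicit owner: the directory is the calling user's own */` would also make clear that the test is deliberately taken at declaration time, before any normalisation of the sentinel values further down, so a later refactor does not move it and silently make the flag always false.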
@@ -358,13 +359,26 @@ again:
goto fail;
#ifndef OS_IS_WIN32
- if (!S_ISDIR(st.st_mode) ||
- (st.st_uid != uid) ||
- (st.st_gid != gid) ||
- ((st.st_mode & 0777) != m)) {
+ if (!S_ISDIR(st.st_mode)) {
+ pa_log_error("\"%s\" should be a directory but actually isn't.", dir);
+ errno = EEXIST;
+ goto fail;
+ }
+ if ((st.st_uid != uid) || (st.st_gid != gid)) {
+ pa_log_error("\"%s\" has wrong owner or group and thus is not secure.", dir);
errno = EACCES;
goto fail;
}
+ if ((st.st_mode & 0777) != m) {
+ pa_log_error("Directory \"%s\" has wrong permissions and thus is possibly insecure.", dir);
+ if (!implicit_owner) {
+ pa_log_warn("Taking this error seriously.");
+ errno = EACCES;
+ goto fail;
+ }
+ pa_log_warn("Ignoring this error, it looks like a broken filesystem that ignores fchmod by the owner.");
+ pa_log_warn("This is not something that PulseAudio can fix.");
+ }
#else
pa_log_warn("Secure directory creation not supported on Win32.");
#endif
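Review bot: the permission mismatch is tolerated regardless of direction when `implicit_owner` is set, so a directory that ended up more permissive than `m` (group/other bits that the fchmod failed to clear) passes as silently as one that is merely stricter. Since the stated motivation is a filesystem that ignores fchmod, I would only tolerate the case where no bit beyond `m` is set, e.g. test `(st.st_mode & 0777 & ~m) == 0` together with `implicit_owner` before the two `pa_log_warn` lines, and fall through to `errno = EACCES; goto fail;` otherwise. Two smaller points: `pa_log_error("Directory \"%s\" has wrong permissions and thus is possibly insecure.", dir);` is emitted at error level even on the path that then ignores the condition, so it should be demoted to a warning there (and "Taking this error seriously." adds nothing the error line does not already say); and `errno = EEXIST;` for the not-a-directory case changes the errno callers previously received (EACCES), which the commit message should mention.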
--
1.9.2