Match-id-3ee2456dac2074661215f3139618a77874c29ea4

cli/src/cgrp.c

@@ -78,7 +78,9 @@ int ParseFileByLine(char* buffer, int bufferSize, const ParseFileLine fn, const
         free(str);
         return -1;
     }
-
+    if (CheckLegality(resolvedPath) != 0) {
+        Logger("Check file legality failed.", LEVEL_ERROR, SCREEN_YES);
+    }
     fp = fopen(resolvedPath, "r");
     if (fp == NULL) {
         Logger("cannot open file.", LEVEL_ERROR, SCREEN_YES);
@@ -271,16 +273,17 @@ int SetupCgroup(const struct ParsedConfig *config)
     FILE *cgroupAllow = NULL;
 
     if (realpath(config->cgroupPath, resolvedCgroupPath) == NULL && errno != ENOENT) {
-        str = FormatLogMessage("cannot canonicalize cgroup path: %s.", config->cgroupPath);
-        Logger(str, LEVEL_ERROR, SCREEN_YES);
+        Logger("cannot canonicalize cgroup.", LEVEL_ERROR, SCREEN_YES);
         free(str);
         return -1;
     }
-
+    if (CheckLegality(resolvedCgroupPath) != 0) {
+        Logger("Check file legality failed.", LEVEL_ERROR, SCREEN_YES);
+        return -1;
+    }
     cgroupAllow = fopen((const char *)resolvedCgroupPath, "a");
     if (cgroupAllow == NULL) {
-        str = FormatLogMessage("failed to open cgroup file: %s.", resolvedCgroupPath);
-        Logger(str, LEVEL_ERROR, SCREEN_YES);
+        Logger("failed to open cgroup file.", LEVEL_ERROR, SCREEN_YES);
         free(str);
         return -1;
     }
@@ -306,8 +309,7 @@ int SetupCgroup(const struct ParsedConfig *config)
         ret = SetupDeviceCgroup(cgroupAllow, (const char *)deviceName);
         if (ret < 0) {
             fclose(cgroupAllow);
-            str = FormatLogMessage("failed to setup cgroup for %s.", deviceName);
-            Logger(str, LEVEL_ERROR, SCREEN_YES);
+            Logger("failed to setup cgroup.", LEVEL_ERROR, SCREEN_YES);
             free(str);
             return -1;
         }

cli/src/logger.c

@@ -66,6 +66,9 @@ long GetLogSize(const char* filename)
     if (strlen(filename) > PATH_MAX || NULL == realpath(filename, path)) {
         return -1;
     }
+    if (CheckLegality(path) != 0) {
+        return -1;
+    }
     fp = fopen(path, "rb");
     long length = 0;
     if (fp != NULL) {
@@ -119,6 +122,9 @@ void WriteLogFile(const char* filename, long maxSize, const char* buffer, unsign
         if (strlen(filename) > PATH_MAX || NULL == realpath(filename, path)) {
             return;
         }
+        if (CheckLegality(path) != 0) {
+            return;
+        }
         fp = fopen(path, "a+");
         if (fp != NULL) {
             char now[TEMP_BUFFER] = {0};

cli/src/utils.c

@@ -150,4 +150,21 @@ int MakeMountPoints(const char *path, mode_t mode)
     }
     close(fd);
     return 0;
+}
+
+int CheckLegality(const char* filename)
+{
+    struct stat fileStat;
+    if (stat(filename, &fileStat) != 0) {
+        return -1;
+    }
+    if ((fileStat.st_uid != ROOT_UID) && (fileStat.st_uid != geteuid())) { // 操作文件owner非root/自己
+        fprintf(stderr, "Please check the folder owner!\n");
+        return -1;
+    }
+    if ((fileStat.st_mode & S_IWOTH) != 0) { // 操作文件对other用户可写
+        fprintf(stderr, "Please check the write permission!\n");
+        return -1;
+    }
+    return 0;
 }

cli/src/utils.h

@@ -7,8 +7,11 @@
 
 #include <stdbool.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #include "basic.h"
 
+#define ROOT_UID 0
+
 char *FormatLogMessage(char *format, ...);
 int IsStrEqual(const char *s1, const char *s2);
 int StrHasPrefix(const char *str, const char *prefix);
@@ -18,5 +21,6 @@ int CheckDirExists(const char *dir);
 int GetParentPathStr(const char *path, char *parent, size_t bufSize);
 int MakeDirWithParent(const char *path, mode_t mode);
 int MakeMountPoints(const char *path, mode_t mode);
+int CheckLegality(const char* filename);
 
 #endif