From 7d20803730d04fa2f8c7c3b636242a91193c11a5 Mon Sep 17 00:00:00 2001 From: BianTanggui Date: Wed, 19 Jan 2022 21:32:42 +0800 Subject: [PATCH] Match-id-7dc14342229757308f9f769f9338f83e90093888 --- cli/src/cgrp.c | 18 ++++++++++-------- cli/src/logger.c | 6 ++++++ cli/src/utils.c | 17 +++++++++++++++++ cli/src/utils.h | 4 ++++ 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/cli/src/cgrp.c b/cli/src/cgrp.c index 9aaef40..90f4b18 100644 --- a/cli/src/cgrp.c +++ b/cli/src/cgrp.c @@ -78,7 +78,9 @@ int ParseFileByLine(char* buffer, int bufferSize, const ParseFileLine fn, const free(str); return -1; } - + if (CheckLegality(resolvedPath) != 0) { + Logger("Check file legality failed.", LEVEL_ERROR, SCREEN_YES); + } fp = fopen(resolvedPath, "r"); if (fp == NULL) { Logger("cannot open file.", LEVEL_ERROR, SCREEN_YES); @@ -271,16 +273,17 @@ int SetupCgroup(const struct ParsedConfig *config) FILE *cgroupAllow = NULL; if (realpath(config->cgroupPath, resolvedCgroupPath) == NULL && errno != ENOENT) { - str = FormatLogMessage("cannot canonicalize cgroup path: %s.", config->cgroupPath); - Logger(str, LEVEL_ERROR, SCREEN_YES); + Logger("cannot canonicalize cgroup.", LEVEL_ERROR, SCREEN_YES); free(str); return -1; } - + if (CheckLegality(resolvedCgroupPath) != 0) { + Logger("Check file legality failed.", LEVEL_ERROR, SCREEN_YES); + return -1; + } cgroupAllow = fopen((const char *)resolvedCgroupPath, "a"); if (cgroupAllow == NULL) { - str = FormatLogMessage("failed to open cgroup file: %s.", resolvedCgroupPath); - Logger(str, LEVEL_ERROR, SCREEN_YES); + Logger("failed to open cgroup file.", LEVEL_ERROR, SCREEN_YES); free(str); return -1; } @@ -306,8 +309,7 @@ int SetupCgroup(const struct ParsedConfig *config) ret = SetupDeviceCgroup(cgroupAllow, (const char *)deviceName); if (ret < 0) { fclose(cgroupAllow); - str = FormatLogMessage("failed to setup cgroup for %s.", deviceName); - Logger(str, LEVEL_ERROR, SCREEN_YES); + Logger("failed to setup cgroup.", LEVEL_ERROR, SCREEN_YES); free(str); return -1; } diff --git a/cli/src/logger.c b/cli/src/logger.c index 1a0be42..6745515 100644 --- a/cli/src/logger.c +++ b/cli/src/logger.c @@ -66,6 +66,9 @@ long GetLogSize(const char* filename) if (strlen(filename) > PATH_MAX || NULL == realpath(filename, path)) { return -1; } + if (CheckLegality(path) != 0) { + return -1; + } fp = fopen(path, "rb"); long length = 0; if (fp != NULL) { @@ -119,6 +122,9 @@ void WriteLogFile(const char* filename, long maxSize, const char* buffer, unsign if (strlen(filename) > PATH_MAX || NULL == realpath(filename, path)) { return; } + if (CheckLegality(path) != 0) { + return; + } fp = fopen(path, "a+"); if (fp != NULL) { char now[TEMP_BUFFER] = {0}; diff --git a/cli/src/utils.c b/cli/src/utils.c index 529c7be..15413dc 100644 --- a/cli/src/utils.c +++ b/cli/src/utils.c @@ -150,4 +150,21 @@ int MakeMountPoints(const char *path, mode_t mode) } close(fd); return 0; +} + +int CheckLegality(const char* filename) +{ + struct stat fileStat; + if (stat(filename, &fileStat) != 0) { + return -1; + } + if ((fileStat.st_uid != ROOT_UID) && (fileStat.st_uid != geteuid())) { // 操作文件owner非root/自己 + fprintf(stderr, "Please check the folder owner!\n"); + return -1; + } + if ((fileStat.st_mode & S_IWOTH) != 0) { // 操作文件对other用户可写 + fprintf(stderr, "Please check the write permission!\n"); + return -1; + } + return 0; } \ No newline at end of file diff --git a/cli/src/utils.h b/cli/src/utils.h index e6f9412..ab83b5f 100644 --- a/cli/src/utils.h +++ b/cli/src/utils.h @@ -7,8 +7,11 @@ #include #include +#include #include "basic.h" +#define ROOT_UID 0 + char *FormatLogMessage(char *format, ...); int IsStrEqual(const char *s1, const char *s2); int StrHasPrefix(const char *str, const char *prefix); @@ -18,5 +21,6 @@ int CheckDirExists(const char *dir); int GetParentPathStr(const char *path, char *parent, size_t bufSize); int MakeDirWithParent(const char *path, mode_t mode); int MakeMountPoints(const char *path, mode_t mode); +int CheckLegality(const char* filename); #endif \ No newline at end of file