Add flag to disable dictionary permissions checks
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Tue, 14 Jun 2022 18:30:35 +0000 (13:30 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Wed, 15 Jun 2022 16:15:40 +0000 (11:15 -0500)
src/lib/util/dict.h
src/lib/util/dict_priv.h
src/lib/util/dict_tokenize.c
src/lib/util/dict_util.c

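index aab9b28649bf0fd7ae3f8457cd34edac93afe7ed..aa896812aeab17e119f50a44d40519461ec48894 100644
--- a/src/lib/util/dict.h
+++ b/src/lib/util/dict.h
@@ -631,7 +631,9 @@ int                 fr_dict_const_free(fr_dict_t const **dict, char const *dependent) CC_HINT(
  *
  * @{
  */
-fr_dict_gctx_t const   *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir);
+fr_dict_gctx_t         *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir);
+
+void                   fr_dict_global_ctx_perm_check(fr_dict_gctx_t *gctx, bool enable);
 
 void                   fr_dict_global_ctx_set(fr_dict_gctx_t const *gctx);
 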
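index 585e68759f32d57d02205c7a42204cf00693e567..7263029eeb474328500481f84cb4db24b183f1e1 100644
--- a/src/lib/util/dict_priv.h
+++ b/src/lib/util/dict_priv.h
@@ -113,6 +113,9 @@ struct fr_dict {
 struct fr_dict_gctx_s {
        bool                    free_at_exit;           //!< This gctx will be freed on exit.
 
+       bool                    perm_check;             //!< Whether we should check dictionary
+                                                       ///< file permissions as they're loaded.
+
        bool                    read_only;
 
        char                    *dict_dir_default;      //!< The default location for loading dictionaries if one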
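index ddaa8ece810596c9901c3af98a99a21d6ae87570..8d53fb45c88d24349da8549d8e9f814cac8f8cfd 100644
--- a/src/lib/util/dict_tokenize.c
+++ b/src/lib/util/dict_tokenize.c
@@ -1916,7 +1916,7 @@ static int _dict_from_file(dict_tokenize_ctx_t *ctx,
         *      the server configuration with little difficulty.
         */
 #ifdef S_IWOTH
-       if ((statbuf.st_mode & S_IWOTH) != 0) {
+       if (dict_gctx->perm_check && ((statbuf.st_mode & S_IWOTH) != 0)) {
                fclose(fp);
                fr_strerror_printf_push("Dictionary is globally writable: %s. "
                                        "Refusing to start due to insecure configuration", fn);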
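Review bot: With `perm_check` false a globally writable dictionary is now loaded with no diagnostic at all, because the `S_IWOTH` test has been folded into the same condition as the refusal, so a process running with the check disabled leaves no record that an insecure file was read. Consider keeping the `S_IWOTH` test unconditional and gating only the `fclose`/`fr_strerror_printf_push`/return on `dict_gctx->perm_check`, so the disabled branch can at least emit a warning through the file's logging facility, or failing that carry a comment such as `/* perm_check off: world-writable dictionary accepted deliberately */`. It is not visible here whether `dict_gctx` is the currently active global context or something tied to the dictionary being parsed; if it is the global, the decision follows whichever gctx is active at load time rather than the one that owns this dictionary, which deserves a comment. `_dict_from_file` starts and ends outside the hunk.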
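index 9d52ab579168107f55ce08e0ab04563fd881ad33..553d9f2fd6146496cfcfb3afe7d42b6114037aff 100644
--- a/src/lib/util/dict_util.c
+++ b/src/lib/util/dict_util.c
@@ -3680,7 +3680,7 @@ static int _dict_global_free(fr_dict_gctx_t *gctx)
  *     - A pointer to the new global context on success.
  *     - NULL on failure.
  */
-fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir)
+fr_dict_gctx_t *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir)
 {
        fr_dict_gctx_t *new_ctx;
 
@@ -3694,6 +3694,7 @@ fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit
                fr_strerror_const("Out of Memory");
                return NULL;
        }
+       new_ctx->perm_check = true;     /* Check file permissions by default */
 
        new_ctx->protocol_by_name = fr_hash_table_alloc(new_ctx, dict_protocol_name_hash, dict_protocol_name_cmp, NULL);
        if (!new_ctx->protocol_by_name) {
@@ -3728,6 +3729,16 @@ fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit
        return new_ctx;
 }
 
+/** Set whether we check dictionary file permissions
+ *
+ * @param[in] gctx     to alter.
+ * @param[in] enable   Whether we should check file permissions as they're loaded.
+ */
+void fr_dict_global_ctx_perm_check(fr_dict_gctx_t *gctx, bool enable)
+{
+       gctx->perm_check = enable;
+}
+
 /** Set a new, active, global dictionary context
  *
  * @param[in] gctx     To set.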
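Review bot: The secure default now depends on the explicit `new_ctx->perm_check = true;` assignment in `fr_dict_global_ctx_init`; if the context allocator zero-fills (the need for that line suggests it does), any other path that produces a `fr_dict_gctx_t` without that assignment silently runs with the permission check off, i.e. the field fails open. Naming it so that zero means secure (for example `perm_check_disabled`, with the test in `_dict_from_file` and the field in `dict_priv.h` inverted accordingly) would make a zero-initialised context fail closed; if the name is kept, the comment on the assignment should say `/* Must be set explicitly: a zeroed gctx would have the check disabled */`. The doc block for `fr_dict_global_ctx_perm_check` should also state that the check is enabled by default and that `enable = false` allows globally writable dictionary files to be loaded, since that is the security consequence a caller is opting into; `gctx` is dereferenced without a NULL guard, which is fine if callers are trusted but worth stating in the `@param[in] gctx` line.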