From: Arran Cudbard-Bell
Date: Tue, 14 Jun 2022 18:30:35 +0000 (-0500)
Subject: Add flag to disable dictionary permissions checks
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5f1431a180b47cd4060ed06bddfff4c9dae974c;p=thirdparty%2Ffreeradius-server.git

Add flag to disable dictionary permissions checks
---

diff --git a/src/lib/util/dict.h b/src/lib/util/dict.h
index aab9b28649b..aa896812aea 100644
--- a/src/lib/util/dict.h
+++ b/src/lib/util/dict.h
@@ -631,7 +631,9 @@ int fr_dict_const_free(fr_dict_t const **dict, char const *dependent) CC_HINT(
 *
 * @{
 */
-fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir);
+fr_dict_gctx_t *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir);
+
+void fr_dict_global_ctx_perm_check(fr_dict_gctx_t *gctx, bool enable);

 void fr_dict_global_ctx_set(fr_dict_gctx_t const *gctx);

diff --git a/src/lib/util/dict_priv.h b/src/lib/util/dict_priv.h
index 585e68759f3..7263029eeb4 100644
--- a/src/lib/util/dict_priv.h
+++ b/src/lib/util/dict_priv.h
@@ -113,6 +113,9 @@ struct fr_dict {
 struct fr_dict_gctx_s {
 bool free_at_exit; //!< This gctx will be freed on exit.

+ bool perm_check; //!< Whether we should check dictionary
+ ///< file permissions as they're loaded.
+
 bool read_only;

 char *dict_dir_default; //!< The default location for loading dictionaries if one
diff --git a/src/lib/util/dict_tokenize.c b/src/lib/util/dict_tokenize.c
index ddaa8ece810..8d53fb45c88 100644
--- a/src/lib/util/dict_tokenize.c
+++ b/src/lib/util/dict_tokenize.c
@@ -1916,7 +1916,7 @@ static int _dict_from_file(dict_tokenize_ctx_t *ctx,
 * the server configuration with little difficulty.
 */
 #ifdef S_IWOTH
- if ((statbuf.st_mode & S_IWOTH) != 0) {
+ if (dict_gctx->perm_check && ((statbuf.st_mode & S_IWOTH) != 0)) {
 fclose(fp);
 fr_strerror_printf_push("Dictionary is globally writable: %s. "
 "Refusing to start due to insecure configuration", fn);
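Review bot: The new `fr_dict_global_ctx_perm_check()` declaration in dict.h carries no non-NULL hint, while its definition in dict_util.c dereferences `gctx` unconditionally. The doc comment on `fr_dict_global_ctx_init()` says it returns NULL on failure, so a caller that passes its result straight to the setter would crash. Declaring it as `void fr_dict_global_ctx_perm_check(fr_dict_gctx_t *gctx, bool enable) CC_HINT(nonnull);` lets the compiler flag that; `CC_HINT(` is already used on the preceding declaration shown in the hunk header.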
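Review bot: When `perm_check` is false, the `S_IWOTH` test in `_dict_from_file` is skipped without leaving any trace, so a world-writable dictionary loads exactly like a safely-permissioned one. The comment just above the test (its start is outside the hunk) ties such a file to changes in the server configuration, so the bypass should stay visible to operators. Keep evaluating the mode bit, and when it is set while the check is disabled, emit a warning naming `fn` through the logging facility this file already uses. A comment such as `/* perm_check can be cleared via fr_dict_global_ctx_perm_check(); the file is then loaded even if world-writable */` would also record the intent. `_dict_from_file` begins and ends outside the hunk.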
diff --git a/src/lib/util/dict_util.c b/src/lib/util/dict_util.c
index 9d52ab57916..553d9f2fd61 100644
--- a/src/lib/util/dict_util.c
+++ b/src/lib/util/dict_util.c
@@ -3680,7 +3680,7 @@ static int _dict_global_free(fr_dict_gctx_t *gctx)
 * - A pointer to the new global context on success.
 * - NULL on failure.
 */
-fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir)
+fr_dict_gctx_t *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir)
 {
 fr_dict_gctx_t *new_ctx;

@@ -3694,6 +3694,7 @@ fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit
 fr_strerror_const("Out of Memory");
 return NULL;
 }
+ new_ctx->perm_check = true; /* Check file permissions by default */

 new_ctx->protocol_by_name = fr_hash_table_alloc(new_ctx, dict_protocol_name_hash, dict_protocol_name_cmp, NULL);
 if (!new_ctx->protocol_by_name) {
@@ -3728,6 +3729,16 @@ fr_dict_gctx_t const *fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit
 return new_ctx;
 }

+/** Set whether we check dictionary file permissions
+ *
+ * @param[in] gctx to alter.
+ * @param[in] enable Whether we should check file permissions as they're loaded.
+ */
+void fr_dict_global_ctx_perm_check(fr_dict_gctx_t *gctx, bool enable)
+{
+ gctx->perm_check = enable;
+}
+
 /** Set a new, active, global dictionary context
 *
 * @param[in] gctx To set.
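Review bot: The doc comment on `fr_dict_global_ctx_perm_check()` does not say what turning the check off permits or when the call has to be made. The test in `_dict_from_file` reads `dict_gctx->perm_check`, which looks like the active global context rather than the `gctx` passed here (the definition of `dict_gctx` is not visible in this patch). If so, the setting presumably only takes effect once this context is the active one, and only for dictionaries loaded afterwards. The comment should state that, note that `fr_dict_global_ctx_init()` defaults the flag to `true`, and add a line such as `* @note Disabling this allows globally writable dictionary files to be loaded; call before loading any dictionary.`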