From: Alan T. DeKok Date: Fri, 29 Jan 2016 01:31:39 +0000 (-0500) Subject: Add FILE_EXISTS for things like /dev/urandom. X-Git-Tag: release_3_0_12~263 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e461b5903192168b10df9179d2848c7a2f94910d;p=thirdparty%2Ffreeradius-server.git Add FILE_EXISTS for things like /dev/urandom. It has to exist, but we don't care about the permissions --- diff --git a/src/include/conffile.h b/src/include/conffile.h index 62d16b028d4..60c12b787b2 100644 --- a/src/include/conffile.h +++ b/src/include/conffile.h @@ -139,6 +139,7 @@ typedef struct timeval _timeval_t; #define PW_TYPE_MULTI (1 << 18) //!< CONF_PAIR can have multiple copies. #define PW_TYPE_NOT_EMPTY (1 << 19) //!< CONF_PAIR is required to have a non zero length value. +#define PW_TYPE_FILE_EXISTS ((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist /* @} **/ #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\ diff --git a/src/main/conffile.c b/src/main/conffile.c index f890a9e2b09..2cf83ec2f3a 100644 --- a/src/main/conffile.c +++ b/src/main/conffile.c @@ -362,10 +362,9 @@ static FILE *cf_file_open(CONF_SECTION *cs, char const *filename) } /* - * Do some checks on the file as an "input" file. i.e. one read - * by a module. + * Do some checks on the file */ -static bool cf_file_input(CONF_SECTION *cs, char const *filename) +static bool cf_file_check(CONF_SECTION *cs, char const *filename, bool check_perms) { cf_file_t *file; CONF_DATA *cd; @@ -386,11 +385,13 @@ static bool cf_file_input(CONF_SECTION *cs, char const *filename) file->input = true; if (stat(filename, &file->buf) < 0) { - ERROR("Unable to open file \"%s\": %s", filename, fr_syserror(errno)); + ERROR("Unable to check file \"%s\": %s", filename, fr_syserror(errno)); talloc_free(file); return false; } + if (!check_perms) return true; + #ifdef S_IWOTH if ((file->buf.st_mode & S_IWOTH) != 0) { ERROR("Configuration file %s is globally writable. " 
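Review bot: The new define's comment does not say that cf_item_parse recognises PW_TYPE_FILE_EXISTS only by exact equality (`file_exists = (type == PW_TYPE_FILE_EXISTS);` in the second conffile.c hunk, mirroring the existing file_input line), so a caller that ORs in another flag such as PW_TYPE_REQUIRED presumably falls through to the ordinary string handling with no existence check at all, and no error tells them so. Either document that constraint on the define, e.g. `//!< File matching value must exist. Not combinable with other PW_TYPE_* flags: cf_item_parse matches it by equality.`, or compare in cf_item_parse with the flag bits masked out so the check survives extra flags. The same caveat already applies to PW_TYPE_FILE_INPUT.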
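Review bot: The replacement comment `Do some checks on the file` drops the explanation the old one carried and says nothing about the new check_perms parameter, which now decides whether the caller gets only an existence check or the world-writable refusal as well. I would state the contract above the function: the filename must stat() successfully in either mode; with check_perms set the function additionally refuses a file with S_IWOTH set, as the next hunk shows; it logs and returns false on either failure. A short /* ... */ block carrying those three points is enough; the function body continues past the end of this hunk.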
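Review bot: `if (!check_perms) return true;` leaves cf_file_check before the S_IWOTH block, and therefore also before whatever the function does after that block — the body continues past the end of this hunk. The cf_file_t that the stat() failure path releases with `talloc_free(file)` is not freed on this path either, so if the tail of the function is what records or frees it (inferred, not visible here), FILE_EXISTS entries end up on a different path from FILE_INPUT ones. Gating only the permission test keeps a single exit path: drop the early return and change the condition to `if (check_perms && (file->buf.st_mode & S_IWOTH) != 0) {`.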
@@ -1384,7 +1385,7 @@ static inline int fr_item_validate_ipaddr(CONF_SECTION *cs, char const *name, PW int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *data, char const *dflt) { int rcode; - bool deprecated, required, attribute, secret, file_input, cant_be_empty, tmpl, multi; + bool deprecated, required, attribute, secret, file_input, cant_be_empty, tmpl, multi, file_exists; char **q; char const *value; CONF_PAIR *cp = NULL; @@ -1399,6 +1400,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d attribute = (type & PW_TYPE_ATTRIBUTE); secret = (type & PW_TYPE_SECRET); file_input = (type == PW_TYPE_FILE_INPUT); /* check, not and */ + file_exists = (type == PW_TYPE_FILE_EXISTS); /* check, not and */ cant_be_empty = (type & PW_TYPE_NOT_EMPTY); tmpl = (type & PW_TYPE_TMPL); multi = (type & PW_TYPE_MULTI); @@ -1649,7 +1651,11 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d * to be caught as early as possible, during * server startup. */ - if (*q && file_input && !cf_file_input(cs, *q)) { + if (*q && file_input && !cf_file_check(cs, *q, true)) { + return -1; + } + + if (*q && file_exists && !cf_file_check(cs, *q, false)) { return -1; } break;
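Review bot: The two new conditionals in the last hunk are mutually exclusive by construction — file_input and file_exists are each set by an exact comparison of type in the second hunk — and differ only in the check_perms argument, so one guard reads more clearly: `if (*q && (file_input || file_exists) && !cf_file_check(cs, *q, file_input)) {` followed by the existing `return -1;`. The comment preceding the check (its start is outside the hunk) still talks only about input files and could mention that existence-only checks are done here as well. cf_item_parse itself starts outside the hunk.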