From: Alan T. DeKok
Date: Tue, 27 Nov 2012 16:15:14 +0000 (-0500)
Subject: Do globally writable checks on directories, too
X-Git-Tag: release_2_2_1~210
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffb018c3008e70e0842f0a43d20b7cfcedb5ef56;p=thirdparty%2Ffreeradius-server.git
Do globally writable checks on directories, too
---
diff --git a/src/main/conffile.c b/src/main/conffile.c
index 38b6aec7f90..7982aaa7d4c 100644
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -1538,6 +1538,23 @@ static int cf_section_read(const char *filename, int *lineno, FILE *fp,
 struct stat stat_buf;
 DEBUG2("including files in directory %s", value );
+#ifdef S_IWOTH
+ /*
+ * Security checks.
+ */
+ if (stat(value, &stat_buf) < 0) {
+ radlog(L_ERR, "%s[%d]: Failed reading directory %s: %s",
+ filename, *lineno,
+ value, strerror(errno));
+ return -1;
+ }
+
+ if ((stat_buf.st_mode & S_IWOTH) != 0) {
+ radlog(L_ERR|L_CONS, "%s[%d]: Directory %s is globally writable. Refusing to start due to insecure configuration.",
+ filename, *lineno, value);
+ return -1;
+ }
+#endif
 dir = opendir(value);
 if (!dir) {
 radlog(L_ERR, "%s[%d]: Error reading directory %s: %s",
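Review bot: The added check calls `stat(value, &stat_buf)` on the path and `opendir(value)` then resolves the same path a second time, so the directory that passed the permission test is not guaranteed to be the one whose files get included if the path changes in between. Where `dirfd()` is available, the check can be tied to the opened handle by moving the `#ifdef S_IWOTH` block below the `opendir()` error branch, replacing the first test with `if (fstat(dirfd(dir), &stat_buf) < 0) {` and adding `closedir(dir);` before each `return -1;`. The test also looks only at `S_IWOTH` on the final path component, so a group-writable directory or a world-writable parent still passes; if that is intended, a short comment such as `/* only the included directory itself is checked, not its parents */` would record the limit. Both `cf_section_read` and the `if (!dir)` branch continue outside this hunk, so the exact placement needs confirming against the full function.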