author | Bart Schaefer <barts@users.sourceforge.net> | 2000-07-26 08:54:58 +0000 |
---|---|---|
committer | Bart Schaefer <barts@users.sourceforge.net> | 2000-07-26 08:54:58 +0000 |
commit | 04aaf1cd7f9fb791a3f305c2d8f6e7f995b1db6a (patch) | |
tree | fca671c0afddd4aa0bc7d1f4914570b3fe0760ee | |
parent | e7f910471143cfa56cc902e41c759ae91326f909 (diff) | |
Move compinit security checks into compaudit.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | Completion/Core/compaudit | 130 | ||||
-rw-r--r-- | Completion/Core/compinit | 74 | ||||
-rw-r--r-- | Doc/Zsh/compsys.yo | 31 |
4 files changed, 176 insertions, 65 deletions
diff --git a/ChangeLog b/ChangeLog
index cd46f86b1..a5001962a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2000-07-26 Bart Schaefer <schaefer@zsh.org>
+
+ * 12377: Completion/Core/compaudit, Completion/Core/compinit,
+ Doc/Zsh/compsys.yo: Separate compinit security checks into their
+ own callable function.
+
 2000-07-26 Sven Wischnowsky <wischnow@zsh.org>

 * 12378: Completion/Base/_arguments: make `_arguments --' use
diff --git a/Completion/Core/compaudit b/Completion/Core/compaudit
new file mode 100644
index 000000000..4ea31af58
--- /dev/null
+++ b/Completion/Core/compaudit
@@ -0,0 +1,130 @@
+# So that this file can also be read with `.' or `source' ...
+compaudit() { # Define and then call
+
+# Audit the fpath to assure that it contains all the directories needed by
+# the completion system, and that those directories are at least unlikely
+# to contain dangerous files. This is far from perfect, as the modes or
+# ownership of files or directories might change between the time of the
+# audit and the time the function is executed.
+
+# This function is designed to be called from compinit, which assumes that
+# it is in the same directory, i.e., it can be autoloaded from the initial
+# fpath as compinit was. Most local parameter names in this function must
+# therefore be the same as those used in compinit.
+
+emulate -L zsh
+setopt extendedglob
+
+# The positional parameters are the directories to check, else fpath.
+if (( $# )); then
+ local _compdir=''
+elif (( $#fpath == 0 )); then
+ print 'compaudit: No directories in $fpath, cannot continue' 1>&2
+ return 1
+else
+ set -- $fpath
+fi
+
+# _i_check is defined by compinit; used here as a test for whether this
+# function is running standalone or was called by compinit. If called
+# by compinit, we use parameters that are defined in compinit's scope,
+# otherwise we make them local here.
+(( $+_i_check )) || {
+ local _i_q _i_line _i_file _i_fail=verbose
+ local -a _i_files _i_addfiles _i_wdirs _i_wfiles
+ local -a -U +h fpath
+}
+
+fpath=( $* )
+
+# _compdir may be defined by the user; see the compinit documentation.
+# If it isn't defined, we want it to point somewhere sensible, but the
+# user is allowed to set it to empty to bypass the check below.
+(( $+_compdir )) || {
+ local _compdir=${fpath[(r)*/$ZSH_VERSION/*]}
+ [[ -z $_compdir ]] && _compdir=$fpath[1]
+ [[ -d $_compdir/../Core ]] && _compdir=${_compdir:h}
+}
+
+_i_wdirs=()
+_i_wfiles=()
+
+_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
+if [[ -n $_compdir ]]; then
+ if [[ $#_i_files -lt 20 || $_compdir = */Core || -d $_compdir/Core ]]; then
+ # Too few files: we need some more directories, or we need to check
+ # that all directories (not just Core) are present.
+ _i_addfiles=()
+ if [[ $_compdir = */Core ]]; then
+ # Add all the Completion subdirectories
+ _i_addfiles=(${_compdir:h}/*(/))
+ elif [[ -d $_compdir/Core ]]; then
+ # Likewise
+ _i_addfiles=(${_compdir}/*(/))
+ fi
+ for _i_line in {1..$#i_addfiles}; do
+ _i_file=${_i_addfiles[$_i_line]}
+ [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
+ _i_addfiles[$_i_line]=
+ done
+ fpath=($fpath $_i_addfiles)
+ _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
+ fi
+fi
+
+[[ $_i_fail == use ]] && return 0
+
+# RedHat Linux "per-user groups" check. This is tricky, because it's very
+# difficult to tell whether the sysadmin has put someone else into your
+# "private" group (e.g., via the default group field in /etc/passwd, or
+# by NFS group sharing with an untrustworthy machine). So we must assume
+# that this has not happened, and pick the best group.
+
+local GROUP GROUPMEM _i_pw _i_gid
+while IFS=: read GROUP _i_pw _i_gid GROUPMEM; do
+ if (( UID == EUID )); then
+ [[ $GROUP == $LOGNAME ]] && break
+ else
+ (( _i_gid == EGID )) && break # Somewhat arbitrary
+ fi
+done < /etc/group
+
+# We search for:
+# - world/group-writable directories in fpath not owned by root and the user
+# - parent-directories of directories in fpath that are world/group-writable
+# and not owned by root and the user (that would allow someone to put a
+# digest file for one of the directories into the parent directory)
+# - digest files for one of the directories in fpath not owned by root and
+# the user
+# - and for files in directories from fpath not owned by root and the user
+# (including zwc files)
+
+if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]; then
+ _i_wdirs=( ${^fpath}(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID})
+ ${^fpath}/..(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID}) )
+else
+ _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
+ ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID}) )
+fi
+_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
+_i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
+
+case "${#_i_wdirs}:${#_i_wfiles}" in
+(0:0) _i_q= ;;
+(0:*) _i_q=files ;;
+(*:0) _i_q=directories ;;
+(*:*) _i_q='directories and files' ;;
+esac
+
+if [[ -n "$_i_q" ]]; then
+ [[ $_i_fail == verbose ]] && {
+ print There are insecure ${_i_q}: 1>&2
+ print -l - $_i_wdirs $_i_wfiles
+ }
+ return 1
+fi
+return 0
+
+} # Define and then call
+
+compaudit "$@"
diff --git a/Completion/Core/compinit b/Completion/Core/compinit
index 61128af01..de11c8f8c 100644
--- a/Completion/Core/compinit
+++ b/Completion/Core/compinit
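Review bot: The file-level test `_i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )` checks ownership only, whereas the directory globs a few lines above also test `f:g+w:` and `f:o+w:`, so a completion file that is owned by root or by the user but is group- or world-writable is never reported even though compinit will autoload it (the `.zwc` digest line has the same gap). Unless that asymmetry is deliberate, I would add a permission clause along the lines of `_i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) ${^fpath}/^([^_]*|*~)(Nf:o+w:) )`, with the same private-group handling of `g+w` that the directory branch uses. Separately, `for _i_line in {1..$#i_addfiles}; do` takes its bound from `i_addfiles` (no leading underscore), which nothing in this file sets, so the loop only ever visits the first entry of `_i_addfiles` rather than every directory just collected; the typo is inherited from compinit, but now that the code lives here it should read `for _i_line in {1..$#_i_addfiles}; do`. The `done < /etc/group` read also prints a redirection error on a system without that file and then silently falls through to the stricter branch, which is safe but worth a guard such as `[[ -r /etc/group ]] &&` or a comment given the NSS/NFS caveat already noted above it.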
@@ -1,10 +1,11 @@
 # Initialisation for new style completion. This mainly contains some helper
 # functions and aliases. Everything else is split into different files that
-# will automatically be made autoloaded (see the end of this file).
-# The names of the files that will be considered for autoloading have to
-# start with an underscores (like `_setopt').
-# The first line of these files will be read and has to say what should be
-# done with its contents:
+# will automatically be made autoloaded (see the end of this file). The
+# names of the files that will be considered for autoloading are those that
+# begin with an underscores (like `_setopt').
+#
+# The first line of each of these files is read and must indicate what
+# should be done with its contents:
 #
 # `#compdef <names ...>'
 # If the first line looks like this, the file is autoloaded as a
@@ -57,6 +58,13 @@
 # the end). This takes the dumpfile as an argument. -d (with the
 # default dumpfile) is now the default; to turn off dumping use -D.

+# The -C flag bypasses both the check for rebuilding the dump file and the
+# usual call to compaudit; the -i flag causes insecure directories found by
+# compaudit to be ignored, and the -u flag causes all directories found by
+# compaudit to be used (without security checking). Otherwise the user is
+# queried for whether to use or ignore the insecure directories (which
+# means compinit should not be called from non-interactive shells).
+
 emulate -L zsh
 setopt extendedglob

@@ -321,57 +329,13 @@
 typeset _i_wdirs _i_wfiles
 _i_wdirs=()
 _i_wfiles=()
+autoload -U compaudit
 if [[ -n "$_i_check" ]]; then
- _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
- if [[ $#_i_files -lt 20 || $_compdir = */Core || -d $_compdir/Core ]]; then
- # Too few files: we need some more directories,
- # or we need to check that all directories (not just Core) are present.
- if [[ -n $_compdir ]]; then
- _i_addfiles=()
- if [[ $_compdir = */Core ]]; then
- # Add all the Completion subdirectories
- _i_addfiles=(${_compdir:h}/*(/))
- elif [[ -d $_compdir/Core ]]; then
- # Likewise
- _i_addfiles=(${_compdir}/*(/))
- fi
- for _i_line in {1..$#i_addfiles}; do
- _i_file=${_i_addfiles[$_i_line]}
- [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
- _i_addfiles[$_i_line]=
- done
- fpath=($fpath $_i_addfiles)
- _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
- fi
- fi
- if [[ "$_i_fail" != use ]]; then
- typeset _i_q
-
- # We search for:
- # - world/group-writable directories in fpath not owned by root and the user
- # - parent-directories of directories in fpath that are world/group-writable
- # and not owned by root and the user (that would allow someone to put a
- # digest file for one of the directories into the parent directory)
- # - digest files for one of the directories in fpath not owned by root and
- # the user
- # - and for files in directories from fpath not owned by root and the user
- # (including zwc files)
-
- _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
- ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID})
- ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
- _i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
-
- case "${#_i_wdirs}:${#_i_wfiles}" in
- 0:0) _i_q= ;;
- 0:*) _i_q=files ;;
- *:0) _i_q=directories ;;
- *:*) _i_q='directories and files' ;;
- esac
-
+ typeset _i_q
+ if ! eval compaudit; then
 if [[ -n "$_i_q" ]]; then
 if [[ "$_i_fail" = ask ]]; then
- if ! read -q "?There are insecure $_i_q, continue [ny]? "; then
+ if ! read -q "?There are insecure $_i_q, use them anyway [ny]? "; then
 unfunction compinit compdef
 unset _comp_dumpfile _comp_secure compprefuncs comppostfuncs \
 _comps _patcomps _postpatcomps _compautos _lastcomp
@@ -461,7 +425,7 @@
 if [[ ${_i_line[2]} = expand-or-complete ]] && bindkey '^i' complete-word
 fi
-unfunction compinit
-autoload -U compinit
+unfunction compinit compaudit
+autoload -U compinit compaudit
 return 0
diff --git a/Doc/Zsh/compsys.yo b/Doc/Zsh/compsys.yo
index 48821efd5..76840e129 100644
--- a/Doc/Zsh/compsys.yo
+++ b/Doc/Zsh/compsys.yo
@@ -48,9 +48,9 @@
 immediately. However, if tt(compinstall) has removed definitions, you will need to restart the shell to see the changes. To run tt(compinstall) you will need to make sure it is in a directory
-mentioned in your tt($fpath) parameter, which should already be the case if
+mentioned in your tt(fpath) parameter, which should already be the case if
 zsh was properly configured as long as your startup files do not remove the
-appropriate directories from tt($fpath). Then it must be autoloaded
+appropriate directories from tt(fpath). Then it must be autoloaded
 (`tt(autoload -U compinstall)' is recommended). You can abort the installation any time you are being prompted for information, and your tt(.zshrc) will not be altered at all; changes only take place right at the
@@ -65,7 +65,7 @@
 the current session when run directly by the user; if you have run tt(compinstall) it will be called automatically from your tt(.zshrc). To initialize the system, the function tt(compinit) should be in a
-directory mentioned in the tt($fpath) variable, and should be autoloaded
+directory mentioned in the tt(fpath) parameter, and should be autoloaded
 (`tt(autoload -U compinit)' is recommended), and then run simply as `tt(compinit)'. This will define a few utility functions, arrange for all the necessary shell functions to be
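Review bot: `if ! eval compaudit; then` runs a plain function call through `eval` with no visible need for it; `eval` re-parses its argument and invites the reader to look for something being constructed, so `if ! compaudit; then` is clearer and behaves the same unless there is a parsing reason I am missing. It is also worth recording next to the call that compaudit is invoked with no arguments and reports back through compinit's own dynamically scoped `_i_q`, `_i_wdirs`, `_i_wfiles` and `fpath` (it keys this on `_i_check` being set), which is why the `typeset _i_q` added just above matters: it keeps that flag from being created as a global in the user's shell. When compaudit returns non-zero without setting `_i_q` (its own "No directories in $fpath" error, for instance) the `[[ -n "$_i_q" ]]` test falls through; whether initialisation should continue in that case I cannot tell, since the enclosing `if` block runs past the end of the hunk. A comment such as `# compaudit reports via _i_q/_i_wdirs/_i_wfiles and may extend fpath; it relies on _i_check being set in this scope` would help the next reader.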
@@ -110,14 +110,25 @@
 where completion functions can be found; this is only necessary if they are not already in the function search path. For security reasons tt(compinit) also checks if the completion system
-would use files not owned by root or the current user or files in
+would use files not owned by root or by the current user, or files in
 directories that are world- or group-writable or that are not owned by
-root or the current user. If such files or directories are found,
-tt(Compinit) will ask if the completion system should really be used.
-To avoid these tests and make all files found be used without asking,
-the option tt(-u) can be given and to make tt(compinit) silently
-ignore all insecure files and directories the options tt(-i) can be
-given.
+root or by the current user. If such files or directories are found,
+tt(compinit) will ask if the completion system should really be used. To
+avoid these tests and make all files found be used without asking, use the
+option tt(-u), and to make tt(compinit) silently ignore all insecure files
+and directories use the option tt(-i). This security check is skipped
+entirely when the tt(-C) option is given.
+
+findex(compaudit)
+The security check can be retried at any time by running the function
+tt(compaudit). This is the same check used by tt(compinit), but when it
+is executed directly any changes to tt(fpath) are made local to the
+function so they do not persist. The directories to be checked may be
+passed as arguments; if none are given, tt(compaudit) uses tt(fpath) and
+tt(_compdir) to find completion system directories, adding missing ones
+to tt(fpath) as necessary. To force a check of exactly the directories
+currently named in tt(fpath), set tt(_compdir) to an empty string before
+calling tt(compaudit) or tt(compinit).
 subsect(Autoloaded files) cindex(completion system, autoloaded functions) |