summary refs log tree commit diff
diff options
context:
space:
mode:
authorBart Schaefer <barts@users.sourceforge.net>2000-07-26 08:54:58 +0000
committerBart Schaefer <barts@users.sourceforge.net>2000-07-26 08:54:58 +0000
commit04aaf1cd7f9fb791a3f305c2d8f6e7f995b1db6a (patch)
treefca671c0afddd4aa0bc7d1f4914570b3fe0760ee
parente7f910471143cfa56cc902e41c759ae91326f909 (diff)
downloadzsh-04aaf1cd7f9fb791a3f305c2d8f6e7f995b1db6a.tar.gz
zsh-04aaf1cd7f9fb791a3f305c2d8f6e7f995b1db6a.tar.xz
zsh-04aaf1cd7f9fb791a3f305c2d8f6e7f995b1db6a.zip
Move compinit security checks into compaudit.
-rw-r--r--ChangeLog6
-rw-r--r--Completion/Core/compaudit130
-rw-r--r--Completion/Core/compinit74
-rw-r--r--Doc/Zsh/compsys.yo31
4 files changed, 176 insertions, 65 deletions
diff --git a/ChangeLog b/ChangeLog
index cd46f86b1..a5001962a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2000-07-26  Bart Schaefer  <schaefer@zsh.org>
+
+	* 12377: Completion/Core/compaudit, Completion/Core/compinit,
+	Doc/Zsh/compsys.yo: Separate compinit security checks into their
+	own callable function.
+
 2000-07-26  Sven Wischnowsky  <wischnow@zsh.org>
 
 	* 12378: Completion/Base/_arguments: make `_arguments --' use
diff --git a/Completion/Core/compaudit b/Completion/Core/compaudit
new file mode 100644
index 000000000..4ea31af58
--- /dev/null
+++ b/Completion/Core/compaudit
@@ -0,0 +1,130 @@
+# So that this file can also be read with `.' or `source' ...
+compaudit() {                           # Define and then call
+
+# Audit the fpath to assure that it contains all the directories needed by
+# the completion system, and that those directories are at least unlikely
+# to contain dangerous files.  This is far from perfect, as the modes or
+# ownership of files or directories might change between the time of the
+# audit and the time the function is executed.
+
+# This function is designed to be called from compinit, which assumes that
+# it is in the same directory, i.e., it can be autoloaded from the initial
+# fpath as compinit was.  Most local parameter names in this function must
+# therefore be the same as those used in compinit.
+
+emulate -L zsh
+setopt extendedglob
+
+# The positional parameters are the directories to check, else fpath.
+if (( $# )); then
+  local _compdir=''
+elif (( $#fpath == 0 )); then
+  print 'compaudit: No directories in $fpath, cannot continue' 1>&2
+  return 1
+else
+  set -- $fpath
+fi
+
+# _i_check is defined by compinit; used here as a test for whether this
+# function is running standalone or was called by compinit.  If called
+# by compinit, we use parameters that are defined in compinit's scope,
+# otherwise we make them local here.
+(( $+_i_check )) || {
+  local _i_q _i_line _i_file _i_fail=verbose
+  local -a _i_files _i_addfiles _i_wdirs _i_wfiles
+  local -a -U +h fpath
+}
+
+fpath=( $* )
+
+# _compdir may be defined by the user; see the compinit documentation.
+# If it isn't defined, we want it to point somewhere sensible, but the
+# user is allowed to set it to empty to bypass the check below.
+(( $+_compdir )) || {
+  local _compdir=${fpath[(r)*/$ZSH_VERSION/*]}
+  [[ -z $_compdir ]] && _compdir=$fpath[1]
+  [[ -d $_compdir/../Core ]] && _compdir=${_compdir:h}
+}
+
+_i_wdirs=()
+_i_wfiles=()
+
+_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
+if [[ -n $_compdir ]]; then
+  if [[ $#_i_files -lt 20 || $_compdir = */Core || -d $_compdir/Core ]]; then
+    # Too few files: we need some more directories, or we need to check
+    # that all directories (not just Core) are present.
+    _i_addfiles=()
+    if [[ $_compdir = */Core ]]; then
+      # Add all the Completion subdirectories
+      _i_addfiles=(${_compdir:h}/*(/))
+    elif [[ -d $_compdir/Core ]]; then
+      # Likewise
+      _i_addfiles=(${_compdir}/*(/))
+    fi
+    for _i_line in {1..$#i_addfiles}; do
+      _i_file=${_i_addfiles[$_i_line]}
+      [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
+        _i_addfiles[$_i_line]=
+    done
+    fpath=($fpath $_i_addfiles)
+    _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
+  fi
+fi
+
+[[ $_i_fail == use ]] && return 0
+
+# RedHat Linux "per-user groups" check.  This is tricky, because it's very
+# difficult to tell whether the sysadmin has put someone else into your
+# "private" group (e.g., via the default group field in /etc/passwd, or
+# by NFS group sharing with an untrustworthy machine).  So we must assume
+# that this has not happened, and pick the best group.
+
+local GROUP GROUPMEM _i_pw _i_gid
+while IFS=: read GROUP _i_pw _i_gid GROUPMEM; do
+  if (( UID == EUID )); then
+    [[ $GROUP == $LOGNAME ]] && break
+  else
+    (( _i_gid == EGID )) && break       # Somewhat arbitrary
+  fi
+done < /etc/group
+
+# We search for:
+# - world/group-writable directories in fpath not owned by root and the user
+# - parent-directories of directories in fpath that are world/group-writable
+#   and not owned by root and the user (that would allow someone to put a
+#   digest file for one of the directories into the parent directory)
+# - digest files for one of the directories in fpath not owned by root and
+#   the user
+# - and for files in directories from fpath not owned by root and the user
+#   (including zwc files)
+
+if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]; then
+  _i_wdirs=( ${^fpath}(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID})
+             ${^fpath}/..(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID}) )
+else
+  _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
+             ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID}) )
+fi
+_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
+_i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
+
+case "${#_i_wdirs}:${#_i_wfiles}" in
+(0:0) _i_q= ;;
+(0:*) _i_q=files ;;
+(*:0) _i_q=directories ;;
+(*:*) _i_q='directories and files' ;;
+esac
+
+if [[ -n "$_i_q" ]]; then
+  [[ $_i_fail == verbose ]] && {
+    print There are insecure ${_i_q}: 1>&2
+    print -l - $_i_wdirs $_i_wfiles
+  }
+  return 1
+fi
+return 0
+
+}                                       # Define and then call
+
+compaudit "$@"
diff --git a/Completion/Core/compinit b/Completion/Core/compinit
index 61128af01..de11c8f8c 100644
--- a/Completion/Core/compinit
+++ b/Completion/Core/compinit
@@ -1,10 +1,11 @@
 # Initialisation for new style completion. This mainly contains some helper
 # functions and aliases. Everything else is split into different files that
-# will automatically be made autoloaded (see the end of this file).
-# The names of the files that will be considered for autoloading have to
-# start with an underscores (like `_setopt').
-# The first line of these files will be read and has to say what should be
-# done with its contents:
+# will automatically be made autoloaded (see the end of this file).  The
+# names of the files that will be considered for autoloading are those that
+# begin with an underscores (like `_setopt').
+#
+# The first line of each of these files is read and must indicate what
+# should be done with its contents:
 #
 #   `#compdef <names ...>'
 #     If the first line looks like this, the file is autoloaded as a
@@ -57,6 +58,13 @@
 # the end).  This takes the dumpfile as an argument.  -d (with the
 # default dumpfile) is now the default; to turn off dumping use -D.
 
+# The -C flag bypasses both the check for rebuilding the dump file and the
+# usual call to compaudit; the -i flag causes insecure directories found by
+# compaudit to be ignored, and the -u flag causes all directories found by
+# compaudit to be used (without security checking).  Otherwise the user is
+# queried for whether to use or ignore the insecure directories (which
+# means compinit should not be called from non-interactive shells).
+
 emulate -L zsh
 setopt extendedglob
 
@@ -321,57 +329,13 @@ typeset _i_wdirs _i_wfiles
 _i_wdirs=()
 _i_wfiles=()
 
+autoload -U compaudit
 if [[ -n "$_i_check" ]]; then
-  _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
-  if [[ $#_i_files -lt 20 || $_compdir = */Core || -d $_compdir/Core ]]; then
-    # Too few files:  we need some more directories,
-    # or we need to check that all directories (not just Core) are present.
-    if [[ -n $_compdir ]]; then
-      _i_addfiles=()
-      if [[ $_compdir = */Core ]]; then
-        # Add all the Completion subdirectories
-        _i_addfiles=(${_compdir:h}/*(/))
-      elif [[ -d $_compdir/Core ]]; then
-        # Likewise
-        _i_addfiles=(${_compdir}/*(/))
-      fi
-      for _i_line in {1..$#i_addfiles}; do
-        _i_file=${_i_addfiles[$_i_line]}
-        [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
-          _i_addfiles[$_i_line]=
-      done
-      fpath=($fpath $_i_addfiles)
-      _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
-    fi
-  fi
-  if [[ "$_i_fail" != use ]]; then
-    typeset _i_q
-
-    # We search for:
-    # - world/group-writable directories in fpath not owned by root and the user
-    # - parent-directories of directories in fpath that are world/group-writable
-    #   and not owned by root and the user (that would allow someone to put a
-    #   digest file for one of the directories into the parent directory)
-    # - digest files for one of the directories in fpath not owned by root and
-    #   the user
-    # - and for files in directories from fpath not owned by root and the user
-    #   (including zwc files)
-
-    _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
-               ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID})
-               ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
-    _i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
-
-    case "${#_i_wdirs}:${#_i_wfiles}" in
-    0:0) _i_q= ;;
-    0:*) _i_q=files ;;
-    *:0) _i_q=directories ;;
-    *:*) _i_q='directories and files' ;;
-    esac
-
+  typeset _i_q
+  if ! eval compaudit; then
     if [[ -n "$_i_q" ]]; then
       if [[ "$_i_fail" = ask ]]; then
-        if ! read -q "?There are insecure $_i_q, continue [ny]? "; then
+        if ! read -q "?There are insecure $_i_q, use them anyway [ny]? "; then
           unfunction compinit compdef
           unset _comp_dumpfile _comp_secure compprefuncs comppostfuncs \
                 _comps _patcomps _postpatcomps _compautos _lastcomp
@@ -461,7 +425,7 @@ if [[ ${_i_line[2]} = expand-or-complete ]] &&
   bindkey '^i' complete-word
 fi
 
-unfunction compinit
-autoload -U compinit
+unfunction compinit compaudit
+autoload -U compinit compaudit
 
 return 0
diff --git a/Doc/Zsh/compsys.yo b/Doc/Zsh/compsys.yo
index 48821efd5..76840e129 100644
--- a/Doc/Zsh/compsys.yo
+++ b/Doc/Zsh/compsys.yo
@@ -48,9 +48,9 @@ immediately.  However, if tt(compinstall) has removed definitions, you will
 need to restart the shell to see the changes.
 
 To run tt(compinstall) you will need to make sure it is in a directory
-mentioned in your tt($fpath) parameter, which should already be the case if
+mentioned in your tt(fpath) parameter, which should already be the case if
 zsh was properly configured as long as your startup files do not remove the
-appropriate directories from tt($fpath).  Then it must be autoloaded
+appropriate directories from tt(fpath).  Then it must be autoloaded
 (`tt(autoload -U compinstall)' is recommended).  You can abort the
 installation any time you are being prompted for information, and your
 tt(.zshrc) will not be altered at all; changes only take place right at the
@@ -65,7 +65,7 @@ the current session when run directly by the user; if you have run
 tt(compinstall) it will be called automatically from your tt(.zshrc).
 
 To initialize the system, the function tt(compinit) should be in a
-directory mentioned in the tt($fpath) variable, and should be autoloaded
+directory mentioned in the tt(fpath) parameter, and should be autoloaded
 (`tt(autoload -U compinit)' is recommended), and then run simply as
 `tt(compinit)'.  This will define a
 few utility functions, arrange for all the necessary shell functions to be
@@ -110,14 +110,25 @@ where completion functions can be found; this is only necessary if they are
 not already in the function search path.
 
 For security reasons tt(compinit) also checks if the completion system
-would use files not owned by root or the current user or files in
+would use files not owned by root or by the current user, or files in
 directories that are world- or group-writable or that are not owned by 
-root or the current user.  If such files or directories are found,
-tt(Compinit) will ask if the completion system should really be used.
-To avoid these tests and make all files found be used without asking,
-the option tt(-u) can be given and to make tt(compinit) silently
-ignore all insecure files and directories the options tt(-i) can be
-given.
+root or by the current user.  If such files or directories are found,
+tt(compinit) will ask if the completion system should really be used.  To
+avoid these tests and make all files found be used without asking, use the
+option tt(-u), and to make tt(compinit) silently ignore all insecure files
+and directories use the option tt(-i).  This security check is skipped
+entirely when the tt(-C) option is given.
+
+findex(compaudit)
+The security check can be retried at any time by running the function
+tt(compaudit).  This is the same check used by tt(compinit), but when it
+is executed directly any changes to tt(fpath) are made local to the
+function so they do not persist.  The directories to be checked may be
+passed as arguments; if none are given, tt(compaudit) uses tt(fpath) and
+tt(_compdir) to find completion system directories, adding missing ones
+to tt(fpath) as necessary.  To force a check of exactly the directories
+currently named in tt(fpath), set tt(_compdir) to an empty string before
+calling tt(compaudit) or tt(compinit).
 
 subsect(Autoloaded files)
 cindex(completion system, autoloaded functions)