Ticket #88: max-perm.2

Index: vuurmuur/libvuurmuur/src/config.c
===================================================================
--- vuurmuur.orig/libvuurmuur/src/config.c      2009-04-25 10:49:57.000000000 +0200
+++ vuurmuur/libvuurmuur/src/config.c   2009-04-25 11:12:52.000000000 +0200
@@ -393,7 +393,38 @@
     }
     fclose(fp);
 
-    /* check if we like the configfile */
+    /* MAX_PERMISSION
+     * First (even before calling stat_ok to check the config file),
+     * load the MAX_PERMISSION value. Allow allow any permissions at
+     * first, since ask_configfile uses the max_permission value. */
+    cnf->max_permission = ANY_PERMISSION;
+    result = ask_configfile(askconfig_debuglvl, "MAX_PERMISSION", answer, cnf->configfile, sizeof(answer));
+    if(result == 1)
+    {
+        char *endptr;
+        /* ok, found, parse it as an octal mode */
+        cnf->max_permission = strtol(answer, &endptr, 8);
+
+        /* If strol fails, it will set endptr to answer. Also check that
+         * there was no trailing garbage at the end of the string. */
+        if (endptr == answer || *endptr != '\0')
+        {
+            (void)vrprint.warning("Warning", "Invalid MAX_PERMISSION setting: %s. It should be an octal permission number. Using default (%o).", answer, DEFAULT_MAX_PERMISSION);
+            cnf->max_permission = DEFAULT_MAX_PERMISSION;
+
+            retval = VR_CNF_W_ILLEGAL_VAR;
+        }
+    }
+    else if(result == 0)
+    {
+        /* ignore missing, use default */
+        cnf->max_permission = DEFAULT_MAX_PERMISSION;
+    }
+    else
+        return(VR_CNF_E_UNKNOWN_ERR);
+
+    /* Now that we know the maximum permission a config file can have,
+     * check if we like the configfile */
     if(!(stat_ok(debuglvl, cnf->configfile, STATOK_WANT_FILE, STATOK_VERBOSE, STATOK_MUST_EXIST)))
         return(VR_CNF_E_FILE_PERMISSION);
 
Index: vuurmuur/libvuurmuur/src/io.c
===================================================================
--- vuurmuur.orig/libvuurmuur/src/io.c  2009-04-25 10:49:57.000000000 +0200
+++ vuurmuur/libvuurmuur/src/io.c       2009-04-25 11:12:52.000000000 +0200
@@ -104,7 +104,7 @@
 stat_ok(const int debuglvl, const char *file_loc, char type, char output, char must_exist)
 {
     struct stat stat_buf;
-    mode_t      mode = 0600;
+    mode_t max, perm;
 
     /* safety */
     if(file_loc == NULL)
@@ -160,15 +160,6 @@
         return(0);
     }
 
-    /* if a file is writable by someone other than root, we refuse to open it */
-    if(stat_buf.st_mode & S_IWGRP || stat_buf.st_mode & S_IWOTH)
-    {
-        if(output == STATOK_VERBOSE)
-            (void)vrprint.error(-1, "Error", "opening '%s': For security reasons Vuurmuur will not open files that are writable by 'group' or 'other'. Check the file content & permissions.", file_loc);
-
-        return(0);
-    }
-
     /* we demand that all files are owned by root */
     if(stat_buf.st_uid != 0 || stat_buf.st_gid != 0)
     {
@@ -178,43 +169,25 @@
         return(0);
     }
 
-    int fixperm = 0;
-    /* some warnings about the permissions being too relax */
-    if(stat_buf.st_mode & S_IRGRP)
-    {
-        (void)vrprint.info("Info", "'%s' is readable by 'group'. This is not recommended. ", file_loc);
-        fixperm = 1;
-    }
-    if(stat_buf.st_mode & S_IROTH)
-    {
-        (void)vrprint.info("Info", "'%s' is readable by and 'other'. This is not recommended.", file_loc);
-        fixperm = 1;
-    }
-
-    if(stat_buf.st_mode & S_IXGRP)
-    {
-        (void)vrprint.info("Info", "'%s' is executable by 'group'. This is not recommended.", file_loc);
-        fixperm = 1;
-    }
-    if(stat_buf.st_mode & S_IXOTH)
+    if (conf.max_permission != ANY_PERMISSION)
     {
-        (void)vrprint.info("Info", "'%s' is executable by 'other'. This is not recommended.", file_loc);
-        fixperm = 1;
-    }
-
-    if (fixperm) {
-        /* for dirs */
-        if(S_ISDIR(stat_buf.st_mode))
-            mode = 0700;
-        /* for files */
-        else if(S_ISREG(stat_buf.st_mode))
-            mode = 0600;
+        /* Extract the permission bits from the mode */
+        perm = stat_buf.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO);
+        /* Maximum permissions. Remove +x for files */
+        max = conf.max_permission;
+        if (S_ISREG(stat_buf.st_mode) == 1)
+            max &= ~(S_IXUSR|S_IXGRP|S_IXOTH);
 
-        (void)vrprint.info("Info", "Resetting permissions of '%s' to %o.", file_loc, mode);
-        if(chmod(file_loc, mode) == -1)
+        /* See if the file mode has more bits set than the maximum allowed */
+        if(perm & ~max)
         {
-            (void)vrprint.error(-1, "Error", "failed to repair permissions for '%s': %s.", file_loc, strerror(errno));
-            return(0);
+            (void)vrprint.info("Info", "'%s' has mode %o, which is more than maximum allowed mode %o. Resetting to %o.", file_loc, perm, max, max);
+
+            if(chmod(file_loc, max) == -1)
+            {
+                (void)vrprint.error(-1, "Error", "failed to repair permissions for '%s': %s.", file_loc, strerror(errno));
+                return(0);
+            }
         }
     }
 
Index: vuurmuur/libvuurmuur/src/vuurmuur.h
===================================================================
--- vuurmuur.orig/libvuurmuur/src/vuurmuur.h    2009-04-25 10:50:05.000000000 +0200
+++ vuurmuur/libvuurmuur/src/vuurmuur.h 2009-04-25 11:12:52.000000000 +0200
@@ -145,6 +145,8 @@
 #define DEFAULT_LOAD_MODULES            TRUE                /* default we load modules */
 #define DEFAULT_MODULES_WAITTIME        0                   /* default we don't wait */
 
+#define DEFAULT_MAX_PERMISSION          0700                /* default only allow user rwx */
+
 #define MAX_LOGRULE_SIZE                512
 #define MAX_PIPE_COMMAND                512                 /* maximum lenght of the pipe command */
 #define MAX_RULECOMMENT_LEN             64                  /* length in characters (for widec) */
@@ -152,7 +154,9 @@
 #define PROC_IPCONNTRACK                "/proc/net/ip_conntrack"
 #define PROC_NFCONNTRACK                "/proc/net/nf_conntrack"
 
-
+/* Special permission value, meaning don't check permissions. The value
+ * is simply all ones. */
+#define ANY_PERMISSION                  (~((mode_t)0))
 /*
     regexes
 */
@@ -427,6 +431,11 @@
     /* this is detected at runtime */
     char            use_nfconntrack;
 
+       /* Maximum permissions for files and directories used by vuurmuur
+          (config & log files). This should include x bits, which are
+          filtered out for files. */
+       mode_t          max_permission;
+
 } conf;
 
 
Index: vuurmuur/vuurmuur/skel/etc/vuurmuur/config.conf.sample
===================================================================
--- vuurmuur.orig/vuurmuur/skel/etc/vuurmuur/config.conf.sample 2009-04-25 11:13:02.000000000 +0200
+++ vuurmuur/vuurmuur/skel/etc/vuurmuur/config.conf.sample      2009-04-25 11:13:05.000000000 +0200
@@ -75,4 +75,10 @@
 # Ignore echo-broadcasts? (yes/no)
 PROTECT_ECHOBROADCAST="Yes"
 
+# Don't allow config and log files and directories to be accessable by
+# anyone but root. For files, the execute bits are automatically
+# stripped from this value. This should be an octal number describing
+# the maximum allowable permissions.
+MAX_PERMISSION="700"
+
 # end of file