1
//! Implementation logic for `fs-mistrust`.
2

            
3
use std::{
4
    fs::{FileType, Metadata},
5
    path::Path,
6
};
7

            
8
#[cfg(target_family = "unix")]
9
use std::os::unix::prelude::MetadataExt;
10

            
11
use crate::{
12
    walk::{PathType, ResolvePath},
13
    Error, Result, Type,
14
};
15

            
16
/// Definition for the "sticky bit", which on Unix means that the contents of
17
/// directory may not be renamed, deleted, or otherwise modified by a non-owner
18
/// of those contents, even if the user has write permissions on the directory.
19
///
20
/// This is the usual behavior for /tmp: You can make your own directories in
21
/// /tmp, but you can't modify other people's.
22
///
23
/// (We'd use libc's version of `S_ISVTX`, but they vacillate between u16 and
24
/// u32 depending what platform you're on.)
25
#[cfg(target_family = "unix")]
26
pub(crate) const STICKY_BIT: u32 = 0o1000;
27

            
28
/// Helper: Box an iterator of errors.
29
351886
fn boxed<'a, I: Iterator<Item = Error> + 'a>(iter: I) -> Box<dyn Iterator<Item = Error> + 'a> {
30
351886
    Box::new(iter)
31
351886
}
32

            
33
impl<'a> super::Verifier<'a> {
34
    /// Return an iterator of all the security problems with `path`.
35
    ///
36
    /// If the iterator is empty, then there is no problem with `path`.
37
    //
38
    // TODO: This iterator is not fully lazy; sometimes, calls to check_one()
39
    // return multiple errors when it would be better for them to return only
40
    // one (since we're ignoring errors after the first).  This might be nice
41
    // to fix in the future if we can do so without adding much complexity
42
    // to the code.  It's not urgent, since the allocations won't cost much
43
    // compared to the filesystem access.
44
175943
    pub(crate) fn check_errors(&self, path: &Path) -> impl Iterator<Item = Error> + '_ {
45
175943
        if self.mistrust.is_disabled() {
46
            // We don't want to walk the path in this case at all: we'll just
47
            // look at the last element.
48

            
49
153424
            let meta = match path.metadata() {
50
138730
                Ok(meta) => meta,
51
14694
                Err(e) => return boxed(vec![Error::inspecting(e, path)].into_iter()),
52
            };
53
138730
            let mut errors = Vec::new();
54
138730
            self.check_type(path, PathType::Final, &meta, &mut errors);
55
138730
            return boxed(errors.into_iter());
56
22519
        }
57

            
58
22519
        let rp = match ResolvePath::new(path) {
59
22519
            Ok(rp) => rp,
60
            Err(e) => return boxed(vec![e].into_iter()),
61
        };
62

            
63
        // Filter to remove every path that is a prefix of ignore_prefix. (IOW,
64
        // if stop_at_dir is /home/arachnidsGrip, real_stop_at_dir will be
65
        // /home, and we'll ignore / and /home.)
66
103586
        let should_retain = move |r: &Result<_>| match (r, &self.mistrust.ignore_prefix) {
67
62914
            (Ok((p, _, _)), Some(ignore_prefix)) => !ignore_prefix.starts_with(p),
68
40308
            (_, _) => true,
69
103222
        };
70

            
71
22519
        boxed(
72
22519
            rp.filter(should_retain)
73
22519
                // Finally, check the path for errors.
74
22519
                //
75
22519
                // See `check_one` below for a note on TOCTOU issues.
76
56937
                .flat_map(move |r| match r {
77
51815
                    Ok((path, path_type, metadata)) => {
78
51815
                        self.check_one(path.as_path(), path_type, &metadata)
79
                    }
80
4758
                    Err(e) => vec![e],
81
56937
                }),
82
22519
        )
83
175943
    }
84

            
85
    /// If check_contents is set, return an iterator over all the errors in
86
    /// elements _contained in this directory_.
87
    #[cfg(feature = "walkdir")]
88
175943
    pub(crate) fn check_content_errors(&self, path: &Path) -> impl Iterator<Item = Error> + '_ {
89
        use std::sync::Arc;
90

            
91
175943
        if !self.check_contents || self.mistrust.is_disabled() {
92
171596
            return boxed(std::iter::empty());
93
4347
        }
94
4347

            
95
4347
        boxed(
96
4347
            walkdir::WalkDir::new(path)
97
4347
                .follow_links(false)
98
4347
                .min_depth(1)
99
4347
                .into_iter()
100
4350
                .flat_map(move |ent| match ent {
101
                    Err(err) => vec![Error::Listing(Arc::new(err))],
102
4
                    Ok(ent) => match ent.metadata() {
103
4
                        Ok(meta) => self
104
4
                            .check_one(ent.path(), PathType::Content, &meta)
105
4
                            .into_iter()
106
4
                            .map(|e| Error::Content(Box::new(e)))
107
4
                            .collect(),
108
                        Err(err) => vec![Error::Listing(Arc::new(err))],
109
                    },
110
4350
                }),
111
4347
        )
112
175943
    }
113

            
114
    /// Return an empty iterator.
115
    #[cfg(not(feature = "walkdir"))]
116
    pub(crate) fn check_content_errors(&self, _path: &Path) -> impl Iterator<Item = Error> + '_ {
117
        std::iter::empty()
118
    }
119

            
120
    /// Check a single `path` for conformance with this `Verifier`.
121
    ///
122
    /// Note that this result is only meaningful if all of the _ancestors_ of
123
    /// this path have been checked.  Otherwise, a non-trusted user could change
124
    /// where this path points after it has been checked.
125
    #[must_use]
126
118223
    pub(crate) fn check_one(
127
118223
        &self,
128
118223
        path: &Path,
129
118223
        path_type: PathType,
130
118223
        meta: &Metadata,
131
118223
    ) -> Vec<Error> {
132
118223
        let mut errors = Vec::new();
133
118223

            
134
118223
        self.check_type(path, path_type, meta, &mut errors);
135
118223
        #[cfg(target_family = "unix")]
136
118223
        self.check_permissions(path, path_type, meta, &mut errors);
137
118223
        errors
138
118223
    }
139

            
140
    /// Check whether a given file has the correct type, and push an error into
141
    /// `errors` if not. Other inputs are as for `check_one`.
142
256953
    fn check_type(
143
256953
        &self,
144
256953
        path: &Path,
145
256953
        path_type: PathType,
146
256953
        meta: &Metadata,
147
256953
        errors: &mut Vec<Error>,
148
256953
    ) {
149
256953
        let want_type = match path_type {
150
            PathType::Symlink => {
151
                // There's nothing to check on a symlink encountered _while
152
                // looking up the target_; its permissions and ownership do not
153
                // actually matter.
154
12
                return;
155
            }
156
40572
            PathType::Intermediate => Type::Dir,
157
149961
            PathType::Final => self.enforce_type,
158
66408
            PathType::Content => Type::DirOrFile,
159
        };
160

            
161
256941
        if !want_type.matches(meta.file_type()) {
162
164
            errors.push(Error::BadType(path.into()));
163
256777
        }
164
256953
    }
165

            
166
    /// Check whether a given file has the correct ownership and permissions,
167
    /// and push errors into `errors` if not. Other inputs are as for
168
    /// `check_one`.
169
    ///
170
    /// On iOS, check permissions but assumes the owner is the current user.
171
    #[cfg(target_family = "unix")]
172
118223
    fn check_permissions(
173
118223
        &self,
174
118223
        path: &Path,
175
118223
        path_type: PathType,
176
118223
        meta: &Metadata,
177
118223
        errors: &mut Vec<Error>,
178
118223
    ) {
179
118223
        // We need to check that the owner is trusted, since the owner can
180
118223
        // always change the permissions of the object.  (If we're talking
181
118223
        // about a directory, the owner cah change the permissions and owner
182
118223
        // of anything in the directory.)
183
118223

            
184
118223
        #[cfg(all(
185
118223
            not(target_os = "ios"),
186
118223
            not(target_os = "tvos"),
187
118223
            not(target_os = "android")
188
118223
        ))]
189
118223
        {
190
118223
            let uid = meta.uid();
191
118223
            if uid != 0 && Some(uid) != self.mistrust.trust_user {
192
                errors.push(Error::BadOwner(path.into(), uid));
193
118223
            }
194
        }
195

            
196
        // On Unix-like platforms, symlink permissions are ignored (and usually
197
        // not settable). Theoretically, the symlink owner shouldn't matter, but
198
        // it's less confusing to consistently require the right owner.
199
118223
        if path_type == PathType::Symlink {
200
12
            return;
201
118211
        }
202

            
203
118211
        let mut forbidden_bits = if !self.readable_okay && path_type == PathType::Final {
204
            // If this is the target object, and it must not be readable, then
205
            // we forbid it to be group-rwx and all-rwx.
206
            //
207
            // (We allow _content_ to be globally readable even if readable_okay
208
            // is false, since we check that the Final directory is itself
209
            // unreadable.  This is okay unless the content has hard links: see
210
            // the Limitations section of the crate-level documentation.)
211
7672
            0o077
212
        } else {
213
            // If this is the target object and it may be readable, or if this
214
            // is _any parent directory_ or any content, then we typically
215
            // forbid the group-write and all-write bits.  (Those are the bits
216
            // that would allow non-trusted users to change the object, or
217
            // change things around in a directory.)
218
110539
            if meta.is_dir() && meta.mode() & STICKY_BIT != 0 && path_type == PathType::Intermediate
219
            {
220
                // This is an intermediate directory and this sticky bit is
221
                // set.  Thus, we don't care if it is world-writable or
222
                // group-writable, since only the _owner_  of a file in this
223
                // directory can move or rename it.
224
8060
                0o000
225
            } else {
226
                // It's not a sticky-bit intermediate directory; actually
227
                // forbid 022.
228
102479
                0o022
229
            }
230
        };
231
        // If we trust the GID, then we allow even more bits to be set.
232
        #[cfg(all(
233
            not(target_os = "ios"),
234
            not(target_os = "tvos"),
235
            not(target_os = "android")
236
        ))]
237
118211
        if self.mistrust.trust_group == Some(meta.gid()) {
238
4
            forbidden_bits &= !0o070;
239
118207
        }
240

            
241
        // Both iOS and Android have some directory on the path for application data directory
242
        // which is group writeable. However both system already offer some guarantees regarding
243
        // application data being kept away from other apps.
244
        //
245
        // iOS: https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html
246
        // > For security purposes, an iOS app’s interactions with the file system are limited
247
        // to the directories inside the app’s sandbox directory
248
        //
249
        // Android: https://developer.android.com/training/data-storage
250
        // > App-specific storage: [...] Use the directories within internal storage to save
251
        // sensitive information that other apps shouldn't access.
252
        #[cfg(any(target_os = "ios", target_os = "tvos", target_os = "android"))]
253
        {
254
            forbidden_bits &= !0o070;
255
        }
256

            
257
118211
        let bad_bits = meta.mode() & forbidden_bits;
258
118211
        if bad_bits != 0 {
259
506
            errors.push(Error::BadPermission(
260
506
                path.into(),
261
506
                meta.mode() & 0o777,
262
506
                bad_bits,
263
506
            ));
264
117705
        }
265
118223
    }
266
}
267

            
268
impl super::Type {
269
    /// Return true if this required type is matched by a given `FileType`
270
    /// object.
271
256941
    fn matches(&self, have_type: FileType) -> bool {
272
256941
        match self {
273
85413
            Type::Dir => have_type.is_dir(),
274
480
            Type::File => have_type.is_file(),
275
171048
            Type::DirOrFile => have_type.is_dir() || have_type.is_file(),
276
            Type::Anything => true,
277
        }
278
256941
    }
279
}