If a directory is world-writable or is not owned by root, skip it

and emit a warning.  This is a security measure since ldconfig
influences the shared libraries used by all programs.

I think the check should be made even more stringent by also
ignoring group-writable directories.  I will make that change soon
unless we encounter a good reason not to do it.

Submitted by:	Maxime Henrion <mhenrion@cybercable.fr>

1 files changed, 15 insertions, 0 deletions

diff --git a/sbin/ldconfig/ldconfig.c b/sbin/ldconfig/ldconfig.c
index 76f8299..cde4f9a 100644
--- a/sbin/ldconfig/ldconfig.c
+++ b/sbin/ldconfig/ldconfig.c
@@ -259,6 +259,7 @@ int	silent;
 {
 	DIR		*dd;
 	struct dirent	*dp;
+	struct stat	stbuf;
 	char		name[MAXPATHLEN];
 	int		dewey[MAXDEWEY], ndewey;
 
@@ -269,6 +270,20 @@ int	silent;
 		return -1;
 	}
 
+	/* Do some security checks */
+	if (fstat(dirfd(dd), &stbuf) == -1) {
+		warn("%s", dir);
+		return -1;
+	}
+	if (stbuf.st_uid != 0) {
+		warnx("%s: not owned by root", dir);
+		return -1;
+	}
+	if ((stbuf.st_mode & S_IWOTH) != 0) {
+		warnx("%s: ignoring world-writable directory", dir);
+		return -1;
+	}
+
 	while ((dp = readdir(dd)) != NULL) {
 		register int n;
 		register char *cp;