If a directory is world-writable or is not owned by root, skip it

and emit a warning.  This is a security measure since ldconfig
influences the shared libraries used by all programs.

I think the check should be made even more stringent by also
ignoring group-writable directories.  I will make that change soon
unless we encounter a good reason not to do it.

Submitted by:	Maxime Henrion <mhenrion@cybercable.fr>

3 files changed, 35 insertions, 5 deletions

diff --git a/sbin/ldconfig/elfhints.c b/sbin/ldconfig/elfhints.c
index 6af39b6..f7139df 100644
--- a/sbin/ldconfig/elfhints.c
+++ b/sbin/ldconfig/elfhints.c
@@ -57,7 +57,22 @@ static int		 ndirs;
 static void
 add_dir(const char *hintsfile, const char *name)
 {
-	int	i;
+	struct stat 	stbuf;
+	int		i;
+
+	/* Do some security checks */
+	if (stat(name, &stbuf) == -1) {
+		warn("%s", name);
+		return;
+	}
+	if (stbuf.st_uid != 0) {
+		warnx("%s: not owned by root", name);
+		return;
+	}
+	if ((stbuf.st_mode & S_IWOTH) != 0) {
+		warnx("%s: ignoring world-writable directory", name);
+        	return;
+	}
 
 	for (i = 0;  i < ndirs;  i++)
 		if (strcmp(dirs[i], name) == 0)
diff --git a/sbin/ldconfig/ldconfig.8 b/sbin/ldconfig/ldconfig.8
index 8f4f801..f008d90 100644
--- a/sbin/ldconfig/ldconfig.8
+++ b/sbin/ldconfig/ldconfig.8
@@ -61,7 +61,10 @@ line.  Blank lines and lines starting with the comment character
 .Ql \&#
 are ignored.
 .Pp
-The shared libraries so found will be automatically available for loading
+For security reasons, directories which are world-writable or which
+are not owned by root produce warning messages and are skipped.
+.Pp
+The shared libraries which are found will be automatically available for loading
 if needed by the program being prepared for execution.
 This obviates the need
 for storing search paths within the executable.
@@ -137,9 +140,6 @@ In
 addition to building a set of hints for quick lookup, it also serves to
 specify the trusted collection of directories from which shared objects can
 be safely loaded.
-It is presumed that the set of directories specified to
-.Nm ldconfig
-are under control of the system's administrator.
 .Sh ENVIRONMENT
 .Bl -tag -width OBJFORMATxxx -compact
 .It Ev OBJFORMAT
diff --git a/sbin/ldconfig/ldconfig.c b/sbin/ldconfig/ldconfig.c
index 76f8299..cde4f9a 100644
--- a/sbin/ldconfig/ldconfig.c
+++ b/sbin/ldconfig/ldconfig.c
@@ -259,6 +259,7 @@ int	silent;
 {
 	DIR		*dd;
 	struct dirent	*dp;
+	struct stat	stbuf;
 	char		name[MAXPATHLEN];
 	int		dewey[MAXDEWEY], ndewey;
 
@@ -269,6 +270,20 @@ int	silent;
 		return -1;
 	}
 
+	/* Do some security checks */
+	if (fstat(dirfd(dd), &stbuf) == -1) {
+		warn("%s", dir);
+		return -1;
+	}
+	if (stbuf.st_uid != 0) {
+		warnx("%s: not owned by root", dir);
+		return -1;
+	}
+	if ((stbuf.st_mode & S_IWOTH) != 0) {
+		warnx("%s: ignoring world-writable directory", dir);
+		return -1;
+	}
+
 	while ((dp = readdir(dd)) != NULL) {
 		register int n;
 		register char *cp;