RubyGems - homefs - Versions diffs - 0.3.0 → 0.3.1 - Mend

homefs 0.3.0 → 0.3.1

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f11d42ee83c4b4ebf69e367d4ae58cc1a4927fac
-  data.tar.gz: c8bba0a2cad6c689a3865c910c7d172c14bb9933
+  metadata.gz: 9aa5fb16b6856552286724fd6fd1e45f46bc5a6f
+  data.tar.gz: ca26c140a4ad789d383edbe43a7040d2fa23b8f4
 SHA512:
-  metadata.gz: d31980d7d5be1f62af06b45e14ae95bfc1001202eb674edb479921730c5fea3eb7c5908158b613fe7ff721edf418554cf1d29a8a7678d269c76ed6e30ab08156
-  data.tar.gz: 714090d6643662fe47fdc65987fd867a8da0368ef5cfa9534211ea314120ec5eadd53914ece6196e7d8e58f17c004bd13dbfb2426746fd1e5e98685a428426ae
+  metadata.gz: 7294eef3cd9569a078789e8b148de97054584084e792deb5bee24d5c5d234314fc7ea6d0d7dc11bc69d93002ec1e34cf9e455edc54b5af75e9428e1517e87349
+  data.tar.gz: 5b350ef36937e79201cf61c005acb21447ad014f51c96a1dd06f52753402e19d189e083f339fec10e1536e038bc41a257452878bc52f494ba6bbb1166ab75ddd

data/lib/homefs/debug.rb CHANGED Viewed

@@ -10,9 +10,13 @@ class HomeFS
                         ret = object.send(method, *args)
                         warn "\tMethod returned #{ret.inspect}"
                         return ret
+                    rescue SystemCallError => e
+                        warn e
+                        raise e
                     rescue Exception => e
                         warn e
                         warn e.backtrace
+                        raise e
                     end
                 end
             end

data/lib/homefs/homefs.rb CHANGED Viewed

@@ -22,7 +22,6 @@ class HomeFS
     def initialize(path, options = Hash.new)
         @relpath = path
         read_passwd
-        read_group
     end
     # Read or re-read /etc/passwd to update the internal table of home
@@ -55,30 +54,6 @@ class HomeFS
         }
     end
-    # Read or re-read /etc/group to update the internal table of
-    # group membership.
-    # @return [void]
-    def read_group
-        # Try to read from getent
-        group = `getent group`
-        if $? != 0
-            group = File.read('/etc/group')
-        end
-        @groups = Hash.new
-        group.each_line.map { |line|
-            next if line.strip.empty?
-            _name, _, gid, members = line.split(':')
-            members = members.strip.split(',').map {|member| @usernames[member]}
-            [Integer(gid), members]
-        }.reject { |line|
-            line.nil?
-        }.each { |gid, members|
-            @groups[gid] = members
-        }
-    end
     # Return the path to the root of HomeFS relative to the underlying
     # filesystem. If _path_ is specified, it is taken to be relative to the
     # root of HomeFS.
@@ -99,162 +74,28 @@ class HomeFS
         end
     end
-    # Check whether the given file has a mode that matches the given mask. If
-    # check_ids is true, the third-least significant digit of the mask is set to
-    # zero if the calling user is not the owner of the file, and the
-    # second-least significant digit of the mask is zeroed if the calling user's
-    # group is not the group of the file. This has the effect of only checking
-    # the owner's permissions if we're the owner, and only checking the group
-    # permissions if we're in that group.
-    #
-    # This method checks if _any_ of the set bits in the mask are set in the
-    # file's mode. It does not check if the mask matches the file's mode, nor
-    # does it check if _all_ set bits in the mask are set in the file's mode.
-    #
-    # The first three least significant digits of the mode, in octal, (that is,
-    # the three rightmost digits) control the read (4), write (2), and execute
-    # (1) permissions of the file. The next digit controls setuid (4), setgid
-    # (2), and the sticky bit (1) of the file.
-    #
-    # It is recommended to see
-    #   man chmod
-    # to get a more detailed description about file modes.
-    #
-    # @example Test if we can write to a file
-    #   mode_mask("/example", 0222, true)
-    #   mode_mask("/example", 0222)
-    # @example Test if a file is executable by anyone
-    #   mode_mask("/binary", 0111, false)
-    # @example Test if a directory has the sticky bit set
-    #   mode_mask("/tmp", 01000, false)
-    #
-    # @param [String] file the path to the file to check
-    # @param [Integer] mask the mask against which to check the file's mode.
-    #   It is recommended you write this in octal (with a leading 0).
-    # @param [Integer] uid if not nil, only check user and group permissions
-    #   if the user it represents is, respectively, the owner of the
-    #   file/in the file's group.
-    # @return [Boolean] whether the mode of _file_ matches the given mask
-    def mode_mask(file, mask, uid = nil)
-        stat = File.stat(file)
-        fmode = stat.mode
-        if uid
-            fuid, fgid = stat.uid, stat.gid
-            # Zero out the third digit (in octal).
-            # We could use a constant here, but this works
-            # for a mask of any length
-            if uid != fuid
-                mask &= ~(mask & 0700)
-            end
-            if !@groups[fgid].include?(uid)
-                mask &= ~(mask & 0070)
+    # If HomeFS is running as root, drop_priv sets the effective user ID
+    # and effective group ID to _uid_ and _gid_, respectively, and then
+    # calls the block passed to the method. Before returning, drop_priv
+    # that the EUID and EGID are each set back to 0.
+    # @param [Integer] uid the user ID to set the effective user ID to
+    # @param [Integer] gid the group ID to set the effective group ID to
+    # @yield an environment with the EUID and EGID set to _uid_ and _gid_
+    # @return the result of the block
+    def drop_priv(uid, gid)
+        if Process::Sys.getuid == 0
+            begin
+                Process::Sys.setegid(gid)
+                Process::Sys.seteuid(uid)
+                ret = yield
+            ensure
+                Process::Sys.seteuid(0)
+                Process::Sys.setegid(0)
             end
-        end
-        fmode & mask != 0
-    end
-    # Test whether we can write to the given path. If no file exists at _path_,
-    # we test if the parent directory is either writable or has the sticky bit
-    # set.
-    # @param [String] path the path to test
-    # @param [Integer] uid the UID to check the privilage of. If nil, this
-    # method returns whether the file is writable by anyone.
-    # @return [Boolean] whether the given path is writable
-    def writable?(path, uid = nil)
-        if !File.exist?(path)
-            mode_mask(File.dirname(path), 01222, uid)
         else
-            mode_mask(path, 0222, uid)
-        end
-    end
-    # Test whether the user described by _uid_ can read from the given
-    # path. If no file exists at the given path, an Errno::ENOENT is
-    # raised.
-    # @param [String] path the path to test
-    # @param [Integer] uid the UID to check the privilage of. If nil, this
-    # method returns whether the file is readable by anyone.
-    # @return [Boolean] whether the given path is readable
-    # @raise [Errno::ENOENT] if no file exists at _path_
-    def readable?(path, uid = nil)
-        mode_mask(path, 0444, uid)
-    end
-    # Test whether the user described by _uid_ can execute the given
-    # path. If no file exists at the given path, an Errno::ENOENT is
-    # raised.
-    # @param [String] path the path to test
-    # @param [Integer] uid the UID to check the privilage of. If nil, this
-    # method returns whether the file is executable by anyone.
-    # @return [Boolean] whether the given path is executable
-    # @raise [Errno::ENOENT] if no file exists at _path_
-    def executable?(path, uid = nil)
-        mode_mask(path, 0111, uid)
-    end
-    # This method raises an Errno::EACCES if the user given by _uid_ cannot
-    # write to the given path. The check is the same as in {#writable?}.
-    # @param [String] relpath the path to test, relative to the root of
-    # HomeFS (not the actual filesystem)
-    # @param [Integer] uid the UID to check the privilage of
-    # @return [void]
-    # @raise [Errno::EACCES] if the path is not writable by the given user
-    def check_writable(uid, relpath)
-        hpath = homepath(uid, relpath)
-        unless writable?(hpath, uid)
-            fail Errno::EACCES, relpath
-        end
-    end
-    # This method raises an Errno::EACCES if the user given by _uid_ cannot
-    # read from the given path.
-    # @param [String] relpath the path to test, relative to the root of
-    # HomeFS (not the actual filesystem)
-    # @param [Integer] uid the UID to check the privilage of
-    # @return [void]
-    # @raise [Errno::EACCES] if the path is not readable by the given user
-    # @raise [Errno::ENOENT] if no file or directory exists at the given
-    # path
-    def check_readable(uid, relpath)
-        hpath = homepath(uid, relpath)
-        unless readable?(hpath, uid)
-            fail Errno::EACCES, relpath
-        end
-    end
-    # This method raises an Errno::EACCES if the user given by _uid_ cannot
-    # list the given directory, i.e., if the user does not have the execute
-    # and read permissions on the given directory. If the path given is not
-    # a directory, the dirname of the given path is tested.
-    # @param [String] relpath the path to test, relative to the root of
-    # HomeFS (not the actual filesystem)
-    # @param [Integer] uid the UID to check the privilage of
-    # @return [void]
-    # @raise [Errno::EACCES] if the path is not readable by the given user
-    def check_listable(uid, relpath)
-        hpath = homepath(uid, relpath)
-        unless File.directory?(hpath)
-            hpath = File.dirname(hpath)
-        end
-        unless readable?(hpath) && executable?(hpath)
-            fail Errno::EACCES, relpath
-        end
-    end
-    # This method raises an Errno::EACCES if the user given by _uid_ is not
-    # the owner of the file described by _relpath_
-    # @param [String] relpath the path to test, relative to the root of
-    # HomeFS (not the actual filesystem)
-    # @param [Integer] uid the UID to check ownership of
-    # @return [void]
-    # @raise [Errno::EACCES] if the path is not owned by the given user
-    # @raise [Errno::ENOENT] if no file or directory exists at the given
-    # path
-    def check_owner(uid, relpath)
-        hpath = File.dirname(homepath(uid, relpath))
-        unless File.stat(hpath).uid == uid
-            fail Errno::EACCES, relpath
+            ret = yield
         end
+        return ret
     end
     # Check access permissions
@@ -269,8 +110,16 @@ class HomeFS
     #   called directly
     def access(context, path, mode)
         uid = context.uid
-        unless mode_mask(homepath(uid, path), mode * 0111, uid)
-            raise Errno::EACCES
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            access = true
+            check_read = (mode & 4 != 0)
+            check_write = (mode & 2 != 0)
+            check_execute = (mode & 1 != 0)
+            access &&= File.readable?(hpath) if check_read
+            access &&= File.writable?(hpath) if check_write
+            access &&= File.executable?(hpath) if check_execute
+            access
         end
     end
@@ -285,9 +134,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def chmod(context, path, mode)
-        hpath = homepath(context.uid, path)
-        check_owner(context.uid, path)
-        File.chmod(mode, hpath)
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            File.chmod(mode, hpath)
+        end
     end
     # Change file ownership
@@ -302,9 +153,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def chown(context, path, uid, gid)
-        raise Errno::EACCES, path if context.uid != 0
-        hpath = homepath(context.uid, path)
-        File.chown(uid, gid, hpath)
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            File.chown(mode, hpath)
+        end
     end
     # Create and open a file
@@ -321,23 +174,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def create(context, path, mode, ffi)
-        check_writable(context.uid, path)
-        hpath = homepath(context.uid, path)
-        # It is important that we create the file and chown it before we
-        # set its mode to prevent a possible privilage escalation
-        # race-condition. To be more specific, if this filesystem is
-        # running as root (which it usually is), the file will be created
-        # owned by root. If the mode were set when the file is created,
-        # then an attacker could create a setuid file writable by anyone,
-        # and then, in the 'real' filesystem (not HomeFS), quickly write a
-        # small program that just executes /bin/bash. If the write
-        # completed before handle.chown was called, the attacker could have
-        # a setuid shell.
-        handle = File.new(hpath, File::CREAT | File::WRONLY, 0600)
-        handle.chown(context.uid, context.gid)
-        handle.chmod(mode)
-        ffi.fh = handle
+        uid = context.uid
+        hpath = homepath(uid, path)
+        ffi.fh = drop_priv(uid, context.gid) do
+            File.new(hpath, File::CREAT | File::WRONLY, mode)
+        end
     end
     # Get attributes of an open file
@@ -431,8 +272,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def getattr(context, path)
-        check_listable(context.uid, path)
-        File.lstat(homepath(context.uid, path))
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            File.lstat(hpath)
+        end
     end
     # Called when filesystem is initialised
@@ -457,20 +301,22 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def link(context, from, to)
-        hfrom = homepath(context.uid, from)
-        check_writable(context.uid, from)
-        File.link(hfrom, to)
-        File.chown(context.uid, hfrom) if context.uid == 0
+        uid = context.uid
+        hfrom = homepath(uid, from)
+        drop_priv(uid, context.gid) do
+            File.link(hfrom, to)
+        end
     end
     # (see RFuse::Fuse#mkdir)
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def mkdir(context, path, mode)
-        check_writable(context.uid, path)
-        hpath = homepath(context.uid, path)
-        Dir.mkdir(hpath, mode)
-        File.chown(context.uid, context.gid, hpath) if context.uid == 0
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            Dir.mkdir(hpath, mode)
+        end
     end
     # File open operation
@@ -488,24 +334,17 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def open(context, path, ffi)
-        if ffi.flags & File::RDWR != 0
-            mask = 0666
-        elsif ffi.flags & File::WRONLY != 0
-            mask = 0222
-        else
-            mask = 0444
-        end
-        hpath = homepath(context.uid, path)
-        unless mode_mask(hpath, mask, context.uid)
-            fail Errno::EACCES, path
-        end
+        uid = context.uid
+        hpath = homepath(uid, path)
         # We pass the flags straight into File.open because the constants
         # in RFuse::Fcntl and File::Constants have the same values, because
         # they both have the same values as the open syscall. If this were
         # not the case, we'd have the map the values of RFuse::Fcntl to
         # their equivalents in File::Constants
-        ffi.fh = File.open(hpath, ffi.flags)
+        drop_priv(uid, context.gid) do
+            ffi.fh = File.open(hpath, ffi.flags)
+        end
     end
     # Open directory
@@ -524,8 +363,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def opendir(context, path, ffi)
-        check_listable(context.uid, path)
-        ffi.fh = Dir.new(homepath(context.uid, path))
+        uid = context.uid
+        hpath = homepath(uid, path)
+        ffi.fh = drop_priv(uid, context.gid) do
+            Dir.new(hpath)
+        end
     end
     # Read data from an open file
@@ -547,7 +389,7 @@ class HomeFS
         else
             ffi.fh.seek(offset, :SET)
         end
-        ffi.fh.read(size)
+        ffi.fh.read(size) || ''
     end
     # (see RFuse::Fuse#readdir)
@@ -603,12 +445,12 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def rename(context, from, to)
-        hfrom = homepath(context.uid, from)
-        hto = homepath(context.uid, to)
-        check_readable(context.uid, from)
-        check_writable(File.dirname(from), context.uid)
-        check_writable(File.dirname(to), context.uid)
-        FileUtils.mv(hfrom, hto, :force => true)
+        uid = context.uid
+        hfrom = homepath(uid, from)
+        hto = homepath(uid, to)
+        drop_priv(uid, context.gid) do
+            FileUtils.mv(hfrom, hto, :force => true)
+        end
     end
     # Create a symbolic link
@@ -624,12 +466,10 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def symlink(context, to, from)
-        check_writable(context.uid, from)
-        hfrom = homepath(context.uid, from)
-        File.symlink(to, hfrom)
-        begin
-            File.lchown(context.uid, context.gid, hfrom)
-        rescue
+        uid = context.uid
+        hfrom = homepath(uid, from)
+        drop_priv(uid, context.gid) do
+            File.symlink(to, hfrom)
         end
     end
@@ -644,8 +484,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def truncate(context, path, offset)
-        check_writable(context.uid, path)
-        File.truncate(homepath(context.uid, path), offset)
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            File.truncate(hpath, offset)
+        end
     end
     # Remove a file
@@ -658,8 +501,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def unlink(context, path)
-        check_writable(context.uid, File.dirname(path))
-        File.unlink(homepath(context.uid, path))
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            File.unlink(hpath)
+        end
     end
     # Change access/modification times of a file
@@ -674,8 +520,11 @@ class HomeFS
     # @note This method should usually only be called by FUSE, and not
     #   called directly
     def utimens(context, path, actime, modtime)
-        check_writable(context.uid, path)
-        File.utime(actime, modtime, homepath(context.uid, path))
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            File.utime(actime, modtime, hpath)
+        end
     end
     # Write data to an open file
@@ -717,9 +566,11 @@ begin
     # @note This method is only defined if the gem 'ffi-xattr' is
     # available
     def getxattr(context, path, name)
-        check_readable(context.uid, path)
-        hpath = homepath(context.uid, path)
-        check_nodata Xattr::Lib.get(hpath, false, name)
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            check_nodata Xattr::Lib.get(hpath, false, name)
+        end
     end
     # Set extended attributes
@@ -737,9 +588,11 @@ begin
     # @note This method is only defined if the gem 'ffi-xattr' is
     # available
     def setxattr(context, path, name, data, flags)
-        check_writable(context.uid, path)
-        hpath = homepath(context.uid, path)
-        Xattr::Lib.set(hpath, false, name, data)
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            Xattr::Lib.set(hpath, false, name, data)
+        end
     end
     # List extended attributes
@@ -754,9 +607,11 @@ begin
     # @note This method is only defined if the gem 'ffi-xattr' is
     # available
     def listxattr(context, path)
-        check_readable(context.uid, path)
-        hpath = homepath(context.uid, path)
-        check_nodata Xattr::Lib.list(hpath, false)
+        uid = context.uid
+        hpath = homepath(uid, path)
+        drop_priv(uid, context.gid) do
+            check_nodata Xattr::Lib.list(hpath, false)
+        end
     end
     # Remove extended attribute

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: homefs
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Dylan Frese
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-10-28 00:00:00.000000000 Z
+date: 2015-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rfuse