15c49f
From db1f27c0350e9e437c93780ffe88648ae1984467 Mon Sep 17 00:00:00 2001
15c49f
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
15c49f
Date: Wed, 6 Jan 2021 10:16:00 -0700
15c49f
Subject: [PATCH] Fix potential directory existing info leak in sudoedit. When
15c49f
 creating a new file, sudoedit checks to make sure the parent directory exists
15c49f
 so it can provide the user with a sensible error message.  However, this
15c49f
 could be used to test for the existence of directories not normally
15c49f
 accessible to the user by pointing to them with a symbolic link when the
15c49f
 parent directory is controlled by the user.  Problem reported by Matthias
15c49f
 Gerstner of SUSE.
15c49f
15c49f
---
15c49f
 src/sudo_edit.c | 29 ++++++++++++++++++++++++-----
15c49f
 1 file changed, 24 insertions(+), 5 deletions(-)
15c49f
15c49f
diff --git a/src/sudo_edit.c b/src/sudo_edit.c
15c49f
index 82e04a71b..5502b7bd9 100644
15c49f
--- a/src/sudo_edit.c
15c49f
+++ b/src/sudo_edit.c
15c49f
@@ -541,14 +541,33 @@ sudo_edit_create_tfiles(struct command_details *command_details,
15c49f
 	    S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
15c49f
 	if (ofd != -1 || errno == ENOENT) {
15c49f
 	    if (ofd == -1) {
15c49f
-		/* New file, verify parent dir exists unless in cwd. */
15c49f
+		/*
15c49f
+		 * New file, verify parent dir exists unless in cwd.
15c49f
+		 * This fails early so the user knows ahead of time if the
15c49f
+		 * edit won't succeed.  Additional checks are performed
15c49f
+		 * when copying the temporary file back to the origin.
15c49f
+		 */
15c49f
 		char *slash = strrchr(files[i], '/');
15c49f
 		if (slash != NULL && slash != files[i]) {
15c49f
-		    int serrno = errno;
15c49f
+		    const int sflags = command_details->flags;
15c49f
+		    const int serrno = errno;
15c49f
+		    int dfd;
15c49f
+
15c49f
+		    /*
15c49f
+		     * The parent directory is allowed to be a symbolic
15c49f
+		     * link as long as *its* parent is not writable.
15c49f
+		     */
15c49f
 		    *slash = '\0';
15c49f
-		    if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
15c49f
-			memset(&sb, 0, sizeof(sb));
15c49f
-			rc = 0;
15c49f
+		    SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
15c49f
+		    dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
15c49f
+			S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
15c49f
+		    command_details->flags = sflags;
15c49f
+		    if (dfd != -1) {
15c49f
+			if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
15c49f
+			    memset(&sb, 0, sizeof(sb));
15c49f
+			    rc = 0;
15c49f
+			}
15c49f
+			close(dfd);
15c49f
 		    }
15c49f
 		    *slash = '/';
15c49f
 		    errno = serrno;
15c49f
-- 
15c49f
2.26.2
15c49f