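/*
 * This is the header file for the trust function
 *
 * Author information:
 * Matt Bishop
 * Department of Computer Science
 * University of California at Davis
 * Davis, CA 95616-8562
 * phone (916) 752-8060
 * email bishop@cs.ucdavis.edu
 *
 * This code is placed in the public domain. I do ask that
 * you keep my name associated with it, that you not represent
 * it as written by you, and that you preserve these comments.
 * This software is provided "as is" and without any guarantees
 * of any sort.
 */
#ifndef TRUSTFILE_H
#define TRUSTFILE_H

/*
 * uid_t is used by the declarations below; <sys/types.h> must be
 * included before this header (it is not included here, to keep the
 * original dependency set unchanged).
 */

/*
 * trustfile return codes
 *
 * TF_ERROR is distinct from TF_NO: it means the check could not be
 * carried out (see tf_errno below), not that the file was examined and
 * judged untrustworthy. A caller that gates a privileged action on this
 * result should treat TF_ERROR like TF_NO unless it resolves the error.
 */
#define TF_ERROR   -1   /* can't check -- error */
#define TF_NO       0   /* file isn't trustworthy */
#define TF_YES      1   /* file is trustworthy */

/*
 * error codes (reported via tf_errno when trustfile returns TF_ERROR)
 */
#define TF_BADFILE  1   /* file name illegal */
#define TF_BADNAME  2   /* name not valid (probably ran out of room) */
#define TF_BADSTAT  3   /* stat of file failed (see errno for why) */
#define TF_NOROOM   4   /* not enough allocated space */

/*
 * untrustworthy codes (reported via tf_errno when trustfile returns TF_NO)
 */
#define TF_BADUID  10   /* owner not trustworthy */
#define TF_BADGID  11   /* group writeable and member not trustworthy */
#define TF_BADOTH  12   /* anyone can write it */

/*
 * the basic constant -- what is the longest path name possible?
 * It should be at least the max path length as defined by system
 * + 4 ("/../") + max file name length as defined by system; this
 * should rarely fail (I rounded it up to 2048)
 *
 * This is the size of tf_path below; a name that does not fit is
 * reported as TF_BADNAME / TF_NOROOM rather than truncated silently.
 */
#define MAXFILENAME 2048

/*
 * function declaration
 *
 * The prototype below is commented out in this header, so callers must
 * declare trustfile themselves (or uncomment it) to get type checking:
 *
 * #ifdef __STDC__
 * extern int trustfile(char *, int *, int *);
 * #else
 * extern int trustfile();
 * #endif
 */

/*
 * these are useful global variables
 *
 * first set: who you gonna trust, by default?
 * if the user does not specify a trusted or untrusted set of users,
 * all users are considered untrusted EXCEPT:
 * UID 0 -- root as root can do anything on most UNIX systems, this
 * seems reasonable
 * tf_euid -- programmer-selectable UID
 * if the caller specifies a specific UID by putting
 * it in this variable, it will be trusted; this is
 * typically used to trust the effective UID of the
 * process (note: NOT the real UID, which will cause all
 * sorts of problems!) By default, this is set to -1,
 * so if it's not set, root is the only trusted user
 *
 * NOTE: tf_euid is a plain global, so every caller in the process shares
 * one trusted UID; set it once, early, before any trustfile call.
 */
extern uid_t tf_euid;   /* space for EUID of process */

/*
 * second set: how do you report problems?
 * tf_errno on return when an error has occurred, this is set
 * to the code indicating the reason for the error:
 * TF_BADFILE passed NULL for pointer to file name
 * TF_BADNAME could not expand to full path name
 * TF_BADSTAT stat failed; usually file doesn't exist
 * TF_BADUID owner untrusted
 * TF_BADGID group untrusted & can write
 * TF_BADOTH anyone can write
 * the value is preserved across calls where no error
 * occurs, just like errno(2)
 * tf_path if error occurs and a file name is involved, this
 * contains the file name causing the problem
 *
 * NOTE(review): tf_errno is documented here but not declared in this
 * header; confirm its declaration against the trustfile source file.
 */
extern char tf_path[MAXFILENAME];   /* error path for trust function */

/*
 * NOTE(review): rootonly and EUIDSLOT are undocumented in this header.
 * From the description above they presumably hold the default trusted-UID
 * table and the index in it reserved for tf_euid -- confirm against the
 * trustfile source before relying on that.
 */
extern uid_t rootonly[];
extern int EUIDSLOT;

#endif /* TRUSTFILE_H */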