mirror of
git://git.code.sf.net/p/zsh/code
synced 2025-10-22 16:20:23 +02:00
31015: compaudit fix to allow executable owner to own completion files
This commit is contained in:
Peter Stephenson
parent
af68fb3cf4
commit
ef8e43aed2
2 changed files with 43 additions and 11 deletions
|
|
@ -82,18 +82,45 @@ fi
|
|||
|
||||
[[ $_i_fail == use ]] && return 0
|
||||
|
||||
# We will always allow files to be owned by root and the owner of the
|
||||
# present process.
|
||||
local _i_owners="u0u${EUID}"
|
||||
|
||||
# Places we will look for a link to the executable
|
||||
local -a _i_exes
|
||||
_i_exes=(
|
||||
/proc/$$/exe
|
||||
/proc/$$/object/a.out
|
||||
)
|
||||
local _i_exe
|
||||
|
||||
# If we can find out who owns the executable, we will allow files to
|
||||
# be owned by that user, too. The argument is that if you don't trust
|
||||
# the owner of the executable, it's way too late to worry about it now...
|
||||
for _i_exe in _i_exes; do
|
||||
if [[ -e $_i_exe ]] ;then
|
||||
if zmodload -F zsh/stat b:zstat 2>/dev/null; then
|
||||
local -A _i_stathash
|
||||
if zstat -H _i_stathash /proc/$$/exe &&
|
||||
[[ $_i_stathash[uid] -ne 0 ]]; then
|
||||
_i_owners+="u${_i_stathash[uid]}"
|
||||
fi
|
||||
fi
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
# We search for:
|
||||
# - world/group-writable directories in fpath not owned by root and the user
|
||||
# - world/group-writable directories in fpath not owned by $_i_owners
|
||||
# - parent-directories of directories in fpath that are world/group-writable
|
||||
# and not owned by root and the user (that would allow someone to put a
|
||||
# and not owned by $_i_owners (that would allow someone to put a
|
||||
# digest file for one of the directories into the parent directory)
|
||||
# - digest files for one of the directories in fpath not owned by root and
|
||||
# the user
|
||||
# - and for files in directories from fpath not owned by root and the user
|
||||
# - digest files for one of the directories in fpath not owned by $_i_owners
|
||||
# - and for files in directories from fpath not owned by $_i_owners
|
||||
# (including zwc files)
|
||||
|
||||
_i_wdirs=( ${^fpath}(N-f:g+w:,-f:o+w:,-^u0u${EUID})
|
||||
${^fpath:h}(N-f:g+w:,-f:o+w:,-^u0u${EUID}) )
|
||||
_i_wdirs=( ${^fpath}(N-f:g+w:,-f:o+w:,-^${_i_owners})
|
||||
${^fpath:h}(N-f:g+w:,-f:o+w:,-^${_i_owners}) )
|
||||
|
||||
# RedHat Linux "per-user groups" check. This is tricky, because it's very
|
||||
# difficult to tell whether the sysadmin has put someone else into your
|
||||
|
|
@ -111,7 +138,7 @@ if (( $#_i_wdirs )); then
|
|||
|
||||
if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]
|
||||
then
|
||||
_i_wdirs=( ${^_i_wdirs}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^u0u${EUID}) )
|
||||
_i_wdirs=( ${^_i_wdirs}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^${_i_owners}) )
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
@ -122,8 +149,8 @@ then
|
|||
_i_wdirs=( ${_i_wdirs:#/usr/local/*} ${^_i_ulwdirs}(Nf:g+ws:^g:staff:,f:o+w:,^u0) )
|
||||
fi
|
||||
|
||||
_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N-^u0u${EUID}) )
|
||||
_i_wfiles=( ${^fpath}/^([^_]*|*~)(N-^u0u${EUID}) )
|
||||
_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N-^${_i_owners}) )
|
||||
_i_wfiles=( ${^fpath}/^([^_]*|*~)(N-^${_i_owners}) )
|
||||
|
||||
case "${#_i_wdirs}:${#_i_wfiles}" in
|
||||
(0:0) _i_q= ;;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue