# So that this file can also be read with `.' or `source' ...
compaudit() { # Define and then call

# Audit the fpath to assure that it contains all the directories needed by
# the completion system, and that those directories are at least unlikely
# to contain dangerous files. This is far from perfect, as the modes or
# ownership of files or directories might change between the time of the
# audit and the time the function is executed.

# This function is designed to be called from compinit, which assumes that
# it is in the same directory, i.e., it can be autoloaded from the initial
# fpath as compinit was. Most local parameter names in this function must
# therefore be the same as those used in compinit.
#
# Arguments: the directories to audit; with no arguments, $fpath is used.
# Return value: 0 when nothing insecure was found (or when _i_fail is
#   `use', which skips the audit entirely); 1 when $fpath is empty or when
#   insecure directories or files were found.
# Output (only when _i_fail is `verbose', the standalone default): a
#   one-line summary on stderr and the offending paths, one per line, on
#   stdout, so that the list can be piped into other tools.

# -L confines the emulation/option changes to this function; extendedglob
# is required for the `^' negation and the qualifier syntax used below.
emulate -L zsh
setopt extendedglob

# Fallback for systems without getent(1): emulate `getent <db> <key>' by
# grepping /etc/<db>. A numeric key (<-> matches a run of digits) is
# matched against the third (gid) field, anything else against the leading
# name field. The key is interpolated into the grep pattern unescaped; the
# only callers below pass $LOGNAME or $EGID.
[[ -x /usr/bin/getent ]] || getent() {
  if [[ $2 = <-> ]]; then
    grep ":$2:[^:]*$" /etc/$1
  else
    grep "^$2:" /etc/$1
  fi
}

# The positional parameters are the directories to check, else fpath.
# With explicit directories, _compdir is forced empty so that the
# "add the standard directories" step below is bypassed.
if (( $# )); then
  local _compdir=''
elif (( $#fpath == 0 )); then
  print 'compaudit: No directories in $fpath, cannot continue' 1>&2
  return 1
else
  set -- $fpath
fi

# _i_check is defined by compinit; used here as a test for whether this
# function is running standalone or was called by compinit. If called
# by compinit, we use parameters that are defined in compinit's scope,
# otherwise we make them local here.
(( $+_i_check )) || {
  local _i_q _i_line _i_file _i_fail=verbose
  local -a _i_files _i_addfiles _i_wdirs _i_wfiles
  # -U keeps the elements unique; +h lets the local copy keep the
  # parameter's special properties instead of hiding them (typeset +h).
  local -a -U +h fpath
}

# From here on, fpath is the list of directories being audited.
fpath=( $* )

# _compdir may be defined by the user; see the compinit documentation.
# If it isn't defined, we want it to point somewhere sensible, but the
# user is allowed to set it to empty to bypass the check below.
# Default: the first fpath entry containing /$ZSH_VERSION/ ((r) is a
# reverse subscript, i.e. lookup by pattern), else simply the first entry.
(( $+_compdir )) || {
  local _compdir=${fpath[(r)*/$ZSH_VERSION/*]}
  [[ -z $_compdir ]] && _compdir=$fpath[1]
  ### [[ -d $_compdir/../Base ]] && _compdir=${_compdir:h}
}

_i_wdirs=()
_i_wfiles=()

# Completion functions present: per fpath entry (^ expands the glob once
# per element, ~ lets the entry itself be treated as a pattern, :/. rewrites
# an entry that is exactly `.'), the files whose name starts with `_' and
# is neither a backup (*~) nor a digest (*.zwc). (N) makes a pattern with
# no match expand to nothing instead of raising an error.
_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
if [[ -n $_compdir ]]; then
  # Fewer than 20 completion functions is taken as a sign that the
  # standard directories are missing from fpath.
  if [[ $#_i_files -lt 20 || $_compdir = */Base || -d $_compdir/Base ]]; then
    # Too few files: we need some more directories, or we need to check
    # that all directories (not just Base) are present.
    # (/) selects directories only; ^M presumably just suppresses the
    # trailing `/' that MARK_DIRS would add -- confirm.
    _i_addfiles=()
    if [[ -d $_compdir/Base/Core ]]; then
      # Add all the Completion subdirectories (CVS-layout)
      _i_addfiles=(${_compdir}/*/*(/^M))
    elif [[ -d $_compdir/Base ]]; then
      # Likewise (installation-layout)
      _i_addfiles=(${_compdir}/*(/^M))
    fi
    # Blank out candidates that are not directories or are already in
    # fpath; the unquoted expansion below drops the emptied elements.
    for _i_line in {1..$#_i_addfiles}; do
      _i_file=${_i_addfiles[$_i_line]}
      [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
        _i_addfiles[$_i_line]=
    done
    fpath=($fpath $_i_addfiles)
    _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
  fi
fi

# `use' (as opposed to the `verbose' default set above) means the caller
# wants the directories used regardless -- presumably compinit's -u option.
# Every ownership and permission check below is skipped in that case.
[[ $_i_fail == use ]] && return 0

# We will always allow files to be owned by root and the owner of the
# present process.
# This is a string of glob qualifiers: u0 = owned by uid 0, u$EUID = owned
# by the effective user. It is applied negated (^) below, so it selects
# files owned by anyone else.
local _i_owners="u0u${EUID}"

# Places we will look for a link to the executable
# (the Linux /proc layout first; the a.out form is the layout of some
# other /proc implementations, presumably Solaris).
local -a _i_exes
_i_exes=(
  /proc/$$/exe
  /proc/$$/object/a.out
  )
local _i_exe

# If we can find out who owns the executable, we will allow files to
# be owned by that user, too. The argument is that if you don't trust
# the owner of the executable, it's way too late to worry about it now...
# Only the first existing entry is consulted (break). zsh/stat is loaded
# just for the zstat builtin (-F ... b:zstat); -H stores the stat fields
# in a hash. uid 0 is already covered by u0 in _i_owners, so it is not
# appended a second time.
for _i_exe in $_i_exes; do
  if [[ -e $_i_exe ]] ;then
    if zmodload -F zsh/stat b:zstat 2>/dev/null; then
      local -A _i_stathash
      if zstat -H _i_stathash $_i_exe &&
         [[ $_i_stathash[uid] -ne 0 ]]; then
         _i_owners+="u${_i_stathash[uid]}"
      fi
    fi
    break
  fi
done

# We search for:
# - world/group-writable directories in fpath not owned by $_i_owners
# - parent-directories of directories in fpath that are world/group-writable
#   and not owned by $_i_owners (that would allow someone to put a
#   digest file for one of the directories into the parent directory)
# - digest files for one of the directories in fpath not owned by $_i_owners
# - and for files in directories from fpath not owned by $_i_owners
#   (including zwc files)
#
# Qualifier syntax: a leading `-' applies the test to the target of a
# symlink; f:g+w: and f:o+w: test the group- and other-write bits;
# comma-separated qualifier groups are ORed, so an entry is flagged if it
# is group-writable, or world-writable, or owned by someone outside
# _i_owners. :h yields each entry's parent directory.

_i_wdirs=( ${^fpath}(N-f:g+w:,-f:o+w:,-^${_i_owners})
           ${^fpath:h}(N-f:g+w:,-f:o+w:,-^${_i_owners}) )

# RedHat Linux "per-user groups" check. This is tricky, because it's very
# difficult to tell whether the sysadmin has put someone else into your
# "private" group (e.g., via the default group field in /etc/passwd, or
# by NFS group sharing with an untrustworthy machine). So we must assume
# that this has not happened, and pick the best group.

if (( $#_i_wdirs )); then
  local GROUP GROUPMEM _i_pw _i_gid
  # Look up the login user's group entry (or the effective group's, when
  # UID and EUID differ); fields are name:password:gid:member-list.
  if ((UID == EUID )); then
    getent group $LOGNAME | IFS=: read GROUP _i_pw _i_gid GROUPMEM
  else
    getent group $EGID | IFS=: read GROUP _i_pw _i_gid GROUPMEM
  fi

  # A group named like the user with no other members is treated as a
  # private group: group-writability by that group alone (^g:GROUP:) then
  # no longer counts against a directory; the other tests are unchanged.
  if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]
  then
    _i_wdirs=( ${^_i_wdirs}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^${_i_owners}) )
  fi
fi

# Debian special case, presumably because its /usr/local is writable by
# the `staff' group with the setgid bit set: entries under /usr/local are
# re-checked so that only a setgid-writable group other than staff
# (^g:staff:), world-writability, or a non-root owner (^u0) counts.
# Note that, unlike the checks above, these qualifiers carry no leading
# `-', so symlinks are not followed here.
if [[ -f /etc/debian_version ]]
then
  local _i_ulwdirs
  _i_ulwdirs=( ${(M)_i_wdirs:#/usr/local/*} )
  _i_wdirs=( ${_i_wdirs:#/usr/local/*} ${^_i_ulwdirs}(Nf:g+ws:^g:staff:,f:o+w:,^u0) )
fi

# Digest files (<dir>.zwc) for the audited directories, and the completion
# files inside them (names starting with `_' that are not backups; this
# includes _*.zwc files), owned by anyone outside _i_owners.
_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N-^${_i_owners}) )
_i_wfiles=( ${^fpath}/^([^_]*|*~)(N-^${_i_owners}) )

# Describe what was found, for the message below; empty means all clear.
case "${#_i_wdirs}:${#_i_wfiles}" in
(0:0) _i_q= ;;
(0:*) _i_q=files ;;
(*:0) _i_q=directories ;;
(*:*) _i_q='directories and files' ;;
esac

if [[ -n "$_i_q" ]]; then
  # Summary to stderr; the paths themselves, one per line (-l), to stdout.
  [[ $_i_fail == verbose ]] && {
    print There are insecure ${_i_q}: 1>&2
    print -l - $_i_wdirs $_i_wfiles
  }
  return 1
fi
return 0

} # Define and then call

compaudit "$@"