1# So that this file can also be read with `.' or `source' ...
2compaudit() {                           # Define and then call
3
4# Audit the fpath to assure that it contains all the directories needed by
5# the completion system, and that those directories are at least unlikely
6# to contain dangerous files.  This is far from perfect, as the modes or
7# ownership of files or directories might change between the time of the
8# audit and the time the function is executed.
9
10# This function is designed to be called from compinit, which assumes that
11# it is in the same directory, i.e., it can be autoloaded from the initial
12# fpath as compinit was.  Most local parameter names in this function must
13# therefore be the same as those used in compinit.
14
# Arguments: zero or more directories to audit; with none, $fpath is used.
# Returns 0 when no insecure directories/files were found (or when the
# caller asked for the check to be skipped), 1 otherwise.  On failure the
# offending paths are printed unless the caller suppressed the output.
# The check is point-in-time only: a directory that passes here may still
# be modified before a completion function from it is actually loaded.

15emulate -L zsh
# extendedglob provides the `^' negation and the glob qualifiers used below.
16setopt extendedglob
17
# Fallback for systems without getent(1): emulate `getent <db> <key>' by
# grepping /etc/<db>.  A numeric key is matched as the next-to-last field
# (the gid in a group entry), any other key as the leading name field.
18[[ -x /usr/bin/getent ]] || getent() {
19  if [[ $2 = <-> ]]; then
20    grep ":$2:[^:]*$" /etc/$1
21  else
22    grep "^$2:" /etc/$1
23  fi
24}
25
26# The positional parameters are the directories to check, else fpath.
27if (( $# )); then
  # Explicit directories: an empty _compdir disables the "add the rest of
  # the installation" step below, since the caller chose the list.
28  local _compdir=''
29elif (( $#fpath == 0 )); then
30  print 'compaudit: No directories in $fpath, cannot continue' 1>&2
31  return 1
32else
33  set -- $fpath
34fi
35
36# _i_check is defined by compinit; used here as a test for whether this
37# function is running standalone or was called by compinit.  If called
38# by compinit, we use parameters that are defined in compinit's scope,
39# otherwise we make them local here.
40(( $+_i_check )) || {
  # Standalone defaults: report findings (verbose) rather than silently use.
41  local _i_q _i_line _i_file _i_fail=verbose
42  local -a _i_files _i_addfiles _i_wdirs _i_wfiles
  # Local copy of fpath: -U drops duplicates, +h keeps its special binding
  # so globbing on it behaves as for the real parameter.
43  local -a -U +h fpath
44}
45
46fpath=( $* )
47
48# _compdir may be defined by the user; see the compinit documentation.
49# If it isn't defined, we want it to point somewhere sensible, but the
50# user is allowed to set it to empty to bypass the check below.
51(( $+_compdir )) || {
  # (r) subscript: first fpath element whose path contains this zsh version,
  # i.e. the installed function directory; otherwise fall back to fpath[1].
52  local _compdir=${fpath[(r)*/$ZSH_VERSION/*]}
53  [[ -z $_compdir ]] && _compdir=$fpath[1]
54  ### [[ -d $_compdir/../Base ]] && _compdir=${_compdir:h}
55}
56
57_i_wdirs=()
58_i_wfiles=()
59
# Completion files: in each fpath directory (`.' entries dropped by :/.),
# names that start with `_' and are neither editor backups (*~) nor
# digests (*.zwc).  (N) makes a non-matching pattern expand to nothing.
60_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
61if [[ -n $_compdir ]]; then
62  if [[ $#_i_files -lt 20 || $_compdir = */Base || -d $_compdir/Base ]]; then
63    # Too few files: we need some more directories, or we need to check
64    # that all directories (not just Base) are present.
65    _i_addfiles=()
66    if [[ -d $_compdir/Base/Core ]]; then
67      # Add all the Completion subdirectories (CVS-layout)
      # (/^M): directories only, without the trailing slash MARK_DIRS adds.
68      _i_addfiles=(${_compdir}/*/*(/^M))
69    elif [[ -d $_compdir/Base ]]; then
70      # Likewise (installation-layout)
71      _i_addfiles=(${_compdir}/*(/^M))
72    fi
    # Blank out candidates that are not directories or are already in fpath;
    # blank elements vanish when $_i_addfiles is expanded unquoted below.
73    for _i_line in {1..$#_i_addfiles}; do
74      _i_file=${_i_addfiles[$_i_line]}
75      [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
76        _i_addfiles[$_i_line]=
77    done
78    fpath=($fpath $_i_addfiles)
79    _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
80  fi
81fi
82
# _i_fail=use (set by the caller, presumably compinit's "use anyway" mode)
# means: accept the directories without auditing ownership or modes.
83[[ $_i_fail == use ]] && return 0
84
85# We will always allow files to be owned by root and the owner of the
86# present process.
# Glob-qualifier fragment: `u0' is owned by uid 0, `u<EUID>' by this user.
# It is used below as ^${_i_owners}, i.e. "owned by neither of these".
87local _i_owners="u0u${EUID}"
88
89# Places we will look for a link to the executable
90local -a _i_exes
91_i_exes=(
92    /proc/$$/exe
93    /proc/$$/object/a.out
94    )
95local _i_exe
96
97# If we can find out who owns the executable, we will allow files to
98# be owned by that user, too.  The argument is that if you don't trust
99# the owner of the executable, it's way too late to worry about it now...
100for _i_exe in $_i_exes; do
101  if [[ -e $_i_exe ]] ;then
    # zstat -H fills an associative array with the stat fields; only a
    # non-root owner needs adding since u0 is already trusted.
102    if zmodload -F zsh/stat b:zstat 2>/dev/null; then
103      local -A _i_stathash
104      if zstat -H _i_stathash $_i_exe &&
105	[[ $_i_stathash[uid] -ne 0 ]]; then
106	_i_owners+="u${_i_stathash[uid]}"
107      fi
108    fi
    # First existing candidate wins.
109    break
110  fi
111done
112
113# We search for:
114# - world/group-writable directories in fpath not owned by $_i_owners
115# - parent-directories of directories in fpath that are world/group-writable
116#   and not owned by $_i_owners (that would allow someone to put a
117#   digest file for one of the directories into the parent directory)
118# - digest files for one of the directories in fpath not owned by $_i_owners
119# - and for files in directories from fpath not owned by $_i_owners
120#   (including zwc files)
121
# Qualifier key: N = nullglob; `-' = test the symlink target; f:g+w: =
# group-writable; f:o+w: = world-writable; ^u... = not owned by a trusted
# uid.  Alternatives separated by `,' are OR-ed, so a directory is flagged
# if any one of the three conditions holds.  :h yields the parent directory.
122_i_wdirs=( ${^fpath}(N-f:g+w:,-f:o+w:,-^${_i_owners})
123           ${^fpath:h}(N-f:g+w:,-f:o+w:,-^${_i_owners}) )
124
125# RedHat Linux "per-user groups" check.  This is tricky, because it's very
126# difficult to tell whether the sysadmin has put someone else into your
127# "private" group (e.g., via the default group field in /etc/passwd, or
128# by NFS group sharing with an untrustworthy machine).  So we must assume
129# that this has not happened, and pick the best group.
130
131if (( $#_i_wdirs )); then
132  local GROUP GROUPMEM _i_pw _i_gid
  # NOTE(review): the non-setuid path keys on $LOGNAME from the environment
  # rather than on the real uid; if LOGNAME is unset or stale the entry read
  # here does not describe the current user and the relaxation below simply
  # does not apply -- confirm this is the intended failure mode.
133  if ((UID == EUID )); then
134    getent group $LOGNAME | IFS=: read GROUP _i_pw _i_gid GROUPMEM
135  else
136    getent group $EGID | IFS=: read GROUP _i_pw _i_gid GROUPMEM
137  fi
138
  # Only when the group is named after the user and has no other members
  # is group-writability by that group (g:${GROUP}:) tolerated.
139  if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]
140  then
141    _i_wdirs=( ${^_i_wdirs}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^${_i_owners}) )
142  fi
143fi
144
# Debian policy makes /usr/local trees setgid and group-writable by `staff'.
# Re-examine only those hits: keep them as insecure if they are
# group-writable+setgid by some other group (f:g+ws:^g:staff:), world-writable,
# or not owned by root (^u0).  Note this pass does not use `-' (symlink
# targets are not followed).
145if [[ -f /etc/debian_version ]]
146then
147  local _i_ulwdirs
148  _i_ulwdirs=( ${(M)_i_wdirs:#/usr/local/*} )
149  _i_wdirs=( ${_i_wdirs:#/usr/local/*} ${^_i_ulwdirs}(Nf:g+ws:^g:staff:,f:o+w:,^u0) )
150fi
151
# Digest files (<dir>.zwc) for the fpath directories, and the completion
# files inside them, owned by someone other than a trusted uid.
152_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N-^${_i_owners}) )
153_i_wfiles=( ${^fpath}/^([^_]*|*~)(N-^${_i_owners}) )
154
# Pick the noun for the report from which of the two lists are non-empty.
155case "${#_i_wdirs}:${#_i_wfiles}" in
156(0:0) _i_q= ;;
157(0:*) _i_q=files ;;
158(*:0) _i_q=directories ;;
159(*:*) _i_q='directories and files' ;;
160esac
161
162if [[ -n "$_i_q" ]]; then
  # NOTE(review): the heading goes to stderr but the path list (print -l)
  # goes to stdout, so callers redirecting one stream see only half the
  # report -- confirm whether that split is intentional.
163  [[ $_i_fail == verbose ]] && {
164    print There are insecure ${_i_q}: 1>&2
165    print -l - $_i_wdirs $_i_wfiles
166  }
167  return 1
168fi
169return 0
170
171}                                       # Define and then call
172
# Run the audit right away with whatever arguments this file was invoked
# with, so that sourcing the file performs the check as well as defining it.
compaudit "${@}"
174