X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fcheckperms;h=aa67d964c1630e849b2aae39ae7d2497a6beec94;hb=7aa9067b4694d42b3b7a63a65ea70b74fed5b363;hp=731790e1d7c03a084cbbd2cca0e950535588f62a;hpb=cb632251263ede89aca882f953fcb28dde88593b;p=monkeysphere.git
diff --git a/src/share/checkperms b/src/share/checkperms
index 731790e..aa67d96 100755
--- a/src/share/checkperms
+++ b/src/share/checkperms
@@ -40,10 +40,17 @@ defined($path) or die "You must pass a username and an absolute path.\n";
 my $pw = getpwnam($username) or die "no such user $username\n";
 $path =~ m#^/# or die "path was not absolute (did not start with /)\n";
-sub debug {
+sub mslog {
+ my $level = shift;
+ # FIXME: check and compare the log level
 if ($ENV{LOG_LEVEL} eq 'DEBUG') {
- # FIXME: prefix with $ENV{LOG_PREFIX}
- printf STDERR @_;
+ my $format = shift;
+ my $out = sprintf($format, @_);
+ $out =~ s/^/$ENV{LOG_PREFIX}/ ;
+ printf STDERR "%s", $out;
 }
 }
@@ -57,11 +64,11 @@ sub permissions_ok {
 while (S_ISLNK($stat->mode)) {
 my $newpath = realpath($path) or return "cannot trace symlink '$path'";
- debug("tracing link %s to %s\n", $path, $newpath);
+ mslog('DEBUG', "tracing link %s to %s\n", $path, $newpath);
 $path = $newpath;
 $stat = lstat($path) or return "cannot stat '$path'";
 }
- debug("checking '%s'\n", $path);
+ mslog('DEBUG', "checking '%s'\n", $path);
 if (($stat->uid != $user->uid) && ($stat->uid != 0)) {
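Review bot: In the new `mslog`, both `$ENV{LOG_LEVEL}` and `$ENV{LOG_PREFIX}` are read without a definedness check, so when checkperms runs without the wrapper that exports them the `eq` comparison and the `s/^/$ENV{LOG_PREFIX}/` replacement interpolate undef (an "uninitialized value" warning on every call if warnings are enabled, which this hunk does not show). A small guard keeps the output identical when the variables are set: `if (defined $ENV{LOG_LEVEL} && $ENV{LOG_LEVEL} eq 'DEBUG') {`, then `my $prefix = defined $ENV{LOG_PREFIX} ? $ENV{LOG_PREFIX} : '';` and `$out =~ s/^/$prefix/;`. `$level` is shifted off but never consulted, as the FIXME says; until the level comparison lands, the only gate is LOG_LEVEL being exactly 'DEBUG', so a call such as mslog('ERROR', ...) is also suppressed and callers should not yet route error output through it. The whole of mslog lies inside this hunk.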
@@ -69,16 +76,20 @@ sub permissions_ok {
 $path, $stat->uid, $user->name, $user->uid);
 }
- if (S_IWGRP & $stat->mode) {
+ if ($stat->mode & S_IWGRP) {
 return sprintf("improper group writability on '%s'", $path);
 }
- if (S_IWGRP & $stat->mode) {
- return sprintf("improper group writability on '%s'", $path);
+ if ($stat->mode & S_IWOTH) {
+ return sprintf("improper other writability on '%s'", $path);
 }
- if (S_IWOTH & $stat->mode) {
- return sprintf("improper other writability on '%s'", $path);
+ # see the rationalization in secure_filename() in auth.c in the
+ # OpenSSH sources for an explanation of this bailout (see also
+ # monkeysphere #675):
+ if ($path eq $user->dir) {
+ mslog('DEBUG', "stopping at the %s's home directory '%s'\n", $user->name, $path);
+ return undef;
 }
 my $nextlevel = dirname($path);
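Review bot: The new home-directory bailout `if ($path eq $user->dir)` is an exact string comparison between a path that has been walked upwards with dirname() (and realpath()-resolved only when a symlink was encountered) and the raw passwd home field, so a trailing slash or a symlinked component in the passwd entry means the two never match. The failure mode is the safe one, since the walk simply continues to `/` and checks the parents as before, but it means the OpenSSH-style stop described in the comment quietly does not apply on such systems; canonicalising both sides with realpath() (guarding against an undef return) or stating the exact-match assumption in the comment would make that explicit. It is also worth a line in the comment that the owner and writability checks above run before the bailout, so the home directory itself is still validated, which matches secure_filename(). Style-wise `return undef;` is better written `return;`, which is undef in scalar context and avoids a one-element list if the result is ever used in list context. permissions_ok begins before this hunk and ends after it.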