Do globally writable checks on directories, too

FreeRADIUS · Nov 27, 2012 · ffb018c · ffb018c
1 parent dbd561b
commit ffb018c
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/src/main/conffile.c b/src/main/conffile.c
@@ -1538,6 +1538,23 @@ static int cf_section_read(const char *filename, int *lineno, FILE *fp,
 				struct stat stat_buf;
 
 				DEBUG2("including files in directory %s", value );
+#ifdef S_IWOTH
+				/*
+				 *	Security checks.
+				 */
+				if (stat(value, &stat_buf) < 0) {
+					radlog(L_ERR, "%s[%d]: Failed reading directory %s: %s",
+					       filename, *lineno, 
+					       value, strerror(errno));
+					return -1;
+				}
+
+				if ((stat_buf.st_mode & S_IWOTH) != 0) {
+					radlog(L_ERR|L_CONS, "%s[%d]: Directory %s is globally writable.  Refusing to start due to insecure configuration.",
+					       filename, *lineno, value);
+					return -1;
+				}
+#endif
 				dir = opendir(value);
 				if (!dir) {
 					radlog(L_ERR, "%s[%d]: Error reading directory %s: %s",