authorTheodore Ts'o <tytso@mit.edu>2024-04-25 10:19:08 -0400
committerTheodore Ts'o <tytso@mit.edu>2024-04-25 10:19:08 -0400
commiteefbea0da8109c049ceb289d8cf160d5840cf9bd (patch)
tree61b758f4ac7202018590283c502238aa36d28447
parent7f748825697554a7b4355b6c938b4b5f4ded43e1 (diff)
downloade2fsprogs-eefbea0da8109c049ceb289d8cf160d5840cf9bd.tar.gz
libext2fs: use a safe_getenv() function everywhere
Hoist safe_getenv() from test_io.c and unix_io.c to a globally exported ext2fs_safe_getenv() and use it instead of getenv() in libext2fs. This provides a bit more safety if e2fsprogs programs are used in setuid contexts. Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--debian/libext2fs2t64.symbols3
-rw-r--r--lib/ext2fs/Makefile.in29
-rw-r--r--lib/ext2fs/ext2fs.h3
-rw-r--r--lib/ext2fs/gen_bitmap64.c2
-rw-r--r--lib/ext2fs/initialize.c2
-rw-r--r--lib/ext2fs/ismounted.c10
-rw-r--r--lib/ext2fs/openfs.c2
-rw-r--r--lib/ext2fs/progress.c2
-rw-r--r--lib/ext2fs/test_io.c43
-rw-r--r--lib/ext2fs/undo_io.c2
-rw-r--r--lib/ext2fs/unix_io.c32
11 files changed, 44 insertions, 86 deletions
diff --git a/debian/libext2fs2t64.symbols b/debian/libext2fs2t64.symbols
index 82c09604c..7e4742738 100644
--- a/debian/libext2fs2t64.symbols
+++ b/debian/libext2fs2t64.symbols
@@ -414,7 +414,7 @@ libext2fs.so.2 libext2fs2t64 #MINVER#
ext2fs_is_fast_symlink@Base 1.44.0~rc1
ext2fs_journal_sb_start@Base 1.42.12
ext2fs_link@Base 1.37
- ext2fs_list_backups@Base 1.47.1~rc1
+ Ext2fs_list_backups@Base 1.47.1~rc1
ext2fs_llseek@Base 1.37
ext2fs_lookup@Base 1.37
ext2fs_make_generic_bitmap@Base 1.41.0
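Review bot: The replaced line in this hunk capitalises the symbol name, `Ext2fs_list_backups@Base 1.47.1~rc1`, which looks like a stray keystroke rather than part of the safe_getenv change. The exported function is still declared as `ext2fs_list_backups` in the ext2fs.h hunk of this commit. With the capitalised entry the symbols file no longer matches what libext2fs.so.2 exports, so the Debian symbols check would presumably report one missing and one new symbol. The line should go back to `ext2fs_list_backups@Base 1.47.1~rc1`. Separately, in the next hunk `ext2fs_safe_getenv` is inserted after `ext2fs_set_alloc_block_callback`, although by sort order it belongs just after `ext2fs_rw_bitmaps`.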
@@ -511,6 +511,7 @@ libext2fs.so.2 libext2fs2t64 #MINVER#
ext2fs_rewrite_to_io@Base 1.37
ext2fs_rw_bitmaps@Base 1.46.0
ext2fs_set_alloc_block_callback@Base 1.41.0
+ ext2fs_safe_getenv@Base 1.47.1~rc1
ext2fs_set_bit64@Base 1.42
ext2fs_set_bit@Base 1.37
ext2fs_set_bitmap_padding@Base 1.37
diff --git a/lib/ext2fs/Makefile.in b/lib/ext2fs/Makefile.in
index 36c3e8ee8..e9c23d341 100644
--- a/lib/ext2fs/Makefile.in
+++ b/lib/ext2fs/Makefile.in
@@ -93,6 +93,7 @@ OBJS= $(DEBUGFS_LIB_OBJS) $(RESIZE_LIB_OBJS) $(E2IMAGE_LIB_OBJS) \
gen_bitmap64.o \
get_num_dirs.o \
get_pathname.o \
+ getenv.o \
getsize.o \
getsectsize.o \
hashmap.o \
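Review bot: `getenv.o` is added to OBJS here, and the later hunks add `$(srcdir)/getenv.c` to SRCS and a `getenv.o:` dependency rule, but the diffstat on this page lists 11 files and none of them is lib/ext2fs/getenv.c. If the source file really is absent from the commit, the tree will not build at this revision, and the one piece of security-relevant logic (the setuid/setgid and PR_GET_DUMPABLE checks) cannot be reviewed alongside its callers. The two removed static copies also differ: the test_io.c one wraps the uid/gid comparison in `#if !defined(_WIN32)` and the unix_io.c one does not. The hoisted version should keep that guard and include `<sys/prctl.h>` or `<sys/syscall.h>` itself.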
@@ -175,6 +176,7 @@ SRCS= ext2_err.c \
$(srcdir)/gen_bitmap64.c \
$(srcdir)/get_num_dirs.c \
$(srcdir)/get_pathname.c \
+ $(srcdir)/getenv.c \
$(srcdir)/getsize.c \
$(srcdir)/getsectsize.c \
$(srcdir)/hashmap.c \
@@ -903,6 +905,12 @@ get_pathname.o: $(srcdir)/get_pathname.c $(top_builddir)/lib/config.h \
$(srcdir)/ext2_fs.h $(srcdir)/ext3_extents.h $(top_srcdir)/lib/et/com_err.h \
$(srcdir)/ext2_io.h $(top_builddir)/lib/ext2fs/ext2_err.h \
$(srcdir)/ext2_ext_attr.h $(srcdir)/hashmap.h $(srcdir)/bitops.h
+getenv.o: $(srcdir)/getenv.c $(top_builddir)/lib/config.h \
+ $(top_builddir)/lib/dirpaths.h $(srcdir)/ext2fs.h \
+ $(top_builddir)/lib/ext2fs/ext2_types.h $(srcdir)/ext2_fs.h \
+ $(srcdir)/ext3_extents.h $(top_srcdir)/lib/et/com_err.h $(srcdir)/ext2_io.h \
+ $(top_builddir)/lib/ext2fs/ext2_err.h $(srcdir)/ext2_ext_attr.h \
+ $(srcdir)/hashmap.h $(srcdir)/bitops.h
getsize.o: $(srcdir)/getsize.c $(top_builddir)/lib/config.h \
$(top_builddir)/lib/dirpaths.h $(srcdir)/ext2_fs.h \
$(top_builddir)/lib/ext2fs/ext2_types.h $(srcdir)/ext2fs.h \
@@ -1056,6 +1064,13 @@ openfs.o: $(srcdir)/openfs.c $(top_builddir)/lib/config.h \
$(srcdir)/ext2_io.h $(top_builddir)/lib/ext2fs/ext2_err.h \
$(srcdir)/ext2_ext_attr.h $(srcdir)/hashmap.h $(srcdir)/bitops.h \
$(srcdir)/e2image.h
+orphan.o: $(srcdir)/orphan.c $(top_builddir)/lib/config.h \
+ $(top_builddir)/lib/dirpaths.h $(srcdir)/ext2_fs.h \
+ $(top_builddir)/lib/ext2fs/ext2_types.h $(srcdir)/ext2fsP.h \
+ $(srcdir)/ext2fs.h $(srcdir)/ext2_fs.h $(srcdir)/ext3_extents.h \
+ $(top_srcdir)/lib/et/com_err.h $(srcdir)/ext2_io.h \
+ $(top_builddir)/lib/ext2fs/ext2_err.h $(srcdir)/ext2_ext_attr.h \
+ $(srcdir)/hashmap.h $(srcdir)/bitops.h
progress.o: $(srcdir)/progress.c $(top_builddir)/lib/config.h \
$(top_builddir)/lib/dirpaths.h $(srcdir)/ext2fs.h \
$(top_builddir)/lib/ext2fs/ext2_types.h $(srcdir)/ext2_fs.h \
@@ -1420,23 +1435,23 @@ e2freefrag.o: $(top_srcdir)/misc/e2freefrag.c $(top_builddir)/lib/config.h \
$(top_srcdir)/lib/support/dqblk_v2.h \
$(top_srcdir)/lib/support/quotaio_tree.h
create_inode.o: $(top_srcdir)/misc/create_inode.c \
- $(top_srcdir)/misc/create_inode_libarchive.c \
$(top_builddir)/lib/config.h $(top_builddir)/lib/dirpaths.h \
$(srcdir)/ext2fs.h $(top_builddir)/lib/ext2fs/ext2_types.h \
$(srcdir)/ext2_fs.h $(srcdir)/ext3_extents.h $(top_srcdir)/lib/et/com_err.h \
$(srcdir)/ext2_io.h $(top_builddir)/lib/ext2fs/ext2_err.h \
$(srcdir)/ext2_ext_attr.h $(srcdir)/hashmap.h $(srcdir)/bitops.h \
$(srcdir)/fiemap.h $(top_srcdir)/misc/create_inode.h \
- $(top_srcdir)/lib/e2p/e2p.h $(top_srcdir)/lib/support/nls-enable.h
+ $(top_srcdir)/lib/e2p/e2p.h $(top_srcdir)/lib/support/nls-enable.h \
+ $(top_srcdir)/misc/create_inode_libarchive.h
create_inode_libarchive.o: $(top_srcdir)/misc/create_inode_libarchive.c \
- $(top_srcdir)/misc/create_inode_libarchive.c \
$(top_builddir)/lib/config.h $(top_builddir)/lib/dirpaths.h \
- $(srcdir)/ext2fs.h $(top_builddir)/lib/ext2fs/ext2_types.h \
- $(srcdir)/ext2_fs.h $(srcdir)/ext3_extents.h $(top_srcdir)/lib/et/com_err.h \
+ $(top_builddir)/lib/ext2fs/ext2_types.h $(top_srcdir)/misc/create_inode.h \
+ $(top_srcdir)/lib/et/com_err.h $(top_srcdir)/lib/e2p/e2p.h \
+ $(srcdir)/ext2_fs.h $(srcdir)/ext2fs.h $(srcdir)/ext3_extents.h \
$(srcdir)/ext2_io.h $(top_builddir)/lib/ext2fs/ext2_err.h \
$(srcdir)/ext2_ext_attr.h $(srcdir)/hashmap.h $(srcdir)/bitops.h \
- $(srcdir)/fiemap.h $(top_srcdir)/misc/create_inode.h \
- $(top_srcdir)/lib/e2p/e2p.h $(top_srcdir)/lib/support/nls-enable.h
+ $(top_srcdir)/misc/create_inode_libarchive.h \
+ $(top_srcdir)/lib/support/nls-enable.h
journal.o: $(top_srcdir)/debugfs/journal.c $(top_builddir)/lib/config.h \
$(top_builddir)/lib/dirpaths.h $(top_srcdir)/debugfs/journal.h \
$(srcdir)/../../e2fsck/jfs_user.h $(srcdir)/ext2_fs.h \
diff --git a/lib/ext2fs/ext2fs.h b/lib/ext2fs/ext2fs.h
index 624c1a10b..f3d98f600 100644
--- a/lib/ext2fs/ext2fs.h
+++ b/lib/ext2fs/ext2fs.h
@@ -1559,6 +1559,9 @@ errcode_t ext2fs_count_used_blocks(ext2_filsys fs, blk64_t start,
extern unsigned int ext2fs_list_backups(ext2_filsys fs, unsigned int *three,
unsigned int *five, unsigned int *seven);
+/* getenv.c */
+extern char *ext2fs_safe_getenv(const char *arg);
+
/* get_num_dirs.c */
extern errcode_t ext2fs_get_num_dirs(ext2_filsys fs, ext2_ino_t *ret_num_dirs);
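Review bot: The new public prototype `ext2fs_safe_getenv()` is exported without any statement of its contract, and callers need to know when it deliberately returns NULL. Judging from the static copies removed in test_io.c and unix_io.c, it presumably refuses to read the environment when real and effective uid/gid differ or when the process is not dumpable. That should be stated at the declaration, for example `/* getenv.c: like getenv(), but returns NULL if running setuid/setgid or non-dumpable */`. It is also worth noting there that the returned pointer refers to the environment and must not be modified or freed, since the return type is a non-const `char *`.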
diff --git a/lib/ext2fs/gen_bitmap64.c b/lib/ext2fs/gen_bitmap64.c
index 5936dcf53..48745551c 100644
--- a/lib/ext2fs/gen_bitmap64.c
+++ b/lib/ext2fs/gen_bitmap64.c
@@ -257,7 +257,7 @@ void ext2fs_free_generic_bmap(ext2fs_generic_bitmap gen_bmap)
return;
#ifdef ENABLE_BMAP_STATS
- if (getenv("E2FSPROGS_BITMAP_STATS")) {
+ if (ext2fs_safe_getenv("E2FSPROGS_BITMAP_STATS")) {
ext2fs_print_bmap_statistics(bmap);
bmap->bitmap_ops->print_stats(bmap);
}
diff --git a/lib/ext2fs/initialize.c b/lib/ext2fs/initialize.c
index 2a08a7e86..513bf5a7e 100644
--- a/lib/ext2fs/initialize.c
+++ b/lib/ext2fs/initialize.c
@@ -125,7 +125,7 @@ errcode_t ext2fs_initialize(const char *name, int flags,
fs->flags |= EXT2_FLAG_SWAP_BYTES;
#endif
- time_env = getenv("E2FSPROGS_FAKE_TIME");
+ time_env = ext2fs_safe_getenv("E2FSPROGS_FAKE_TIME");
if (time_env)
fs->now = strtoul(time_env, NULL, 0);
diff --git a/lib/ext2fs/ismounted.c b/lib/ext2fs/ismounted.c
index a7db1a5c4..c1c3102b0 100644
--- a/lib/ext2fs/ismounted.c
+++ b/lib/ext2fs/ismounted.c
@@ -108,7 +108,7 @@ static errcode_t check_mntent_file(const char *mtab_file, const char *file,
if ((f = setmntent (mtab_file, "r")) == NULL) {
if (errno == ENOENT) {
- if (getenv("EXT2FS_NO_MTAB_OK"))
+ if (ext2fs_safe_getenv("EXT2FS_NO_MTAB_OK"))
return 0;
else
return EXT2_ET_NO_MTAB_FILE;
@@ -366,15 +366,15 @@ errcode_t ext2fs_check_mount_point(const char *device, int *mount_flags,
errcode_t retval = 0;
int busy = 0;
- if (getenv("EXT2FS_PRETEND_RO_MOUNT")) {
+ if (ext2fs_safe_getenv("EXT2FS_PRETEND_RO_MOUNT")) {
*mount_flags = EXT2_MF_MOUNTED | EXT2_MF_READONLY;
- if (getenv("EXT2FS_PRETEND_ROOTFS"))
+ if (ext2fs_safe_getenv("EXT2FS_PRETEND_ROOTFS"))
*mount_flags = EXT2_MF_ISROOT;
return 0;
}
- if (getenv("EXT2FS_PRETEND_RW_MOUNT")) {
+ if (ext2fs_safe_getenv("EXT2FS_PRETEND_RW_MOUNT")) {
*mount_flags = EXT2_MF_MOUNTED;
- if (getenv("EXT2FS_PRETEND_ROOTFS"))
+ if (ext2fs_safe_getenv("EXT2FS_PRETEND_ROOTFS"))
*mount_flags = EXT2_MF_ISROOT;
return 0;
}
diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
index eb44d5864..ed2f7c31f 100644
--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -149,7 +149,7 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
fs->flags |= EXT2_FLAG_MASTER_SB_ONLY;
fs->umask = 022;
- time_env = getenv("E2FSPROGS_FAKE_TIME");
+ time_env = ext2fs_safe_getenv("E2FSPROGS_FAKE_TIME");
if (time_env)
fs->now = strtoul(time_env, NULL, 0);
diff --git a/lib/ext2fs/progress.c b/lib/ext2fs/progress.c
index fe4292fa7..61ab3f04a 100644
--- a/lib/ext2fs/progress.c
+++ b/lib/ext2fs/progress.c
@@ -53,7 +53,7 @@ void ext2fs_numeric_progress_init(ext2_filsys fs,
backspaces[sizeof(backspaces)-1] = 0;
memset(progress, 0, sizeof(*progress));
- if (getenv("E2FSPROGS_SKIP_PROGRESS"))
+ if (ext2fs_safe_getenv("E2FSPROGS_SKIP_PROGRESS"))
progress->skip_progress++;
diff --git a/lib/ext2fs/test_io.c b/lib/ext2fs/test_io.c
index 6843edbcf..0324e532d 100644
--- a/lib/ext2fs/test_io.c
+++ b/lib/ext2fs/test_io.c
@@ -23,14 +23,6 @@
#if HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#else
-#define PR_GET_DUMPABLE 3
-#endif
-#if (!defined(HAVE_PRCTL) && defined(linux))
-#include <sys/syscall.h>
-#endif
#include "ext2_fs.h"
#include "ext2fs.h"
@@ -144,31 +136,6 @@ static void test_abort(io_channel channel, unsigned long block)
abort();
}
-static char *safe_getenv(const char *arg)
-{
-#if !defined(_WIN32)
- if ((getuid() != geteuid()) || (getgid() != getegid()))
- return NULL;
-#endif
-#if HAVE_PRCTL
- if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0)
- return NULL;
-#else
-#if (defined(linux) && defined(SYS_prctl))
- if (syscall(SYS_prctl, PR_GET_DUMPABLE, 0, 0, 0, 0) == 0)
- return NULL;
-#endif
-#endif
-
-#if defined(HAVE_SECURE_GETENV)
- return secure_getenv(arg);
-#elif defined(HAVE___SECURE_GETENV)
- return __secure_getenv(arg);
-#else
- return getenv(arg);
-#endif
-}
-
static errcode_t test_open(const char *name, int flags, io_channel *channel)
{
io_channel io = NULL;
@@ -217,25 +184,25 @@ static errcode_t test_open(const char *name, int flags, io_channel *channel)
data->write_blk64 = test_io_cb_write_blk64;
data->outfile = NULL;
- if ((value = safe_getenv("TEST_IO_LOGFILE")) != NULL)
+ if ((value = ext2fs_safe_getenv("TEST_IO_LOGFILE")) != NULL)
data->outfile = fopen(value, "w");
if (!data->outfile)
data->outfile = stderr;
data->flags = 0;
- if ((value = safe_getenv("TEST_IO_FLAGS")) != NULL)
+ if ((value = ext2fs_safe_getenv("TEST_IO_FLAGS")) != NULL)
data->flags = strtoul(value, NULL, 0);
data->block = 0;
- if ((value = safe_getenv("TEST_IO_BLOCK")) != NULL)
+ if ((value = ext2fs_safe_getenv("TEST_IO_BLOCK")) != NULL)
data->block = strtoul(value, NULL, 0);
data->read_abort_count = 0;
- if ((value = safe_getenv("TEST_IO_READ_ABORT")) != NULL)
+ if ((value = ext2fs_safe_getenv("TEST_IO_READ_ABORT")) != NULL)
data->read_abort_count = strtoul(value, NULL, 0);
data->write_abort_count = 0;
- if ((value = safe_getenv("TEST_IO_WRITE_ABORT")) != NULL)
+ if ((value = ext2fs_safe_getenv("TEST_IO_WRITE_ABORT")) != NULL)
data->write_abort_count = strtoul(value, NULL, 0);
if (data->real) {
diff --git a/lib/ext2fs/undo_io.c b/lib/ext2fs/undo_io.c
index f4a6d5267..a1bb4054f 100644
--- a/lib/ext2fs/undo_io.c
+++ b/lib/ext2fs/undo_io.c
@@ -809,7 +809,7 @@ static errcode_t undo_close(io_channel channel)
if (--channel->refcount > 0)
return 0;
/* Before closing write the file system identity */
- if (!getenv("UNDO_IO_SIMULATE_UNFINISHED"))
+ if (!ext2fs_safe_getenv("UNDO_IO_SIMULATE_UNFINISHED"))
data->hdr.state = ext2fs_cpu_to_le32(E2UNDO_STATE_FINISHED);
err = write_undo_indexes(data, 1);
ext2fs_remove_exit_fn(undo_atexit, data);
diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c
index 33c5d5686..b06df0681 100644
--- a/lib/ext2fs/unix_io.c
+++ b/lib/ext2fs/unix_io.c
@@ -53,11 +53,6 @@
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#else
-#define PR_GET_DUMPABLE 3
-#endif
#if HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
@@ -182,29 +177,6 @@ static errcode_t unix_get_stats(io_channel channel, io_stats *stats)
return retval;
}
-static char *safe_getenv(const char *arg)
-{
- if ((getuid() != geteuid()) || (getgid() != getegid()))
- return NULL;
-#ifdef HAVE_PRCTL
- if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0)
- return NULL;
-#else
-#if (defined(linux) && defined(SYS_prctl))
- if (syscall(SYS_prctl, PR_GET_DUMPABLE, 0, 0, 0, 0) == 0)
- return NULL;
-#endif
-#endif
-
-#if defined(HAVE_SECURE_GETENV)
- return secure_getenv(arg);
-#elif defined(HAVE___SECURE_GETENV)
- return __secure_getenv(arg);
-#else
- return getenv(arg);
-#endif
-}
-
/*
* Here are the raw I/O functions
*/
@@ -728,7 +700,7 @@ static errcode_t unix_open_channel(const char *name, int fd,
struct utsname ut;
#endif
- if (safe_getenv("UNIX_IO_FORCE_BOUNCE"))
+ if (ext2fs_safe_getenv("UNIX_IO_FORCE_BOUNCE"))
flags |= IO_FLAG_FORCE_BOUNCE;
#ifdef __linux__
@@ -761,7 +733,7 @@ static errcode_t unix_open_channel(const char *name, int fd,
io->refcount = 1;
io->flags = 0;
- if (safe_getenv("UNIX_IO_NOZEROOUT"))
+ if (ext2fs_safe_getenv("UNIX_IO_NOZEROOUT"))
io->flags |= CHANNEL_FLAGS_NOZEROOUT;
memset(data, 0, sizeof(struct unix_private_data));