Also, ignore unexpected fchmod results inside the user's home directory. They sometimes happen due to home filesystems violating POSIX requirements, including those specified at http://pubs.opengroup.org/onlinepubs/009696899/functions/fchown.html
Details: http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-April/020351.html
---
Note: this patch looks safe, but I think it is conceptually wrong. Apply it only if you think that the other patch ("Remove redundant check of directory permissions") opens a security hole.
 src/pulsecore/core-util.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/pulsecore/core-util.c b/src/pulsecore/core-util.c
index 0d9e354..c065f00 100644
--- a/src/pulsecore/core-util.c
+++ b/src/pulsecore/core-util.c
@@ -273,6 +273,7 @@ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid, bool upd
     struct stat st;
     int r, saved_errno;
     bool retry = true;
+    bool implicit_owner = (uid == (uid_t)(-1)) && (gid == (gid_t)(-1));
 
     pa_assert(dir);
 
@@ -358,13 +359,26 @@ again:
         goto fail;
 
 #ifndef OS_IS_WIN32
-    if (!S_ISDIR(st.st_mode) ||
-        (st.st_uid != uid) ||
-        (st.st_gid != gid) ||
-        ((st.st_mode & 0777) != m)) {
+    if (!S_ISDIR(st.st_mode)) {
+        pa_log_error("\"%s\" should be a directory but actually isn't.", dir);
+        errno = EEXIST;
+        goto fail;
+    }
+    if ((st.st_uid != uid) || (st.st_gid != gid)) {
+        pa_log_error("\"%s\" has wrong owner or group and thus is not secure.", dir);
         errno = EACCES;
         goto fail;
     }
+    if ((st.st_mode & 0777) != m) {
+        pa_log_error("Directory \"%s\" has wrong permissions and thus is possibly insecure.", dir);
+        if (!implicit_owner) {
+            pa_log_warn("Taking this error seriously.");
+            errno = EACCES;
+            goto fail;
+        }
+        pa_log_warn("Ignoring this error, it looks like a broken filesystem that ignores fchmod by the owner.");
+        pa_log_warn("This is not something that PulseAudio can fix.");
+    }
 #else
     pa_log_warn("Secure directory creation not supported on Win32.");
 #endif
-- 
1.9.2
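Review bot: The relaxed branch of the new mode check accepts any mismatch once implicit_owner is set, including a directory that is more permissive than m (group- or world-writable, for instance), which is exactly the condition the check exists to reject; the exemption should at least be narrowed to modes that grant nothing beyond what was requested, `if (!implicit_owner || (st.st_mode & 0777 & ~m) != 0) {`, so that only a too-restrictive mode is tolerated. Note that implicit_owner (set in the first hunk) records how the caller invoked pa_make_secure_dir, not whether the directory lives on a filesystem that ignores fchmod, so the exemption applies to every caller that passes -1/-1; if uid and gid are normalised to real ids between the two hunks, that is not visible here and the flag still reflects the original arguments, which appears to be the intent. The `pa_log_warn("Taking this error seriously.");` line adds nothing beyond the pa_log_error just above it and could be dropped. pa_make_secure_dir's body continues outside the hunk.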