mosquitto/lib/misc_mosq.c

/*
Copyright (c) 2009-2020 Roger Light <roger@atchoo.org>

All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License 2.0
and Eclipse Distribution License v1.0 which accompany this distribution.

The Eclipse Public License is available at
   https://www.eclipse.org/legal/epl-2.0/
and the Eclipse Distribution License is available at
  http://www.eclipse.org/org/documents/edl-v10.php.

SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause

Contributors:
   Roger Light - initial implementation and documentation.
*/

/* This contains general purpose utility functions that are not specific to
 * Mosquitto/MQTT features. */

#include "config.h"

#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#  include <winsock2.h>
#  include <aclapi.h>
#  include <io.h>
#  include <lmcons.h>
#  include <fcntl.h>
#  define PATH_MAX MAX_PATH
#else
#  include <sys/stat.h>
#  include <pwd.h>
#  include <grp.h>
#  include <unistd.h>
#endif

#include "misc_mosq.h"
#include "logging_mosq.h"


FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read)
{
#ifdef WIN32
	char buf[4096];
	int rc;
	int flags = 0;

	rc = ExpandEnvironmentStringsA(path, buf, 4096);
	if(rc == 0 || rc > 4096){
		return NULL;
	}else{
		if (restrict_read) {
			HANDLE hfile;
			SECURITY_ATTRIBUTES sec;
			EXPLICIT_ACCESS_A ea;
			PACL pacl = NULL;
			char username[UNLEN + 1];
			DWORD ulen = UNLEN;
			SECURITY_DESCRIPTOR sd;
			DWORD dwCreationDisposition;
			int fd;
			FILE *fptr;

			switch(mode[0]){
				case 'a':
					dwCreationDisposition = OPEN_ALWAYS;
					flags = _O_APPEND;
					break;
				case 'r':
					dwCreationDisposition = OPEN_EXISTING;
					flags = _O_RDONLY;
					break;
				case 'w':
					dwCreationDisposition = CREATE_ALWAYS;
					break;
				default:
					return NULL;
			}

			GetUserNameA(username, &ulen);
			if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
				return NULL;
			}
			BuildExplicitAccessWithNameA(&ea, username, GENERIC_ALL, SET_ACCESS, NO_INHERITANCE);
			if (SetEntriesInAclA(1, &ea, NULL, &pacl) != ERROR_SUCCESS) {
				return NULL;
			}
			if (!SetSecurityDescriptorDacl(&sd, TRUE, pacl, FALSE)) {
				LocalFree(pacl);
				return NULL;
			}

			memset(&sec, 0, sizeof(sec));
			sec.nLength = sizeof(SECURITY_ATTRIBUTES);
			sec.bInheritHandle = FALSE;
			sec.lpSecurityDescriptor = &sd;

			hfile = CreateFileA(buf, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ,
				&sec,
				dwCreationDisposition,
				FILE_ATTRIBUTE_NORMAL,
				NULL);

			LocalFree(pacl);

			fd = _open_osfhandle((intptr_t)hfile, flags);
			if (fd < 0) {
				return NULL;
			}

			fptr = _fdopen(fd, mode);
			if (!fptr) {
				_close(fd);
				return NULL;
			}
			if(mode[0] == 'a'){
				fseek(fptr, 0, SEEK_END);
			}
			return fptr;

		}else {
			return fopen(buf, mode);
		}
	}
#else
	FILE *fptr;
	struct stat statbuf;

	if (restrict_read) {
		mode_t old_mask;

		old_mask = umask(0077);
		fptr = fopen(path, mode);
		umask(old_mask);
	}else{
		fptr = fopen(path, mode);
	}
	if(!fptr) return NULL;

	if(fstat(fileno(fptr), &statbuf) < 0){
		fclose(fptr);
		return NULL;
	}

	if(restrict_read){
		if(statbuf.st_mode & S_IRWXO){
#ifdef WITH_BROKER
			log__printf(NULL, MOSQ_LOG_WARNING,
#else
			fprintf(stderr,
#endif
					"Warning: File %s has world readable permissions. Future versions will refuse to load this file.",
					path);
#if 0
			return NULL;
#endif
		}
		if(statbuf.st_uid != getuid()){
			char buf[4096];
			struct passwd pw, *result;

			getpwuid_r(getuid(), &pw, buf, sizeof(buf), &result);
			if(result){
#ifdef WITH_BROKER
				log__printf(NULL, MOSQ_LOG_WARNING,
#else
				fprintf(stderr,
#endif
						"Warning: File %s owner is not %s. Future versions will refuse to load this file.",
						path, result->pw_name);
			}
#if 0
			// Future version
			return NULL;
#endif
		}
		if(statbuf.st_gid != getgid()){
			char buf[4096];
			struct group grp, *result;

			getgrgid_r(getgid(), &grp, buf, sizeof(buf), &result);
			if(result){
#ifdef WITH_BROKER
				log__printf(NULL, MOSQ_LOG_WARNING,
#else
				fprintf(stderr,
#endif
						"Warning: File %s group is not %s. Future versions will refuse to load this file.",
						path, result->gr_name);
			}
#if 0
			// Future version
			return NULL
#endif
		}
	}


	if(!S_ISREG(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)){
#ifdef WITH_BROKER
		log__printf(NULL, MOSQ_LOG_ERR, "Error: %s is not a file.", path);
#endif
		fclose(fptr);
		return NULL;
	}
	return fptr;
#endif
}


char *misc__trimblanks(char *str)
{
	char *endptr;

	if(str == NULL) return NULL;

	while(isspace(str[0])){
		str++;
	}
	endptr = &str[strlen(str)-1];
	while(endptr > str && isspace(endptr[0])){
		endptr[0] = '\0';
		endptr--;
	}
	return str;
}


char *fgets_extending(char **buf, int *buflen, FILE *stream)
{
	char *rc;
	char endchar;
	int offset = 0;
	char *newbuf;
	size_t len;

	if(stream == NULL || buf == NULL || buflen == NULL || *buflen < 1){
		return NULL;
	}

	do{
		rc = fgets(&((*buf)[offset]), (*buflen)-offset, stream);
		if(feof(stream) || rc == NULL){
			return rc;
		}

		len = strlen(*buf);
		if(len == 0){
			return rc;
		}
		endchar = (*buf)[len-1];
		if(endchar == '\n'){
			return rc;
		}
		/* No EOL char found, so extend buffer */
		offset = (*buflen)-1;
		*buflen += 1000;
		newbuf = realloc(*buf, (size_t)*buflen);
		if(!newbuf){
			return NULL;
		}
		*buf = newbuf;
	}while(1);
}
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`/*`
Update changelog. Release page. Bump copyright. 2020-02-27 23:26:58 +00:00			`Copyright (c) 2009-2020 Roger Light <roger@atchoo.org>`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00
			`All rights reserved. This program and the accompanying materials`
Update to EPL-2.0 2020-11-25 17:34:21 +00:00			`are made available under the terms of the Eclipse Public License 2.0`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`and Eclipse Distribution License v1.0 which accompany this distribution.`

			`The Eclipse Public License is available at`
Update to EPL-2.0 2020-11-25 17:34:21 +00:00			`https://www.eclipse.org/legal/epl-2.0/`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`and the Eclipse Distribution License is available at`
			`http://www.eclipse.org/org/documents/edl-v10.php.`

Fix SPDX identifiers: EDL-1.0 -> BSD-3-Clause. The two licenses are the same. 2021-01-20 11:46:18 +00:00			`SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause`
Add SPDX license identifiers. 2020-12-01 18:21:59 +00:00
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`Contributors:`
			`Roger Light - initial implementation and documentation.`
			`*/`

			`/* This contains general purpose utility functions that are not specific to`
			`* Mosquitto/MQTT features. */`

			`#include "config.h"`

			`#include <ctype.h>`
Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`#include <errno.h>`
			`#include <limits.h>`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`#include <stdbool.h>`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <string.h>`

			`#ifdef WIN32`
			`# include <winsock2.h>`
			`# include <aclapi.h>`
			`# include <io.h>`
			`# include <lmcons.h>`
Fix log file being truncated on Windows. 2021-10-05 10:33:35 +00:00			`# include <fcntl.h>`
Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`# define PATH_MAX MAX_PATH`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`#else`
			`# include <sys/stat.h>`
Warn on lax permissions on sensitive files. - Broker will log warnings if sensitive files are world readable/writable, or if the owner/group is not the same as the user/group the broker is running as. In future versions the broker will refuse to open these files. 2023-06-08 20:02:29 +00:00			`# include <pwd.h>`
			`# include <grp.h>`
Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`# include <unistd.h>`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`#endif`

Minor build fixes. 2021-03-21 09:17:53 +00:00			`#include "misc_mosq.h"`
Fix broker not quiting if `password_file` is specified as a directory. Closes #2241. Thanks to Bryan Pearson. 2021-08-21 21:44:24 +00:00			`#include "logging_mosq.h"`
Minor build fixes. 2021-03-21 09:17:53 +00:00
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00
			`FILE mosquitto__fopen(const char path, const char *mode, bool restrict_read)`
			`{`
			`#ifdef WIN32`
			`char buf[4096];`
			`int rc;`
Fix log file being truncated on Windows. 2021-10-05 10:33:35 +00:00			`int flags = 0;`

Fixed compilation error on Win32 UNICODE platform. Signed-off-by: raspopov <raspopov@cherubicsoft.com> 2020-10-26 15:17:22 +00:00			`rc = ExpandEnvironmentStringsA(path, buf, 4096);`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if(rc == 0 \|\| rc > 4096){`
			`return NULL;`
			`}else{`
			`if (restrict_read) {`
			`HANDLE hfile;`
			`SECURITY_ATTRIBUTES sec;`
Fixed compilation error on Win32 UNICODE platform. Signed-off-by: raspopov <raspopov@cherubicsoft.com> 2020-10-26 15:17:22 +00:00			`EXPLICIT_ACCESS_A ea;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`PACL pacl = NULL;`
			`char username[UNLEN + 1];`
Fixed some VS2017 compilation error and warnings (#1916) * Fixed some VS2017 compilation errors and warnings. Signed-off-by: raspopov <raspopov@cherubicsoft.com> 2020-12-02 15:59:45 +00:00			`DWORD ulen = UNLEN;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`SECURITY_DESCRIPTOR sd;`
			`DWORD dwCreationDisposition;`
Fix building with Visual Studio 2008 This older Microsoft compiler does not support mixing declarations and code and misses some error defines. This commit enables building with VS2008 by moving up some variable declarations and defining error codes to their WinSock counterparts in case they're not defined. Signed-off-by: Christian Beier <info@christianbeier.net> 2021-04-18 19:23:25 +00:00			`int fd;`
			`FILE *fptr;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00
			`switch(mode[0]){`
			`case 'a':`
			`dwCreationDisposition = OPEN_ALWAYS;`
Fix log file being truncated on Windows. 2021-10-05 10:33:35 +00:00			`flags = _O_APPEND;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`break;`
			`case 'r':`
			`dwCreationDisposition = OPEN_EXISTING;`
Fix log file being truncated on Windows. 2021-10-05 10:33:35 +00:00			`flags = _O_RDONLY;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`break;`
			`case 'w':`
			`dwCreationDisposition = CREATE_ALWAYS;`
			`break;`
			`default:`
			`return NULL;`
			`}`

Fixed compilation error on Win32 UNICODE platform. Signed-off-by: raspopov <raspopov@cherubicsoft.com> 2020-10-26 15:17:22 +00:00			`GetUserNameA(username, &ulen);`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {`
			`return NULL;`
			`}`
Fixed compilation error on Win32 UNICODE platform. Signed-off-by: raspopov <raspopov@cherubicsoft.com> 2020-10-26 15:17:22 +00:00			`BuildExplicitAccessWithNameA(&ea, username, GENERIC_ALL, SET_ACCESS, NO_INHERITANCE);`
			`if (SetEntriesInAclA(1, &ea, NULL, &pacl) != ERROR_SUCCESS) {`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`return NULL;`
			`}`
			`if (!SetSecurityDescriptorDacl(&sd, TRUE, pacl, FALSE)) {`
			`LocalFree(pacl);`
			`return NULL;`
			`}`

Fix log file being truncated on Windows. 2021-10-05 10:33:35 +00:00			`memset(&sec, 0, sizeof(sec));`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`sec.nLength = sizeof(SECURITY_ATTRIBUTES);`
			`sec.bInheritHandle = FALSE;`
			`sec.lpSecurityDescriptor = &sd;`

Fixed compilation error on Win32 UNICODE platform. Signed-off-by: raspopov <raspopov@cherubicsoft.com> 2020-10-26 15:17:22 +00:00			`hfile = CreateFileA(buf, GENERIC_READ \| GENERIC_WRITE, FILE_SHARE_READ,`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`&sec,`
			`dwCreationDisposition,`
			`FILE_ATTRIBUTE_NORMAL,`
			`NULL);`

			`LocalFree(pacl);`

Fix log file being truncated on Windows. 2021-10-05 10:33:35 +00:00			`fd = _open_osfhandle((intptr_t)hfile, flags);`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if (fd < 0) {`
			`return NULL;`
			`}`

Fix building with Visual Studio 2008 This older Microsoft compiler does not support mixing declarations and code and misses some error defines. This commit enables building with VS2008 by moving up some variable declarations and defining error codes to their WinSock counterparts in case they're not defined. Signed-off-by: Christian Beier <info@christianbeier.net> 2021-04-18 19:23:25 +00:00			`fptr = _fdopen(fd, mode);`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if (!fptr) {`
			`_close(fd);`
			`return NULL;`
			`}`
Move to end of file on append, when on Windows. 2021-10-15 14:51:32 +00:00			`if(mode[0] == 'a'){`
			`fseek(fptr, 0, SEEK_END);`
			`}`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`return fptr;`

			`}else {`
			`return fopen(buf, mode);`
			`}`
			`}`
			`#else`
Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`FILE *fptr;`
			`struct stat statbuf;`
Fix broker not quiting if `password_file` is specified as a directory. Closes #2241. Thanks to Bryan Pearson. 2021-08-21 21:44:24 +00:00
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if (restrict_read) {`
			`mode_t old_mask;`

			`old_mask = umask(0077);`
			`fptr = fopen(path, mode);`
			`umask(old_mask);`
			`}else{`
Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`fptr = fopen(path, mode);`
			`}`
			`if(!fptr) return NULL;`

			`if(fstat(fileno(fptr), &statbuf) < 0){`
			`fclose(fptr);`
			`return NULL;`
			`}`

Warn on lax permissions on sensitive files. - Broker will log warnings if sensitive files are world readable/writable, or if the owner/group is not the same as the user/group the broker is running as. In future versions the broker will refuse to open these files. 2023-06-08 20:02:29 +00:00			`if(restrict_read){`
			`if(statbuf.st_mode & S_IRWXO){`
			`#ifdef WITH_BROKER`
			`log__printf(NULL, MOSQ_LOG_WARNING,`
			`#else`
			`fprintf(stderr,`
			`#endif`
			`"Warning: File %s has world readable permissions. Future versions will refuse to load this file.",`
			`path);`
			`#if 0`
			`return NULL;`
			`#endif`
			`}`
			`if(statbuf.st_uid != getuid()){`
			`char buf[4096];`
			`struct passwd pw, *result;`

			`getpwuid_r(getuid(), &pw, buf, sizeof(buf), &result);`
			`if(result){`
			`#ifdef WITH_BROKER`
			`log__printf(NULL, MOSQ_LOG_WARNING,`
			`#else`
			`fprintf(stderr,`
			`#endif`
			`"Warning: File %s owner is not %s. Future versions will refuse to load this file.",`
			`path, result->pw_name);`
			`}`
			`#if 0`
			`// Future version`
			`return NULL;`
			`#endif`
			`}`
			`if(statbuf.st_gid != getgid()){`
			`char buf[4096];`
			`struct group grp, *result;`

			`getgrgid_r(getgid(), &grp, buf, sizeof(buf), &result);`
			`if(result){`
			`#ifdef WITH_BROKER`
			`log__printf(NULL, MOSQ_LOG_WARNING,`
			`#else`
			`fprintf(stderr,`
			`#endif`
			`"Warning: File %s group is not %s. Future versions will refuse to load this file.",`
			`path, result->gr_name);`
			`}`
			`#if 0`
			`// Future version`
			`return NULL`
			`#endif`
			`}`
			`}`


Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`if(!S_ISREG(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)){`
			`#ifdef WITH_BROKER`
			`log__printf(NULL, MOSQ_LOG_ERR, "Error: %s is not a file.", path);`
			`#endif`
			`fclose(fptr);`
			`return NULL;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`}`
Fix Coverity Scan 1486944 (backport from develop) 2022-10-26 09:06:38 +00:00			`return fptr;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`#endif`
			`}`


			`char misc__trimblanks(char str)`
			`{`
			`char *endptr;`

			`if(str == NULL) return NULL;`

			`while(isspace(str[0])){`
			`str++;`
			`}`
			`endptr = &str[strlen(str)-1];`
			`while(endptr > str && isspace(endptr[0])){`
			`endptr[0] = '\0';`
			`endptr--;`
			`}`
			`return str;`
			`}`


			`char fgets_extending(char buf, int buflen, FILE *stream)`
			`{`
			`char *rc;`
			`char endchar;`
			`int offset = 0;`
			`char *newbuf;`
Fix possible out of bounds memory reads when reading configuration. This would happen with a corrupt/crafted configuration file. Unless your configuration file is writable by untrusted users this is not a risk. Closes #567213. Thanks to Roland Sako. 2021-07-22 15:43:06 +00:00			`size_t len;`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00
			`if(stream == NULL \|\| buf == NULL \|\| buflen == NULL \|\| *buflen < 1){`
			`return NULL;`
			`}`

			`do{`
			`rc = fgets(&((buf)[offset]), (buflen)-offset, stream);`
Fix broker not quiting if `password_file` is specified as a directory. Closes #2241. Thanks to Bryan Pearson. 2021-08-21 21:44:24 +00:00			`if(feof(stream) \|\| rc == NULL){`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`return rc;`
			`}`

Fix possible out of bounds memory reads when reading configuration. This would happen with a corrupt/crafted configuration file. Unless your configuration file is writable by untrusted users this is not a risk. Closes #567213. Thanks to Roland Sako. 2021-07-22 15:43:06 +00:00			`len = strlen(*buf);`
			`if(len == 0){`
			`return rc;`
			`}`
			`endchar = (*buf)[len-1];`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if(endchar == '\n'){`
			`return rc;`
			`}`
			`/* No EOL char found, so extend buffer */`
			`offset = (*buflen)-1;`
			`*buflen += 1000;`
Fix conversion errors. 2020-10-17 00:23:08 +00:00			`newbuf = realloc(buf, (size_t)buflen);`
Improve password file parsing in the broker and mosqitto_passwd. Closes #1584. Thanks to panava. 2020-02-04 16:05:58 +00:00			`if(!newbuf){`
			`return NULL;`
			`}`
			`*buf = newbuf;`
			`}while(1);`
			`}`