1 /* $NetBSD: ex_init.c,v 1.3 2013/11/25 22:43:46 christos Exp $ */ 2 /*- 3 * Copyright (c) 1992, 1993, 1994 4 * The Regents of the University of California. All rights reserved. 5 * Copyright (c) 1992, 1993, 1994, 1995, 1996 6 * Keith Bostic. All rights reserved. 7 * 8 * See the LICENSE file for redistribution information. 9 */ 10 11 #include "config.h" 12 13 #ifndef lint 14 static const char sccsid[] = "Id: ex_init.c,v 10.31 2001/06/25 15:19:16 skimo Exp (Berkeley) Date: 2001/06/25 15:19:16 "; 15 #endif /* not lint */ 16 17 #include <sys/param.h> 18 #include <sys/types.h> /* XXX: param.h may not have included types.h */ 19 #include <sys/queue.h> 20 #include <sys/stat.h> 21 22 #include <bitstring.h> 23 #include <fcntl.h> 24 #include <limits.h> 25 #include <stdio.h> 26 #include <stdlib.h> 27 #include <string.h> 28 #include <unistd.h> 29 30 #include "../common/common.h" 31 #include "tag.h" 32 #include "pathnames.h" 33 34 enum rc { NOEXIST, NOPERM, RCOK }; 35 static enum rc exrc_isok __P((SCR *, struct stat *, const char *, int, int)); 36 37 static int ex_run_file __P((SCR *, const char *)); 38 39 /* 40 * ex_screen_copy -- 41 * Copy ex screen. 42 * 43 * PUBLIC: int ex_screen_copy __P((SCR *, SCR *)); 44 */ 45 int 46 ex_screen_copy(SCR *orig, SCR *sp) 47 { 48 EX_PRIVATE *oexp, *nexp; 49 50 /* Create the private ex structure. */ 51 CALLOC_RET(orig, nexp, EX_PRIVATE *, 1, sizeof(EX_PRIVATE)); 52 sp->ex_private = nexp; 53 54 /* Initialize queues. */ 55 TAILQ_INIT(&nexp->tq); 56 TAILQ_INIT(&nexp->tagfq); 57 LIST_INIT(&nexp->cscq); 58 59 if (orig == NULL) { 60 } else { 61 oexp = EXP(orig); 62 63 if (oexp->lastbcomm != NULL && 64 (nexp->lastbcomm = v_wstrdup(sp, oexp->lastbcomm, 65 STRLEN(oexp->lastbcomm))) == NULL) { 66 msgq(sp, M_SYSERR, NULL); 67 return(1); 68 } 69 if (ex_tag_copy(orig, sp)) 70 return (1); 71 } 72 return (0); 73 } 74 75 /* 76 * ex_screen_end -- 77 * End a vi screen. 78 * 79 * PUBLIC: int ex_screen_end __P((SCR *)); 80 */ 81 int 82 ex_screen_end(SCR *sp) 83 { 84 EX_PRIVATE *exp; 85 int rval; 86 87 if ((exp = EXP(sp)) == NULL) 88 return (0); 89 90 rval = 0; 91 92 /* Close down script connections. */ 93 if (F_ISSET(sp, SC_SCRIPT) && sscr_end(sp)) 94 rval = 1; 95 96 if (argv_free(sp)) 97 rval = 1; 98 99 if (exp->ibp != NULL) 100 free(exp->ibp); 101 102 if (exp->lastbcomm != NULL) 103 free(exp->lastbcomm); 104 105 if (ex_tag_free(sp)) 106 rval = 1; 107 108 /* Free private memory. */ 109 free(exp); 110 sp->ex_private = NULL; 111 112 return (rval); 113 } 114 115 /* 116 * ex_optchange -- 117 * Handle change of options for ex. 118 * 119 * PUBLIC: int ex_optchange __P((SCR *, int, const char *, u_long *)); 120 */ 121 int 122 ex_optchange(SCR *sp, int offset, const char *str, u_long *valp) 123 { 124 switch (offset) { 125 case O_TAGS: 126 return (ex_tagf_alloc(sp, str)); 127 } 128 return (0); 129 } 130 131 /* 132 * ex_exrc -- 133 * Read the EXINIT environment variable and the startup exrc files, 134 * and execute their commands. 135 * 136 * PUBLIC: int ex_exrc __P((SCR *)); 137 */ 138 int 139 ex_exrc(SCR *sp) 140 { 141 struct stat hsb, lsb; 142 char *p, path[MAXPATHLEN]; 143 const CHAR_T *wp; 144 size_t wlen; 145 146 /* 147 * Source the system, environment, $HOME and local .exrc values. 148 * Vi historically didn't check $HOME/.exrc if the environment 149 * variable EXINIT was set. This is all done before the file is 150 * read in, because things in the .exrc information can set, for 151 * example, the recovery directory. 152 * 153 * !!! 154 * While nvi can handle any of the options settings of historic vi, 155 * the converse is not true. Since users are going to have to have 156 * files and environmental variables that work with both, we use nvi 157 * versions of both the $HOME and local startup files if they exist, 158 * otherwise the historic ones. 159 * 160 * !!! 161 * For a discussion of permissions and when what .exrc files are 162 * read, see the comment above the exrc_isok() function below. 163 * 164 * !!! 165 * If the user started the historic of vi in $HOME, vi read the user's 166 * .exrc file twice, as $HOME/.exrc and as ./.exrc. We avoid this, as 167 * it's going to make some commands behave oddly, and I can't imagine 168 * anyone depending on it. 169 */ 170 switch (exrc_isok(sp, &hsb, _PATH_SYSEXRC, 1, 0)) { 171 case NOEXIST: 172 case NOPERM: 173 break; 174 case RCOK: 175 if (ex_run_file(sp, _PATH_SYSEXRC)) 176 return (1); 177 break; 178 } 179 180 /* Run the commands. */ 181 if (EXCMD_RUNNING(sp->wp)) 182 (void)ex_cmd(sp); 183 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 184 return (0); 185 186 if ((p = getenv("NEXINIT")) != NULL) { 187 CHAR2INT(sp, p, strlen(p) + 1, wp, wlen); 188 if (ex_run_str(sp, "NEXINIT", wp, wlen - 1, 1, 0)) 189 return (1); 190 } else if ((p = getenv("EXINIT")) != NULL) { 191 CHAR2INT(sp, p, strlen(p) + 1, wp, wlen); 192 if (ex_run_str(sp, "EXINIT", wp, wlen - 1, 1, 0)) 193 return (1); 194 } else if ((p = getenv("HOME")) != NULL && *p) { 195 (void)snprintf(path, sizeof(path), "%s/%s", p, _PATH_NEXRC); 196 switch (exrc_isok(sp, &hsb, path, 0, 1)) { 197 case NOEXIST: 198 (void)snprintf(path, 199 sizeof(path), "%s/%s", p, _PATH_EXRC); 200 if (exrc_isok(sp, 201 &hsb, path, 0, 1) == RCOK && ex_run_file(sp, path)) 202 return (1); 203 break; 204 case NOPERM: 205 break; 206 case RCOK: 207 if (ex_run_file(sp, path)) 208 return (1); 209 break; 210 } 211 } 212 213 /* Run the commands. */ 214 if (EXCMD_RUNNING(sp->wp)) 215 (void)ex_cmd(sp); 216 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 217 return (0); 218 219 /* Previous commands may have set the exrc option. */ 220 if (O_ISSET(sp, O_EXRC)) { 221 switch (exrc_isok(sp, &lsb, _PATH_NEXRC, 0, 0)) { 222 case NOEXIST: 223 if (exrc_isok(sp, &lsb, _PATH_EXRC, 0, 0) == RCOK && 224 (lsb.st_dev != hsb.st_dev || 225 lsb.st_ino != hsb.st_ino) && 226 ex_run_file(sp, _PATH_EXRC)) 227 return (1); 228 break; 229 case NOPERM: 230 break; 231 case RCOK: 232 if ((lsb.st_dev != hsb.st_dev || 233 lsb.st_ino != hsb.st_ino) && 234 ex_run_file(sp, _PATH_NEXRC)) 235 return (1); 236 break; 237 } 238 /* Run the commands. */ 239 if (EXCMD_RUNNING(sp->wp)) 240 (void)ex_cmd(sp); 241 if (F_ISSET(sp, SC_EXIT | SC_EXIT_FORCE)) 242 return (0); 243 } 244 245 return (0); 246 } 247 248 /* 249 * ex_run_file -- 250 * Set up a file of ex commands to run. 251 */ 252 static int 253 ex_run_file(SCR *sp, const char *name) 254 { 255 EXCMD cmd; 256 const CHAR_T *wp; 257 size_t wlen; 258 259 ex_cinit(sp, &cmd, C_SOURCE, 0, OOBLNO, OOBLNO, 0); 260 CHAR2INT(sp, name, strlen(name)+1, wp, wlen); 261 argv_exp0(sp, &cmd, wp, wlen - 1); 262 return (ex_source(sp, &cmd)); 263 } 264 265 /* 266 * ex_run_str -- 267 * Set up a string of ex commands to run. 268 * 269 * PUBLIC: int ex_run_str __P((SCR *, const char *, const CHAR_T *, size_t, int, int)); 270 */ 271 int 272 ex_run_str(SCR *sp, const char *name, const CHAR_T *str, size_t len, int ex_flags, int nocopy) 273 { 274 WIN *wp; 275 EXCMD *ecp; 276 277 wp = sp->wp; 278 if (EXCMD_RUNNING(wp)) { 279 CALLOC_RET(sp, ecp, EXCMD *, 1, sizeof(EXCMD)); 280 LIST_INSERT_HEAD(&wp->ecq, ecp, q); 281 } else 282 ecp = &wp->excmd; 283 284 F_INIT(ecp, 285 ex_flags ? E_BLIGNORE | E_NOAUTO | E_NOPRDEF | E_VLITONLY : 0); 286 287 if (nocopy) 288 ecp->cp = __UNCONST(str); 289 else 290 if ((ecp->cp = v_wstrdup(sp, str, len)) == NULL) 291 return (1); 292 ecp->clen = len; 293 294 if (name == NULL) 295 ecp->if_name = NULL; 296 else { 297 if ((ecp->if_name = v_strdup(sp, name, strlen(name))) == NULL) 298 return (1); 299 ecp->if_lno = 1; 300 F_SET(ecp, E_NAMEDISCARD); 301 } 302 303 return (0); 304 } 305 306 /* 307 * exrc_isok -- 308 * Check a .exrc file for source-ability. 309 * 310 * !!! 311 * Historically, vi read the $HOME and local .exrc files if they were owned 312 * by the user's real ID, or the "sourceany" option was set, regardless of 313 * any other considerations. We no longer support the sourceany option as 314 * it's a security problem of mammoth proportions. We require the system 315 * .exrc file to be owned by root, the $HOME .exrc file to be owned by the 316 * user's effective ID (or that the user's effective ID be root) and the 317 * local .exrc files to be owned by the user's effective ID. In all cases, 318 * the file cannot be writeable by anyone other than its owner. 319 * 320 * In O'Reilly ("Learning the VI Editor", Fifth Ed., May 1992, page 106), 321 * it notes that System V release 3.2 and later has an option "[no]exrc". 322 * The behavior is that local .exrc files are read only if the exrc option 323 * is set. The default for the exrc option was off, so, by default, local 324 * .exrc files were not read. The problem this was intended to solve was 325 * that System V permitted users to give away files, so there's no possible 326 * ownership or writeability test to ensure that the file is safe. 327 * 328 * POSIX 1003.2-1992 standardized exrc as an option. It required the exrc 329 * option to be off by default, thus local .exrc files are not to be read 330 * by default. The Rationale noted (incorrectly) that this was a change 331 * to historic practice, but correctly noted that a default of off improves 332 * system security. POSIX also required that vi check the effective user 333 * ID instead of the real user ID, which is why we've switched from historic 334 * practice. 335 * 336 * We initialize the exrc variable to off. If it's turned on by the system 337 * or $HOME .exrc files, and the local .exrc file passes the ownership and 338 * writeability tests, then we read it. This breaks historic 4BSD practice, 339 * but it gives us a measure of security on systems where users can give away 340 * files. 341 */ 342 static enum rc 343 exrc_isok(SCR *sp, struct stat *sbp, const char *path, int rootown, int rootid) 344 { 345 enum { ROOTOWN, OWN, WRITER } etype; 346 uid_t euid; 347 int nf1, nf2; 348 char *a, *b, buf[MAXPATHLEN]; 349 350 /* Check for the file's existence. */ 351 if (stat(path, sbp)) 352 return (NOEXIST); 353 354 /* Check ownership permissions. */ 355 euid = geteuid(); 356 if (!(rootown && sbp->st_uid == 0) && 357 !(rootid && euid == 0) && sbp->st_uid != euid) { 358 etype = rootown ? ROOTOWN : OWN; 359 goto denied; 360 } 361 362 /* Check writeability. */ 363 if (sbp->st_mode & (S_IWGRP | S_IWOTH)) { 364 etype = WRITER; 365 goto denied; 366 } 367 return (RCOK); 368 369 denied: a = msg_print(sp, path, &nf1); 370 if (strchr(path, '/') == NULL && getcwd(buf, sizeof(buf)) != NULL) { 371 b = msg_print(sp, buf, &nf2); 372 switch (etype) { 373 case ROOTOWN: 374 msgq(sp, M_ERR, 375 "125|%s/%s: not sourced: not owned by you or root", 376 b, a); 377 break; 378 case OWN: 379 msgq(sp, M_ERR, 380 "126|%s/%s: not sourced: not owned by you", b, a); 381 break; 382 case WRITER: 383 msgq(sp, M_ERR, 384 "127|%s/%s: not sourced: writeable by a user other than the owner", b, a); 385 break; 386 } 387 if (nf2) 388 FREE_SPACE(sp, b, 0); 389 } else 390 switch (etype) { 391 case ROOTOWN: 392 msgq(sp, M_ERR, 393 "128|%s: not sourced: not owned by you or root", a); 394 break; 395 case OWN: 396 msgq(sp, M_ERR, 397 "129|%s: not sourced: not owned by you", a); 398 break; 399 case WRITER: 400 msgq(sp, M_ERR, 401 "130|%s: not sourced: writeable by a user other than the owner", a); 402 break; 403 } 404 405 if (nf1) 406 FREE_SPACE(sp, a, 0); 407 return (NOPERM); 408 } 409