author | Mike Kelly <mike@pair.com> | 2012-02-17 11:35:15 -0500 |
---|---|---|
committer | Benjamin Fleischer <fleiben@gmail.com> | 2012-03-09 22:48:58 +0100 |
commit | eb60e2d1a2c66534e6a8ed6d8609c9c89a3deaf9 (patch) | |
tree | a49c6d1b8ae5fc8958f6ca07c4e772686c166649 | |
parent | 0d34c7b742fe8f9a7de81afd3f4c906da38b26a3 (diff) | |
make sure idmap files aren't writable by others
otherwise, other local users could change the mapping, and gain access
to things they shouldn't
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | sshfs.c | 16 |
2 files changed, 22 insertions, 0 deletions
@@ -1,3 +1,9 @@
+2012-03-08 Miklos Szeredi <miklos@szeredi.hu>
+
+ * Make sure idmap files aren't writable by others otherwise, other
+ local users could change the mapping, and gain access to things
+ they shouldn't. Patch by Mike Kelly
+
 2012-02-08 Chris Wolfe <cwolfe@chromium.org>
 
 * Add -o slave. This option routes the sftp communication over stdin
@@ -3696,6 +3696,7 @@ static void read_id_map(char *file, uint32_t *(*map_fn)(char *),
 FILE *fp;
 char line[LINE_MAX];
 unsigned int lineno = 0;
+ uid_t local_uid = getuid();
 
 fp = fopen(file, "r");
 if (fp == NULL) {
@@ -3703,6 +3704,21 @@ static void read_id_map(char *file, uint32_t *(*map_fn)(char *),
 file, strerror(errno));
 exit(1);
 }
+ struct stat st;
+ if (fstat(fileno(fp), &st) == -1) {
+ fprintf(stderr, "failed to stat '%s': %s\n", file,
+ strerror(errno));
+ exit(1);
+ }
+ if (st.st_uid != local_uid) {
+ fprintf(stderr, "'%s' is not owned by uid %lu\n", file,
+ (unsigned long)local_uid);
+ exit(1);
+ }
+ if (st.st_mode & S_IWGRP || st.st_mode & S_IWOTH) {
+ fprintf(stderr, "'%s' is writable by other users\n", file);
+ exit(1);
+ }
 while (fgets(line, LINE_MAX, fp) != NULL) {
 lineno++;
 
|
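Review bot: In the third hunk the checks after `fstat()` validate the owner and the group/other write bits but never the file type, so an object that is not a regular file can still reach the `fgets()` loop as long as it passes the owner and mode tests. A guard such as `if (!S_ISREG(st.st_mode)) { fprintf(stderr, "'%s' is not a regular file\n", file); exit(1); }` next to the other tests would cover that. Using `fstat()` on the already opened stream is the right choice because it inspects the same object that is read afterwards. The checks do not look at the containing directory, which is presumably left to the user and would be worth stating in a comment such as `/* only the map file itself is checked, not its parent directory */`. As a style point, the mode test reads more clearly as `if (st.st_mode & (S_IWGRP | S_IWOTH)) {`; `read_id_map` starts and ends outside the hunk.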