X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/6e4fb64e6141727b8144bb77265bf0a4a8450a39..5e71c4446e10c27c1db0c7e7e5b71be68f3b88de:/authenticate.c

diff --git a/authenticate.c b/authenticate.c
index 5ecce15f..ba83a899 100644
--- a/authenticate.c
+++ b/authenticate.c
@@ -55,7 +55,7 @@ static void gen_challenge(char *addr, char *challenge)
 
 	memset(input, 0, sizeof(input));
 
-	strlcpy((char *)input, addr, 16);
+	strlcpy((char *)input, addr, 17);
 	gettimeofday(&tv, NULL);
 	SIVAL(input, 16, tv.tv_sec);
 	SIVAL(input, 20, tv.tv_usec);
@@ -75,12 +75,31 @@ static int get_secret(int module, char *user, char *secret, int len)
 	int fd, found=0;
 	char line[MAXPATHLEN];
 	char *p, *pass=NULL;
+	STRUCT_STAT st;
+	int ok = 1;
+	extern int am_root;
 
 	if (!fname || !*fname) return 0;
 
 	fd = open(fname,O_RDONLY);
 	if (fd == -1) return 0;
 
+	if (do_stat(fname, &st) == -1) {
+		rprintf(FERROR,"stat(%s) : %s\n", fname, strerror(errno));
+		ok = 0;
+	} else if ((st.st_mode & 06) != 0) {
+		rprintf(FERROR,"secrets file must not be other-accessible\n");
+		ok = 0;
+	} else if (am_root && (st.st_uid != 0)) {
+		rprintf(FERROR,"secrets file must be owned by root when running as root\n");
+		ok = 0;
+	}
+	if (!ok) {
+		rprintf(FERROR,"continuing without secrets file\n");
+		close(fd);
+		return 0;
+	}
+
 	while (!found) {
 		int i = 0;
 		memset(line, 0, sizeof(line));