/usr/share/zsh/functions/Completion/compaudit is in zsh-common 5.1.1-1ubuntu2.3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | # So that this file can also be read with `.' or `source' ...
compaudit() { # Define and then call
# Audit the fpath to assure that it contains all the directories needed by
# the completion system, and that those directories are at least unlikely
# to contain dangerous files. This is far from perfect, as the modes or
# ownership of files or directories might change between the time of the
# audit and the time the function is executed.
# This function is designed to be called from compinit, which assumes that
# it is in the same directory, i.e., it can be autoloaded from the initial
# fpath as compinit was. Most local parameter names in this function must
# therefore be the same as those used in compinit.
emulate -L zsh
setopt extendedglob
[[ -x /usr/bin/getent ]] || getent() {
if [[ $2 = <-> ]]; then
grep ":$2:[^:]*$" /etc/$1
else
grep "^$2:" /etc/$1
fi
}
# The positional parameters are the directories to check, else fpath.
if (( $# )); then
local _compdir=''
elif (( $#fpath == 0 )); then
print 'compaudit: No directories in $fpath, cannot continue' 1>&2
return 1
else
set -- $fpath
fi
# _i_check is defined by compinit; used here as a test for whether this
# function is running standalone or was called by compinit. If called
# by compinit, we use parameters that are defined in compinit's scope,
# otherwise we make them local here.
(( $+_i_check )) || {
local _i_q _i_line _i_file _i_fail=verbose
local -a _i_files _i_addfiles _i_wdirs _i_wfiles
local -a -U +h fpath
}
fpath=( $* )
# _compdir may be defined by the user; see the compinit documentation.
# If it isn't defined, we want it to point somewhere sensible, but the
# user is allowed to set it to empty to bypass the check below.
(( $+_compdir )) || {
local _compdir=${fpath[(r)*/$ZSH_VERSION/*]}
[[ -z $_compdir ]] && _compdir=$fpath[1]
### [[ -d $_compdir/../Base ]] && _compdir=${_compdir:h}
}
_i_wdirs=()
_i_wfiles=()
_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
if [[ -n $_compdir ]]; then
if [[ $#_i_files -lt 20 || $_compdir = */Base || -d $_compdir/Base ]]; then
# Too few files: we need some more directories, or we need to check
# that all directories (not just Base) are present.
_i_addfiles=()
if [[ -d $_compdir/Base/Core ]]; then
# Add all the Completion subdirectories (CVS-layout)
_i_addfiles=(${_compdir}/*/*(/^M))
elif [[ -d $_compdir/Base ]]; then
# Likewise (installation-layout)
_i_addfiles=(${_compdir}/*(/^M))
fi
for _i_line in {1..$#_i_addfiles}; do
(( $_i_line )) || break
_i_file=${_i_addfiles[$_i_line]}
[[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
_i_addfiles[$_i_line]=
done
fpath=($fpath $_i_addfiles)
_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
fi
fi
[[ $_i_fail == use ]] && return 0
# We will always allow files to be owned by root and the owner of the
# present process.
local _i_owners="u0u${EUID}"
# Places we will look for a link to the executable
local -a _i_exes
_i_exes=(
/proc/$$/exe
/proc/$$/object/a.out
)
local _i_exe
# If we can find out who owns the executable, we will allow files to
# be owned by that user, too. The argument is that if you don't trust
# the owner of the executable, it's way too late to worry about it now...
for _i_exe in $_i_exes; do
if [[ -e $_i_exe ]] ;then
if zmodload -F zsh/stat b:zstat 2>/dev/null; then
local -A _i_stathash
if zstat -H _i_stathash $_i_exe &&
[[ $_i_stathash[uid] -ne 0 ]]; then
_i_owners+="u${_i_stathash[uid]}"
fi
fi
break
fi
done
# We search for:
# - world/group-writable directories in fpath not owned by $_i_owners
# - parent-directories of directories in fpath that are world/group-writable
# and not owned by $_i_owners (that would allow someone to put a
# digest file for one of the directories into the parent directory)
# - digest files for one of the directories in fpath not owned by $_i_owners
# - and for files in directories from fpath not owned by $_i_owners
# (including zwc files)
_i_wdirs=( ${^fpath}(N-f:g+w:,-f:o+w:,-^${_i_owners})
${^fpath:h}(N-f:g+w:,-f:o+w:,-^${_i_owners}) )
# RedHat Linux "per-user groups" check. This is tricky, because it's very
# difficult to tell whether the sysadmin has put someone else into your
# "private" group (e.g., via the default group field in /etc/passwd, or
# by NFS group sharing with an untrustworthy machine). So we must assume
# that this has not happened, and pick the best group.
if (( $#_i_wdirs )); then
local GROUP GROUPMEM _i_pw _i_gid
if ((UID == EUID )); then
getent group $LOGNAME | IFS=: read GROUP _i_pw _i_gid GROUPMEM
else
getent group $EGID | IFS=: read GROUP _i_pw _i_gid GROUPMEM
fi
if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]
then
_i_wdirs=( ${^_i_wdirs}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^${_i_owners}) )
fi
fi
if [[ -f /etc/debian_version ]]
then
local _i_ulwdirs
_i_ulwdirs=( ${(M)_i_wdirs:#/usr/local/*} )
_i_wdirs=( ${_i_wdirs:#/usr/local/*} ${^_i_ulwdirs}(Nf:g+ws:^g:staff:,f:o+w:,^u0) )
fi
_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N-^${_i_owners}) )
_i_wfiles=( ${^fpath}/^([^_]*|*~)(N-^${_i_owners}) )
case "${#_i_wdirs}:${#_i_wfiles}" in
(0:0) _i_q= ;;
(0:*) _i_q=files ;;
(*:0) _i_q=directories ;;
(*:*) _i_q='directories and files' ;;
esac
if [[ -n "$_i_q" ]]; then
[[ $_i_fail == verbose ]] && {
print There are insecure ${_i_q}: 1>&2
print -l - $_i_wdirs $_i_wfiles
}
return 1
fi
return 0
} # Define and then call
compaudit "$@"
|