From f0de5f5c43f39d45b5d9a656a80864f7a643e283 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 25 May 2020 21:18:29 -0400
Subject: [PATCH] lib/base: heim_config_parse_file_multi warn if ignoring included config
At present Heimdal silently ignores included configuration files that cannot be successfully opened or parsed. This is done to ensure that an administrator or configuration management tool cannot lock users out of a machine due to an editing mistake.
This change modifies heim_config_parse_file_multi() to warn the user if a configuration file cannot be parsed or if an included ("include" or "includedir") configuration file cannot be opened.
Example warnings for a configuration file starting with:
includedir c:/temp
where some of the matching file names cannot be parsed:
Ignoring: c:\temp\20170516:1: binding before section
or opened:
Ignoring: open or stat c:\temp\AUAA-83: Permission denied
A top level configuration file will also generate a warning if it can be opened but cannot be parsed successfully produces
Ignoring: c:\temp\foo.cmd:1: binding before section
Ignoring: C:\ProgramData\Kerberos\krb5.conf:22: unmatched }
Change-Id: I455854156f4a61e1b7dad7f96601eca23d2368eb
---
 lib/base/config_file.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/base/config_file.c b/lib/base/config_file.c
index 13392f2d8..85a71db50 100644
--- a/lib/base/config_file.c
+++ b/lib/base/config_file.c
@@ -658,17 +658,21 @@ heim_config_parse_file_multi(heim_context context,
 ret = heim_config_parse_debug(&f, res, &lineno, &str);
 fclose(f.f);
 if (ret) {
- if (ret != HEIM_ERR_CONFIG_BADFORMAT) {
+ if (ret != HEIM_ERR_CONFIG_BADFORMAT)
 ret = HEIM_ERR_CONFIG_BADFORMAT;
- heim_set_error_message(context, ret, "%s:%u: %s",
- fname, lineno, str);
- }
+ heim_set_error_message(context, ret, "%s:%u: %s",
+ fname, lineno, str);
 goto out;
 }
 }
 out:
 config_include_depth--;
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT || (ret && config_include_depth > 0)) {
+ heim_warn(context, ret, "Ignoring", fname);
+ if (config_include_depth > 0)
+ ret = 0;
+ }
 free(newfname);
 return ret;
 }
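Review bot: At `out:`, the new `if (config_include_depth > 0) ret = 0;` clears every non-zero `ret` from an included file, not only the open and parse failures the commit message describes, so any other error that reaches `out:` inside an include (the paths that set `ret` are outside this hunk) is also reported as success and the caller cannot tell that part of the Kerberos configuration was dropped. The only trace is the warning, so a comment there should state the fail-open intent and its limit, for example `/* Included files are best-effort: warn and continue so a broken include cannot lock users out; settings in the skipped file do not take effect. */`, and it is worth confirming what happens when the context has no warning destination configured, since the skip would then be silent again. Separately, `heim_warn(context, ret, "Ignoring", fname);` passes `fname` to a format with no conversion, so this call never prints it (the file name in the sample output appears to come from the message set by `heim_set_error_message`); `heim_warn(context, ret, "Ignoring");` would produce the same text without the stray argument. The function body starts above the hunk.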