Avoid local exploitability with compile output file. Add 'compile' as a synonym for 'generate'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3254 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -8821,8 +8821,9 @@ define_firewall() # $1 = Command (Start or Restart)
 #
 # Compile a Restore Script
 #
-generate_firewall() # $1 = File Name
+compile_firewall() # $1 = File Name
 {
+    file=$1 dir=$(dirname $1)
     #
     # We overload a number of functions when compiling.
     #
@@ -8903,6 +8904,21 @@ generate_firewall() # $1 = File Name
     #
     # END OVERLOADED FUNCTIONS
     #
+    case $file in
+	*/*)
+	    [ -d $dir ] || startup_error "Directory $dir does not exist"
+	    [ -h $dir ] && startup_error "$dir is a Symbolic Link"
+	    [ -d $file ] && startup_error "$file is a Directory"
+	    [ -h $file ] && startup_error "$file is a Symbolic Link"
+
+	    ;;
+	*)
+	    file=/var/lib/shorewall/$1
+	    ;;
+    esac
+
+    [ -f $file -a ! -x $file ] && startup_error "$file exists and is not a restore file"
+
     verify_os_version
     verify_ip
 
@@ -9029,15 +9045,6 @@ generate_firewall() # $1 = File Name
 
     run_user_exit started
 
-    case $1 in
-	*/*)
-	    file=$1
-	    ;;
-	*)
-	    file=/var/lib/shorewall/$1
-	    ;;
-    esac
-
     mv -f $RESTOREBASE $file
 
     chmod 700 $file
@@ -9593,10 +9600,10 @@ case "$COMMAND" in
 	check_config
 	;;
 
-    generate)
+    compile|generate)
 	[ $# -ne 2 ] && usage
 	do_initialize
-	generate_firewall $2
+	compile_firewall $2
 	;;
 
     call)

Shorewall/help

@@ -65,6 +65,14 @@ clear)
     firewall is causing connection problems."
 	;;
 
+compile)
+	echo "compile: compile [ <directory name> ] <file name>
+    Compiles the current configuration into the executable file
+    /var/lib/shorewall/<file name>"
+
+    'generate' is a synonym for 'compile'.
+	;;
+
 debug)
 	echo "debug: debug
     If you include the keyword debug as the first argument to any
@@ -115,6 +123,8 @@ generate)
 	echo "generate: generate [ <directory name> ] <file name>
     Compiles the current configuration into the executable file
     /var/lib/shorewall/<file name>"
+
+    'compile' is a synonym for 'generate'.
 	;;
 
 help)

Shorewall/shorewall

@@ -108,7 +108,7 @@
 #                                                  confirmation to accept or reject the new
 #                                                  configuration
 #
-#          shorewall generate [ <directory> ] ]<filename>
+#          shorewall {generate|compile} [ <directory> ] ]<filename>
 #                                                  Compile a pseudo restore file.
 #
 #          shorewall reload [ <directory name> ]   Safe reload
@@ -505,6 +505,7 @@ usage() # $1 = exit status
     echo "   allow <address> ..."
     echo "   check [ <directory> ]"
     echo "   clear"
+    echo "   compile [ <directory name> ] <file name>"
     echo "   drop <address> ..."
     echo "   dump"
     echo "   forget [ <file name> ]"
@@ -818,7 +819,7 @@ case "$1" in
 	export NOROUTES
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
 	;;
-    generate)
+    compile|generate)
 	file=
 	case $# in
 	    1)
@@ -901,7 +902,7 @@ case "$1" in
 
 	export NOROUTES
 
-	if $SHOREWALL_SHELL $FIREWALL $debugging $nolock generate .reload; then
+	if $SHOREWALL_SHELL $FIREWALL $debugging $nolock compile .reload; then
 	   [ -n "$QUIET" ] && QUIET=-q
 	   $0 $QUIET restore .reload
 	fi