From owner-freebsd-bugs Wed Jan 27 10:50:10 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA23247 for freebsd-bugs-outgoing; Wed, 27 Jan 1999 10:50:10 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA23176 for ; Wed, 27 Jan 1999 10:50:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.2/8.9.2) id KAA09540; Wed, 27 Jan 1999 10:50:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from nobody@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA22605; Wed, 27 Jan 1999 10:45:04 -0800 (PST) (envelope-from nobody) Message-Id: <199901271845.KAA22605@hub.freebsd.org> Date: Wed, 27 Jan 1999 10:45:04 -0800 (PST) From: jose@we.lc.ehu.es To: freebsd-gnats-submit@FreeBSD.ORG X-Send-Pr-Version: www-1.0 Subject: bin/9729: lpr -r does not remove files under sticky directories [FIX KNOWN] Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 9729 >Category: bin >Synopsis: lpr -r does not remove files under sticky directories [FIX KNOWN] >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Jan 27 10:50:01 PST 1999 >Closed-Date: >Last-Modified: >Originator: Jose M. Alcaide >Release: 3.0-STABLE (1999/01/26) >Organization: Universidad del Pais Vasco - Dept. de Electricidad y Electronica >Environment: FreeBSD tiburon.we.lc.ehu.es 3.0-STABLE FreeBSD 3.0-STABLE #1: Tue Jan 26 11:31:42 CET 1999 toor@tiburon.we.lc.ehu.es:/usr/src/sys/compile/TIBURON i386 >Description: A serious bug was introduced in lpr.c version 1.22, which prevents lpr from removing files (when called as "lpr -r") when they are under a "sticky" directory (such as /tmp). This is serious because some packages (such as Samba) spool the print jobs under such directories (/var/spool/samba, for example). Since files are not removed after they are queued, the directory contents grows, and grows... until /var is full. >How-To-Repeat: As an unprivileged user, create a non empty file in a sticky directory (such as /tmp). Then, do a "lpr -r ". >Fix: Yes, it is known. (All references are to lpr.c version 1.27.) Starting at line 653, the checkwriteperm() function checks that the owner UID of the file matchs the variable "userid", which should store the real UID of the lpr process. However, the "userid" variable has never been initialized (its contents is 0 since it is static). The problem resides in main(), lines 269-276. The "userid" variable is modified only here. But this only happens if getlogin() returns NULL. Simply, the sentence "userid = getuid()" should be moved just before that "if" structure. I did not write a patch because I think that there are more problems in those lines of code. For example, the "person" variable is always modified, so it renders the lpr's "-U" option useless. And, inside that "if", another expression compares "person" with 0; this is not needed because "person" must be NULL there. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message