Date: Sat, 18 Aug 2001 22:28:46 -0700
From: Kris Kennaway
To: Kris Kennaway
Cc: audit@FreeBSD.org
Subject: Re: Checking issetugid() with getenv() in libraries

On Sat, Aug 18, 2001 at 10:12:58PM -0700, Kris Kennaway wrote:
> There were a number of places where library routines blindly use
> getenv() in ways which may be insecure if called from setugid code.
> Please review the following.
>
> I also changed the uthread_info.c to respect TMPDIR if !issetugid()
> instead of dumping to /tmp always.

Another one:

Index: ./libdialog/rc.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v retrieving revision 1.2 diff -u -r1.2 rc.c --- ./libdialog/rc.c 1994/10/20 21:56:43 1.2 +++ ./libdialog/rc.c 2001/08/19 05:27:47 
@@ -103,12 +103,12 @@ * */ =20 - if ((tempptr =3D getenv("DIALOGRC")) !=3D NULL) + if (issetugid() =3D=3D 0 && (tempptr =3D getenv("DIALOGRC")) !=3D NULL) rc_file =3D fopen(tempptr, "rt"); =20 if (tempptr =3D=3D NULL || rc_file =3D=3D NULL) { /* step (a) failed?= */ /* try step (b) */ - if ((tempptr =3D getenv("HOME")) =3D=3D NULL) + if (issetugid() !=3D 0 || (tempptr =3D getenv("HOME")) =3D=3D NULL) return 0; /* step (b) failed, use default values */ =20 if (tempptr[0] =3D=3D '\0' || lastch(tempptr) =3D=3D '/')

Kris
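
Review bot: In the first changed condition, a nonzero issetugid() short-circuits the && so tempptr is never assigned, yet the unchanged test "if (tempptr == NULL || rc_file == NULL)" immediately after still reads both tempptr and rc_file. Unless both are initialized to NULL at their declarations (outside the visible lines), the setugid path compares indeterminate pointers and can skip step (b) and carry on with a garbage rc_file. Suggest setting tempptr = NULL and rc_file = NULL before the first if, or calling issetugid() once at the top and returning 0 there when it is nonzero, which gives the same "use default values" result and makes the second issetugid() check in step (b) unnecessary.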