From: J Wunsch
To: audit@freebsd.org
Date: Tue, 3 Apr 2001 12:58:25 +0200
Subject: security nit in lpr/common/common.c?
Message-ID: <20010403125825.C75920@ida.interface-business.de>

Hi all,

the following doesn't seem to be quite right to me:

    while ((d = readdir(dirp)) != NULL) {
        if (d->d_name[0] != 'c' || d->d_name[1] != 'f')
            continue;   /* daemon control files only */
        seteuid(euid);
        if (stat(d->d_name, &stbuf) < 0)
            continue;   /* Doesn't exist */
        seteuid(uid);

Shouldn't this be

    while ((d = readdir(dirp)) != NULL) {
        int i;

        if (d->d_name[0] != 'c' || d->d_name[1] != 'f')
            continue;   /* daemon control files only */
        seteuid(euid);
        i = stat(d->d_name, &stbuf);
        seteuid(uid);
        if (i < 0)
            continue;   /* Doesn't exist */

instead?

Judging from some ktrace output it's not really a security problem
since the switch is from/to UID 0, but just in case...

-- 
J"org Wunsch                                    Unix support engineer
joerg_wunsch@interface-systems.de   http://www.interface-systems.de/~j
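
The pattern proposed in the message, written out as an added example (not part of the original post and not FreeBSD's lpr source): the privileged stat() is wrapped so the effective UID is restored on every path and the seteuid() results are checked. The names priv_stat and count_control_files are hypothetical, and passing the same UID for both arguments is an assumption that lets it run without root.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* stat() path with the effective UID raised to priv, then always drop
 * back to unpriv before returning, on success and on failure alike. */
static int priv_stat(const char *path, struct stat *sb, uid_t priv, uid_t unpriv)
{
    int rc, saved;

    if (seteuid(priv) != 0)
        return -1;               /* could not raise: nothing to undo */
    rc = stat(path, sb);
    saved = errno;               /* seteuid() below may clobber errno */
    if (seteuid(unpriv) != 0)
        abort();                 /* never continue with raised privileges */
    errno = saved;
    return rc;
}

/* Count "cf*" control files in dir that stat() succeeds on.
 * Returns -1 if the directory cannot be opened. */
int count_control_files(const char *dir, uid_t priv, uid_t unpriv)
{
    char path[1024];
    struct stat sb;
    struct dirent *d;
    int n = 0;
    DIR *dirp = opendir(dir);

    if (dirp == NULL)
        return -1;
    while ((d = readdir(dirp)) != NULL) {
        if (d->d_name[0] != 'c' || d->d_name[1] != 'f')
            continue;            /* daemon control files only */
        snprintf(path, sizeof(path), "%s/%s", dir, d->d_name);
        if (priv_stat(path, &sb, priv, unpriv) < 0)
            continue;            /* doesn't exist; euid already restored */
        n++;
    }
    closedir(dirp);
    return n;
}
```

Because the drop happens inside the helper, no `continue` or early return in the loop body can skip it, which is the failure mode the message points out.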