Date: Sun, 2 Sep 2001 22:54:45 -0700 From: Kris Kennaway <kris@obsecurity.org> To: audit@FreeBSD.org Subject: issetugid checks revisited Message-ID: <20010902225445.A27902@xor.obsecurity.org>
[-- Attachment #1 --]
I posted a broken version of this a few weeks ago. I think this
updated version fixes all of the bugs. Reviews, please?
Kris
Index: lib/libc/db/test/dbtest.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v
retrieving revision 1.4
diff -u -r1.4 dbtest.c
--- lib/libc/db/test/dbtest.c 2000/08/04 10:50:21 1.4
+++ lib/libc/db/test/dbtest.c 2001/08/20 07:44:18
@@ -52,6 +52,7 @@
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
+#include <paths.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -155,9 +156,8 @@
* want it around, and it often screws up tests.
*/
if (fname == NULL) {
- p = getenv("TMPDIR");
- if (p == NULL)
- p = "/var/tmp";
+ if (issetugid() != 0 || (p = getenv("TMPDIR")) == NULL);
+ p = _PATH_VARTMP;
(void)snprintf(buf, sizeof(buf), "%s/__dbtest", p);
fname = buf;
(void)unlink(buf);
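Review bot: The added `if (issetugid() != 0 || (p = getenv("TMPDIR")) == NULL);` ends in a stray semicolon, so the `if` has an empty body and `p = _PATH_VARTMP;` runs unconditionally. TMPDIR is then never honoured, even for a process that is not set-user-ID or set-group-ID. The result fails safe but is a behaviour regression for the test program; drop the semicolon so the line reads `if (issetugid() != 0 || (p = getenv("TMPDIR")) == NULL)`. Separately, `_PATH_VARTMP` conventionally ends in a slash, so the `"%s/__dbtest"` format would yield a doubled separator, which is harmless but worth confirming against `<paths.h>`.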
Index: lib/libc/gen/exec.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v
retrieving revision 1.17
diff -u -r1.17 exec.c
--- lib/libc/gen/exec.c 2001/08/13 14:06:21 1.17
+++ lib/libc/gen/exec.c 2001/08/20 07:45:03
@@ -222,7 +222,7 @@
}
/* Get the path we're searching. */
- if (!(path = getenv("PATH")))
+ if (issetugid() != 0 || (path = getenv("PATH")) == NULL)
path = _PATH_DEFPATH;
cur = alloca(strlen(path) + 1);
if (cur == NULL) {
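Review bot: The new `issetugid() != 0 ||` test on the PATH lookup cannot tell a PATH inherited from the invoking user apart from one the privileged program has already replaced with a vetted value via `setenv`. Such a program would silently start searching `_PATH_DEFPATH` instead, so the behaviour change deserves to be documented in the man page and checked against existing set-user-ID callers. At minimum the existing comment should say why, e.g. `/* Get the path we're searching; ignore PATH when set[ug]id, it is caller-controlled. */`. The same unexplained guard is added in the getnetpath.c (NETPATH) and tmpfile.c (TMPDIR) hunks, and a one-line comment there would help too. The enclosing function starts and ends outside this hunk.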
Index: lib/libc/rpc/getnetpath.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v
retrieving revision 1.1
diff -u -r1.1 getnetpath.c
--- lib/libc/rpc/getnetpath.c 2001/03/19 12:49:51 1.1
+++ lib/libc/rpc/getnetpath.c 2001/08/19 04:35:18
@@ -105,7 +105,7 @@
}
np_sessionp->valid = NP_VALID;
np_sessionp->ncp_list = NULL;
- if ((npp = getenv(NETPATH)) == NULL) {
+ if (issetugid() != 0 || (npp = getenv(NETPATH)) == NULL) {
np_sessionp->netpath = NULL;
} else {
(void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/
Index: lib/libc/stdio/tmpfile.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v
retrieving revision 1.6
diff -u -r1.6 tmpfile.c
--- lib/libc/stdio/tmpfile.c 2001/07/07 04:08:32 1.6
+++ lib/libc/stdio/tmpfile.c 2001/08/20 07:45:29
@@ -61,8 +61,7 @@
char *buf;
const char *tmpdir;
- tmpdir = getenv("TMPDIR");
- if (tmpdir == NULL)
+ if (issetugid() != 0 || (tmpdir = getenv("TMPDIR")) == NULL)
tmpdir = _PATH_TMP;
(void)asprintf(&buf, "%s%s%s", tmpdir,
Index: lib/libc_r/uthread/uthread_info.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v
retrieving revision 1.20
diff -u -r1.20 uthread_info.c
--- lib/libc_r/uthread/uthread_info.c 2001/08/11 05:16:00 1.20
+++ lib/libc_r/uthread/uthread_info.c 2001/08/20 07:46:25
@@ -31,13 +31,14 @@
*
* $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.20 2001/08/11 05:16:00 imp Exp $
*/
+#include <errno.h>
+#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
-#include <fcntl.h>
#include <string.h>
-#include <unistd.h>
+#include <paths.h>
#include <pthread.h>
-#include <errno.h>
+#include <unistd.h>
#include "pthread_private.h"
#ifndef NELEMENTS
@@ -85,15 +86,18 @@
int fd;
int i;
pthread_t pthread;
- char tmpfile[128];
+ char *tmpdir;
+ char tmpfile[PATH_MAX];
pq_list_t *pq_list;
+ if (issetugid() != 0 || (tmpdir = getenv("TMPDIR")) == NULL)
+ tmpdir = _PATH_TMP;
for (i = 0; i < 100000; i++) {
- snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i",
- getpid(), i);
+ snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i",
+ tmpdir, getpid(), i);
/* Open the dump file for append and create it if necessary: */
if ((fd = __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL,
- 0666)) < 0) {
+ 0644)) < 0) {
/* Can't open the dump file. */
if (errno == EEXIST)
continue;
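Review bot: The `snprintf` into `tmpfile` now takes a prefix from TMPDIR but its return value is still ignored, so an over-long TMPDIR can truncate away the `uthread.dump.%u.%i` suffix. Every iteration would then produce the same name, and the loop would either create a file at an unintended path or spin through all 100000 `EEXIST` retries. Compare the result against `sizeof(tmpfile)` and fall back to `_PATH_TMP` (or give up) on truncation, e.g. `if ((size_t)snprintf(...) >= sizeof(tmpfile)) tmpdir = _PATH_TMP;` before retrying. `PATH_MAX` also needs `<limits.h>` or `<sys/param.h>`; neither is in the include hunk above, so presumably it arrives through `pthread_private.h`, which is worth confirming. The function body continues outside the hunk.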
Index: lib/libcompat/4.3/rexec.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v
retrieving revision 1.6
diff -u -r1.6 rexec.c
--- lib/libcompat/4.3/rexec.c 2000/08/04 11:15:48 1.6
+++ lib/libcompat/4.3/rexec.c 2001/08/20 10:23:33
@@ -52,6 +52,7 @@
#include <errno.h>
#include <ctype.h>
#include <err.h>
+#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>
@@ -144,8 +145,15 @@
char myname[MAXHOSTNAMELEN], *mydomain;
int t, i, c, usedefault = 0;
struct stat stb;
+ struct passwd *pwd;
- hdir = getenv("HOME");
+ if (issetugid() != 0 || (hdir = getenv("HOME")) == NULL) {
+ pwd = getpwuid(getuid());
+ if (pwd == NULL)
+ return (0);
+ hdir = pwd->pw_dir;
+ }
+
if (hdir == NULL)
hdir = ".";
if (strlen(hdir) + 8 > sizeof(buf))
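Review bot: The retained `if (hdir == NULL) hdir = ".";` fallback is now reachable only if `pwd->pw_dir` is NULL, and in a set-user-ID process it would make the `.netrc` lookup relative to the caller-chosen working directory. Since the new block already returns when `getpwuid` fails, that fallback should be removed or turned into `return (0);` so no path resolves against the current directory. Note also that `pwd->pw_dir` points into static storage owned by the `getpw*` functions; the code below appears to copy it into `buf` promptly, but that is outside the hunk and should be confirmed. A short comment on the new block explaining that HOME is ignored for setugid callers would help.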
Index: lib/libncp/ncpl_rcfile.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v
retrieving revision 1.3
diff -u -r1.3 ncpl_rcfile.c
--- lib/libncp/ncpl_rcfile.c 2000/05/26 02:00:20 1.3
+++ lib/libncp/ncpl_rcfile.c 2001/08/20 10:23:08
@@ -389,8 +389,15 @@
ncp_open_rcfile(void) {
char *home, *fn;
int error;
+ struct passwd *pwd;
- home = getenv("HOME");
+ if (issetugid() != 0 || (home = getenv("HOME")) == NULL) {
+ pwd = getpwuid(getuid());
+ if (pwd == NULL)
+ return 0;
+ home = pwd->pw_dir;
+ }
+
if (home) {
fn = malloc(strlen(home) + 20);
sprintf(fn, "%s/.nwfsrc", home);
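Review bot: Returning early with `return 0;` when `getpwuid` fails skips whatever `ncp_open_rcfile` does after the `if (home)` block, whereas the old code merely skipped the per-user file when HOME was unset. Because the `if (home)` guard is still there, setting `home = NULL` on failure keeps the previous control flow: `home = (pwd != NULL) ? pwd->pw_dir : NULL;`. The rest of the function is outside the hunk, so whether later steps exist (for example a system-wide rc file) needs checking. Unlike the rexec.c change, no `#include <pwd.h>` hunk is shown for this file; confirm it is already included, otherwise `struct passwd` and `getpwuid` are undeclared here.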
Index: gnu/lib/libdialog/rc.c
===================================================================
RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v
retrieving revision 1.2
diff -u -r1.2 rc.c
--- gnu/lib/libdialog/rc.c 1994/10/20 21:56:43 1.2
+++ gnu/lib/libdialog/rc.c 2001/08/20 07:55:27
@@ -86,8 +86,8 @@
int parse_rc(void)
{
int i, l = 1, parse, fg, bg, hl;
- unsigned char str[MAX_LEN+1], *var, *value, *tempptr;
- FILE *rc_file;
+ unsigned char str[MAX_LEN+1], *var, *value, *tempptr = NULL;
+ FILE *rc_file = NULL;
/*
*
@@ -103,12 +103,12 @@
*
*/
- if ((tempptr = getenv("DIALOGRC")) != NULL)
+ if (issetugid() == 0 && (tempptr = getenv("DIALOGRC")) != NULL)
rc_file = fopen(tempptr, "rt");
if (tempptr == NULL || rc_file == NULL) { /* step (a) failed? */
/* try step (b) */
- if ((tempptr = getenv("HOME")) == NULL)
+ if (issetugid() != 0 || (tempptr = getenv("HOME")) == NULL)
return 0; /* step (b) failed, use default values */
if (tempptr[0] == '\0' || lastch(tempptr) == '/')
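Review bot: The step-by-step comment above this code is not updated to say that both step (a) (DIALOGRC) and step (b) (HOME) are now skipped for set-user-ID/set-group-ID processes. This also differs from the rexec.c and ncpl_rcfile.c hunks in the same patch, which fall back to the passwd entry's home directory instead of giving up. If using built-in defaults is the intended policy for libdialog, say so next to the check, e.g. `/* setugid: ignore DIALOGRC and HOME, use compiled-in defaults */`. The comment block and the remainder of `parse_rc` lie partly outside the hunk.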
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE7kxslWry0BWjoQKURAszbAJ9kJr3vO/qc3EWEYI39cq9YxfJUzgCeOfcc
0ggDdqHpwaWx9a3rJx6Mz/U=
=KMwF
-----END PGP SIGNATURE-----
