From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 16 21:50:24 2007
Resent-Date: Tue, 16 Jan 2007 21:50:23 GMT
Resent-Message-Id: <200701162150.l0GLoNFU020070@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Bjoern Voigt
Message-Id: <200701162147.l0GLlDSe096574@www.freebsd.org>
Date: Tue, 16 Jan 2007 21:47:13 GMT
From: Bjoern Voigt
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/108020: Comsat does not verify return values of getpwnam and setuid

>Number:         108020
>Category:       misc
>Synopsis:       Comsat does not verify return values of getpwnam and setuid
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 16 21:50:21 GMT 2007
>Originator:     Bjoern Voigt
>Release:        6.2-PRERELEASE
>Environment:
FreeBSD mybox 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Sun Nov 26 21:50:02 CET 2006 root@mybox:/usr/obj/lx/suse/var/ctm/src/sys/GENERIC.bv i386
>Description:
I reviewed the code of comsat (/usr/src/libexec/comsat/comsat.c). There are two potential problems in function jkfprintf():

    [...]
    /* Set effective uid to user in case mail drop is on nfs */
    if ((p = getpwnam(user)) != NULL)
        (void) setuid(p->pw_uid);
    [...]

1) If getpwnam() fails, the function continues without dropping privileges.

2) The return value of setuid() is not checked. The manual page says that setuid() can only fail for non-root. Anyway, it is not good style to ignore the result of setuid().
>How-To-Repeat:
Faked comsat requests can be generated with "nc" (netcat). A "bad" user could send non-existing user names (getpwnam() will fail and setuid() will not be called). He could also send file names which should not be readable by the user who receives the biff messages.
netcat can be used this way (tested with netcat from the ports collection):

    $ /usr/local/bin/nc -u localhost 512
    user@0:/some/file
    Control-c

(Mail for "user", offset byte 0, mailbox "/some/file")
>Fix:
getpwnam problem: I suggest returning from function jkfprintf() if getpwnam() fails.

setuid problem: I suggest returning from function jkfprintf() if getpwnam() fails and if getuid() returns 0 (root). The check for user root may not be necessary, since normal users cannot really switch the uid with setuid() if the program is not installed set-uid (as far as I know).

I could help with a patch and with testing.
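The two checks the report asks for, written out as an added example that is not comsat's code or the reporter's patch: a hypothetical helper drop_to_user() that refuses to continue when getpwnam() fails, checks the result of setuid() regardless of the caller's uid, and confirms the uid actually changed, so that a caller like jkfprintf() can return instead of reading the mailbox with its original privileges.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes for the helper (not from comsat). */
enum drop_result {
    DROP_OK = 0,
    DROP_UNKNOWN_USER = -1,     /* getpwnam() found no such user          */
    DROP_SETUID_FAILED = -2,    /* setuid() returned -1                   */
    DROP_STILL_PRIVILEGED = -3  /* uid did not actually change afterwards */
};

/* Switch to `user` before touching the mail drop, or report why not.
 * Unlike the snippet in the report, a NULL from getpwnam() is an error,
 * and the setuid() result is checked whether or not we run as root. */
int drop_to_user(const char *user)
{
    struct passwd *p;
    uid_t target;

    p = getpwnam(user);
    if (p == NULL)
        return DROP_UNKNOWN_USER;   /* do not go on as the original uid */

    target = p->pw_uid;
    if (setuid(target) == -1)
        return DROP_SETUID_FAILED;  /* e.g. EPERM for a non-root caller */

    /* Confirm both real and effective uid are now the target user. */
    if (getuid() != target || geteuid() != target)
        return DROP_STILL_PRIVILEGED;

    return DROP_OK;
}

int main(int argc, char **argv)
{
    /* "nobody" is only a demonstration default; pass a user name to try another. */
    const char *user = argc > 1 ? argv[1] : "nobody";
    int rc = drop_to_user(user);

    printf("drop_to_user(\"%s\") -> %d (uid now %u, euid %u)\n",
           user, rc, (unsigned)getuid(), (unsigned)geteuid());
    return rc == DROP_OK ? 0 : 1;
}
```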