From owner-freebsd-audit Sat Aug 18 22:13: 8 2001 Delivered-To: freebsd-audit@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id 86F2F37B406 for ; Sat, 18 Aug 2001 22:12:59 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BC39C66D3E; Sat, 18 Aug 2001 22:12:58 -0700 (PDT) Date: Sat, 18 Aug 2001 22:12:58 -0700 From: Kris Kennaway To: audit@FreeBSD.org Subject: Checking issetugid() with getenv() in libraries Message-ID: <20010818221258.A79194@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cNdxnHkX5QqsyA0e" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --cNdxnHkX5QqsyA0e Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable There were a number of places where library routines blindly use getenv() in ways which may be insecure if called from setugid code. Please review the following. I also changed the uthread_info.c to respect TMPDIR if !issetugid() instead of dumping to /tmp always. Kris Index: libc/db/test/dbtest.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v retrieving revision 1.4 diff -u -r1.4 dbtest.c --- libc/db/test/dbtest.c 2000/08/04 10:50:21 1.4 +++ libc/db/test/dbtest.c 2001/08/19 04:25:47 @@ -155,7 +155,8 @@ * want it around, and it often screws up tests. */ if (fname =3D=3D NULL) { - p =3D getenv("TMPDIR"); + if (issetugid() =3D=3D 0) + p =3D getenv("TMPDIR"); if (p =3D=3D NULL) p =3D "/var/tmp"; (void)snprintf(buf, sizeof(buf), "%s/__dbtest", p); Index: libc/gen/exec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v retrieving revision 1.16 diff -u -r1.16 exec.c --- libc/gen/exec.c 2001/01/24 12:59:21 1.16 +++ libc/gen/exec.c 2001/08/19 04:25:23 @@ -224,7 +224,7 @@ } =20 /* Get the path we're searching. */ - if (!(path =3D getenv("PATH"))) + if (issetugid() !=3D 0 || !(path =3D getenv("PATH"))) path =3D _PATH_DEFPATH; cur =3D alloca(strlen(path) + 1); if (cur =3D=3D NULL) { Index: libc/rpc/getnetpath.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v retrieving revision 1.1 diff -u -r1.1 getnetpath.c --- libc/rpc/getnetpath.c 2001/03/19 12:49:51 1.1 +++ libc/rpc/getnetpath.c 2001/08/19 04:35:18 @@ -105,7 +105,7 @@ } np_sessionp->valid =3D NP_VALID; np_sessionp->ncp_list =3D NULL; - if ((npp =3D getenv(NETPATH)) =3D=3D NULL) { + if (issetugid() !=3D 0 || (npp =3D getenv(NETPATH)) =3D=3D NULL) { np_sessionp->netpath =3D NULL; } else { (void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/ Index: libc/stdio/tmpfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v retrieving revision 1.6 diff -u -r1.6 tmpfile.c --- libc/stdio/tmpfile.c 2001/07/07 04:08:32 1.6 +++ libc/stdio/tmpfile.c 2001/08/19 04:19:53 @@ -61,7 +61,8 @@ char *buf; const char *tmpdir; =20 - tmpdir =3D getenv("TMPDIR"); + if (issetugid() =3D=3D 0) + tmpdir =3D getenv("TMPDIR"); if (tmpdir =3D=3D NULL) tmpdir =3D _PATH_TMP; =20 Index: libc_r/uthread/uthread_info.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v retrieving revision 1.19 diff -u -r1.19 uthread_info.c --- libc_r/uthread/uthread_info.c 2001/04/10 04:19:20 1.19 +++ libc_r/uthread/uthread_info.c 2001/05/28 22:08:44 @@ -31,13 +31,14 @@ * * $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.19 2001/04/10 04:19= :20 deischen Exp $ */ +#include +#include #include #include -#include #include -#include +#include #include -#include +#include #include "pthread_private.h" =20 #ifndef NELEMENTS @@ -85,15 +86,21 @@ int fd; int i; pthread_t pthread; - char tmpfile[128]; + char *tmpdir; + char tmpfile[PATH_MAX]; pq_list_t *pq_list; =20 + tmpdir =3D NULL; + if (issetugid() =3D=3D 0) + tmpdir =3D getenv("TMPDIR"); + if (tmpdir =3D=3D NULL) + tmpdir =3D _PATH_TMP; for (i =3D 0; i < 100000; i++) { - snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i", - getpid(), i); + snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i", + tmpdir, getpid(), i); /* Open the dump file for append and create it if necessary: */ if ((fd =3D __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL, - 0666)) < 0) { + 0644)) < 0) { /* Can't open the dump file. */ if (errno =3D=3D EEXIST) continue; Index: libcompat/4.3/rexec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v retrieving revision 1.6 diff -u -r1.6 rexec.c --- libcompat/4.3/rexec.c 2000/08/04 11:15:48 1.6 +++ libcompat/4.3/rexec.c 2001/08/19 04:54:58 @@ -145,6 +145,8 @@ int t, i, c, usedefault =3D 0; struct stat stb; =20 + if (issetugid() !=3D 0) + return (0); /* Don't read .netrc */ hdir =3D getenv("HOME"); if (hdir =3D=3D NULL) hdir =3D "."; Index: libncp/ncpl_rcfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v retrieving revision 1.3 diff -u -r1.3 ncpl_rcfile.c --- libncp/ncpl_rcfile.c 2000/05/26 02:00:20 1.3 +++ libncp/ncpl_rcfile.c 2001/08/19 04:52:39 @@ -390,7 +390,8 @@ char *home, *fn; int error; =20 - home =3D getenv("HOME"); + if (issetugid() =3D=3D 0) + home =3D getenv("HOME"); if (home) { fn =3D malloc(strlen(home) + 20); sprintf(fn, "%s/.nwfsrc", home); Index: libss/pager.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libss/pager.c,v retrieving revision 1.5 diff -u -r1.5 pager.c --- libss/pager.c 2000/12/09 09:35:33 1.5 +++ libss/pager.c 2001/08/19 04:56:47 @@ -81,7 +81,7 @@ sigsetmask(mask); } if (_ss_pager_name =3D=3D (char *)NULL) { - if ((_ss_pager_name =3D getenv("PAGER")) =3D=3D (char *)NULL) + if (issetugid() !=3D0 || (_ss_pager_name =3D getenv("PAGER")) =3D=3D (ch= ar *)NULL) _ss_pager_name =3D MORE; } (void) execlp(_ss_pager_name, _ss_pager_name, (char *) NULL); --cNdxnHkX5QqsyA0e Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7f0rZWry0BWjoQKURAl4GAKCpRirZxSivGKofcK3KE8FleLC/pACgxxkn bADUshcl3FDEuqbu6HAgvog= =0C9n -----END PGP SIGNATURE----- --cNdxnHkX5QqsyA0e-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message