Date: Tue, 3 Apr 2001 12:58:25 +0200 From: J Wunsch <j@ida.interface-business.de> To: audit@freebsd.org Subject: security nit in lpr/common/common.c? Message-ID: <20010403125825.C75920@ida.interface-business.de>
index | next in thread | raw e-mail
Hi all,
the following doesn't seem to be quite right to me:
while ((d = readdir(dirp)) != NULL) {
if (d->d_name[0] != 'c' || d->d_name[1] != 'f')
continue; /* daemon control files only */
seteuid(euid);
if (stat(d->d_name, &stbuf) < 0)
continue; /* Doesn't exist */
seteuid(uid);
Shouldn't this be
while ((d = readdir(dirp)) != NULL) {
int i;
if (d->d_name[0] != 'c' || d->d_name[1] != 'f')
continue; /* daemon control files only */
seteuid(euid);
i = stat(d->d_name, &stbuf);
seteuid(uid);
if (i < 0)
continue; /* Doesn't exist */
instead?
Judging from some ktrace output it's not really a security problem
since the switch is from/to UID 0, but just in case...
--
J"org Wunsch Unix support engineer
joerg_wunsch@interface-systems.de http://www.interface-systems.de/~j
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
home |
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010403125825.C75920>