Date: Sat, 18 Aug 2001 22:12:58 -0700 From: Kris Kennaway <kris@obsecurity.org> To: audit@FreeBSD.org Subject: Checking issetugid() with getenv() in libraries Message-ID: <20010818221258.A79194@xor.obsecurity.org>
next in thread | raw e-mail | index | archive | help
--cNdxnHkX5QqsyA0e
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
There were a number of places where library routines blindly use
getenv() in ways which may be insecure if called from setugid code.
Please review the following.
I also changed the uthread_info.c to respect TMPDIR if !issetugid()
instead of dumping to /tmp always.
Kris
Index: libc/db/test/dbtest.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v
retrieving revision 1.4
diff -u -r1.4 dbtest.c
--- libc/db/test/dbtest.c 2000/08/04 10:50:21 1.4
+++ libc/db/test/dbtest.c 2001/08/19 04:25:47
@@ -155,7 +155,8 @@
* want it around, and it often screws up tests.
*/
if (fname =3D=3D NULL) {
- p =3D getenv("TMPDIR");
+ if (issetugid() =3D=3D 0)
+ p =3D getenv("TMPDIR");
if (p =3D=3D NULL)
p =3D "/var/tmp";
(void)snprintf(buf, sizeof(buf), "%s/__dbtest", p);
Index: libc/gen/exec.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v
retrieving revision 1.16
diff -u -r1.16 exec.c
--- libc/gen/exec.c 2001/01/24 12:59:21 1.16
+++ libc/gen/exec.c 2001/08/19 04:25:23
@@ -224,7 +224,7 @@
}
=20
/* Get the path we're searching. */
- if (!(path =3D getenv("PATH")))
+ if (issetugid() !=3D 0 || !(path =3D getenv("PATH")))
path =3D _PATH_DEFPATH;
cur =3D alloca(strlen(path) + 1);
if (cur =3D=3D NULL) {
Index: libc/rpc/getnetpath.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v
retrieving revision 1.1
diff -u -r1.1 getnetpath.c
--- libc/rpc/getnetpath.c 2001/03/19 12:49:51 1.1
+++ libc/rpc/getnetpath.c 2001/08/19 04:35:18
@@ -105,7 +105,7 @@
}
np_sessionp->valid =3D NP_VALID;
np_sessionp->ncp_list =3D NULL;
- if ((npp =3D getenv(NETPATH)) =3D=3D NULL) {
+ if (issetugid() !=3D 0 || (npp =3D getenv(NETPATH)) =3D=3D NULL) {
np_sessionp->netpath =3D NULL;
} else {
(void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/
Index: libc/stdio/tmpfile.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v
retrieving revision 1.6
diff -u -r1.6 tmpfile.c
--- libc/stdio/tmpfile.c 2001/07/07 04:08:32 1.6
+++ libc/stdio/tmpfile.c 2001/08/19 04:19:53
@@ -61,7 +61,8 @@
char *buf;
const char *tmpdir;
=20
- tmpdir =3D getenv("TMPDIR");
+ if (issetugid() =3D=3D 0)
+ tmpdir =3D getenv("TMPDIR");
if (tmpdir =3D=3D NULL)
tmpdir =3D _PATH_TMP;
=20
Index: libc_r/uthread/uthread_info.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v
retrieving revision 1.19
diff -u -r1.19 uthread_info.c
--- libc_r/uthread/uthread_info.c 2001/04/10 04:19:20 1.19
+++ libc_r/uthread/uthread_info.c 2001/05/28 22:08:44
@@ -31,13 +31,14 @@
*
* $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.19 2001/04/10 04:19=
:20 deischen Exp $
*/
+#include <errno.h>
+#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
-#include <fcntl.h>
#include <string.h>
-#include <unistd.h>
+#include <paths.h>
#include <pthread.h>
-#include <errno.h>
+#include <unistd.h>
#include "pthread_private.h"
=20
#ifndef NELEMENTS
@@ -85,15 +86,21 @@
int fd;
int i;
pthread_t pthread;
- char tmpfile[128];
+ char *tmpdir;
+ char tmpfile[PATH_MAX];
pq_list_t *pq_list;
=20
+ tmpdir =3D NULL;
+ if (issetugid() =3D=3D 0)
+ tmpdir =3D getenv("TMPDIR");
+ if (tmpdir =3D=3D NULL)
+ tmpdir =3D _PATH_TMP;
for (i =3D 0; i < 100000; i++) {
- snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i",
- getpid(), i);
+ snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i",
+ tmpdir, getpid(), i);
/* Open the dump file for append and create it if necessary: */
if ((fd =3D __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL,
- 0666)) < 0) {
+ 0644)) < 0) {
/* Can't open the dump file. */
if (errno =3D=3D EEXIST)
continue;
Index: libcompat/4.3/rexec.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v
retrieving revision 1.6
diff -u -r1.6 rexec.c
--- libcompat/4.3/rexec.c 2000/08/04 11:15:48 1.6
+++ libcompat/4.3/rexec.c 2001/08/19 04:54:58
@@ -145,6 +145,8 @@
int t, i, c, usedefault =3D 0;
struct stat stb;
=20
+ if (issetugid() !=3D 0)
+ return (0); /* Don't read .netrc */
hdir =3D getenv("HOME");
if (hdir =3D=3D NULL)
hdir =3D ".";
Index: libncp/ncpl_rcfile.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v
retrieving revision 1.3
diff -u -r1.3 ncpl_rcfile.c
--- libncp/ncpl_rcfile.c 2000/05/26 02:00:20 1.3
+++ libncp/ncpl_rcfile.c 2001/08/19 04:52:39
@@ -390,7 +390,8 @@
char *home, *fn;
int error;
=20
- home =3D getenv("HOME");
+ if (issetugid() =3D=3D 0)
+ home =3D getenv("HOME");
if (home) {
fn =3D malloc(strlen(home) + 20);
sprintf(fn, "%s/.nwfsrc", home);
Index: libss/pager.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/lib/libss/pager.c,v
retrieving revision 1.5
diff -u -r1.5 pager.c
--- libss/pager.c 2000/12/09 09:35:33 1.5
+++ libss/pager.c 2001/08/19 04:56:47
@@ -81,7 +81,7 @@
sigsetmask(mask);
}
if (_ss_pager_name =3D=3D (char *)NULL) {
- if ((_ss_pager_name =3D getenv("PAGER")) =3D=3D (char *)NULL)
+ if (issetugid() !=3D0 || (_ss_pager_name =3D getenv("PAGER")) =3D=3D (ch=
ar *)NULL)
_ss_pager_name =3D MORE;
}
(void) execlp(_ss_pager_name, _ss_pager_name, (char *) NULL);
--cNdxnHkX5QqsyA0e
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE7f0rZWry0BWjoQKURAl4GAKCpRirZxSivGKofcK3KE8FleLC/pACgxxkn
bADUshcl3FDEuqbu6HAgvog=
=0C9n
-----END PGP SIGNATURE-----
--cNdxnHkX5QqsyA0e--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010818221258.A79194>