Date:      Sat, 18 Aug 2001 22:28:46 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        audit@FreeBSD.org
Subject:   Re: Checking issetugid() with getenv() in libraries
Message-ID:  <20010818222846.B79436@xor.obsecurity.org>
In-Reply-To: <20010818221258.A79194@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Aug 18, 2001 at 10:12:58PM -0700
References:  <20010818221258.A79194@xor.obsecurity.org>

On Sat, Aug 18, 2001 at 10:12:58PM -0700, Kris Kennaway wrote:
> There were a number of places where library routines blindly use
> getenv() in ways which may be insecure if called from setugid code.
> Please review the following.
>
> I also changed the uthread_info.c to respect TMPDIR if !issetugid()
> instead of dumping to /tmp always.

Another one:

Index: ./libdialog/rc.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v
retrieving revision 1.2
diff -u -r1.2 rc.c
--- ./libdialog/rc.c	1994/10/20 21:56:43	1.2
+++ ./libdialog/rc.c	2001/08/19 05:27:47
@@ -103,12 +103,12 @@
    *
    */
=20
-  if ((tempptr =3D getenv("DIALOGRC")) !=3D NULL)
+  if (issetugid() =3D=3D 0 && (tempptr =3D getenv("DIALOGRC")) !=3D NULL)
     rc_file =3D fopen(tempptr, "rt");
=20
   if (tempptr =3D=3D NULL || rc_file =3D=3D NULL) {    /* step (a) failed?=
 */
     /* try step (b) */
-    if ((tempptr =3D getenv("HOME")) =3D=3D NULL)
+    if (issetugid() !=3D 0 || (tempptr =3D getenv("HOME")) =3D=3D NULL)
       return 0;    /* step (b) failed, use default values */
=20
     if (tempptr[0] =3D=3D '\0' || lastch(tempptr) =3D=3D '/')
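
Review bot: In the first changed condition, when issetugid() is non-zero the && short-circuits and tempptr is never assigned from getenv("DIALOGRC"), yet the following test (tempptr == NULL || rc_file == NULL) still reads both tempptr and rc_file. That is only safe if both are initialized to NULL before this point, which the hunk does not show; otherwise the setugid path can skip step (b) and continue with an indeterminate rc_file. Suggest assigning NULL to tempptr and rc_file explicitly before step (a), or testing issetugid() once up front and returning 0 there, which also removes the duplicated call. The comment block above that describes steps (a) and (b) should also say that DIALOGRC and HOME are ignored for setugid callers.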

Kris
