Date: Sat, 18 Aug 2001 22:28:46 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: audit@FreeBSD.org
Subject: Re: Checking issetugid() with getenv() in libraries
Message-ID: <20010818222846.B79436@xor.obsecurity.org>
In-Reply-To: <20010818221258.A79194@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Aug 18, 2001 at 10:12:58PM -0700
References: <20010818221258.A79194@xor.obsecurity.org>
On Sat, Aug 18, 2001 at 10:12:58PM -0700, Kris Kennaway wrote:
> There were a number of places where library routines blindly use
> getenv() in ways which may be insecure if called from setugid code.
> Please review the following.
>
> I also changed the uthread_info.c to respect TMPDIR if !issetugid()
> instead of dumping to /tmp always.
Another one:
Index: ./libdialog/rc.c
===================================================================
RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v
retrieving revision 1.2
diff -u -r1.2 rc.c
--- ./libdialog/rc.c 1994/10/20 21:56:43 1.2
+++ ./libdialog/rc.c 2001/08/19 05:27:47
@@ -103,12 +103,12 @@
*
*/
- if ((tempptr = getenv("DIALOGRC")) != NULL)
+ if (issetugid() == 0 && (tempptr = getenv("DIALOGRC")) != NULL)
rc_file = fopen(tempptr, "rt");
if (tempptr == NULL || rc_file == NULL) { /* step (a) failed? */
/* try step (b) */
- if ((tempptr = getenv("HOME")) == NULL)
+ if (issetugid() != 0 || (tempptr = getenv("HOME")) == NULL)
return 0; /* step (b) failed, use default values */
if (tempptr[0] == '\0' || lastch(tempptr) == '/')
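Review bot: In the step (a) condition, `issetugid() == 0 && (tempptr = getenv("DIALOGRC")) != NULL` short-circuits in a setugid process, so `tempptr` is never assigned there, yet the following line still tests `tempptr == NULL || rc_file == NULL`. Before this change `tempptr` was always set by `getenv()`; now the setugid path reaches the `return 0` in step (b) only if `tempptr` or `rc_file` is already NULL from an initializer that is not visible in this hunk. A single `if (issetugid() != 0) return 0;` placed ahead of step (a) would make the early exit unconditional and would also avoid calling `issetugid()` twice.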
Kris
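
The check discussed in this thread, written as one gate in front of every environment lookup; this is an added example, not code from the original message or from FreeBSD. The names `env_is_tainted` and `rc_path`, the `.dialogrc` file name and the Linux `getauxval(AT_SECURE)` branch are assumptions, and the helper only resolves the path without opening the file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* Nonzero when the process was started setuid/setgid (environment untrusted). */
static int env_is_tainted(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE) != 0;   /* glibc provides no issetugid() */
#else
    return issetugid() != 0;            /* FreeBSD and other BSDs */
#endif
}

/* Hypothetical helper: store the rc file path in buf and return buf, or
 * return NULL when built-in defaults must be used. The tainted flag is a
 * parameter so both branches can be exercised without a setuid binary. */
static const char *rc_path(int tainted, char *buf, size_t len)
{
    const char *p;
    int n;

    if (tainted)                        /* single gate: never read the environment */
        return NULL;
    if ((p = getenv("DIALOGRC")) != NULL && *p != '\0')
        n = snprintf(buf, len, "%s", p);
    else if ((p = getenv("HOME")) != NULL && *p != '\0')
        n = snprintf(buf, len, "%s%s.dialogrc", p,     /* file name is assumed */
                     p[strlen(p) - 1] == '/' ? "" : "/");
    else
        return NULL;
    return (n < 0 || (size_t)n >= len) ? NULL : buf;   /* reject truncated paths */
}

int main(void)
{
    char buf[1024];
    const char *p = rc_path(env_is_tainted(), buf, sizeof buf);
    printf("rc file: %s\n", p ? p : "(built-in defaults)");
    return 0;
}
```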
