Date:      Fri, 10 Dec 1999 02:33:29 -0800 (PST)
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Cc:        Warner Losh <imp@village.org>, Garance A Drosihn <drosih@rpi.edu>, current@FreeBSD.ORG
Subject:   Re: NO! Re: [PATCHES] Two fixes for lpd/lpc for review and test
Message-ID:  <Pine.BSF.4.21.9912100211050.4557-100000@fw.wintelcom.net>
In-Reply-To: <19991210074205.B12325@internal>

On Fri, 10 Dec 1999, Andre Albsmeier wrote:

> On Thu, 09-Dec-1999 at 15:02:41 -0800, Alfred Perlstein wrote:
> > On Thu, 9 Dec 1999, Andre Albsmeier wrote:
> > 
> > ...
> >
> > > For better reference, here is the current patch:
> > > 
> > 
> > I don't have too much time to think about this, argue me this:
> 
> Sure, please tell me if you don't want to get CC'ed on this anymore.

I'm sorry if I sounded like that, I didn't mean to. :)

> > why should I allow a user to print any file on the system?
> > 
> > the race condition is still there.
> 
> Right :-(. The file won't be given to the user anymore but he can
> print everything. However, there must be a solution for this...

Can someone take a look at this?

Basically, it makes the link to the file; if it can unlink the original,
it will then chown the spool file. If it can't delete or read the original,
then the user didn't have permission and it backs out.

Index: lpr.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/lpr/lpr/lpr.c,v
retrieving revision 1.31
diff -u -r1.31 lpr.c
--- lpr.c	1999/11/30 16:15:22	1.31
+++ lpr.c	1999/12/10 14:09:08
@@ -384,6 +384,46 @@
 		}
 		if (sflag)
 			printf("%s: %s: not linked, copying instead\n", name, arg);
+		if (f) {
+			seteuid(euid);
+			if (link(arg, dfname) == 0) {
+				int ret;
+
+				seteuid(uid);
+				/* 
+				 * if we can access and remove the file without 
+				 * special setuid-ness then allow it.
+				 */
+				ret = access(dfname, R_OK);
+				if (ret == 0)
+					ret = unlink(arg);
+				seteuid(euid);
+				if (ret == 0) {
+					/* unlink was successful fixup perms */
+					chown(dfname, userid, getegid());
+					chmod(dfname, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+				} else {
+					/* 
+					 * the user handed me a file the don't have access to,
+					 * remove it from the spooldir and try other methods
+					 */
+					unlink(dfname);
+					seteuid(uid);
+					goto nohardlink;
+				}
+				seteuid(uid);
+				if (format == 'p')
+					card('T', title ? title : arg);
+				for (i = 0; i < ncopies; i++)
+					card(format, &dfname[inchar-2]);
+				card('U', &dfname[inchar-2]);
+				card('N', arg);
+				nact++;
+				continue;
+			}
+			seteuid(uid);           /* restore old uid */
+		}
+nohardlink:
 		if ((i = open(arg, O_RDONLY)) < 0) {
 			printf("%s: cannot open %s\n", name, arg);
 		} else {
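
Review bot: the chown()/chmod() pair in the `ret == 0` branch runs after seteuid(euid) on whatever inode link() captured, and nothing before it checks who owns that inode or whether it has other links. access(dfname, R_OK) only shows that the invoking user can read it, and unlink(arg) resolves the path again, so its success shows write permission on the directory that arg names at that moment, not ownership of the file now sitting in the spool directory. Suggest an lstat() of dfname after the link, falling through to nohardlink unless it is a regular file with st_uid == userid and st_nlink == 1 once arg has been unlinked, before changing owner or mode. The return values of chown(), chmod() and the seteuid() calls are also ignored, so a failure there leaves the spool file with its original owner and mode while the card() entries are still written.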



