From owner-freebsd-hackers Tue Apr 11 08:01:57 1995 Return-Path: hackers-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id IAA21299 for hackers-outgoing; Tue, 11 Apr 1995 08:01:57 -0700 Received: from mpp.com (dialup-1-81.gw.umn.edu [134.84.101.81]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id IAA21292 for ; Tue, 11 Apr 1995 08:01:41 -0700 Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id KAA01076 for freebsd-hackers@freebsd.org; Tue, 11 Apr 1995 10:00:48 -0500 From: Mike Pritchard Message-Id: <199504111500.KAA01076@mpp.com> Subject: atrun fix To: freebsd-hackers@FreeBSD.org Date: Tue, 11 Apr 1995 10:00:48 -0500 (CDT) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3232 Sender: hackers-owner@FreeBSD.org Precedence: bulk Here is a fix for the atrun security hole. When sending mail, atrun will switch ids to that of the user running the at job. This will prevent the user from spoofing sendmail any more than they could from a login shell. I also fixed it so that it correctly sets up the users groups before running the at job or sending mail to the user. It also now requires that the user be present in the password file before allowing the job to execute. One other functional change is that mail will no longer be sent to "root" if atrun can't figure out who to send mail to. This is a side effect of requiring that the user be present in the password file. -Mike *** orig/atrun.c Tue Apr 11 08:29:43 1995 --- ./atrun.c Tue Apr 11 09:47:51 1995 *************** *** 74,83 **** } static void ! run_file(filename, uid, gid) const char *filename; uid_t uid; - gid_t gid; { /* * Run a file by by spawning off a process which redirects I/O, --- 74,82 ---- } static void ! 
run_file(filename, uid) const char *filename; uid_t uid; { /* * Run a file by by spawning off a process which redirects I/O, *************** *** 125,138 **** fcntl(fd_in, F_SETFD, fflags & ~FD_CLOEXEC); if (fscanf(stream, "#! /bin/sh\n# mail %8s %d", mailbuf, &send_mail) == 2) { mailname = mailbuf; } else { ! pentry = getpwuid(uid); ! if (pentry == NULL) ! mailname = "root"; ! else ! mailname = pentry->pw_name; } fclose(stream); if (chdir(_PATH_ATSPOOL) < 0) --- 124,135 ---- fcntl(fd_in, F_SETFD, fflags & ~FD_CLOEXEC); + if ((pentry = getpwuid(uid)) == NULL) + perr("Unable to determine login name for job"); if (fscanf(stream, "#! /bin/sh\n# mail %8s %d", mailbuf, &send_mail) == 2) { mailname = mailbuf; } else { ! mailname = pentry->pw_name; } fclose(stream); if (chdir(_PATH_ATSPOOL) < 0) *************** *** 193,199 **** if (queue > 'b') nice(queue - 'b'); ! if (setgid(gid) < 0) perr("Cannot change group"); if (setuid(uid) < 0) --- 190,198 ---- if (queue > 'b') nice(queue - 'b'); ! if (initgroups(pentry->pw_name, pentry->pw_gid) < 0) ! perr("Cannot initialize group list"); ! if (setgid(pentry->pw_gid) < 0) perr("Cannot change group"); if (setuid(uid) < 0) *************** *** 221,229 **** --- 220,238 ---- if (open(filename, O_RDONLY) != STDIN_FILENO) perr("Cannot reopen output file"); + PRIV_START + + if (initgroups(pentry->pw_name, pentry->pw_gid) < 0) + perr("Cannot initialize group list"); + if (setgid(pentry->pw_gid) < 0) + perr("Cannot change group"); + if (setuid(uid) < 0) + perr("Cannot set user id"); execl(_PATH_SENDMAIL, _PATH_SENDMAIL, mailname, (char *) NULL); perr("Exec failed"); + + PRIV_END } waitpid(pid, (int *) NULL, 0); } *************** *** 315,321 **** PRIV_END ! run_file(dirent->d_name, buf.st_uid, buf.st_gid); } /* Delete older files */ if (older && !(S_IXUSR & buf.st_mode) && --- 324,330 ---- PRIV_END ! run_file(dirent->d_name, buf.st_uid); } /* Delete older files */ if (older && !(S_IXUSR & buf.st_mode) &&
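Review bot: `pentry` from the added `getpwuid(uid)` check points at static storage that the next getpwnam()/getpwuid() call anywhere in the process overwrites, yet the same pointer is dereferenced much later, in the 190-198 and 220-238 hunks, to pick the primary gid and build the group list. Nothing visible in these hunks calls getpw*() in between, so this is defensive, but copying the two fields right after the check, `gid_t jobgid = pentry->pw_gid;` and `snprintf(jobname, sizeof jobname, "%s", pentry->pw_name);`, and using the copies at the setgid()/initgroups() sites removes the dependence on library internals. Refusing a job whose owner has no passwd entry is the right call here; the rest of run_file, including where perr() takes the process, lies outside the hunk.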
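Review bot: The initgroups/setgid/setuid sequence introduced here is repeated verbatim in the 220-238 hunk for the sendmail child, and a single static helper would keep the two privilege-drop paths from drifting apart, which is how the earlier gid-only drop could survive in one path and not the other. initgroups() needs effective uid 0, and this hunk does not show whether a PRIV_START is in effect at this point of run_file, whose body starts and ends outside the hunk; the helper's header comment should state that precondition so both callers are checked against it. The sketch below replaces the three checks with `become_user(pentry, uid);` at both sites.
```c
/* Drop to the job owner's identity: supplementary groups, primary
 * group, then uid.  Must be called with effective uid 0 (initgroups()
 * and the full setuid() drop need it); perr() is taken on any failure. */
static void
become_user(pentry, uid)
	struct passwd *pentry;
	uid_t uid;
{
	if (initgroups(pentry->pw_name, pentry->pw_gid) < 0)
		perr("Cannot initialize group list");
	if (setgid(pentry->pw_gid) < 0)
		perr("Cannot change group");
	if (setuid(uid) < 0)
		perr("Cannot set user id");
}

/* … unchanged: rest of run_file up to the nice() call … */
	if (queue > 'b')
		nice(queue - 'b');
	become_user(pentry, uid);
/* … unchanged: exec of the job … */
```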
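Review bot: The `PRIV_END` added after `perr("Exec failed")` is unreachable if perr() does not return, and once `setuid(uid)` has succeeded with a non-root uid there is no elevated identity left for it to relinquish; if PRIV_START/PRIV_END are brace-balanced macros in this tree it has to stay for syntax, otherwise it should go so the block reads as the permanent drop it is. The drop is only complete if the effective uid is 0 when setuid() runs, which is presumably what the preceding PRIV_START provides, but the check only reports failure and says nothing about that precondition. A one-line comment above the block would spare the next reader the trip to the macro definition: `/* PRIV_START regains euid 0 so setuid() below clears real, effective and saved ids before exec -- confirm against the PRIV_START definition */`. The enclosing function continues outside the hunk.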