Date: Sun, 2 Sep 2001 22:54:45 -0700 From: Kris Kennaway <kris@obsecurity.org> To: audit@FreeBSD.org Subject: issetugid checks revisited Message-ID: <20010902225445.A27902@xor.obsecurity.org>
--BXVAT5kNtrzKuDFl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I posted a broken version of this a few weeks ago. I think this updated version fixes all of the bugs..reviews, please? Kris Index: lib/libc/db/test/dbtest.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v retrieving revision 1.4 diff -u -r1.4 dbtest.c --- lib/libc/db/test/dbtest.c 2000/08/04 10:50:21 1.4 +++ lib/libc/db/test/dbtest.c 2001/08/20 07:44:18 @@ -52,6 +52,7 @@ #include <errno.h> #include <fcntl.h> #include <limits.h> +#include <paths.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -155,9 +156,8 @@ * want it around, and it often screws up tests. */ if (fname =3D=3D NULL) { - p =3D getenv("TMPDIR"); - if (p =3D=3D NULL) - p =3D "/var/tmp"; + if (issetugid() !=3D 0 || (p =3D getenv("TMPDIR")) =3D=3D NULL); + p =3D _PATH_VARTMP; (void)snprintf(buf, sizeof(buf), "%s/__dbtest", p); fname =3D buf; (void)unlink(buf); Index: lib/libc/gen/exec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v retrieving revision 1.17 diff -u -r1.17 exec.c --- lib/libc/gen/exec.c 2001/08/13 14:06:21 1.17 +++ lib/libc/gen/exec.c 2001/08/20 07:45:03 
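Review bot: The new `if` in the second dbtest.c hunk ends in a stray semicolon — decoded from quoted-printable it reads `if (issetugid() != 0 || (p = getenv("TMPDIR")) == NULL);` — so the conditional has an empty body and the following `p = _PATH_VARTMP;` runs unconditionally, meaning TMPDIR is never honoured even for a non-set-id run. Drop the trailing `;` so that `p = _PATH_VARTMP;` becomes the body of the `if`. Building with `-Wempty-body` would have caught this. The enclosing function starts before and continues after the hunk.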
@@ -222,7 +222,7 @@ } =20 /* Get the path we're searching. */ - if (!(path =3D getenv("PATH"))) + if (issetugid() !=3D 0 || (path =3D getenv("PATH")) =3D=3D NULL) path =3D _PATH_DEFPATH; cur =3D alloca(strlen(path) + 1); if (cur =3D=3D NULL) { Index: lib/libc/rpc/getnetpath.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v retrieving revision 1.1 diff -u -r1.1 getnetpath.c --- lib/libc/rpc/getnetpath.c 2001/03/19 12:49:51 1.1 +++ lib/libc/rpc/getnetpath.c 2001/08/19 04:35:18 @@ -105,7 +105,7 @@ } np_sessionp->valid =3D NP_VALID; np_sessionp->ncp_list =3D NULL; - if ((npp =3D getenv(NETPATH)) =3D=3D NULL) { + if (issetugid() !=3D 0 || (npp =3D getenv(NETPATH)) =3D=3D NULL) { np_sessionp->netpath =3D NULL; } else { (void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/ Index: lib/libc/stdio/tmpfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v retrieving revision 1.6 diff -u -r1.6 tmpfile.c --- lib/libc/stdio/tmpfile.c 2001/07/07 04:08:32 1.6 +++ lib/libc/stdio/tmpfile.c 2001/08/20 07:45:29 
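Review bot: issetugid() remains true for the rest of a set-id process (until the next execve), so after this exec.c change execvp() ignores PATH even when the privileged program has already sanitized its environment and installed a trusted PATH of its own — it silently gets `_PATH_DEFPATH` instead, which is hard to diagnose from the caller's side. Consider leaving the PATH policy to the set-id program, which must clean its environment anyway, or at least documenting the new behaviour in execvp(3) so callers know the override exists. The `cur == NULL` test after alloca() on the next context line is pre-existing and can never fire. The enclosing function continues outside the hunk.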
@@ -61,8 +61,7 @@ char *buf; const char *tmpdir; =20 - tmpdir =3D getenv("TMPDIR"); - if (tmpdir =3D=3D NULL) + if (issetugid() !=3D 0 || (tmpdir =3D getenv("TMPDIR")) =3D=3D NULL) tmpdir =3D _PATH_TMP; =20 (void)asprintf(&buf, "%s%s%s", tmpdir, Index: lib/libc_r/uthread/uthread_info.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v retrieving revision 1.20 diff -u -r1.20 uthread_info.c --- lib/libc_r/uthread/uthread_info.c 2001/08/11 05:16:00 1.20 +++ lib/libc_r/uthread/uthread_info.c 2001/08/20 07:46:25 @@ -31,13 +31,14 @@ * * $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.20 2001/08/11 05:16= :00 imp Exp $ */ +#include <errno.h> +#include <fcntl.h> #include <stdio.h> #include <stdlib.h> -#include <fcntl.h> #include <string.h> -#include <unistd.h> +#include <paths.h> #include <pthread.h> -#include <errno.h> +#include <unistd.h> #include "pthread_private.h" =20 #ifndef NELEMENTS 
@@ -85,15 +86,18 @@ int fd; int i; pthread_t pthread; - char tmpfile[128]; + char *tmpdir; + char tmpfile[PATH_MAX]; pq_list_t *pq_list; =20 + if (issetugid() !=3D 0 || (tmpdir =3D getenv("TMPDIR")) =3D=3D NULL) + tmpdir =3D _PATH_TMP; for (i =3D 0; i < 100000; i++) { - snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i", - getpid(), i); + snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i", + tmpdir, getpid(), i); /* Open the dump file for append and create it if necessary: */ if ((fd =3D __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL, - 0666)) < 0) { + 0644)) < 0) { /* Can't open the dump file. */ if (errno =3D=3D EEXIST) continue; Index: lib/libcompat/4.3/rexec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v retrieving revision 1.6 diff -u -r1.6 rexec.c --- lib/libcompat/4.3/rexec.c 2000/08/04 11:15:48 1.6 +++ lib/libcompat/4.3/rexec.c 2001/08/20 10:23:33 @@ -52,6 +52,7 @@ #include <errno.h> #include <ctype.h> #include <err.h> +#include <pwd.h> #include <stdlib.h> #include <unistd.h> =20 
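Review bot: `PATH_MAX` is now used to size `tmpfile[]`, but the include hunk above only adds `<paths.h>`; on FreeBSD PATH_MAX comes from `<limits.h>`, so unless pthread_private.h already pulls it in this will not compile — add `#include <limits.h>` alongside the other system headers. `_PATH_TMP` carries a trailing slash, so the `"%s/uthread.dump.%u.%i"` format produces a doubled slash in the default case (harmless but untidy), and the snprintf() return value is unchecked, so an over-long user-supplied TMPDIR yields a silently truncated path; O_EXCL keeps that safe, but `if (snprintf(...) >= (int)sizeof(tmpfile)) return;` would make the failure explicit. The 0666 → 0644 mode change is the right call for a dump file. The enclosing function starts before and continues after the hunk.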
@@ -144,8 +145,15 @@ char myname[MAXHOSTNAMELEN], *mydomain; int t, i, c, usedefault =3D 0; struct stat stb; + struct passwd *pwd; =20 - hdir =3D getenv("HOME"); + if (issetugid() !=3D 0 || (hdir =3D getenv("HOME")) =3D=3D NULL) { + pwd =3D getpwuid(getuid()); + if (pwd =3D=3D NULL) + return (0); + hdir =3D pwd->pw_dir; + } + if (hdir =3D=3D NULL) hdir =3D "."; if (strlen(hdir) + 8 > sizeof(buf)) Index: lib/libncp/ncpl_rcfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v retrieving revision 1.3 diff -u -r1.3 ncpl_rcfile.c --- lib/libncp/ncpl_rcfile.c 2000/05/26 02:00:20 1.3 +++ lib/libncp/ncpl_rcfile.c 2001/08/20 10:23:08 @@ -389,8 +389,15 @@ ncp_open_rcfile(void) { char *home, *fn; int error; + struct passwd *pwd; =20 - home =3D getenv("HOME"); + if (issetugid() !=3D 0 || (home =3D getenv("HOME")) =3D=3D NULL) { + pwd =3D getpwuid(getuid()); + if (pwd =3D=3D NULL) + return 0; + home =3D pwd->pw_dir; + } + if (home) { fn =3D malloc(strlen(home) + 20); sprintf(fn, "%s/.nwfsrc", home); Index: gnu/lib/libdialog/rc.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v retrieving revision 1.2 diff -u -r1.2 rc.c --- gnu/lib/libdialog/rc.c 1994/10/20 21:56:43 1.2 +++ gnu/lib/libdialog/rc.c 2001/08/20 07:55:27 @@ -86,8 +86,8 @@ int parse_rc(void) { int i, l =3D 1, parse, fg, bg, hl; - unsigned char str[MAX_LEN+1], *var, *value, *tempptr; - FILE *rc_file; + unsigned char str[MAX_LEN+1], *var, *value, *tempptr =3D NULL; + FILE *rc_file =3D NULL; =20 /* * 
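Review bot: In the rexec.c hunk the getpwuid() fallback changes behaviour when the password lookup fails: the old code fell through to `hdir = "."` and looked for `./.netrc`, whereas the new code returns 0 without looking anywhere, leaving the surviving `if (hdir == NULL) hdir = ".";` almost dead. Either keep the fall-through (`hdir = (pwd != NULL) ? pwd->pw_dir : NULL;` with no early return) or state in a comment that a set-id process is deliberately not allowed to read `./.netrc`, which is a defensible policy but should be explicit. Using getuid() rather than geteuid() for the lookup is correct here. The enclosing function continues outside the hunk.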
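Review bot: The ncpl_rcfile.c hunk uses `struct passwd` and getpwuid() but, unlike the rexec.c section, adds no `#include <pwd.h>`; unless the file already includes it, `pwd->pw_dir` dereferences an incomplete type and will not compile. The new `return 0` on a failed lookup also reports success from ncp_open_rcfile() while no rc file was opened; the function's `error` variable suggests returning an errno-style value, or simply leaving `home` NULL and falling into the existing `if (home)` test as the old code did when HOME was unset. The unchecked malloc() feeding sprintf() on the following lines is pre-existing. ncp_open_rcfile() continues outside the hunk.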
@@ -103,12 +103,12 @@ * */ =20 - if ((tempptr =3D getenv("DIALOGRC")) !=3D NULL) + if (issetugid() =3D=3D 0 && (tempptr =3D getenv("DIALOGRC")) !=3D NULL) rc_file =3D fopen(tempptr, "rt"); =20 if (tempptr =3D=3D NULL || rc_file =3D=3D NULL) { /* step (a) failed?= */ /* try step (b) */ - if ((tempptr =3D getenv("HOME")) =3D=3D NULL) + if (issetugid() !=3D 0 || (tempptr =3D getenv("HOME")) =3D=3D NULL) return 0; /* step (b) failed, use default values */ =20 if (tempptr[0] =3D=3D '\0' || lastch(tempptr) =3D=3D '/') --BXVAT5kNtrzKuDFl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7kxslWry0BWjoQKURAszbAJ9kJr3vO/qc3EWEYI39cq9YxfJUzgCeOfcc 0ggDdqHpwaWx9a3rJx6Mz/U= =KMwF -----END PGP SIGNATURE----- --BXVAT5kNtrzKuDFl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
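Review bot: For a set-id process this rc.c hunk abandons `~/.dialogrc` altogether (step (b) returns 0 immediately), while the rexec.c and ncpl_rcfile.c hunks in the same patch fall back to `getpwuid(getuid())->pw_dir`; the patch should apply one HOME policy throughout, or a comment here should say why libdialog is treated differently. Calling issetugid() once into a local at the top of parse_rc(), e.g. `int tainted = issetugid();`, and testing that in both conditions would also make the intent readable instead of repeating the call. parse_rc() continues outside the hunk.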