From owner-freebsd-audit Sun Sep 2 22:54:56 2001 Delivered-To: freebsd-audit@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 61E9637B403 for ; Sun, 2 Sep 2001 22:54:46 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id DC56D66DE1; Sun, 2 Sep 2001 22:54:45 -0700 (PDT) Date: Sun, 2 Sep 2001 22:54:45 -0700 From: Kris Kennaway To: audit@FreeBSD.org Subject: issetugid checks revisited Message-ID: <20010902225445.A27902@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="BXVAT5kNtrzKuDFl" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --BXVAT5kNtrzKuDFl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I posted a broken version of this a few weeks ago. I think this updated version fixes all of the bugs..reviews, please? Kris Index: lib/libc/db/test/dbtest.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v retrieving revision 1.4 diff -u -r1.4 dbtest.c --- lib/libc/db/test/dbtest.c 2000/08/04 10:50:21 1.4 +++ lib/libc/db/test/dbtest.c 2001/08/20 07:44:18 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include 
@@ -155,9 +156,8 @@ * want it around, and it often screws up tests. */ if (fname =3D=3D NULL) { - p =3D getenv("TMPDIR"); - if (p =3D=3D NULL) - p =3D "/var/tmp"; + if (issetugid() !=3D 0 || (p =3D getenv("TMPDIR")) =3D=3D NULL); + p =3D _PATH_VARTMP; (void)snprintf(buf, sizeof(buf), "%s/__dbtest", p); fname =3D buf; (void)unlink(buf); Index: lib/libc/gen/exec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v retrieving revision 1.17 diff -u -r1.17 exec.c --- lib/libc/gen/exec.c 2001/08/13 14:06:21 1.17 +++ lib/libc/gen/exec.c 2001/08/20 07:45:03 @@ -222,7 +222,7 @@ } =20 /* Get the path we're searching. */ - if (!(path =3D getenv("PATH"))) + if (issetugid() !=3D 0 || (path =3D getenv("PATH")) =3D=3D NULL) path =3D _PATH_DEFPATH; cur =3D alloca(strlen(path) + 1); if (cur =3D=3D NULL) { Index: lib/libc/rpc/getnetpath.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v retrieving revision 1.1 diff -u -r1.1 getnetpath.c --- lib/libc/rpc/getnetpath.c 2001/03/19 12:49:51 1.1 +++ lib/libc/rpc/getnetpath.c 2001/08/19 04:35:18 
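Review bot: The new `if` inside the `fname == NULL` branch of dbtest.c ends with a stray `;`, so its body is empty and `p = _PATH_VARTMP;` runs unconditionally; TMPDIR is never honoured, even for a process that is not set-id. Drop the semicolon so the line reads `if (issetugid() != 0 || (p = getenv("TMPDIR")) == NULL)` with `p = _PATH_VARTMP;` as its body. The result of the following `snprintf()` is still discarded, so an over-long TMPDIR would be truncated silently before the `unlink()`. The enclosing function starts and ends outside the hunk.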
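Review bot: The PATH lookup in exec.c now ignores the environment for every process where `issetugid()` is non-zero, and that flag stays set after a program has dropped privileges or installed its own sanitised PATH, so such callers silently switch to `_PATH_DEFPATH`. This is a visible behaviour change for existing set-id programs and should be recorded where it happens, e.g. `/* Ignore PATH in set-id processes: the environment is caller-controlled. */` above the test, and in the exec(3) manual page. The same documentation gap applies to the TMPDIR test in tmpfile.c and the NETPATH test in getnetpath.c. The enclosing function extends beyond the hunk.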
@@ -105,7 +105,7 @@ } np_sessionp->valid =3D NP_VALID; np_sessionp->ncp_list =3D NULL; - if ((npp =3D getenv(NETPATH)) =3D=3D NULL) { + if (issetugid() !=3D 0 || (npp =3D getenv(NETPATH)) =3D=3D NULL) { np_sessionp->netpath =3D NULL; } else { (void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/ Index: lib/libc/stdio/tmpfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v retrieving revision 1.6 diff -u -r1.6 tmpfile.c --- lib/libc/stdio/tmpfile.c 2001/07/07 04:08:32 1.6 +++ lib/libc/stdio/tmpfile.c 2001/08/20 07:45:29 @@ -61,8 +61,7 @@ char *buf; const char *tmpdir; =20 - tmpdir =3D getenv("TMPDIR"); - if (tmpdir =3D=3D NULL) + if (issetugid() !=3D 0 || (tmpdir =3D getenv("TMPDIR")) =3D=3D NULL) tmpdir =3D _PATH_TMP; =20 (void)asprintf(&buf, "%s%s%s", tmpdir, Index: lib/libc_r/uthread/uthread_info.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v retrieving revision 1.20 diff -u -r1.20 uthread_info.c --- lib/libc_r/uthread/uthread_info.c 2001/08/11 05:16:00 1.20 +++ lib/libc_r/uthread/uthread_info.c 2001/08/20 07:46:25 @@ -31,13 +31,14 @@ * * $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.20 2001/08/11 05:16= :00 imp Exp $ */ +#include +#include #include #include -#include #include -#include +#include #include -#include +#include #include "pthread_private.h" =20 #ifndef NELEMENTS 
@@ -85,15 +86,18 @@ int fd; int i; pthread_t pthread; - char tmpfile[128]; + char *tmpdir; + char tmpfile[PATH_MAX]; pq_list_t *pq_list; =20 + if (issetugid() !=3D 0 || (tmpdir =3D getenv("TMPDIR")) =3D=3D NULL) + tmpdir =3D _PATH_TMP; for (i =3D 0; i < 100000; i++) { - snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i", - getpid(), i); + snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i", + tmpdir, getpid(), i); /* Open the dump file for append and create it if necessary: */ if ((fd =3D __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL, - 0666)) < 0) { + 0644)) < 0) { /* Can't open the dump file. */ if (errno =3D=3D EEXIST) continue; Index: lib/libcompat/4.3/rexec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v retrieving revision 1.6 diff -u -r1.6 rexec.c --- lib/libcompat/4.3/rexec.c 2000/08/04 11:15:48 1.6 +++ lib/libcompat/4.3/rexec.c 2001/08/20 10:23:33 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include =20 
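Review bot: The `snprintf()` into `tmpfile` now takes its directory from the environment, but its return value is still ignored, so a TMPDIR close to PATH_MAX may yield a truncated name that no longer varies with `i` and the dump ends up on an unintended path. Compare the result with `sizeof(tmpfile)` before the `__sys_open()` call and fall back to `_PATH_TMP` when the name does not fit. `tmpdir` should be declared `const char *tmpdir;` because it can point at the `_PATH_TMP` literal. The file is created with mode 0644 and so stays world-readable; 0600 would suit a thread-state dump better if no other reader is intended. The function body continues outside the hunk.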
@@ -144,8 +145,15 @@ char myname[MAXHOSTNAMELEN], *mydomain; int t, i, c, usedefault =3D 0; struct stat stb; + struct passwd *pwd; =20 - hdir =3D getenv("HOME"); + if (issetugid() !=3D 0 || (hdir =3D getenv("HOME")) =3D=3D NULL) { + pwd =3D getpwuid(getuid()); + if (pwd =3D=3D NULL) + return (0); + hdir =3D pwd->pw_dir; + } + if (hdir =3D=3D NULL) hdir =3D "."; if (strlen(hdir) + 8 > sizeof(buf)) Index: lib/libncp/ncpl_rcfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v retrieving revision 1.3 diff -u -r1.3 ncpl_rcfile.c --- lib/libncp/ncpl_rcfile.c 2000/05/26 02:00:20 1.3 +++ lib/libncp/ncpl_rcfile.c 2001/08/20 10:23:08 @@ -389,8 +389,15 @@ ncp_open_rcfile(void) { char *home, *fn; int error; + struct passwd *pwd; =20 - home =3D getenv("HOME"); + if (issetugid() !=3D 0 || (home =3D getenv("HOME")) =3D=3D NULL) { + pwd =3D getpwuid(getuid()); + if (pwd =3D=3D NULL) + return 0; + home =3D pwd->pw_dir; + } + if (home) { fn =3D malloc(strlen(home) + 20); sprintf(fn, "%s/.nwfsrc", home); Index: gnu/lib/libdialog/rc.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v retrieving revision 1.2 diff -u -r1.2 rc.c --- gnu/lib/libdialog/rc.c 1994/10/20 21:56:43 1.2 +++ gnu/lib/libdialog/rc.c 2001/08/20 07:55:27 @@ -86,8 +86,8 @@ int parse_rc(void) { int i, l =3D 1, parse, fg, bg, hl; - unsigned char str[MAX_LEN+1], *var, *value, *tempptr; - FILE *rc_file; + unsigned char str[MAX_LEN+1], *var, *value, *tempptr =3D NULL; + FILE *rc_file =3D NULL; =20 /* * 
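Review bot: Returning 0 when `getpwuid(getuid())` fails in rexec.c changes what happened before for a missing HOME: the old code fell through to the `hdir = "."` default, which is now reachable only if `pw_dir` itself is NULL. Decide which behaviour is intended. If the current-directory fallback is meant to go (looking up a per-user file in the working directory is questionable anyway), remove the dead `if (hdir == NULL)` test; otherwise set `hdir = NULL` instead of returning. `pw_dir` points into static storage that a later getpw* call may overwrite, so it should be copied into `buf` before any such call. The function body continues outside the hunk.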
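Review bot: The early `return 0` on a failed `getpwuid()` leaves `ncp_open_rcfile()` before anything after the `if (home)` block runs, and it returns what is presumably the success value without any file having been opened. The rest of the function is outside the hunk, so check whether other rc sources are skipped as a result. The existing `if (home)` guard already copes with a missing home directory, so `home = (pwd != NULL) ? pwd->pw_dir : NULL;` would keep the old control flow. In the context lines the `malloc()` result is passed unchecked to `sprintf()`, which is worth fixing while this code is being touched.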
@@ -103,12 +103,12 @@ * */ =20 - if ((tempptr =3D getenv("DIALOGRC")) !=3D NULL) + if (issetugid() =3D=3D 0 && (tempptr =3D getenv("DIALOGRC")) !=3D NULL) rc_file =3D fopen(tempptr, "rt"); =20 if (tempptr =3D=3D NULL || rc_file =3D=3D NULL) { /* step (a) failed?= */ /* try step (b) */ - if ((tempptr =3D getenv("HOME")) =3D=3D NULL) + if (issetugid() !=3D 0 || (tempptr =3D getenv("HOME")) =3D=3D NULL) return 0; /* step (b) failed, use default values */ =20 if (tempptr[0] =3D=3D '\0' || lastch(tempptr) =3D=3D '/') --BXVAT5kNtrzKuDFl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7kxslWry0BWjoQKURAszbAJ9kJr3vO/qc3EWEYI39cq9YxfJUzgCeOfcc 0ggDdqHpwaWx9a3rJx6Mz/U= =KMwF -----END PGP SIGNATURE----- --BXVAT5kNtrzKuDFl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
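Review bot: The step (a)/(b) comments in `parse_rc()` no longer describe the code: for a set-id process both the DIALOGRC and the HOME lookup are skipped and the function returns 0 to use default values, which the comments do not mention. Add a line such as `/* set-id process: ignore DIALOGRC and HOME, use built-in defaults */` above the first test. Unlike rexec.c and ncpl_rcfile.c in this patch, there is no `getpwuid()` fallback for the home directory here; if that difference is deliberate, the comment is the place to record it. `issetugid()` is also evaluated twice, and a local set once at the top of the function would read more clearly. The function body continues outside the hunk.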