Bugtraq mailing list archives
rxvt hole
From: marc () redhat com (Marc Ewing)
Date: Tue, 2 Jan 1996 20:58:30 -0500
OK, second attempt. This one should only retain privileges for the utmp stuff and /dev/ttyp* stuff, which is all it should need, as far as I can tell. If someone more knowlegeable than me gives this an OK, I'll release new rpms. Thanks, Marc -- --- rxvt/rxvt.h.marc Tue Jan 2 20:02:10 1996 +++ rxvt/rxvt.h Tue Jan 2 20:14:30 1996 @@ -21,3 +21,7 @@ extern void clean_exit(int); extern void cleanutent(void); extern void makeutent(char *); + +void save_privs(void); +void get_privs(void); +void release_privs(void); --- rxvt/rxvt.c.marc Tue Jan 2 20:02:14 1996 +++ rxvt/rxvt.c Tue Jan 2 20:46:04 1996 @@ -45,6 +45,10 @@ int i; char *shell; char **com_argv; + + /* Save then give up any suid/sgid privileges */ + save_privs(); + release_privs(); for (i = 0; i < argc; i++) if (strcmp(argv[i],"-e") == 0) --- rxvt/command.c.marc Tue Jan 2 20:09:00 1996 +++ rxvt/command.c Tue Jan 2 20:47:18 1996 @@ -222,6 +222,26 @@ } #endif +static uid_t saved_uid; +static gid_t saved_gid; + +void save_privs() +{ + saved_uid = geteuid(); + saved_gid = getegid(); +} + +void get_privs() +{ + seteuid(saved_uid); + seteuid(saved_gid); +} + +void release_privs() +{ + seteuid(getuid()); + setegid(getgid()); +} /* Catch a SIGCHLD signal and exit if the direct child has died. */ @@ -348,8 +368,10 @@ gid = gr->gr_gid; else gid = -1; + get_privs(); fchown(ttyfd,uid,gid); fchmod(ttyfd,0600); + release_privs(); #endif #ifdef TIOCCONS if (console) --- rxvt/utmp.c.marc Tue Jan 2 20:19:35 1996 +++ rxvt/utmp.c Tue Jan 2 20:43:55 1996 @@ -71,9 +71,11 @@ extern char ttynam[]; extern struct stat ttyfd_stat; + get_privs(); chmod(ttynam,ttyfd_stat.st_mode); chown(ttynam,ttyfd_stat.st_uid,ttyfd_stat.st_gid); + release_privs(); #endif if(madeutent) cleanutent(); @@ -228,12 +230,14 @@ FILE *ut; struct utmp u; + get_privs(); if((ut = fopen(UTMP,"r+")) == NULL) return; fseek(ut,utmp_pos,0); memset(&u,0,sizeof(u)); fwrite((char *)&u,sizeof(struct utmp),1,ut); fclose(ut); + release_privs(); } @@ -250,10 +254,12 @@ int write_utmp(struct utmp * u) { int pos; + get_privs(); utmpname(UTMP); setutent(); pututline(u); endutent(); + release_privs(); pos = (int)NULL; madeutent = 1; return(pos); @@ -306,6 +312,7 @@ int pid; struct utmp *u; + get_privs(); utmpname(UTMP); setutent(); pid = getpid(); @@ -333,6 +340,7 @@ endutent(); } } + release_privs(); } #endif /* BSD */
Current thread:
- rxvt hole Marc Ewing (Jan 02)