authorru <ru@FreeBSD.org>2001-09-04 16:15:51 +0000
committerru <ru@FreeBSD.org>2001-09-04 16:15:51 +0000
commit3527c363d57e1688de0e11e9b409130ba99d6c4a (patch)
tree5b951c59f980d8ae3d357a450261430a7153bb9b /usr.bin/at
parentf83248d955e55cba999d478b18b0216f1540e7a0 (diff)
SECURITY.
Fixed macros for temporarily relinquishing and restoring setuid/setgid privileges so that they never change the real user and group IDs of the calling process. The setre[ug]id() calls are still used in the REDUCE_PERM macro (with the r[ug]id arguments of -1) so that the call changes the saved user and group IDs of the process to those specified. Also, the panic() and perr() functions had insufficient privileges to delete the problematic file under /var/at.
Diffstat (limited to 'usr.bin/at')
-rw-r--r--usr.bin/at/panic.c11
-rw-r--r--usr.bin/at/privs.h71
2 files changed, 42 insertions, 40 deletions
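diff --git a/usr.bin/at/panic.c b/usr.bin/at/panic.c
index 9cabc1d..cf6d041 100644
--- a/usr.bin/at/panic.c
+++ b/usr.bin/at/panic.c
@@ -39,6 +39,7 @@ static const char rcsid[] =
 /* Local headers */
 #include "panic.h"
+#include "privs.h"
 #include "at.h"
 /* External variables */
@@ -50,8 +51,11 @@ panic(char *a)
 {
 /* Something fatal has happened, print error message and exit.
 */
- if (fcreated)
+ if (fcreated) {
+ PRIV_START
 unlink(atfile);
+ PRIV_END
+ }
 errx(EXIT_FAILURE, "%s", a);
 }
@@ -63,8 +67,11 @@ perr(char *a)
 */
 int serrno = errno;
- if (fcreated)
+ if (fcreated) {
+ PRIV_START
 unlink(atfile);
+ PRIV_END
+ }
 errno = serrno;
 err(EXIT_FAILURE, "%s", a);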
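Review bot: The privileged unlink() in panic(), and the identical block in perr(), still discards its return value, so a job file under /var/at that cannot be removed is left behind with no diagnostic even though the whole point of the change was to make that removal succeed; since both functions are about to exit anyway, a warning is cheap: `if (unlink(atfile) == -1) warn("unlink %s", atfile);` between PRIV_START and PRIV_END. In perr() the existing `errno = serrno;` restore must stay after the block, because warn() and the seteuid()/setegid() calls inside the macros can overwrite errno. The two blocks are byte-for-byte the same and could be factored into one static helper so the privilege window is maintained in a single place. The bodies of panic() and perr() start outside the hunks.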
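diff --git a/usr.bin/at/privs.h b/usr.bin/at/privs.h
index 2fce5c0..50dd6b1 100644
--- a/usr.bin/at/privs.h
+++ b/usr.bin/at/privs.h
@@ -28,17 +28,11 @@
 #ifndef _PRIVS_H
 #define _PRIVS_H
-#ifndef _USE_BSD
-#define _USE_BSD 1
 #include <unistd.h>
-#undef _USE_BSD
-#else
-#include <unistd.h>
-#endif
 /* Relinquish privileges temporarily for a setuid or setgid program
- * with the option of getting them back later. This is done by swapping
- * the real and effective userid BSD style. Call RELINQUISH_PRIVS once
+ * with the option of getting them back later. This is done by
+ * utilizing POSIX saved user and group IDs. Call RELINQUISH_PRIVS once
  * at the beginning of the main program. This will cause all operations
  * to be executed with the real userid. When you need the privileges
  * of the setuid/setgid invocation, call PRIV_START; when you no longer
@@ -76,38 +70,39 @@ extern
 gid_t real_gid, effective_gid;
 #define RELINQUISH_PRIVS { \
- real_uid = getuid(); \
- effective_uid = geteuid(); \
- real_gid = getgid(); \
- effective_gid = getegid(); \
- setreuid(effective_uid, real_uid); \
- setregid(effective_gid, real_gid); \
- }
+ real_uid = getuid(); \
+ effective_uid = geteuid(); \
+ real_gid = getgid(); \
+ effective_gid = getegid(); \
+ seteuid(real_uid); \
+ setegid(real_gid); \
+}
-#define RELINQUISH_PRIVS_ROOT(a,b) { \
- real_uid = (a); \
- effective_uid = geteuid(); \
- real_gid = (b); \
- effective_gid = getegid(); \
- setregid(effective_gid, real_gid); \
- setreuid(effective_uid, real_uid); \
- }
+#define RELINQUISH_PRIVS_ROOT(a, b) { \
+ real_uid = (a); \
+ effective_uid = geteuid(); \
+ real_gid = (b); \
+ effective_gid = getegid(); \
+ setegid(real_gid); \
+ seteuid(real_uid); \
+}
-#define PRIV_START {\
- setreuid(real_uid, effective_uid); \
- setregid(real_gid, effective_gid);
+#define PRIV_START { \
+ seteuid(effective_uid); \
+ setegid(effective_gid); \
+}
-#define PRIV_END \
- setregid(effective_gid, real_gid); \
- setreuid(effective_uid, real_uid); \
- }
+#define PRIV_END { \
+ setegid(real_gid); \
+ seteuid(real_uid); \
+}
-#define REDUCE_PRIV(a,b) {\
- setreuid(real_uid, effective_uid); \
- setregid(real_gid, effective_gid); \
- effective_uid = (a); \
- effective_gid = (b); \
- setregid(effective_gid, real_gid); \
- setreuid(effective_uid, real_uid); \
- }
+#define REDUCE_PRIV(a, b) { \
+ PRIV_START \
+ effective_uid = (a); \
+ effective_gid = (b); \
+ setreuid((uid_t)-1, effective_uid); \
+ setregid((gid_t)-1, effective_gid); \
+ PRIV_END \
+}
 #endif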
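Review bot: REDUCE_PRIV sets the effective uid before the effective gid (`setreuid((uid_t)-1, effective_uid);` then `setregid((gid_t)-1, effective_gid);`), which is the reverse of the order the same hunk uses in RELINQUISH_PRIVS_ROOT and PRIV_END and of the order the removed version of REDUCE_PRIV had; once the effective uid has been lowered to a non-root value such as the daemon uid, a POSIX system lets setregid() choose only the real or saved gid, so the gid change will presumably fail for any other (b) and the macro ends up reducing only half of its privileges. Swapping the two lines so the gid is changed while the process is still effectively root keeps the macro consistent with the others. Independently, none of the seteuid()/setegid()/setreuid()/setregid() calls in these macros check their return value, so a failed drop in PRIV_END leaves the caller running with the privileges it meant to give up and nobody notices; checking each call and aborting on failure, e.g. `if (seteuid(real_uid) == -1) abort();`, makes that condition fail closed instead of silently.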