authorimp <imp@FreeBSD.org>1997-07-23 00:49:46 +0000
committerimp <imp@FreeBSD.org>1997-07-23 00:49:46 +0000
commitf080009db57e6a7b246a2ab15d8a73e4563931b4 (patch)
tree3f6c130b47ee18671302ddcfcae8cef66be97455 /usr.sbin/lpr/common_source/startdaemon.c
parent5d2b7fa5ede6cefc6d4c6f7df3987bea7b9149b8 (diff)
Use setuid/seteuid around dangerous operations. Also a few buffer
overflow patches that were "near" to where these operations are taking place. The buffer overflows are from OpenBSD. The setuid/seteuid patches are from NetBSD by way of OpenBSD (they changed them a little), at least from my read of the tree. This is the first of a series of OpenBSD lpr/et al merges. It (and them) should be merged back into 2.2 and/or 2.1 (if requested) branches when they have been shaken out in -current. Obtained from: OpenBSD
Diffstat (limited to 'usr.sbin/lpr/common_source/startdaemon.c')
-rw-r--r--usr.sbin/lpr/common_source/startdaemon.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c
index 807a976..a876c1e 100644
--- a/usr.sbin/lpr/common_source/startdaemon.c
+++ b/usr.sbin/lpr/common_source/startdaemon.c
@@ -48,6 +48,8 @@ static char sccsid[] = "@(#)startdaemon.c 8.2 (Berkeley) 4/17/94";
#include "lp.h"
#include "pathnames.h"
+extern uid_t uid, euid;
+
static void perr __P((char *));
/*
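Review bot: The new `extern uid_t uid, euid;` is declared locally in this .c file rather than in a shared header, so the compiler cannot check it against the actual definition if the type ever changes there. If `lp.h` is included by every file that uses these ids (not visible in this hunk), moving the declaration there with a short comment such as `/* real and effective uid saved at startup */` would keep it in one place. The names are also very generic for symbols with external linkage.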
@@ -73,12 +75,18 @@ startdaemon(printer)
#ifndef SUN_LEN
#define SUN_LEN(unp) (strlen((unp)->sun_path) + 2)
#endif
+ seteuid(euid);
if (connect(s, (struct sockaddr *)&un, SUN_LEN(&un)) < 0) {
+ seteuid(uid);
perr("connect");
(void) close(s);
return(0);
}
- (void) sprintf(buf, "\1%s\n", printer);
+ seteuid(uid);
+ if (snprintf(buf, sizeof buf, "\1%s\n", printer) > sizeof buf-1) {
+ close(s);
+ return (0);
+ }
n = strlen(buf);
if (write(s, buf, n) != n) {
perr("write");
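Review bot: The return values of the `seteuid()` calls are ignored, which matters most for the two `seteuid(uid)` calls after `connect()`: if dropping the effective uid fails, the function carries on and writes to the socket while still holding the elevated id. I would check the drop and bail out, e.g. `if (seteuid(uid) < 0) { perr("seteuid"); (void) close(s); return(0); }`. In the connect-failure branch `seteuid(uid)` also runs before `perr("connect")`, so a failing seteuid could overwrite the errno that perr presumably reports; saving errno first would keep the message accurate. The new snprintf truncation branch returns 0 without any diagnostic, unlike the neighbouring error paths, and relies on the int result being converted to unsigned for the comparison. startdaemon() begins before and continues past this hunk, so how `uid` and `euid` are initialised is not visible here.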