diff options
author | imp <imp@FreeBSD.org> | 1997-07-23 00:49:46 +0000 |
---|---|---|
committer | imp <imp@FreeBSD.org> | 1997-07-23 00:49:46 +0000 |
commit | f080009db57e6a7b246a2ab15d8a73e4563931b4 (patch) | |
tree | 3f6c130b47ee18671302ddcfcae8cef66be97455 /usr.sbin/lpr/common_source/startdaemon.c | |
parent | 5d2b7fa5ede6cefc6d4c6f7df3987bea7b9149b8 (diff) | |
download | FreeBSD-src-f080009db57e6a7b246a2ab15d8a73e4563931b4.zip FreeBSD-src-f080009db57e6a7b246a2ab15d8a73e4563931b4.tar.gz |
Use setuid/seteuid around dangerous operations. Also a few buffer
overflow patches that were "near" to where these operations are taking
place. The buffer overflows are from OpenBSD. The setuid/seteuid patches
are from NetBSD by way of OpenBSD (they changed them a little), at least from
my read of the tree.
This is the first of a series of OpenBSD lpr/et al merges. It (and them)
should be merged back into 2.2 and/or 2.1 (if requested) branches when they
have been shaken out in -current.
Obtained from: OpenBSD
Diffstat (limited to 'usr.sbin/lpr/common_source/startdaemon.c')
-rw-r--r-- | usr.sbin/lpr/common_source/startdaemon.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c index 807a976..a876c1e 100644 --- a/usr.sbin/lpr/common_source/startdaemon.c +++ b/usr.sbin/lpr/common_source/startdaemon.c @@ -48,6 +48,8 @@ static char sccsid[] = "@(#)startdaemon.c 8.2 (Berkeley) 4/17/94"; #include "lp.h" #include "pathnames.h" +extern uid_t uid, euid; + static void perr __P((char *)); /* @@ -73,12 +75,18 @@ startdaemon(printer) #ifndef SUN_LEN #define SUN_LEN(unp) (strlen((unp)->sun_path) + 2) #endif + seteuid(euid); if (connect(s, (struct sockaddr *)&un, SUN_LEN(&un)) < 0) { + seteuid(uid); perr("connect"); (void) close(s); return(0); } - (void) sprintf(buf, "\1%s\n", printer); + seteuid(uid); + if (snprintf(buf, sizeof buf, "\1%s\n", printer) > sizeof buf-1) { + close(s); + return (0); + } n = strlen(buf); if (write(s, buf, n) != n) { perr("write"); |