author | eadler <eadler@FreeBSD.org> | 2012-10-22 03:31:22 +0000 |
---|---|---|
committer | eadler <eadler@FreeBSD.org> | 2012-10-22 03:31:22 +0000 |
commit | 4bc19b04c5658de751c40ddf1399ab0dd1d895e7 (patch) | |
tree | 3aa86a2f61ac3b57647e44878110dc60da9069e7 /usr.sbin/lpr/lpc | |
parent | f4d42efdb90dc9f022d3764a5d1ddcfe4a846713 (diff) | |
Check the return error of set[ug]id. While this can never fail in the
current version of FreeBSD, this isn't guaranteed by the API. Custom
security modules, or future implementations of setuid and setgid,
may fail.
PR: bin/172289
PR: bin/172290
PR: bin/172291
Submittud by: Erik Cederstrand <erik@cederstrand.dk>
Discussed by: freebsd-security
Approved by: cperciva
MFC after: 1 week
Diffstat (limited to 'usr.sbin/lpr/lpc')
-rw-r--r-- | usr.sbin/lpr/lpc/cmds.c | 59 | ||||
-rw-r--r-- | usr.sbin/lpr/lpc/lpc.c | 6 | ||||
-rw-r--r-- | usr.sbin/lpr/lpc/movejobs.c | 5 |
3 files changed, 36 insertions, 34 deletions
diff --git a/usr.sbin/lpr/lpc/cmds.c b/usr.sbin/lpr/lpc/cmds.c
index 44516d8..f960f7c 100644
--- a/usr.sbin/lpr/lpc/cmds.c
+++ b/usr.sbin/lpr/lpc/cmds.c
@@ -54,6 +54,7 @@ __FBSDID("$FreeBSD$");
 #include <signal.h>
 #include <fcntl.h>
+#include <err.h>
 #include <errno.h>
 #include <dirent.h>
 #include <unistd.h>
@@ -288,10 +289,10 @@ kill_qtask(const char *lf)
 pid_t pid;
 int errsav, killres, lockres, res;
- seteuid(euid);
+ PRIV_START
 fp = fopen(lf, "r");
 errsav = errno;
- seteuid(uid);
+ PRIV_END
 res = KQT_NODAEMON;
 if (fp == NULL) {
 /*
@@ -329,10 +330,10 @@ kill_qtask(const char *lf)
 goto killdone;
 }
- seteuid(uid);
+ PRIV_END
 killres = kill(pid, SIGTERM);
 errsav = errno;
- seteuid(uid);
+ PRIV_END
 if (killres == 0) {
 res = KQT_KILLOK;
 printf("\tdaemon (pid %d) killed\n", pid);
@@ -376,9 +377,9 @@ upstat(struct printer *pp, const char *msg, int notifyuser)
 status_file_name(pp, statfile, sizeof statfile);
 umask(0);
- seteuid(euid);
+ PRIV_START
 fd = open(statfile, O_WRONLY|O_CREAT|O_EXLOCK, STAT_FILE_MODE);
- seteuid(uid);
+ PRIV_END
 if (fd < 0) {
 printf("\tcannot create status file: %s\n", strerror(errno));
 return;
@@ -683,9 +684,9 @@ clean_q(struct printer *pp)
 linerem = sizeof(line) - (lp - line);
 cln_foundcore = 0;
- seteuid(euid);
+ PRIV_START
 nitems = scandir(pp->spool_dir, &queue, doselect, sortq);
- seteuid(uid);
+ PRIV_END
 if (nitems < 0) {
 if (!didhead) {
 printf("%s:\n", pp->printer);
@@ -795,9 +796,9 @@ unlinkf(char *name)
 * that case, we need to check the last-mod time of the symlink, and
 * not the file that the symlink is pointed at.
 */
- seteuid(euid);
+ PRIV_START
 res = lstat(name, &stbuf);
- seteuid(uid);
+ PRIV_END
 if (res < 0) {
 printf("\terror return from stat(%s):\n", name);
 printf("\t %s\n", strerror(errno));
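Review bot: In the second kill_qtask hunk, `kill(pid, SIGTERM)` is now bracketed by `PRIV_END` on both sides, so the signal is sent with the real uid and at least one of the two calls changes nothing. This mirrors the pre-commit `seteuid(uid)` pair, so behaviour is unchanged, but it reads like a leftover typo and should be settled rather than carried into the macro form: state the intent with a comment such as `/* the daemon is signalled without elevated privilege */` and remove the redundant call, or confirm with the original author what was meant. The same redundant trailing `PRIV_END` appears at the end of start_q (the `-1049,14` hunk). kill_qtask's body continues outside the hunk.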
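Review bot: In the upstat hunk, `strerror(errno)` is evaluated after `PRIV_END`, so the macro's seteuid call sits between the failing `open()` and the message, and errno is no longer guaranteed to describe the open failure. kill_qtask already avoids this by doing `errsav = errno;` before dropping privilege; the same pattern here (a new local, `serrno = errno;` directly after the `open()` line, then `strerror(serrno)`) keeps the diagnostic accurate. The unlinkf hunks have the same ordering after `lstat()` and `readlink()`. The macro definition is not part of this diff, so what it does to errno on success is inferred.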
@@ -819,9 +820,9 @@ unlinkf(char *name)
 * symlink before unlink-ing the file itself
 */
 if (S_ISLNK(stbuf.st_mode)) {
- seteuid(euid);
+ PRIV_START
 res = readlink(name, linkbuf, sizeof(linkbuf));
- seteuid(uid);
+ PRIV_END
 if (res < 0) {
 printf("\terror return from readlink(%s):\n", name);
 printf("\t %s\n", strerror(errno));
@@ -841,9 +842,9 @@ unlinkf(char *name)
 printf("\t (which is a symlink to %s)\n", linkbuf);
 }
 } else {
- seteuid(euid);
+ PRIV_START
 res = unlink(name);
- seteuid(uid);
+ PRIV_END
 if (res < 0)
 printf("\tcannot remove %s (!)\n", name);
 else
@@ -983,9 +984,9 @@ restart_q(struct printer *pp)
 /* make sure the queue is set to print jobs */
 setres = set_qstate(SQS_STARTP, lf);
- seteuid(euid);
+ PRIV_START
 startok = startdaemon(pp);
- seteuid(uid);
+ PRIV_END
 if (!startok)
 printf("\tcouldn't restart daemon\n");
 else
@@ -1049,14 +1050,14 @@ start_q(struct printer *pp)
 setres = set_qstate(SQS_STARTP, lf);
- seteuid(euid);
+ PRIV_START
 startok = startdaemon(pp);
- seteuid(uid);
+ PRIV_END
 if (!startok)
 printf("\tcouldn't start daemon\n");
 else
 printf("\tdaemon started\n");
- seteuid(uid);
+ PRIV_END
 }
 /*
@@ -1178,12 +1179,12 @@ topq(int argc, char *argv[])
 }
 printf("%s:\n", pp->printer);
- seteuid(euid);
+ PRIV_START
 if (chdir(pp->spool_dir) < 0) {
 printf("\tcannot chdir to %s\n", pp->spool_dir);
 goto out;
 }
- seteuid(uid);
+ PRIV_END
 nitems = getq(pp, &queue);
 if (nitems == 0)
 return;
@@ -1207,12 +1208,12 @@ topq(int argc, char *argv[])
 * Turn on the public execute bit of the lock file to
 * get lpd to rebuild the queue after the current job.
 */
- seteuid(euid);
+ PRIV_START
 if (changed && stat(pp->lock_file, &stbuf) >= 0)
 (void) chmod(pp->lock_file, stbuf.st_mode | LFM_RESET_QUE);
 out:
- seteuid(uid);
+ PRIV_END
 }
 /*
@@ -1227,9 +1228,9 @@ touch(struct jobqueue *jq)
 tvp[0].tv_sec = tvp[1].tv_sec = --mtime;
 tvp[0].tv_usec = tvp[1].tv_usec = 0;
- seteuid(euid);
+ PRIV_START
 ret = utimes(jq->job_cfname, tvp);
- seteuid(uid);
+ PRIV_END
 return (ret);
 }
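Review bot: In the second topq hunk the result of the privileged `chmod()` is still discarded with `(void)`, so if setting LFM_RESET_QUE fails the user is told nothing and, going by the comment above it, lpd will not rebuild the queue. Since this commit is about not ignoring failures of privileged calls, reporting it would be consistent, e.g. `if (chmod(pp->lock_file, stbuf.st_mode | LFM_RESET_QUE) < 0) printf("\tcannot chmod %s\n", pp->lock_file);`. The `stat()`/`chmod()` pair also resolves the same path twice while euid is raised, which is sound only if the directory holding the lock file is not writable by unprivileged users; a comment stating that assumption would help the next reader. topq's body starts outside the hunk.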
@@ -1286,9 +1287,9 @@ doarg(char *job)
 * Process item consisting of owner's name (example: henry).
 */
 for (qq = queue + nitems; --qq >= queue; ) {
- seteuid(euid);
+ PRIV_START
 fp = fopen((*qq)->job_cfname, "r");
- seteuid(uid);
+ PRIV_END
 if (fp == NULL)
 continue;
 while (getline(fp) > 0)
@@ -1319,9 +1320,9 @@ up_q(struct printer *pp)
 setres = set_qstate(SQS_ENABLEQ+SQS_STARTP, lf);
- seteuid(euid);
+ PRIV_START
 startok = startdaemon(pp);
- seteuid(uid);
+ PRIV_END
 if (!startok)
 printf("\tcouldn't start daemon\n");
 else
diff --git a/usr.sbin/lpr/lpc/lpc.c b/usr.sbin/lpr/lpc/lpc.c
index f9fb920..cc58bd9 100644
--- a/usr.sbin/lpr/lpc/lpc.c
+++ b/usr.sbin/lpr/lpc/lpc.c
@@ -93,7 +93,7 @@ main(int argc, char *argv[])
 euid = geteuid();
 uid = getuid();
- seteuid(uid);
+ PRIV_END
 progname = argv[0];
 openlog("lpd", 0, LOG_LPR);
@@ -405,9 +405,9 @@ setup_myprinter(char *pwanted, struct printer *pp, int sump_opts)
 printf("%s:\n", pp->printer);
 if (sump_opts & SUMP_CHDIR_SD) {
- seteuid(euid);
+ PRIV_START
 cdres = chdir(pp->spool_dir);
- seteuid(uid);
+ PRIV_END
 if (cdres < 0) {
 printf("\tcannot chdir to %s\n", pp->spool_dir);
 free_printer(pp);
diff --git a/usr.sbin/lpr/lpc/movejobs.c b/usr.sbin/lpr/lpc/movejobs.c
index 60c9b38..c349601 100644
--- a/usr.sbin/lpr/lpc/movejobs.c
+++ b/usr.sbin/lpr/lpc/movejobs.c
@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <ctype.h>
 #include <dirent.h> /* just for MAXNAMLEN, for job_cfname in lp.h! */
+#include <err.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -147,9 +148,9 @@ touch_jqe(void *myinfo, struct jobqueue *jq, struct jobspec *jspec)
 touch_info = myinfo;
 tvp[0].tv_sec = tvp[1].tv_sec = ++touch_info->newtime;
 tvp[0].tv_usec = tvp[1].tv_usec = 0;
- seteuid(euid);
+ PRIV_START
 ret = utimes(jq->job_cfname, tvp);
- seteuid(uid);
+ PRIV_END
 if (ret == 0) {
 if (jspec->matcheduser) |
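Review bot: The `PRIV_END` in the main hunk of lpc.c is the initial privilege drop that every later `PRIV_START`/`PRIV_END` pair depends on, yet nothing at the call site says so or says what happens when it fails. A comment such as `/* run as the invoking user; euid is raised only around individual calls */` would make that explicit. The macros are also written without a trailing semicolon and their definition is not in this diff; if, as the added `<err.h>` includes suggest, they exit on failure, that belongs in a comment next to the definition. main's body continues outside the hunk.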