From 175ddbc728f1022832ab902756ecbf8a7f1d9c65 Mon Sep 17 00:00:00 2001
From: torstenb <torstenb@FreeBSD.org>
Date: Mon, 17 Jul 1995 21:19:09 +0000
Subject: lpr uses access(2) to determine if the parent directory of the file
 is writeable (by the real uid). if it is, lpr assumes that the file can be
 unlinked. lpr does not check for directories with S_ISVTX set

Reviewed by:	dima
---
 usr.sbin/lpr/lpr/lpr.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

(limited to 'usr.sbin/lpr')

diff --git a/usr.sbin/lpr/lpr/lpr.c b/usr.sbin/lpr/lpr/lpr.c
index 43c3656..bddf8ee 100644
--- a/usr.sbin/lpr/lpr/lpr.c
+++ b/usr.sbin/lpr/lpr/lpr.c
@@ -109,6 +109,7 @@ static char	*lmktemp __P((char *, int, int));
 static void	 mktemps __P((void));
 static int	 nfile __P((char *));
 static int	 test __P((char *));
+static int	 checkwriteperm __P((char*, char *));
 
 void
 main(argc, argv)
@@ -561,6 +562,7 @@ test(file)
 	char *file;
 {
 	struct exec execb;
+	char	*path;
 	register int fd;
 	register char *cp;
 
@@ -592,14 +594,15 @@ test(file)
 	(void) close(fd);
 	if (rflag) {
 		if ((cp = rindex(file, '/')) == NULL) {
-			if (access(".", 2) == 0)
+			if (checkwriteperm(file,".") == 0)
 				return(1);
 		} else {
 			if (cp == file) {
-				fd = access("/", 2);
+				fd = checkwriteperm(file,"/");
 			} else {
+				strcpy(path,file);
 				*cp = '\0';
-				fd = access(file, 2);
+				fd = checkwriteperm(path,file);
 				*cp = '/';
 			}
 			if (fd == 0)
@@ -615,6 +618,23 @@ error1:
 	return(-1);
 }
 
+static int
+checkwriteperm(file, directory)
+	char *file, *directory;
+{
+	struct	stat	stats;
+	if (access(directory, W_OK) == 0) {
+		stat(directory, &stats);
+		if (stats.st_mode & S_ISVTX) {
+			stat(file, &stats);
+			if(stats.st_uid == userid) {
+				return(0);
+			}
+		} else return(0);
+	}
+	return(-1);
+}
+
 /*
  * itoa - integer to string conversion
  */
-- 
cgit v1.1