[544] in linux-security and linux-alert archive
rxvt hole
daemon@ATHENA.MIT.EDU (Marc Ewing)
Tue Jan 2 21:52:31 1996
From: Marc Ewing <marc@redhat.com>
To: davem+@andrew.cmu.edu
Date: Tue, 2 Jan 1996 20:58:30 -0500 (EST)
Cc: linux-security@tarsier.cv.nrao.edu, bugtraq@crimelab.com,
nation@rocket.sanders.lockheed.com
OK, second attempt. This one should only retain privileges for the
utmp stuff and /dev/ttyp* stuff, which is all it should need, as far
as I can tell. If someone more knowlegeable than me gives this an
OK, I'll release new rpms.
Thanks,
Marc
--
--- rxvt/rxvt.h.marc Tue Jan 2 20:02:10 1996
+++ rxvt/rxvt.h Tue Jan 2 20:14:30 1996
@@ -21,3 +21,7 @@
extern void clean_exit(int);
extern void cleanutent(void);
extern void makeutent(char *);
+
+void save_privs(void);
+void get_privs(void);
+void release_privs(void);
--- rxvt/rxvt.c.marc Tue Jan 2 20:02:14 1996
+++ rxvt/rxvt.c Tue Jan 2 20:46:04 1996
@@ -45,6 +45,10 @@
int i;
char *shell;
char **com_argv;
+
+ /* Save then give up any suid/sgid privileges */
+ save_privs();
+ release_privs();
for (i = 0; i < argc; i++)
if (strcmp(argv[i],"-e") == 0)
--- rxvt/command.c.marc Tue Jan 2 20:09:00 1996
+++ rxvt/command.c Tue Jan 2 20:47:18 1996
@@ -222,6 +222,26 @@
}
#endif
+static uid_t saved_uid;
+static gid_t saved_gid;
+
+void save_privs()
+{
+ saved_uid = geteuid();
+ saved_gid = getegid();
+}
+
+void get_privs()
+{
+ seteuid(saved_uid);
+ seteuid(saved_gid);
+}
+
+void release_privs()
+{
+ seteuid(getuid());
+ setegid(getgid());
+}
/* Catch a SIGCHLD signal and exit if the direct child has died.
*/
@@ -348,8 +368,10 @@
gid = gr->gr_gid;
else
gid = -1;
+ get_privs();
fchown(ttyfd,uid,gid);
fchmod(ttyfd,0600);
+ release_privs();
#endif
#ifdef TIOCCONS
if (console)
--- rxvt/utmp.c.marc Tue Jan 2 20:19:35 1996
+++ rxvt/utmp.c Tue Jan 2 20:43:55 1996
@@ -71,9 +71,11 @@
extern char ttynam[];
extern struct stat ttyfd_stat;
+ get_privs();
chmod(ttynam,ttyfd_stat.st_mode);
chown(ttynam,ttyfd_stat.st_uid,ttyfd_stat.st_gid);
+ release_privs();
#endif
if(madeutent)
cleanutent();
@@ -228,12 +230,14 @@
FILE *ut;
struct utmp u;
+ get_privs();
if((ut = fopen(UTMP,"r+")) == NULL)
return;
fseek(ut,utmp_pos,0);
memset(&u,0,sizeof(u));
fwrite((char *)&u,sizeof(struct utmp),1,ut);
fclose(ut);
+ release_privs();
}
@@ -250,10 +254,12 @@
int write_utmp(struct utmp * u)
{
int pos;
+ get_privs();
utmpname(UTMP);
setutent();
pututline(u);
endutent();
+ release_privs();
pos = (int)NULL;
madeutent = 1;
return(pos);
@@ -306,6 +312,7 @@
int pid;
struct utmp *u;
+ get_privs();
utmpname(UTMP);
setutent();
pid = getpid();
@@ -333,6 +340,7 @@
endutent();
}
}
+ release_privs();
}
#endif /* BSD */
