Change userid when creating tracefiles rather than fiddling with

`access': it works rather better.  Also, insert some stdio buffer
flushing to ensure tracedumps are completely written.

diff --git a/src/become.c b/src/become.c
index 5af2c4f..00d4674 100644 (file)
--- a/src/become.c
+++ b/src/become.c
@@ -1,6 +1,6 @@
 /* -*-c-*-
  *
- * $Id: become.c,v 1.6 1997/09/05 13:47:44 mdw Exp $
+ * $Id: become.c,v 1.7 1997/09/08 13:43:20 mdw Exp $
  *
  * Main code for `become'
  *
@@ -29,7 +29,12 @@
 /*----- Revision history --------------------------------------------------*
  *
  * $Log: become.c,v $
- * Revision 1.6  1997/09/05 13:47:44  mdw
+ * Revision 1.7  1997/09/08 13:43:20  mdw
+ * Change userid when creating tracefiles rather than fiddling with
+ * `access': it works rather better.  Also, insert some stdio buffer
+ * flushing to ensure tracedumps are completely written.
+ *
+ * Revision 1.6  1997/09/05  13:47:44  mdw
  * Make the `-L' (trace-level) option's argument optional, like the long
  * version is.
  *
@@ -532,14 +537,29 @@ int main(int argc, char *argv[])
        if (optarg == 0 || strcmp(optarg, "-") == 0)
          fp = stdout;
        else {
-         if ((flags & f_setuid) && access(optarg, W_OK)) {
-           die("no write permission for trace file file `%s': %s",
-               optarg, strerror(errno));
+         uid_t eu = geteuid(), ru = getuid();
+
+#ifdef HAVE_SETREUID
+         if (setreuid(eu, ru))
+#else
+         if (seteuid(ru))
+#endif
+         {
+           die("couldn't temporarily give up privileges: %s",
+               strerror(errno));
          }
+
          if ((fp = fopen(optarg, "w")) == 0) {
            die("couldn't open trace file `%s' for writing: %s",
                optarg, strerror(errno));
          }
+
+#ifdef HAVE_SETREUID
+          if (setreuid(ru, eu))
+#else
+          if (seteuid(eu))
+#endif
+           die("couldn't regain privileges: %s", strerror(errno));
        }
        traceon(fp, TRACE_DFL);
        trace(TRACE_MISC, "become: tracing enabled");
@@ -833,15 +853,15 @@ done_options:
     static char *preserve[] = {
       "TERM", "DISPLAY", 0
     };
-    
+
     /* --- Variables to be expunged --- *
      *
-     * Any environment string which has one of the following as a prefix
-     * will be expunged from the environment passed to the called process.
-     * The first line lists variables which have been used to list search
-     * paths for shared libraries: by manipulating these, an attacker could
-     * replace a standard library with one of his own.  The second line lists
-     * other well-known dangerous environment variables.
+     * Any environment string which has one of the following as a prefix will
+     * be expunged from the environment passed to the called process.  The
+     * first line lists variables which have been used to list search paths
+     * for shared libraries: by manipulating these, an attacker could replace
+     * a standard library with one of his own.  The second line lists other
+     * well-known dangerous environment variables.
      */
 
     static char *banned[] = {
@@ -858,7 +878,7 @@ done_options:
     size_t sz;
     unsigned f;
     sym_iter i;
-      
+
     /* --- Stage one.  Preserve display-specific variables --- */
 
     for (pp = preserve; *pp; pp++) {
@@ -1034,7 +1054,7 @@ done_options:
       sprintf(rq.cmd, "%s/%s", p, todo[0]);
       if (stat(rq.cmd, &st) == 0 &&    /* Check it exists */
          st.st_mode & 0111 &&          /* Check it's executable */
-         (st.st_mode & S_IFMT) == S_IFREG) /* Check it's a file */
+         S_ISREG(st.st_mode))          /* Check it's a file */
        break;
     }
 
@@ -1156,6 +1176,7 @@ done_options:
   } else {
     if (setuid(rq.to) == -1)
       die("couldn't set uid: %s", strerror(errno));
+    fflush(0);
     execve(rq.cmd, todo, env);
     die("couldn't exec `%s': %s", rq.cmd, strerror(errno));
     return (127);