From c6885d5fb115915359f2af10dd1f83d7c7584ac2 Mon Sep 17 00:00:00 2001 From: mdw Date: Mon, 8 Sep 1997 13:43:20 +0000 Subject: [PATCH] Change userid when creating tracefiles rather than fiddling with `access': it works rather better. Also, insert some stdio buffer flushing to ensure tracedumps are completely written. --- src/become.c | 49 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/src/become.c b/src/become.c index 5af2c4f..00d4674 100644 --- a/src/become.c +++ b/src/become.c @@ -1,6 +1,6 @@ /* -*-c-*- * - * $Id: become.c,v 1.6 1997/09/05 13:47:44 mdw Exp $ + * $Id: become.c,v 1.7 1997/09/08 13:43:20 mdw Exp $ * * Main code for `become' * @@ -29,7 +29,12 @@ /*----- Revision history --------------------------------------------------* * * $Log: become.c,v $ - * Revision 1.6 1997/09/05 13:47:44 mdw + * Revision 1.7 1997/09/08 13:43:20 mdw + * Change userid when creating tracefiles rather than fiddling with + * `access': it works rather better. Also, insert some stdio buffer + * flushing to ensure tracedumps are completely written. + * + * Revision 1.6 1997/09/05 13:47:44 mdw * Make the `-L' (trace-level) option's argument optional, like the long * version is. * 
@@ -532,14 +537,29 @@ int main(int argc, char *argv[]) if (optarg == 0 || strcmp(optarg, "-") == 0) fp = stdout; else { - if ((flags & f_setuid) && access(optarg, W_OK)) { - die("no write permission for trace file file `%s': %s", - optarg, strerror(errno)); + uid_t eu = geteuid(), ru = getuid(); + +#ifdef HAVE_SETREUID + if (setreuid(eu, ru)) +#else + if (seteuid(ru)) +#endif + { + die("couldn't temporarily give up privileges: %s", + strerror(errno)); } + if ((fp = fopen(optarg, "w")) == 0) { die("couldn't open trace file `%s' for writing: %s", optarg, strerror(errno)); } + +#ifdef HAVE_SETREUID + if (setreuid(ru, eu)) +#else + if (seteuid(eu)) +#endif + die("couldn't regain privileges: %s", strerror(errno)); } traceon(fp, TRACE_DFL); trace(TRACE_MISC, "become: tracing enabled"); @@ -833,15 +853,15 @@ done_options: static char *preserve[] = { "TERM", "DISPLAY", 0 }; - + /* --- Variables to be expunged --- * * - * Any environment string which has one of the following as a prefix - * will be expunged from the environment passed to the called process. - * The first line lists variables which have been used to list search - * paths for shared libraries: by manipulating these, an attacker could - * replace a standard library with one of his own. The second line lists - * other well-known dangerous environment variables. + * Any environment string which has one of the following as a prefix will + * be expunged from the environment passed to the called process. The + * first line lists variables which have been used to list search paths + * for shared libraries: by manipulating these, an attacker could replace + * a standard library with one of his own. The second line lists other + * well-known dangerous environment variables. */ static char *banned[] = { @@ -858,7 +878,7 @@ done_options: size_t sz; unsigned f; sym_iter i; - + /* --- Stage one. Preserve display-specific variables --- */ for (pp = preserve; *pp; pp++) { 
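Review bot: The privilege switch around `fopen(optarg, "w")` covers only the user ID; the effective group ID and supplementary groups stay as they were, so if `become` is ever installed setgid (not visible from this hunk) the trace file is still opened with that group's authority. Saving `getegid()` and wrapping the open in a matching group switch would close that gap, e.g. `if (setegid(getgid())) die(...)` before the `fopen` and the reverse call after it. A short comment above the block would also help, such as `/* Open the trace file with the invoker's identity, so the permission decision is made at open time rather than by a separate access() check. */`. The two `if`s are braced differently (the first has a block, the "regain" one does not), which is easy to misread across the `#ifdef`. The enclosing `main` starts and ends outside the hunk.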
@@ -1034,7 +1054,7 @@ done_options: sprintf(rq.cmd, "%s/%s", p, todo[0]); if (stat(rq.cmd, &st) == 0 && /* Check it exists */ st.st_mode & 0111 && /* Check it's executable */ - (st.st_mode & S_IFMT) == S_IFREG) /* Check it's a file */ + S_ISREG(st.st_mode)) /* Check it's a file */ break; } @@ -1156,6 +1176,7 @@ done_options: } else { if (setuid(rq.to) == -1) die("couldn't set uid: %s", strerror(errno)); + fflush(0); execve(rq.cmd, todo, env); die("couldn't exec `%s': %s", rq.cmd, strerror(errno)); return (127); -- 2.11.0
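Review bot: The `sprintf(rq.cmd, "%s/%s", p, todo[0])` just above the changed `S_ISREG` line writes without a bound, and both pieces look caller-influenced (a search-path element and the command name), so unless their lengths are checked outside this hunk a long value could overrun `rq.cmd`. If `rq.cmd` is an array, a bounded form such as `n = snprintf(rq.cmd, sizeof(rq.cmd), "%s/%s", p, todo[0]);` with the candidate skipped when `n < 0 || (size_t)n >= sizeof(rq.cmd)` avoids that. The loop this sits in begins outside the hunk.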
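Review bot: The trace stream opened for `-L` looks as if it is still open when the `execve` in the `@@ -1156,6 +1176,7 @@` hunk runs (nothing visible closes it), so the command started as `rq.to` would inherit a writable descriptor to the invoker's trace file. Marking it close-on-exec where it is opened, `fcntl(fileno(fp), F_SETFD, FD_CLOEXEC)`, or closing the trace stream here instead of only flushing it, would keep it out of the new program; this does not apply when tracing goes to `stdout`. The `fflush(0)` result is also ignored, so a write error on the trace file passes silently. A comment such as `/* Flush all stdio buffers: a successful exec discards them */` would record why the call is there. The surrounding branch begins outside the hunk.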