summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRyan Mallon2013-10-08 14:53:29 +0200
committerDenys Vlasenko2013-10-08 14:53:29 +0200
commit1d30b3f1f66a0cd179f47082245079ef357b6a66 (patch)
tree2a5eaf34ebb770e2d4d499338e6a4c82a22d3086
parent5906a5c26c392b9687d14951a6da3a5195b576be (diff)
downloadbusybox-1d30b3f1f66a0cd179f47082245079ef357b6a66.zip
busybox-1d30b3f1f66a0cd179f47082245079ef357b6a66.tar.gz
wall,crontab: use xopen_as_uid_gid()
This fixes a narrow security race in crontab. function old new delta xopen_as_uid_gid - 80 +80 seteuid - 64 +64 setegid - 64 +64 setreuid - 37 +37 xseteuid - 22 +22 xsetegid - 22 +22 crontab_main 590 577 -13 setfsuid 33 - -33 setfsgid 33 - -33 wall_main 138 102 -36 open_as_user 109 - -109 text data bss dec hex filename 893539 497 7568 901604 dc1e4 busybox_old 893618 497 7568 901683 dc233 busybox_unstripped Signed-off-by: Ryan Mallon <rmallon@gmail.com> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--miscutils/crontab.c27
-rw-r--r--miscutils/wall.c6
2 files changed, 2 insertions, 31 deletions
diff --git a/miscutils/crontab.c b/miscutils/crontab.c
index 4731d8d..aad242f 100644
--- a/miscutils/crontab.c
+++ b/miscutils/crontab.c
@@ -55,28 +55,6 @@ static void edit_file(const struct passwd *pas, const char *file)
bb_perror_msg_and_die("can't execute '%s'", ptr);
}
-static int open_as_user(const struct passwd *pas, const char *file)
-{
- pid_t pid;
- char c;
-
- pid = xvfork();
- if (pid) { /* PARENT */
- if (wait4pid(pid) == 0) {
- /* exitcode 0: child says it can read */
- return open(file, O_RDONLY);
- }
- return -1;
- }
-
- /* CHILD */
- /* initgroups, setgid, setuid */
- change_identity(pas);
- /* We just try to read one byte. If it works, file is readable
- * under this user. We signal that by exiting with 0. */
- _exit(safe_read(xopen(file, O_RDONLY), &c, 1) < 0);
-}
-
int crontab_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
int crontab_main(int argc UNUSED_PARAM, char **argv)
{
@@ -137,10 +115,7 @@ int crontab_main(int argc UNUSED_PARAM, char **argv)
if (!argv[0])
bb_show_usage();
if (NOT_LONE_DASH(argv[0])) {
- src_fd = open_as_user(pas, argv[0]);
- if (src_fd < 0)
- bb_error_msg_and_die("user %s cannot read %s",
- pas->pw_name, argv[0]);
+ src_fd = xopen_as_uid_gid(argv[0], O_RDONLY, pas->pw_uid, pas->pw_gid);
}
}
diff --git a/miscutils/wall.c b/miscutils/wall.c
index c74f4f2..bb709ee 100644
--- a/miscutils/wall.c
+++ b/miscutils/wall.c
@@ -41,11 +41,7 @@ int wall_main(int argc UNUSED_PARAM, char **argv)
/* The applet is setuid.
* Access to the file must be under user's uid/gid.
*/
- setfsuid(getuid());
- setfsgid(getgid());
- fd = xopen(argv[1], O_RDONLY);
- setfsuid(geteuid());
- setfsgid(getegid());
+ fd = xopen_as_uid_gid(argv[1], O_RDONLY, getuid(), getgid());
}
msg = xmalloc_read(fd, NULL);
if (ENABLE_FEATURE_CLEAN_UP && argv[1])