Synopsis: at(1) allows local users to read arbitrary files
NetBSD versions: 1.0, 1.1, 1.2, 1.2.1, 1.3, 1.3.1, and 1.3.2.
Thanks to: Wolfgang Rupprecht and Matthew Green.
Reported in NetBSD Advisory: NetBSD-SA1998-004


Index: at.c
===================================================================
RCS file: /cvsroot/src/usr.bin/at/at.c,v
retrieving revision 1.7
retrieving revision 1.10
diff -c -r1.7 -r1.10
*** at.c        1997/10/18 12:23:37     1.7
--- at.c        1998/06/26 08:28:20     1.10
***************
*** 1,4 ****
! /*    $NetBSD: at.c,v 1.7 1997/10/18 12:23:37 lukem Exp $     */

 /*
  * at.c : Put file into atrun queue
--- 1,4 ----
! /*    $NetBSD: at.c,v 1.10 1998/06/26 08:28:20 mrg Exp $      */

 /*
  * at.c : Put file into atrun queue
***************
*** 64,77 ****

 /* File scope variables */
 #ifndef lint
! __RCSID("$NetBSD: at.c,v 1.7 1997/10/18 12:23:37 lukem Exp $");
 #endif

 char *no_export[] =
 {
       "TERM", "TERMCAP", "DISPLAY", "_"
 };
! static send_mail = 0;

 /* External variables */
 extern char **environ;
--- 64,77 ----

 /* File scope variables */
 #ifndef lint
! __RCSID("$NetBSD: at.c,v 1.10 1998/06/26 08:28:20 mrg Exp $");
 #endif

 char *no_export[] =
 {
       "TERM", "TERMCAP", "DISPLAY", "_"
 };
! static int send_mail = 0;

 /* External variables */
 extern char **environ;
***************
*** 249,261 ****
       PRIV_END

       /*
-        * We no longer need suid root; now we just need to be able to
-        * write to the directory, if necessary.
-        */
-
-           REDUCE_PRIV(effective_uid);
-
-       /*
        * We've successfully created the file; let's set the flag so it
        * gets removed in case of an interrupt or error.
        */
--- 249,254 ----
***************
*** 292,297 ****
--- 285,291 ----
               if (fpin == NULL)
                       perr("Cannot open input file");
       }
+
       fprintf(fp, "#! /bin/sh\n# mail %8s %d\n", mailname, send_mail);

       /* Write out the umask at the time of invocation */
***************
*** 361,369 ****
--- 355,368 ----
       /*
        * Set the x bit so that we're ready to start executing
        */
+
+       PRIV_START
+
       if (fchmod(fd2, S_IRUSR | S_IWUSR | S_IXUSR) < 0)
               perr("Cannot give away file");

+       PRIV_END
+
       close(fd2);
       fprintf(stderr, "Job %s will be executed using /bin/sh\n", ppos);
 }
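Review bot: The new `PRIV_START`/`PRIV_END` pair around `fchmod(fd2, ...)` carries no comment explaining why the mode change needs raised privileges; the comment above it still only mentions the x bit. This patch also drops the early `REDUCE_PRIV(effective_uid)` (hunk at old line 249), so a reader has to work out the privilege state at this point unaided. If that removal is the reason, I would add `/* Re-acquire privileges only for the fchmod; REDUCE_PRIV() is no longer called earlier, so we run with the invoking user's ids here. */` above `PRIV_START`. Separately, `perr("Cannot give away file")` sits inside the raised window, so whatever cleanup `perr` performs (defined outside this diff) runs before `PRIV_END`; it is worth confirming that is intended. The message text also describes a chown rather than a chmod failure. The enclosing function starts outside this hunk.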
***************
*** 388,394 ****

       PRIV_START

!           if (chdir(_PATH_ATJOBS) != 0)
               perr2("Cannot change to ", _PATH_ATJOBS);

       if ((spool = opendir(".")) == NULL)
--- 387,393 ----

       PRIV_START

!       if (chdir(_PATH_ATJOBS) != 0)
               perr2("Cannot change to ", _PATH_ATJOBS);

       if ((spool = opendir(".")) == NULL)
***************
*** 444,450 ****

       PRIV_START

!           if (chdir(_PATH_ATJOBS) != 0)
               perr2("Cannot change to ", _PATH_ATJOBS);

       for (i = optind; i < argc; i++) {
--- 443,449 ----

       PRIV_START

!       if (chdir(_PATH_ATJOBS) != 0)
               perr2("Cannot change to ", _PATH_ATJOBS);

       for (i = optind; i < argc; i++) {