Synopsis: dump exposes 'tty' group
NetBSD versions: 1.5, 1.5.1
Thanks to: John Hawkinson
Reported in NetBSD Security Advisory: NetBSD-SA2001-014

Index: main.c
===================================================================
RCS file: /cvsroot/basesrc/sbin/dump/main.c,v
retrieving revision 1.25.6.3
retrieving revision 1.25.6.4
diff -c -p -r1.25.6.3 -r1.25.6.4
*** main.c      2001/05/15 21:55:58     1.25.6.3
--- main.c      2001/08/08 18:13:22     1.25.6.4
*************** __RCSID("$NetBSD: main.c,v 1.25.6.3 2001
*** 80,85 ****
--- 80,86 ----
 #include "dump.h"
 #include "pathnames.h"

+ gid_t egid;                   /* Retain tty privs for notification */
 int   notify = 0;             /* notify operator flag */
 int   blockswritten = 0;      /* number of blocks written on current tape */
 int   tapeno = 0;             /* current tape number */
*************** main(argc, argv)
*** 118,123 ****
--- 119,128 ----

       spcl.c_date = 0;
       (void)time((time_t *)&spcl.c_date);
+
+       /* Save setgid bit for use later */
+       egid = getegid();
+       setegid(getgid());

       tsize = 0;      /* Default later, based on 'c' option for cart tapes */
       if ((tape = getenv("TAPE")) == NULL)
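Review bot: The added `setegid(getgid());` ignores its return value, so if the call fails dump carries on with the 'tty' effective group it was meant to shed, and the `TAPE` lookup and everything after it run with that group. Check the call and stop on failure, e.g. `if (setegid(getgid()) == -1) err(1, "setegid");` if `<err.h>` is in scope, or through the file's own fatal-exit path. The same applies to the three `setegid()` calls added to broadcast() in optr.c. The comment would be more accurate as `/* Save the setgid effective group and drop it until broadcast() needs it */`, since what is saved is the effective gid rather than a mode bit. main() continues outside the hunk.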
Index: optr.c
===================================================================
RCS file: /cvsroot/basesrc/sbin/dump/optr.c,v
retrieving revision 1.13.10.1
retrieving revision 1.13.10.2
diff -c -p -r1.13.10.1 -r1.13.10.2
*** optr.c      2000/10/18 00:39:44     1.13.10.1
--- optr.c      2001/08/08 18:13:18     1.13.10.2
*************** void    alarmcatch __P((int));
*** 73,78 ****
--- 73,79 ----
 struct fstab *allocfsent __P((struct fstab *fs));
 int   datesort __P((const void *, const void *));
 static        void sendmes __P((char *, char *));
+ extern  gid_t egid;

 /*
  *    Query the operator; This previously-fascist piece of code
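Review bot: `extern gid_t egid;` is declared privately in optr.c, so nothing ties it to the definition in main.c, and a later change of type or name in one file would not be caught by the compiler. Put the declaration in dump.h, which main.c already includes, as `extern gid_t egid; /* saved setgid effective group, set in main() */`, assuming optr.c includes dump.h as well (its include list is outside the hunk).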
*************** broadcast(message)
*** 225,236 ****
--- 226,241 ----
       if (!notify || gp == NULL)
               return;

+       /* Restore 'tty' privs for the child's use only. */
+       setegid(egid);
       switch (pid = fork()) {
       case -1:
+               setegid(getgid());
               return;
       case 0:
               break;
       default:
+               setegid(getgid());
               while (wait(&s) != pid)
                       continue;
               return;
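Review bot: `setegid(egid)` runs before `fork()`, so the long-lived parent briefly regains the 'tty' group and then depends on `setegid(getgid())` succeeding in both the `case -1` and `default` arms to lose it again. The saved set-group-ID is inherited across fork(), so the raise can be done in the child alone: drop the three parent-side calls and make the child arm `case 0: if (setegid(egid) == -1) _exit(1); break;` (or however the child normally bails out). That matches the comment's "for the child's use only" and leaves no path on which the parent keeps the group. broadcast() starts and ends outside the hunk, so what the child does with the group afterwards is not visible here.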