From 1d1d4a4727577afb8709b756a78e0ab9ee43e9e6 Mon Sep 17 00:00:00 2001 From: Eitan Adler Date: Mon, 22 Oct 2012 03:31:22 +0000 Subject: [PATCH] Check the return error of set[ug]id. While this can never fail in the current version of FreeBSD, this isn't guarenteed by the API. Custom security modules, or future implementations of the setuid and setgid may fail. PR: bin/172289 PR: bin/172290 PR: bin/172291 Submittud by: Erik Cederstrand Discussed by: freebsd-security Approved by: cperciva MFC after: 1 week --- sbin/ping/ping.c | 3 +- sbin/ping6/ping6.c | 6 ++- usr.bin/at/privs.h | 20 ++++---- usr.sbin/lpr/common_source/common.c | 25 +++++----- usr.sbin/lpr/common_source/displayq.c | 41 ++++++++-------- usr.sbin/lpr/common_source/lp.h | 11 +++++ usr.sbin/lpr/common_source/net.c | 37 +++++++-------- usr.sbin/lpr/common_source/rmjob.c | 25 +++++----- usr.sbin/lpr/common_source/startdaemon.c | 4 +- usr.sbin/lpr/lpc/cmds.c | 59 ++++++++++++------------ usr.sbin/lpr/lpc/lpc.c | 6 +-- usr.sbin/lpr/lpc/movejobs.c | 5 +- usr.sbin/lpr/lpd/printjob.c | 3 +- usr.sbin/lpr/lpq/lpq.c | 2 +- usr.sbin/lpr/lpr/lpr.c | 34 +++++++------- usr.sbin/lpr/lprm/lprm.c | 3 +- 16 files changed, 153 insertions(+), 131 deletions(-) diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index f8f62d1f8646..85d03483a5a3 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -255,7 +255,8 @@ main(int argc, char *const *argv) s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); sockerrno = errno; - setuid(getuid()); + if (setuid(getuid()) != 0) + err(EX_NOPERM, "setuid() failed"); uid = getuid(); alarmtimeout = df = preload = tos = 0; diff --git a/sbin/ping6/ping6.c b/sbin/ping6/ping6.c index 711561ebb9ac..8c3e16bbdaa0 100644 --- a/sbin/ping6/ping6.c +++ b/sbin/ping6/ping6.c @@ -702,8 +702,10 @@ main(int argc, char *argv[]) } /* revoke root privilege */ - seteuid(getuid()); - setuid(getuid()); + if (seteuid(getuid()) != 0) + err(1, "seteuid() failed"); + if (setuid(getuid()) != 0) + err(1, "setuid() failed"); if ((options & F_FLOOD) && (options & F_INTERVAL)) errx(1, "-f and -i incompatible options"); diff --git a/usr.bin/at/privs.h b/usr.bin/at/privs.h index 3f70ce84e18d..297c2529ac47 100644 --- a/usr.bin/at/privs.h +++ b/usr.bin/at/privs.h @@ -72,8 +72,8 @@ gid_t real_gid, effective_gid; effective_uid = geteuid(); \ real_gid = getgid(); \ effective_gid = getegid(); \ - seteuid(real_uid); \ - setegid(real_gid); \ + if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \ + if (setegid(real_gid) != 0) err(1, "setegid failed"); \ } #define RELINQUISH_PRIVS_ROOT(a, b) { \ @@ -81,26 +81,26 @@ gid_t real_gid, effective_gid; effective_uid = geteuid(); \ real_gid = (b); \ effective_gid = getegid(); \ - setegid(real_gid); \ - seteuid(real_uid); \ + if (setegid(real_gid) != 0) err(1, "setegid failed"); \ + if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \ } #define PRIV_START { \ - seteuid(effective_uid); \ - setegid(effective_gid); \ + if (seteuid(effective_uid) != 0) err(1, "seteuid failed"); \ + if (setegid(effective_gid) != 0) err(1, "setegid failed"); \ } #define PRIV_END { \ - setegid(real_gid); \ - seteuid(real_uid); \ + if (setegid(real_gid) != 0) err(1, "setegid failed"); \ + if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \ } #define REDUCE_PRIV(a, b) { \ PRIV_START \ effective_uid = (a); \ effective_gid = (b); \ - setreuid((uid_t)-1, effective_uid); \ - setregid((gid_t)-1, effective_gid); \ + if (setreuid((uid_t)-1, effective_uid) != 0) err(1, "setreuid failed"); \ + if (setregid((gid_t)-1, effective_gid) != 0) err(1, "setregid failed"); \ PRIV_END \ } #endif diff --git a/usr.sbin/lpr/common_source/common.c b/usr.sbin/lpr/common_source/common.c index c9c276d8c559..ce4a62dc70e3 100644 --- a/usr.sbin/lpr/common_source/common.c +++ b/usr.sbin/lpr/common_source/common.c @@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -125,14 +126,14 @@ getq(const struct printer *pp, struct jobqueue *(*namelist[])) DIR *dirp; int statres; - seteuid(euid); + PRIV_START if ((dirp = opendir(pp->spool_dir)) == NULL) { - seteuid(uid); + PRIV_END return (-1); } if (fstat(dirfd(dirp), &stbuf) < 0) goto errdone; - seteuid(uid); + PRIV_END /* * Estimate the array size by taking the size of the directory file @@ -149,9 +150,9 @@ getq(const struct printer *pp, struct jobqueue *(*namelist[])) while ((d = readdir(dirp)) != NULL) { if (d->d_name[0] != 'c' || d->d_name[1] != 'f') continue; /* daemon control files only */ - seteuid(euid); + PRIV_START statres = stat(d->d_name, &stbuf); - seteuid(uid); + PRIV_END if (statres < 0) continue; /* Doesn't exist */ entrysz = sizeof(struct jobqueue) - sizeof(q->job_cfname) + @@ -184,7 +185,7 @@ getq(const struct printer *pp, struct jobqueue *(*namelist[])) errdone: closedir(dirp); - seteuid(uid); + PRIV_END return (-1); } @@ -340,10 +341,10 @@ set_qstate(int action, const char *lfname) * Find what the current access-bits are. */ memset(&stbuf, 0, sizeof(stbuf)); - seteuid(euid); + PRIV_START statres = stat(lfname, &stbuf); errsav = errno; - seteuid(uid); + PRIV_END if ((statres < 0) && (errsav != ENOENT)) { printf("\tcannot stat() lock file\n"); return (SQS_STATFAIL); @@ -402,10 +403,10 @@ set_qstate(int action, const char *lfname) res = 0; if (statres >= 0) { /* The file already exists, so change the access. */ - seteuid(euid); + PRIV_START chres = chmod(lfname, chgbits); errsav = errno; - seteuid(uid); + PRIV_END res = SQS_CHGOK; if (chres < 0) res = SQS_CHGFAIL; @@ -424,10 +425,10 @@ set_qstate(int action, const char *lfname) * all the read/write bits are set as desired. */ oldmask = umask(S_IWOTH); - seteuid(euid); + PRIV_START fd = open(lfname, O_WRONLY|O_CREAT, newbits); errsav = errno; - seteuid(uid); + PRIV_END umask(oldmask); res = SQS_CREFAIL; if (fd >= 0) { diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c index 061b3709d5bb..b4bd7ce40e44 100644 --- a/usr.sbin/lpr/common_source/displayq.c +++ b/usr.sbin/lpr/common_source/displayq.c @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -90,7 +91,7 @@ static const char *head1 = "Total Size\n"; static void alarmhandler(int _signo); static void filtered_write(char *_obuffer, int _wlen, FILE *_wstream); -static void warn(const struct printer *_pp); +static void daemonwarn(const struct printer *_pp); /* * Display the current state of the queue. Format = 1 if long format. @@ -119,24 +120,24 @@ displayq(struct printer *pp, int format) * Print out local queue * Find all the control files in the spooling directory */ - seteuid(euid); + PRIV_START if (chdir(pp->spool_dir) < 0) fatal(pp, "cannot chdir to spooling directory: %s", strerror(errno)); - seteuid(uid); + PRIV_END if ((nitems = getq(pp, &queue)) < 0) fatal(pp, "cannot examine spooling area\n"); - seteuid(euid); + PRIV_START ret = stat(pp->lock_file, &statb); - seteuid(uid); + PRIV_END if (ret >= 0) { if (statb.st_mode & LFM_PRINT_DIS) { if (pp->remote) printf("%s: ", local_host); printf("Warning: %s is down: ", pp->printer); - seteuid(euid); + PRIV_START fd = open(pp->status_file, O_RDONLY|O_SHLOCK); - seteuid(uid); + PRIV_END if (fd >= 0) { while ((i = read(fd, line, sizeof(line))) > 0) (void) fwrite(line, 1, i, stdout); @@ -153,11 +154,11 @@ displayq(struct printer *pp, int format) } if (nitems) { - seteuid(euid); + PRIV_START fp = fopen(pp->lock_file, "r"); - seteuid(uid); + PRIV_END if (fp == NULL) - warn(pp); + daemonwarn(pp); else { /* get daemon pid */ cp = current; @@ -171,12 +172,12 @@ displayq(struct printer *pp, int format) if (i <= 0) { ret = -1; } else { - seteuid(euid); + PRIV_START ret = kill(i, 0); - seteuid(uid); + PRIV_END } if (ret < 0) { - warn(pp); + daemonwarn(pp); } else { /* read current file name */ cp = current; @@ -191,9 +192,9 @@ displayq(struct printer *pp, int format) */ if (pp->remote) printf("%s: ", local_host); - seteuid(euid); + PRIV_START fd = open(pp->status_file, O_RDONLY|O_SHLOCK); - seteuid(uid); + PRIV_END if (fd >= 0) { while ((i = read(fd, line, sizeof(line))) > 0) @@ -360,7 +361,7 @@ filtered_write(char *wbuffer, int wlen, FILE *wstream) * Print a warning message if there is no daemon present. */ static void -warn(const struct printer *pp) +daemonwarn(const struct printer *pp) { if (pp->remote) printf("%s: ", local_host); @@ -391,10 +392,10 @@ inform(const struct printer *pp, char *cf) * There's a chance the control file has gone away * in the meantime; if this is the case just keep going */ - seteuid(euid); + PRIV_START if ((cfp = fopen(cf, "r")) == NULL) return; - seteuid(uid); + PRIV_END if (rank < 0) rank = 0; @@ -578,10 +579,10 @@ dump(const char *nfile, const char *datafile, int copies) } first = 0; - seteuid(euid); + PRIV_START if (*datafile && !stat(datafile, &lbuf)) totsize += copies * lbuf.st_size; - seteuid(uid); + PRIV_END } /* diff --git a/usr.sbin/lpr/common_source/lp.h b/usr.sbin/lpr/common_source/lp.h index b7ebff6476fa..ab7ce2ecd6e0 100644 --- a/usr.sbin/lpr/common_source/lp.h +++ b/usr.sbin/lpr/common_source/lp.h @@ -249,6 +249,17 @@ typedef enum { TR_SENDING, TR_RECVING, TR_PRINTING } tr_sendrecv; #define CMD_SHOWQ_LONG '\4' #define CMD_RMJOB '\5' +/* + * seteuid() macros. +*/ +#define PRIV_START { \ + if (seteuid(uid) != 0) err(1, "seteuid failed"); \ +} +#define PRIV_END { \ + if (seteuid(euid) != 0) err(1, "seteuid failed"); \ +} + + #include "lp.cdefs.h" /* A cross-platform version of */ __BEGIN_DECLS diff --git a/usr.sbin/lpr/common_source/net.c b/usr.sbin/lpr/common_source/net.c index 2a1e0c80a5df..0ac816a2d6dd 100644 --- a/usr.sbin/lpr/common_source/net.c +++ b/usr.sbin/lpr/common_source/net.c @@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$"); #include #include /* required for lp.h, not used here */ +#include #include #include #include @@ -91,7 +92,7 @@ getport(const struct printer *pp, const char *rhost, int rport) { struct addrinfo hints, *res, *ai; int s, timo = 1, lport = IPPORT_RESERVED - 1; - int err, refused = 0; + int error, refused = 0; /* * Get the host address and port number to connect to. @@ -102,10 +103,10 @@ getport(const struct printer *pp, const char *rhost, int rport) hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = 0; - err = getaddrinfo(rhost, (rport == 0 ? "printer" : NULL), + error = getaddrinfo(rhost, (rport == 0 ? "printer" : NULL), &hints, &res); - if (err) - fatal(pp, "%s\n", gai_strerror(err)); + if (error) + fatal(pp, "%s\n", gai_strerror(error)); if (rport != 0) ((struct sockaddr_in *) res->ai_addr)->sin_port = htons(rport); @@ -114,9 +115,9 @@ getport(const struct printer *pp, const char *rhost, int rport) */ ai = res; retry: - seteuid(euid); + PRIV_START s = rresvport_af(&lport, ai->ai_family); - seteuid(uid); + PRIV_END if (s < 0) { if (errno != EAGAIN) { if (ai->ai_next) { @@ -135,9 +136,9 @@ getport(const struct printer *pp, const char *rhost, int rport) return(-1); } if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0) { - err = errno; + error = errno; (void) close(s); - errno = err; + errno = error; /* * This used to decrement lport, but the current semantics * of rresvport do not provide such a function (in fact, @@ -184,8 +185,8 @@ checkremote(struct printer *pp) { char lclhost[MAXHOSTNAMELEN]; struct addrinfo hints, *local_res, *remote_res, *lr, *rr; - char *err; - int ncommonaddrs, error; + char *error; + int ncommonaddrs, errno; char h1[NI_MAXHOST], h2[NI_MAXHOST]; if (!pp->rp_matches_local) { /* Remote printer doesn't match local */ @@ -205,11 +206,11 @@ checkremote(struct printer *pp) hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; - if ((error = getaddrinfo(lclhost, NULL, &hints, &local_res)) != 0) { - asprintf(&err, "unable to get official name " + if ((errno = getaddrinfo(lclhost, NULL, &hints, &local_res)) != 0) { + asprintf(&error, "unable to get official name " "for local machine %s: %s", - lclhost, gai_strerror(error)); - return err; + lclhost, gai_strerror(errno)); + return error; } /* get the official name of RM */ @@ -217,13 +218,13 @@ checkremote(struct printer *pp) hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; - if ((error = getaddrinfo(pp->remote_host, NULL, + if ((errno = getaddrinfo(pp->remote_host, NULL, &hints, &remote_res)) != 0) { - asprintf(&err, "unable to get address list for " + asprintf(&error, "unable to get address list for " "remote machine %s: %s", - pp->remote_host, gai_strerror(error)); + pp->remote_host, gai_strerror(errno)); freeaddrinfo(local_res); - return err; + return error; } ncommonaddrs = 0; diff --git a/usr.sbin/lpr/common_source/rmjob.c b/usr.sbin/lpr/common_source/rmjob.c index 912a48ff70d3..d0327a232251 100644 --- a/usr.sbin/lpr/common_source/rmjob.c +++ b/usr.sbin/lpr/common_source/rmjob.c @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -110,12 +111,12 @@ rmjob(const char *printer) person = root; } - seteuid(euid); + PRIV_START if (chdir(pp->spool_dir) < 0) fatal(pp, "cannot chdir to spool directory"); if ((nitems = scandir(".", &files, iscf, NULL)) < 0) fatal(pp, "cannot access spool directory"); - seteuid(uid); + PRIV_END if (nitems) { /* @@ -124,9 +125,9 @@ rmjob(const char *printer) * (after which we have to restart the daemon). */ if (lockchk(pp, pp->lock_file) && chk(current)) { - seteuid(euid); + PRIV_START assassinated = kill(cur_daemon, SIGINT) == 0; - seteuid(uid); + PRIV_END if (!assassinated) fatal(pp, "cannot kill printer daemon"); } @@ -156,14 +157,14 @@ lockchk(struct printer *pp, char *slockf) register FILE *fp; register int i, n; - seteuid(euid); + PRIV_START if ((fp = fopen(slockf, "r")) == NULL) { if (errno == EACCES) fatal(pp, "%s: %s", slockf, strerror(errno)); else return(0); } - seteuid(uid); + PRIV_END if (!getline(fp)) { (void) fclose(fp); return(0); /* no daemon present */ @@ -195,10 +196,10 @@ process(const struct printer *pp, char *file) if (!chk(file)) return; - seteuid(euid); + PRIV_START if ((cfp = fopen(file, "r")) == NULL) fatal(pp, "cannot open %s", file); - seteuid(uid); + PRIV_END while (getline(cfp)) { switch (line[0]) { case 'U': /* unlink associated files */ @@ -218,9 +219,9 @@ do_unlink(char *file) if (from_host != local_host) printf("%s: ", local_host); - seteuid(euid); + PRIV_START ret = unlink(file); - seteuid(uid); + PRIV_END printf(ret ? "cannot dequeue %s\n" : "%s dequeued\n", file); } @@ -248,10 +249,10 @@ chk(char *file) /* * get the owner's name from the control file. */ - seteuid(euid); + PRIV_START if ((cfp = fopen(file, "r")) == NULL) return(0); - seteuid(uid); + PRIV_END while (getline(cfp)) { if (line[0] == 'P') break; diff --git a/usr.sbin/lpr/common_source/startdaemon.c b/usr.sbin/lpr/common_source/startdaemon.c index b175d7996189..a1398bb587f5 100644 --- a/usr.sbin/lpr/common_source/startdaemon.c +++ b/usr.sbin/lpr/common_source/startdaemon.c @@ -74,9 +74,9 @@ startdaemon(const struct printer *pp) #ifndef SUN_LEN #define SUN_LEN(unp) (strlen((unp)->sun_path) + 2) #endif - seteuid(euid); + PRIV_START connectres = connect(s, (struct sockaddr *)&un, SUN_LEN(&un)); - seteuid(uid); + PRIV_END if (connectres < 0) { warn("Unable to connect to %s", _PATH_SOCKETNAME); warnx("Check to see if the master 'lpd' process is running."); diff --git a/usr.sbin/lpr/lpc/cmds.c b/usr.sbin/lpr/lpc/cmds.c index 44516d8305fc..f960f7c315a6 100644 --- a/usr.sbin/lpr/lpc/cmds.c +++ b/usr.sbin/lpr/lpc/cmds.c @@ -54,6 +54,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -288,10 +289,10 @@ kill_qtask(const char *lf) pid_t pid; int errsav, killres, lockres, res; - seteuid(euid); + PRIV_START fp = fopen(lf, "r"); errsav = errno; - seteuid(uid); + PRIV_END res = KQT_NODAEMON; if (fp == NULL) { /* @@ -329,10 +330,10 @@ kill_qtask(const char *lf) goto killdone; } - seteuid(uid); + PRIV_END killres = kill(pid, SIGTERM); errsav = errno; - seteuid(uid); + PRIV_END if (killres == 0) { res = KQT_KILLOK; printf("\tdaemon (pid %d) killed\n", pid); @@ -376,9 +377,9 @@ upstat(struct printer *pp, const char *msg, int notifyuser) status_file_name(pp, statfile, sizeof statfile); umask(0); - seteuid(euid); + PRIV_START fd = open(statfile, O_WRONLY|O_CREAT|O_EXLOCK, STAT_FILE_MODE); - seteuid(uid); + PRIV_END if (fd < 0) { printf("\tcannot create status file: %s\n", strerror(errno)); return; @@ -683,9 +684,9 @@ clean_q(struct printer *pp) linerem = sizeof(line) - (lp - line); cln_foundcore = 0; - seteuid(euid); + PRIV_START nitems = scandir(pp->spool_dir, &queue, doselect, sortq); - seteuid(uid); + PRIV_END if (nitems < 0) { if (!didhead) { printf("%s:\n", pp->printer); @@ -795,9 +796,9 @@ unlinkf(char *name) * that case, we need to check the last-mod time of the symlink, and * not the file that the symlink is pointed at. */ - seteuid(euid); + PRIV_START res = lstat(name, &stbuf); - seteuid(uid); + PRIV_END if (res < 0) { printf("\terror return from stat(%s):\n", name); printf("\t %s\n", strerror(errno)); @@ -819,9 +820,9 @@ unlinkf(char *name) * symlink before unlink-ing the file itself */ if (S_ISLNK(stbuf.st_mode)) { - seteuid(euid); + PRIV_START res = readlink(name, linkbuf, sizeof(linkbuf)); - seteuid(uid); + PRIV_END if (res < 0) { printf("\terror return from readlink(%s):\n", name); printf("\t %s\n", strerror(errno)); @@ -841,9 +842,9 @@ unlinkf(char *name) printf("\t (which is a symlink to %s)\n", linkbuf); } } else { - seteuid(euid); + PRIV_START res = unlink(name); - seteuid(uid); + PRIV_END if (res < 0) printf("\tcannot remove %s (!)\n", name); else @@ -983,9 +984,9 @@ restart_q(struct printer *pp) /* make sure the queue is set to print jobs */ setres = set_qstate(SQS_STARTP, lf); - seteuid(euid); + PRIV_START startok = startdaemon(pp); - seteuid(uid); + PRIV_END if (!startok) printf("\tcouldn't restart daemon\n"); else @@ -1049,14 +1050,14 @@ start_q(struct printer *pp) setres = set_qstate(SQS_STARTP, lf); - seteuid(euid); + PRIV_START startok = startdaemon(pp); - seteuid(uid); + PRIV_END if (!startok) printf("\tcouldn't start daemon\n"); else printf("\tdaemon started\n"); - seteuid(uid); + PRIV_END } /* @@ -1178,12 +1179,12 @@ topq(int argc, char *argv[]) } printf("%s:\n", pp->printer); - seteuid(euid); + PRIV_START if (chdir(pp->spool_dir) < 0) { printf("\tcannot chdir to %s\n", pp->spool_dir); goto out; } - seteuid(uid); + PRIV_END nitems = getq(pp, &queue); if (nitems == 0) return; @@ -1207,12 +1208,12 @@ topq(int argc, char *argv[]) * Turn on the public execute bit of the lock file to * get lpd to rebuild the queue after the current job. */ - seteuid(euid); + PRIV_START if (changed && stat(pp->lock_file, &stbuf) >= 0) (void) chmod(pp->lock_file, stbuf.st_mode | LFM_RESET_QUE); out: - seteuid(uid); + PRIV_END } /* @@ -1227,9 +1228,9 @@ touch(struct jobqueue *jq) tvp[0].tv_sec = tvp[1].tv_sec = --mtime; tvp[0].tv_usec = tvp[1].tv_usec = 0; - seteuid(euid); + PRIV_START ret = utimes(jq->job_cfname, tvp); - seteuid(uid); + PRIV_END return (ret); } @@ -1286,9 +1287,9 @@ doarg(char *job) * Process item consisting of owner's name (example: henry). */ for (qq = queue + nitems; --qq >= queue; ) { - seteuid(euid); + PRIV_START fp = fopen((*qq)->job_cfname, "r"); - seteuid(uid); + PRIV_END if (fp == NULL) continue; while (getline(fp) > 0) @@ -1319,9 +1320,9 @@ up_q(struct printer *pp) setres = set_qstate(SQS_ENABLEQ+SQS_STARTP, lf); - seteuid(euid); + PRIV_START startok = startdaemon(pp); - seteuid(uid); + PRIV_END if (!startok) printf("\tcouldn't start daemon\n"); else diff --git a/usr.sbin/lpr/lpc/lpc.c b/usr.sbin/lpr/lpc/lpc.c index f9fb920dd540..cc58bd983841 100644 --- a/usr.sbin/lpr/lpc/lpc.c +++ b/usr.sbin/lpr/lpc/lpc.c @@ -93,7 +93,7 @@ main(int argc, char *argv[]) euid = geteuid(); uid = getuid(); - seteuid(uid); + PRIV_END progname = argv[0]; openlog("lpd", 0, LOG_LPR); @@ -405,9 +405,9 @@ setup_myprinter(char *pwanted, struct printer *pp, int sump_opts) printf("%s:\n", pp->printer); if (sump_opts & SUMP_CHDIR_SD) { - seteuid(euid); + PRIV_START cdres = chdir(pp->spool_dir); - seteuid(uid); + PRIV_END if (cdres < 0) { printf("\tcannot chdir to %s\n", pp->spool_dir); free_printer(pp); diff --git a/usr.sbin/lpr/lpc/movejobs.c b/usr.sbin/lpr/lpc/movejobs.c index 60c9b38d5708..c3496011aef3 100644 --- a/usr.sbin/lpr/lpc/movejobs.c +++ b/usr.sbin/lpr/lpc/movejobs.c @@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$"); #include #include /* just for MAXNAMLEN, for job_cfname in lp.h! */ +#include #include #include #include @@ -147,9 +148,9 @@ touch_jqe(void *myinfo, struct jobqueue *jq, struct jobspec *jspec) touch_info = myinfo; tvp[0].tv_sec = tvp[1].tv_sec = ++touch_info->newtime; tvp[0].tv_usec = tvp[1].tv_usec = 0; - seteuid(euid); + PRIV_START ret = utimes(jq->job_cfname, tvp); - seteuid(uid); + PRIV_END if (ret == 0) { if (jspec->matcheduser) diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c index 61300547fd44..9771498acb3d 100644 --- a/usr.sbin/lpr/lpd/printjob.c +++ b/usr.sbin/lpr/lpd/printjob.c @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -173,7 +174,7 @@ printjob(struct printer *pp) pp->log_file); (void) open(_PATH_DEVNULL, O_WRONLY); } - setgid(getegid()); + if(setgid(getegid()) != 0) err(1, "setgid() failed"); printpid = getpid(); /* for use with lprm */ setpgrp(0, printpid); diff --git a/usr.sbin/lpr/lpq/lpq.c b/usr.sbin/lpr/lpq/lpq.c index 33082e575c52..f39c81bc117c 100644 --- a/usr.sbin/lpr/lpq/lpq.c +++ b/usr.sbin/lpr/lpq/lpq.c @@ -88,7 +88,7 @@ main(int argc, char **argv) printer = NULL; euid = geteuid(); uid = getuid(); - seteuid(uid); + PRIV_END progname = *argv; if (gethostname(local_host, sizeof(local_host))) err(1, "gethostname"); diff --git a/usr.sbin/lpr/lpr/lpr.c b/usr.sbin/lpr/lpr/lpr.c index af7c807a1e08..394ccb063242 100644 --- a/usr.sbin/lpr/lpr/lpr.c +++ b/usr.sbin/lpr/lpr/lpr.c @@ -145,7 +145,7 @@ main(int argc, char *argv[]) printer = NULL; euid = geteuid(); uid = getuid(); - seteuid(uid); + PRIV_END if (signal(SIGHUP, SIG_IGN) != SIG_IGN) signal(SIGHUP, cleanup); if (signal(SIGINT, SIG_IGN) != SIG_IGN) @@ -326,10 +326,10 @@ main(int argc, char *argv[]) */ mktemps(pp); tfd = nfile(tfname); - seteuid(euid); + PRIV_START (void) fchown(tfd, pp->daemon_user, -1); /* owned by daemon for protection */ - seteuid(uid); + PRIV_END card('H', local_host); card('P', lpr_username); card('C', class); @@ -415,7 +415,7 @@ main(int argc, char *argv[]) * can be very significant when running services like * samba, pcnfs, CAP, et al. */ - seteuid(euid); + PRIV_START didlink = 0; /* * There are several things to check to avoid any @@ -453,11 +453,11 @@ main(int argc, char *argv[]) * safe. Otherwise, abandon the move and fall back * to the (usual) copy method. */ - seteuid(uid); + PRIV_END ret = access(dfname, R_OK); if (ret == 0) ret = unlink(arg); - seteuid(euid); + PRIV_START if (ret != 0) goto nohardlink; /* @@ -467,7 +467,7 @@ main(int argc, char *argv[]) */ chown(dfname, pp->daemon_user, getegid()); chmod(dfname, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - seteuid(uid); + PRIV_END if (format == 'p') card('T', title ? title : arg); for (i = 0; i < ncopies; i++) @@ -479,7 +479,7 @@ main(int argc, char *argv[]) nohardlink: if (didlink) unlink(dfname); - seteuid(uid); /* restore old uid */ + PRIV_END /* restore old uid */ } /* end: if (f) */ if ((i = open(arg, O_RDONLY)) < 0) { @@ -498,7 +498,7 @@ main(int argc, char *argv[]) /* * Touch the control file to fix position in the queue. */ - seteuid(euid); + PRIV_START if ((tfd = open(tfname, O_RDWR)) >= 0) { char touch_c; @@ -518,7 +518,7 @@ main(int argc, char *argv[]) cleanup(0); } unlink(tfname); - seteuid(uid); + PRIV_END if (qflag) /* just q things up */ exit(0); if (!startdaemon(pp)) @@ -604,9 +604,9 @@ linked(const char *file) strncat(buf, file, sizeof(buf) - strlen(buf) - 1); file = buf; } - seteuid(euid); + PRIV_START ret = symlink(file, dfname); - seteuid(uid); + PRIV_END return(ret ? NULL : file); } @@ -638,7 +638,7 @@ nfile(char *n) register int f; int oldumask = umask(0); /* should block signals */ - seteuid(euid); + PRIV_START f = open(n, O_WRONLY | O_EXCL | O_CREAT, FILMOD); (void) umask(oldumask); if (f < 0) { @@ -649,7 +649,7 @@ nfile(char *n) printf("%s: cannot chown %s\n", progname, n); cleanup(0); /* cleanup does exit */ } - seteuid(uid); + PRIV_END if (++n[inchar] > 'z') { if (++n[inchar-2] == 't') { printf("too many files - break up the job\n"); @@ -674,7 +674,7 @@ cleanup(int signo __unused) signal(SIGQUIT, SIG_IGN); signal(SIGTERM, SIG_IGN); i = inchar; - seteuid(euid); + PRIV_START if (tfname) do unlink(tfname); @@ -846,7 +846,7 @@ mktemps(const struct printer *pp) char buf[BUFSIZ]; (void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir); - seteuid(euid); + PRIV_START if ((fd = open(buf, O_RDWR|O_CREAT, 0664)) < 0) { printf("%s: cannot create %s\n", progname, buf); exit(1); @@ -855,7 +855,7 @@ mktemps(const struct printer *pp) printf("%s: cannot lock %s\n", progname, buf); exit(1); } - seteuid(uid); + PRIV_END n = 0; if ((len = read(fd, buf, sizeof(buf))) > 0) { for (cp = buf; len--; ) { diff --git a/usr.sbin/lpr/lprm/lprm.c b/usr.sbin/lpr/lprm/lprm.c index 741a8fae1361..35d88145adcc 100644 --- a/usr.sbin/lpr/lprm/lprm.c +++ b/usr.sbin/lpr/lprm/lprm.c @@ -58,6 +58,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -93,7 +94,7 @@ main(int argc, char *argv[]) printer = NULL; uid = getuid(); euid = geteuid(); - seteuid(uid); /* be safe */ + PRIV_END /* be safe */ progname = argv[0]; gethostname(local_host, sizeof(local_host)); openlog("lpd", 0, LOG_LPR);