If we're running setuid/setguid then don't open the host alias file to

prevent information leakage. Closes PR 2578 Submitted by: Julian Assange
svn path=/head/; revision=24196
1997-03-24 06:11:44 +00:00 · 1997-03-24 06:11:44 +00:00 · 79d71652cf · 2020-12-20 02:59:44 +00:00
commit 79d71652cf
parent 418d4a9817
1 changed files with 4 additions and 1 deletions
--- a/lib/libc/net/res_query.c
+++ b/lib/libc/net/res_query.c
@ -56,7 +56,7 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)res_query.c	8.1 (Berkeley) 6/4/93";
 static char orig_rcsid = "From: Id: res_query.c,v 8.9 1996/09/22 00:13:28 vixie Exp";
-static char rcsid[] = "$Id$";
+static char rcsid[] = "$Id: res_query.c,v 1.12 1997/02/22 15:00:34 peter Exp $";
 #endif /* LIBC_SCCS and not lint */

 #include <sys/types.h>
@ -358,6 +358,9 @@ hostalias(name)

 	if (_res.options & RES_NOALIASES)
 		return (NULL);
+	/* XXX issetguid() would be better here, but we don't have that. */
+	if (getuid() != geteuid() || getgid() != getegid())
+		return (NULL);
 	file = getenv("HOSTALIASES");
 	if (file == NULL || (fp = fopen(file, "r")) == NULL)
 		return (NULL);