Synopsis: dump exposes 'tty' group
NetBSD versions: 1.5, 1.5.1
Thanks to: John Hawkinson
Reported in NetBSD Security Advisory: NetBSD-SA2001-014
Index: main.c
===================================================================
RCS file: /cvsroot/basesrc/sbin/dump/main.c,v
retrieving revision 1.25.6.3
retrieving revision 1.25.6.4
diff -c -p -r1.25.6.3 -r1.25.6.4
*** main.c 2001/05/15 21:55:58 1.25.6.3
--- main.c 2001/08/08 18:13:22 1.25.6.4
*************** __RCSID("$NetBSD: main.c,v 1.25.6.3 2001
*** 80,85 ****
--- 80,86 ----
#include "dump.h"
#include "pathnames.h"
+ gid_t egid; /* Retain tty privs for notification */
int notify = 0; /* notify operator flag */
int blockswritten = 0; /* number of blocks written on current tape */
int tapeno = 0; /* current tape number */
*************** main(argc, argv)
*** 118,123 ****
--- 119,128 ----
spcl.c_date = 0;
(void)time((time_t *)&spcl.c_date);
+
+ /* Save setgid bit for use later */
+ egid = getegid();
+ setegid(getgid());
tsize = 0; /* Default later, based on 'c' option for cart tapes */
if ((tape = getenv("TAPE")) == NULL)
Index: optr.c
===================================================================
RCS file: /cvsroot/basesrc/sbin/dump/optr.c,v
retrieving revision 1.13.10.1
retrieving revision 1.13.10.2
diff -c -p -r1.13.10.1 -r1.13.10.2
*** optr.c 2000/10/18 00:39:44 1.13.10.1
--- optr.c 2001/08/08 18:13:18 1.13.10.2
*************** void alarmcatch __P((int));
*** 73,78 ****
--- 73,79 ----
struct fstab *allocfsent __P((struct fstab *fs));
int datesort __P((const void *, const void *));
static void sendmes __P((char *, char *));
+ extern gid_t egid;
/*
* Query the operator; This previously-fascist piece of code
*************** broadcast(message)
*** 225,236 ****
--- 226,241 ----
if (!notify || gp == NULL)
return;
+ /* Restore 'tty' privs for the child's use only. */
+ setegid(egid);
switch (pid = fork()) {
case -1:
+ setegid(getgid());
return;
case 0:
break;
default:
+ setegid(getgid());
while (wait(&s) != pid)
continue;
return;