svn commit: r211393 - head/lib/libutil

Mon Aug 16 11:48:06 UTC 2010

Dag-Erling Smørgrav <des at des.no> writes:
> Note that this commit semi-intentionally introduces another bug: in some
> cases, the user's limits will not be applied at all.  This is by far the
> lesser of two evils, and is easy (albeit time-consuming) to fix.

Specifically, each of the files listed below needs to be audited.  Those
that already call setusercontext() with the LOGIN_SETUSER flag set are
fine.  Those that don't need to do so either instead of or shortly after
calling setuid().

contrib/lukemftpd/src/ftpd.c:	setusercontext(NULL, getpwuid(0), 0,
contrib/lukemftpd/src/ftpd.c-		       LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK|LOGIN_SETMAC);
contrib/lukemftpd/src/ftpd.c-#endif
--
contrib/lukemftpd/src/ftpd.c:	setusercontext(lc, pw, 0,
contrib/lukemftpd/src/ftpd.c-		LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY|
contrib/lukemftpd/src/ftpd.c-		LOGIN_SETRESOURCES|LOGIN_SETUMASK|LOGIN_SETMAC);
--
contrib/sendmail/src/deliver.c:				    setusercontext(NULL, pwd, pwd->pw_uid,
contrib/sendmail/src/deliver.c-						   sucflags) == -1 &&
contrib/sendmail/src/deliver.c-				    suidwarn)
--
contrib/sendmail/src/deliver.c:					syserr("openmailer: setusercontext() failed");
contrib/sendmail/src/deliver.c-					exit(EX_TEMPFAIL);
contrib/sendmail/src/deliver.c-				}
--
crypto/openssh/openbsd-compat/port-irix.c:irix_setusercontext(struct passwd *pw)
crypto/openssh/openbsd-compat/port-irix.c-{
crypto/openssh/openbsd-compat/port-irix.c-#ifdef WITH_IRIX_PROJECT
--
crypto/openssh/session.c:		(void) setusercontext(lc, pw, pw->pw_uid,
crypto/openssh/session.c-		    LOGIN_SETENV|LOGIN_SETPATH);
crypto/openssh/session.c-		copy_environment(environ, &env, &envsize);
--
crypto/openssh/session.c:do_setusercontext(struct passwd *pw)
crypto/openssh/session.c-{
crypto/openssh/session.c-	char *chroot_path, *tmp;
--
crypto/openssh/session.c:		if (setusercontext(lc, pw, pw->pw_uid,
crypto/openssh/session.c-		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
crypto/openssh/session.c-			perror("unable to set user context");
--
crypto/openssh/session.c:		irix_setusercontext(pw);
crypto/openssh/session.c-# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
crypto/openssh/session.c-# ifdef _AIX
--
crypto/openssh/session.c:		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
crypto/openssh/session.c-			perror("unable to set user context (setuser)");
crypto/openssh/session.c-			exit(1);
--
crypto/openssh/session.c:		do_setusercontext(pw);
crypto/openssh/session.c-		child_close_fds();
crypto/openssh/session.c-		do_pwchange(s);
--
crypto/openssh/session.c:		do_setusercontext(pw);
crypto/openssh/session.c-		/*
crypto/openssh/session.c:		 * PAM session modules in do_setusercontext may have
crypto/openssh/session.c-		 * generated messages, so if this in an interactive
crypto/openssh/session.c-		 * login then display them too.
--
crypto/openssh/sshd.c:	do_setusercontext(privsep_pw);
crypto/openssh/sshd.c-#else
crypto/openssh/sshd.c-	gidset[0] = privsep_pw->pw_gid;
--
crypto/openssh/sshd.c:	do_setusercontext(authctxt->pw);
crypto/openssh/sshd.c-
crypto/openssh/sshd.c- skip:
--
libexec/atrun/atrun.c:	if (setusercontext(NULL, pentry, uid, LOGIN_SETALL &
libexec/atrun/atrun.c-		~(LOGIN_SETPRIORITY | LOGIN_SETPATH | LOGIN_SETENV)) != 0)
libexec/atrun/atrun.c:	    exit(EXIT_FAILURE);	/* setusercontext() logged the error */
libexec/atrun/atrun.c-#else /* LOGIN_CAP */
libexec/atrun/atrun.c-	if (initgroups(pentry->pw_name,pentry->pw_gid))
--
libexec/atrun/atrun.c:	if (setusercontext(NULL, pentry, uid, LOGIN_SETALL) != 0)
libexec/atrun/atrun.c:	    exit(EXIT_FAILURE);	/* setusercontext() logged the error */
libexec/atrun/atrun.c-#else /* LOGIN_CAP */
libexec/atrun/atrun.c-	if (initgroups(pentry->pw_name,pentry->pw_gid))
--
libexec/ftpd/ftpd.c:	setusercontext(NULL, getpwuid(0), 0,
libexec/ftpd/ftpd.c-		       LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK|
libexec/ftpd/ftpd.c-		       LOGIN_SETMAC);
--
libexec/ftpd/ftpd.c:	setusercontext(lc, pw, 0,
libexec/ftpd/ftpd.c-		LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY|
libexec/ftpd/ftpd.c-		LOGIN_SETRESOURCES|LOGIN_SETUMASK|LOGIN_SETMAC);
--
libexec/rshd/rshd.c:	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) {
libexec/rshd/rshd.c:		syslog(LOG_ERR, "setusercontext: %m");
libexec/rshd/rshd.c-		exit(1);
libexec/rshd/rshd.c-	}
--
libexec/rshd/rshd.c:	if (setusercontext(lc, pwd, pwd->pw_uid,
libexec/rshd/rshd.c-		LOGIN_SETALL & ~LOGIN_SETGROUP) < 0) {
libexec/rshd/rshd.c:		syslog(LOG_ERR, "setusercontext(): %m");
libexec/rshd/rshd.c-		exit(1);
libexec/rshd/rshd.c-	}
--
release/picobsd/tinyware/login/pico-login.c:	 * We need to do this before setusercontext() because that may
release/picobsd/tinyware/login/pico-login.c-	 * set or reset some environment variables.
release/picobsd/tinyware/login/pico-login.c-	 */
--
release/picobsd/tinyware/login/pico-login.c:	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) {
release/picobsd/tinyware/login/pico-login.c:                syslog(LOG_ERR, "setusercontext() failed - exiting");
release/picobsd/tinyware/login/pico-login.c-		exit(1);
release/picobsd/tinyware/login/pico-login.c-	}
--
release/picobsd/tinyware/login/pico-login.c:	if (setusercontext(lc, pwd, pwd->pw_uid,
release/picobsd/tinyware/login/pico-login.c-	    LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETGROUP)) != 0) {
release/picobsd/tinyware/login/pico-login.c:                syslog(LOG_ERR, "setusercontext() failed - exiting");
release/picobsd/tinyware/login/pico-login.c-		exit(1);
release/picobsd/tinyware/login/pico-login.c-	}
--
sbin/init/init.c:		setusercontext(lc, (struct passwd*)NULL, 0,
sbin/init/init.c-		    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
sbin/init/init.c-		login_close(lc);
--
usr.bin/login/login.c:	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) {
usr.bin/login/login.c:		syslog(LOG_ERR, "setusercontext() failed - exiting");
usr.bin/login/login.c-		bail(NO_SLEEP_EXIT, 1);
usr.bin/login/login.c-	}
--
usr.bin/login/login.c:	if (setusercontext(lc, pwd, pwd->pw_uid,
usr.bin/login/login.c-	    LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETGROUP)) != 0) {
usr.bin/login/login.c:		syslog(LOG_ERR, "setusercontext() failed - exiting");
usr.bin/login/login.c-		exit(1);
usr.bin/login/login.c-	}
--
usr.bin/newgrp/newgrp.c:	setusercontext(lc, pwd, pwd->pw_uid,
usr.bin/newgrp/newgrp.c-	    LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV);
usr.bin/newgrp/newgrp.c-	login_close(lc);
--
usr.bin/su/su.c:	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
usr.bin/su/su.c:		err(1, "setusercontext");
usr.bin/su/su.c-
usr.bin/su/su.c-	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
--
usr.bin/su/su.c:		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
usr.bin/su/su.c:			err(1, "setusercontext");
usr.bin/su/su.c-
usr.bin/su/su.c-		if (!asme) {
--
usr.bin/su/su.c:				setusercontext(lc, pwd, pwd->pw_uid,
usr.bin/su/su.c-					LOGIN_SETPATH | LOGIN_SETUMASK |
usr.bin/su/su.c-					LOGIN_SETENV);
--
usr.sbin/cron/cron/do_command.c:		    setusercontext(lc, pwd, e->uid,
usr.sbin/cron/cron/do_command.c-			    LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETENV)) == 0)
usr.sbin/cron/cron/do_command.c-			(void) endpwent();
--
usr.sbin/cron/cron/popen.c:			    setusercontext(lc, pwd, e->uid,
usr.sbin/cron/cron/popen.c-				    LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETENV)) == 0)
usr.sbin/cron/cron/popen.c-				(void) endpwent();
--
usr.sbin/daemon/daemon.c:	if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0)
usr.sbin/daemon/daemon.c-		errx(1, "failed to set user environment");
usr.sbin/daemon/daemon.c-}
--
usr.sbin/inetd/inetd.c:				if (setusercontext(lc, pwd, pwd->pw_uid,
usr.sbin/inetd/inetd.c-				    LOGIN_SETALL & ~LOGIN_SETMAC)
usr.sbin/inetd/inetd.c-				    != 0) {
--
usr.sbin/inetd/inetd.c:					 "%s: can't setusercontext(..%s..): %m",
usr.sbin/inetd/inetd.c-					 sep->se_service, sep->se_user);
usr.sbin/inetd/inetd.c-					_exit(EX_OSERR);
--
usr.sbin/jail/jail.c:		if (setusercontext(lcap, pwd, pwd->pw_uid,
usr.sbin/jail/jail.c-		    LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
usr.sbin/jail/jail.c:			err(1, "setusercontext");
usr.sbin/jail/jail.c-		login_close(lcap);
usr.sbin/jail/jail.c-	}
--
usr.sbin/jexec/jexec.c:		if (setusercontext(lcap, pwd, pwd->pw_uid,
usr.sbin/jexec/jexec.c-		    LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
usr.sbin/jexec/jexec.c:			err(1, "setusercontext");
usr.sbin/jexec/jexec.c-		login_close(lcap);
usr.sbin/jexec/jexec.c-	}

DES
-- 
Dag-Erling Smørgrav - des at des.no