author | Todd C. Miller <millert@cvs.openbsd.org> | 2003-03-11 04:36:56 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2003-03-11 04:36:56 +0000 |
commit | 8eb239489f4a36a683798f638ae9d43f134137d3 (patch) | |
tree | b5095c3617e86221fdb3a9c13dacd60fdba4d488 /usr.sbin | |
parent | a4efa314cb682d103e603c39d665fbc3a83df45d (diff) |
Make lpr and lprm setuid root but drop to daemon very early.
Functionally this is the same as when lpr and lprm were setuid
daemon but the executables are now owned by root, which is safer.
deraadt@ OK
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/lpr/lpr/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/lpr/lpr/lpr.c | 19 | ||||
-rw-r--r-- | usr.sbin/lpr/lprm/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/lpr/lprm/lprm.c | 27 |
4 files changed, 36 insertions, 18 deletions
diff --git a/usr.sbin/lpr/lpr/Makefile b/usr.sbin/lpr/lpr/Makefile
index 4bc5e2b9b89..29f2cdd318e 100644
--- a/usr.sbin/lpr/lpr/Makefile
+++ b/usr.sbin/lpr/lpr/Makefile
@@ -1,10 +1,10 @@
 # from: @(#)Makefile 8.1 (Berkeley) 6/6/93
-# $OpenBSD: Makefile,v 1.4 2002/06/08 01:53:43 millert Exp $
+# $OpenBSD: Makefile,v 1.5 2003/03/11 04:36:55 millert Exp $
 PROG= lpr
 CFLAGS+=-I${.CURDIR}/../common_source
 SRCS= lpr.c startdaemon.c common.c common_vars.c
-BINOWN= daemon
+BINOWN= root
 BINGRP= daemon
 BINMODE=6555
 BINDIR= /usr/bin
diff --git a/usr.sbin/lpr/lpr/lpr.c b/usr.sbin/lpr/lpr/lpr.c
index 1350ce378d8..ea100c8b796 100644
--- a/usr.sbin/lpr/lpr/lpr.c
+++ b/usr.sbin/lpr/lpr/lpr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lpr.c,v 1.29 2003/03/08 23:28:15 millert Exp $ */
+/* $OpenBSD: lpr.c,v 1.30 2003/03/11 04:36:55 millert Exp $ */
 /* $NetBSD: lpr.c,v 1.19 2000/10/11 20:23:52 is Exp $ */
 /*
@@ -50,7 +50,7 @@ static const char copyright[] =
 #if 0
 static const char sccsid[] = "@(#)lpr.c 8.4 (Berkeley) 4/28/95";
 #else
-static const char rcsid[] = "$OpenBSD: lpr.c,v 1.29 2003/03/08 23:28:15 millert Exp $";
+static const char rcsid[] = "$OpenBSD: lpr.c,v 1.30 2003/03/11 04:36:55 millert Exp $";
 #endif
 #endif /* not lint */
@@ -132,11 +132,20 @@ main(int argc, char **argv)
 int i, f, ch;
 struct stat stb;
- effective_uid = geteuid();
+ /*
+ * Simulate setuid daemon but with real and effective swapped.
+ * We don't want lpr to actually be setuid daemon since that
+ * requires that the lpr binary be owned by user daemon, which
+ * is potentially unsafe.
+ */
+ if ((pw = getpwuid(DEFUID)) == NULL)
+ errx(1, "daemon uid (%u) not in password file", DEFUID);
+ effective_uid = pw->pw_uid;
 real_uid = getuid();
- effective_gid = getegid();
+ effective_gid = pw->pw_gid;
 real_gid = getgid();
- PRIV_END; /* be safe */
+ setresgid(effective_gid, real_gid, effective_gid);
+ setresuid(effective_uid, real_uid, effective_uid);
 if (signal(SIGHUP, SIG_IGN) != SIG_IGN)
 signal(SIGHUP, cleanup);
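Review bot: The return values of `setresgid()` and `setresuid()` in lpr.c's main() are ignored, so if either call fails the binary, which this commit installs setuid root, would carry on with effective uid 0 rather than the invoking user's. The drop should be fatal on failure: `if (setresgid(effective_gid, real_gid, effective_gid) == -1) err(1, "setresgid");` and likewise `if (setresuid(effective_uid, real_uid, effective_uid) == -1) err(1, "setresuid");`. The same unchecked pair appears in the lprm.c main() hunk. main() continues outside the hunk, so any later code that relies on the drop is not visible here.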
diff --git a/usr.sbin/lpr/lprm/Makefile b/usr.sbin/lpr/lprm/Makefile
index 42680d45f7a..556e16a7748 100644
--- a/usr.sbin/lpr/lprm/Makefile
+++ b/usr.sbin/lpr/lprm/Makefile
@@ -1,10 +1,10 @@
 # @(#)Makefile 8.1 (Berkeley) 6/6/93
-# $OpenBSD: Makefile,v 1.5 2002/06/11 22:47:07 millert Exp $
+# $OpenBSD: Makefile,v 1.6 2003/03/11 04:36:55 millert Exp $
 PROG= lprm
 CFLAGS+=-I${.CURDIR}/../common_source
 SRCS= lprm.c rmjob.c startdaemon.c common.c common_vars.c
-BINOWN= daemon
+BINOWN= root
 BINGRP= daemon
 BINMODE=6555
 BINDIR= /usr/bin
diff --git a/usr.sbin/lpr/lprm/lprm.c b/usr.sbin/lpr/lprm/lprm.c
index fb3de97d42d..0604817fe7d 100644
--- a/usr.sbin/lpr/lprm/lprm.c
+++ b/usr.sbin/lpr/lprm/lprm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lprm.c,v 1.13 2002/12/08 16:50:07 millert Exp $ */
+/* $OpenBSD: lprm.c,v 1.14 2003/03/11 04:36:55 millert Exp $ */
 /* $$NetBSD: lprm.c,v 1.9 1999/08/16 03:12:32 simonb Exp $ */
 /*
@@ -45,7 +45,7 @@ static const char copyright[] =
 #if 0
 static const char sccsid[] = "@(#)lprm.c 8.1 (Berkeley) 6/6/93";
 #else
-static const char rcsid[] = "$OpenBSD: lprm.c,v 1.13 2002/12/08 16:50:07 millert Exp $";
+static const char rcsid[] = "$OpenBSD: lprm.c,v 1.14 2003/03/11 04:36:55 millert Exp $";
 #endif
 #endif /* not lint */
@@ -92,24 +92,33 @@ static __dead void usage(void);
 int
 main(int argc, char **argv)
 {
- struct passwd *p;
+ struct passwd *pw;
 char *cp;
 long l;
 int ch;
- effective_uid = geteuid();
+ /*
+ * Simulate setuid daemon but with real and effective swapped.
+ * We don't want lpr to actually be setuid daemon since that
+ * requires that the lpr binary be owned by user daemon, which
+ * is potentially unsafe.
+ */
+ if ((pw = getpwuid(DEFUID)) == NULL)
+ errx(1, "daemon uid (%u) not in password file", DEFUID);
+ effective_uid = pw->pw_uid;
 real_uid = getuid();
- effective_gid = getegid();
+ effective_gid = pw->pw_gid;
 real_gid = getgid();
- PRIV_END; /* be safe */
+ setresgid(effective_gid, real_gid, effective_gid);
+ setresuid(effective_uid, real_uid, effective_uid);
 gethostname(host, sizeof(host));
 openlog("lprm", 0, LOG_LPR);
- if ((p = getpwuid(real_uid)) == NULL)
+ if ((pw = getpwuid(real_uid)) == NULL)
 fatal("Who are you?");
- if (strlen(p->pw_name) >= sizeof(luser))
+ if (strlen(pw->pw_name) >= sizeof(luser))
 fatal("Your name is too long");
- strlcpy(luser, p->pw_name, sizeof(luser));
+ strlcpy(luser, pw->pw_name, sizeof(luser));
 person = luser;
 while ((ch = getopt(argc, argv, "P:w:-")) != -1) {
 switch (ch) { |
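Review bot: The comment added at the top of lprm's main() was copied from lpr.c and still names lpr, which can confuse anyone auditing lprm's privilege handling. It should read `* We don't want lprm to actually be setuid daemon since that` and `* requires that the lprm binary be owned by user daemon, which`. It would also be worth noting in that comment that `pw` is reused for `getpwuid(real_uid)` a few lines later, which is safe only because `effective_uid` and `effective_gid` are copied out of the first result before the second lookup. main() continues past the end of the hunk.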