From caab6ab6c3ca15652cdbe11122ae56e8dbfbece1 Mon Sep 17 00:00:00 2001
From: Gilles Chehade
Date: Fri, 2 Oct 2015 00:41:26 +0000
Subject: in secure_file(), make uid checking on .forward files more strict to avoid users creating hardlink to root-owned files and leaking first line. reported by Qualys Security
---
 usr.sbin/smtpd/util.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/smtpd/util.c b/usr.sbin/smtpd/util.c
index 330878abf80..f40cc40148d 100644
--- a/usr.sbin/smtpd/util.c
+++ b/usr.sbin/smtpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.114 2015/08/16 20:53:19 gilles Exp $ */
+/* $OpenBSD: util.c,v 1.115 2015/10/02 00:41:25 gilles Exp $ */

 /*
 * Copyright (c) 2000,2001 Markus Friedl. All rights reserved.
@@ -500,9 +500,6 @@ valid_domainpart(const char *s)
 return res_hnok(s);
 }

-/*
- * Check file for security. Based on usr.bin/ssh/auth.c.
- */
 int
 secure_file(int fd, char *path, char *userdir, uid_t uid, int mayread)
 {
@@ -520,7 +517,7 @@ secure_file(int fd, char *path, char *userdir, uid_t uid, int mayread)
 /* Check the open file to avoid races. */
 if (fstat(fd, &st) < 0 ||
 !S_ISREG(st.st_mode) ||
-(st.st_uid != 0 && st.st_uid != uid) ||
+st.st_uid != uid ||
 (st.st_mode & (mayread ? 022 : 066)) != 0)
 return 0;

-- cgit v1.2.3
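Review bot: The tightened owner test `st.st_uid != uid ||` in the last hunk has no comment explaining why root-owned files are now refused, and the second hunk also removes the only header comment on secure_file(), so the reason survives only in the commit message. I would add above the fstat() check something like `/* Owner must be uid itself: a root-owned file may be a hardlink the user created. */` and restore a short header comment stating the contract (regular file, owned by uid, no group/other write, and no group/other read unless mayread). A .forward file that an administrator created as root for a user is now rejected with the same bare `return 0` as every other failure; whether callers log that is not visible here, so it is worth confirming the rejection is diagnosable. secure_file()'s body starts and ends outside these hunks.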