Hello, looking at the rexecd.c code I found a possible security problem: if these calls fail, the process keeps its original user and group IDs and continues its execution.
The first patch solves this problem, the second fixes a compiler warning. Cheers, Giuseppe
>From 40f3fab918f65aa1f4ac9ed69290d97c3340650b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <[email protected]>
Date: Thu, 9 Jul 2009 11:35:43 +0200
Subject: [PATCH 1/2] rexecd: check for errors of setegid/setuid/setgid/initgroups
2009-07-09 Giuseppe Scrivano <[email protected]>
* rexecd/rexecd.c (doit): Add return value check after use setegid/setuid/setgid/initgroups.
---
 rexecd/rexecd.c | 29 ++++++++++++++++++++++++-----
 1 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/rexecd/rexecd.c b/rexecd/rexecd.c
index be8511b..f07e56e 100644
--- a/rexecd/rexecd.c
+++ b/rexecd/rexecd.c
@@ -27,7 +27,7 @@
 * SUCH DAMAGE.
 */
-/* Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+/* Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
 Free Software Foundation, Inc.
 This file is part of GNU Inetutils.
@@ -320,12 +320,31 @@ doit (int f, struct sockaddr_in *fromp)
 pwd->pw_shell = PATH_BSHELL;
 if (f > 2)
 close (f);
- setegid ((gid_t) pwd->pw_gid);
- setgid ((gid_t) pwd->pw_gid);
+
+ if (setegid ((gid_t) pwd->pw_gid) < 0)
+ {
+ fprintf (stderr, "rexecd: setegid: %s\n", strerror (errno));
+ exit (1);
+ }
+
+ if (setgid ((gid_t) pwd->pw_gid) < 0)
+ {
+ fprintf (stderr, "rexecd: setgid: %s\n", strerror (errno));
+ exit (1);
+ }
 #ifdef HAVE_INITGROUPS
- initgroups (pwd->pw_name, pwd->pw_gid);
+ if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
+ {
+ fprintf (stderr, "rexecd: initgroups: %s\n", strerror (errno));
+ exit (1);
+ }
 #endif
- setuid ((uid_t) pwd->pw_uid);
+ if (setuid ((uid_t) pwd->pw_uid) < 0)
+ {
+ fprintf (stderr, "rexecd: setuid: %s\n", strerror (errno));
+ exit (1);
+ }
+
 if (chdir (pwd->pw_dir) < 0)
 {
 error ("No remote directory.\n");
--
1.6.3.1
>From 35f1dba22e0d287b35115b8a7f4a19d6772d4f3b Mon Sep 17 00:00:00 2001
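Review bot: When `HAVE_INITGROUPS` is not defined, the new sequence in `doit` still goes straight from `setgid` to `setuid`, so the process keeps whatever supplementary group list the daemon was started with; the added checks cover only the calls that are compiled in. An `#else` branch that resets the list and checks the result, for example `if (setgroups (1, &pwd->pw_gid) < 0)` followed by the same report-and-exit, would close that gap, assuming `setgroups` is available on those platforms (it would need its own configure check). The failures are also reported with `fprintf (stderr, ...)`, while the `chdir` failure just below uses the file's `error ()` helper; a failed privilege drop is worth sending through the same path and, if the daemon has a system-log facility, recording there so operators can see it. `doit` starts and ends outside this hunk.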
From: Giuseppe Scrivano <[email protected]>
Date: Thu, 9 Jul 2009 11:41:02 +0200
Subject: [PATCH 2/2] rexecd: Fix a compiler warning.
2009-07-09 Giuseppe Scrivano <[email protected]>
* rexecd/rexecd.c: Add prototype for `doit'.
---
 rexecd/rexecd.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rexecd/rexecd.c b/rexecd/rexecd.c
index f07e56e..826f7b4 100644
--- a/rexecd/rexecd.c
+++ b/rexecd/rexecd.c
@@ -99,6 +99,7 @@
 void error (const char *fmt, ...);
 void usage (void);
+int doit (int, struct sockaddr_in *);
 static const char *short_options = "hV";
 static struct option long_options[] = {
--
1.6.3.1
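Review bot: The added prototype `int doit (int, struct sockaddr_in *);` omits parameter names, while the neighbouring `error` prototype names its `fmt` argument and the definition shown in the first patch's hunk header is `doit (int f, struct sockaddr_in *fromp)`; writing `int doit (int f, struct sockaddr_in *fromp);` keeps the declaration self-describing. If `doit` is only called from this file, which cannot be seen from the hunk, declaring it `static` at both the prototype and the definition would also keep it out of the global namespace.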
