The wall applet is setuid and currently does no checking of the real user's read access to the message file. This allows the wall applet to be used to display files which are not readable by an unprivileged user. For example:
$ wall /etc/shadow $ wall /proc/vmallocinfo Fix this by temporarily dropping privileges before opening the file. Signed-off-by: Ryan Mallon <[email protected]> --- miscutils/wall.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/miscutils/wall.c b/miscutils/wall.c index 762f53b..0f9d046 100644 --- a/miscutils/wall.c +++ b/miscutils/wall.c @@ -22,7 +22,24 @@ int wall_main(int argc UNUSED_PARAM, char **argv) { struct utmp *ut; char *msg; - int fd = argv[1] ? xopen(argv[1], O_RDONLY) : STDIN_FILENO; + int fd = STDIN_FILENO; + + if (argv[1]) { + /* + * This applet is setuid. Temporarily drop privileges to the + * real user when opening the file. + */ + uid_t old_euid = geteuid(); + gid_t old_egid = getegid(); + + xsetegid(getgid()); + xseteuid(getuid()); + + fd = xopen(argv[1], O_RDONLY); + + xseteuid(old_euid); + xsetegid(old_egid); + } msg = xmalloc_read(fd, NULL); if (ENABLE_FEATURE_CLEAN_UP && argv[1]) -- 1.7.9.7 _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
