sure
but make sense to remove bad examples in tree
What bad examples? I've done this audit before.
As far as I know, the endpwent()'s in the tree are all there because of
setpwent() or setpassent() is called; or because of getpwent()'s
instead of getpwnam()'s, and in situations where there is a fork before
exit.
You are not submitting a diff which 'removes bad examples in the tree',
sorry, you are submitting a diff which is wrong. Your diff is the bad
example.
On Wed, Jun 02, 2010 at 08:33:10AM -0600, Theo de Raadt wrote:
endpwent() here to close file descriptor opened by getpwnam(),
since that all work with the password database was done.
But no file descriptor is open.
setpassent() was never called to keep the fd open.
It's even explained in the manual page.
Index: tftp-proxy.c
===
RCS file: /cvs/src//libexec/tftp-proxy/tftp-proxy.c,v
retrieving revision 1.6
diff -u tftp-proxy.c
--- tftp-proxy.c 13 Apr 2008 00:22:17 - 1.6
+++ tftp-proxy.c 2 Jun 2010 13:06:16 -
@@ -128,6 +128,7 @@
syslog(LOG_ERR, can't revoke privs: %m);
exit(1);
}
+ endpwent();
/* non-blocking io */
if (ioctl(fd, FIONBIO, on) 0) {
--xHFwDpU9dbj6ez1V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename=wrong_use_endpwent.diff
Index: privsep.c
===
RCS file: /cvs/src//usr.sbin/tcpdump/privsep.c,v
retrieving revision 1.28
diff -u privsep.c
--- privsep.c 17 Apr 2009 22:31:24 - 1.28
+++ privsep.c 2 Jun 2010 15:18:00 -
@@ -175,7 +175,6 @@
err(1, setresgid() failed);
if (setresuid(pw-pw_uid, pw-pw_uid, pw-pw_uid) == -1)
err(1, setresuid() failed);
- endpwent();
close(socks[0]);
priv_fd = socks[1];
Index: privsep.c
===
RCS file: /cvs/src//usr.sbin/syslogd/privsep.c,v
retrieving revision 1.34
diff -u privsep.c
--- privsep.c 23 Nov 2008 04:29:42 - 1.34
+++ privsep.c 2 Jun 2010 15:18:56 -
@@ -435,7 +435,6 @@
setresgid(pw-pw_gid, pw-pw_gid, pw-pw_gid) == -1 ||
setresuid(pw-pw_uid, pw-pw_uid, pw-pw_uid) == -1)
err(1, failure dropping privs);
- endpwent();
if (dup2(fd[0], STDIN_FILENO) == -1)
err(1, dup2 failed);
--xHFwDpU9dbj6ez1V--
