author | Tom Yu <tlyu@mit.edu> | 2006-08-08 19:26:40 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2006-08-08 19:26:40 +0000 |
commit | 7b141abe9aa72db8c7243d4f0a30b87e59789579 (patch) | |
tree | 75758af4fbe75e55f3ed8ded57f650014ffd6170 /src/appl | |
parent | 90ce1170a03c1451c1bbe15af6ca1ead326eeb83 (diff) | |
fix MITKRB5-SA-2006-001: multiple local privilege escalation vulnerabilities
* src/appl/gssftp/ftpd/ftpd.c (getdatasock, passive):
* src/appl/bsd/v4rcp.c (main):
* src/appl/bsd/krcp.c (main):
* src/appl/bsd/krshd.c (doit):
* src/appl/bsd/login.c (main):
* src/clients/ksu/main.c (sweep_up):
* src/lib/krb4/kuserok.c (kuserok): Check return values from
setuid() and related functions to avoid privilege escalation
vulnerabilities. Fixes MITKRB5-SA-2006-001. [CVE-2006-3083,
VU#580124, CVE-2006-3084, VU#401660]
ticket: new
target_version: 1.5.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18420 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/appl')
-rw-r--r-- | src/appl/bsd/krcp.c | 16 | ||||
-rw-r--r-- | src/appl/bsd/krshd.c | 10 | ||||
-rw-r--r-- | src/appl/bsd/login.c | 5 | ||||
-rw-r--r-- | src/appl/bsd/v4rcp.c | 10 | ||||
-rw-r--r-- | src/appl/gssftp/ftpd/ftpd.c | 12 |
5 files changed, 41 insertions, 12 deletions
diff --git a/src/appl/bsd/krcp.c b/src/appl/bsd/krcp.c index 707985a..9cf85ed 100644 --- a/src/appl/bsd/krcp.c +++ b/src/appl/bsd/krcp.c @@ -620,7 +620,9 @@ int main(argc, argv) euid = geteuid(); if (euid == 0) { - (void) setuid(0); + if (setuid(0)) { + perror("rcp setuid 0"); errs++; exit(errs); + } if(krb5_seteuid(userid)) { perror("rcp seteuid user"); errs++; exit(errs); } @@ -638,11 +640,17 @@ int main(argc, argv) continue; rcmd_stream_init_normal(); #ifdef HAVE_SETREUID - (void) setreuid(0, userid); + if (setreuid(0, userid)) { + perror("rcp setreuid 0,user"); errs++; exit(errs); + } sink(1, argv+argc-1); - (void) setreuid(userid, 0); + if (setreuid(userid, 0)) { + perror("rcp setreuid user,0"); errs++; exit(errs); + } #else - (void) setuid(0); + if (setuid(0)) { + perror("rcp setuid 0"); errs++; exit(errs); + } if(seteuid(userid)) { perror("rcp seteuid user"); errs++; exit(errs); } diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 02ab132..0989158 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -1403,9 +1403,15 @@ void doit(f, fromp) * If we're on a system which keeps track of login uids, then * set the login uid. */ - setluid((uid_t) pwd->pw_uid); + if (setluid((uid_t) pwd->pw_uid) < 0) { + perror("setluid"); + _exit(1); + } #endif /* HAVE_SETLUID */ - (void) setuid((uid_t)pwd->pw_uid); + if (setuid((uid_t)pwd->pw_uid) < 0) { + perror("setuid"); + _exit(1); + } /* if TZ is set in the parent, drag it in */ { char **findtz = environ; diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c index a3cdef7..861b9a5 100644 --- a/src/appl/bsd/login.c +++ b/src/appl/bsd/login.c @@ -1648,7 +1648,10 @@ int main(argc, argv) } #endif /* HAVE_SETLUID */ #ifdef _IBMR2 - setuidx(ID_LOGIN, pwd->pw_uid); + if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) { + perror("setuidx"); + sleepexit(1); + }; #endif /* This call MUST succeed */ diff --git a/src/appl/bsd/v4rcp.c b/src/appl/bsd/v4rcp.c index 2354a2c..67bf877 100644 --- a/src/appl/bsd/v4rcp.c 
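Review bot: The new fatal checks on `setuid(0)` and `setreuid()` in `main` carry no comment saying why a failure must stop the program, both here and in the second krcp.c hunk (`@@ -638,11 +640,17 @@`). A short comment above the first check, such as `/* uid changes can fail (e.g. EAGAIN under a process limit); never continue with an unintended uid */`, would keep a later cleanup from turning them back into `(void)` casts. Both hunks sit inside `main`, which starts and ends outside the visible lines.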
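Review bot: In `doit` (krshd.c), a failed `setluid()` or `setuid()` is reported only through `perror()`, and a daemon's stderr may not reach any log, so an operator could be left with no record that a privilege drop failed. If the file already logs through syslog, which this hunk does not show, add a line such as `syslog(LOG_ERR, "setuid(%lu): %m", (unsigned long) pwd->pw_uid);` before `_exit(1)`. It is also worth confirming the drop cannot be undone right after it succeeds, for example `if (pwd->pw_uid != 0 && setuid(0) == 0) _exit(1);`. `doit` continues beyond the hunk.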
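Review bot: The added `setuidx` block in login.c `main` closes with `};`, which leaves an empty statement after the `if`. It is harmless here because no `else` follows, but it should read `}` to match the other checks in this commit. `perror("setuidx")` writes to stderr only; whether login records the failure anywhere else is not visible in the hunk.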
+++ b/src/appl/bsd/v4rcp.c @@ -436,7 +436,10 @@ int main(argc, argv) kstream_set_buffer_mode (krem, 0); #endif /* KERBEROS && !NOENCRYPTION */ (void) response(); - (void) setuid(userid); + if (setuid(userid)) { + error("rcp: can't setuid(user)\n"); + exit(1); + } source(--argc, ++argv); exit(errs); @@ -452,7 +455,10 @@ int main(argc, argv) krem = kstream_create_from_fd (rem, 0, 0); kstream_set_buffer_mode (krem, 0); #endif /* KERBEROS && !NOENCRYPTION */ - (void) setuid(userid); + if (setuid(userid)) { + error("rcp: can't setuid(user)\n"); + exit(1); + } sink(--argc, ++argv); exit(errs); diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c index 9a3639b..94b40dc 100644 --- a/src/appl/gssftp/ftpd/ftpd.c +++ b/src/appl/gssftp/ftpd/ftpd.c @@ -1367,7 +1367,9 @@ getdatasock(fmode) goto bad; sleep(tries); } - (void) krb5_seteuid((uid_t)pw->pw_uid); + if (krb5_seteuid((uid_t)pw->pw_uid)) { + fatal("seteuid user"); + } #ifdef IP_TOS #ifdef IPTOS_THROUGHPUT on = IPTOS_THROUGHPUT; @@ -1377,7 +1379,9 @@ getdatasock(fmode) #endif return (fdopen(s, fmode)); bad: - (void) krb5_seteuid((uid_t)pw->pw_uid); + if (krb5_seteuid((uid_t)pw->pw_uid)) { + fatal("seteuid user"); + } (void) close(s); return (NULL); } @@ -2186,7 +2190,9 @@ passive() (void) krb5_seteuid((uid_t)pw->pw_uid); goto pasv_error; } - (void) krb5_seteuid((uid_t)pw->pw_uid); + if (krb5_seteuid((uid_t)pw->pw_uid)) { + fatal("seteuid user"); + } len = sizeof(pasv_addr); if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0) goto pasv_error; |
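Review bot: The message `rcp: can't setuid(user)` drops errno, so a failure caused by a resource limit (EAGAIN) cannot be told apart from a permission error (EPERM). This applies to both v4rcp.c hunks (`@@ -436,7 +436,10 @@` and `@@ -452,7 +455,10 @@`). If `error()` takes printf-style arguments, which these hunks do not show, `error("rcp: can't setuid(user): %s\n", strerror(errno));` would keep that detail, as `perror()` does in krcp.c. The two checks are identical and could share one small static helper.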
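Review bot: In `passive()` (ftpd.c, `@@ -2186,7 +2190,9 @@`), the error path just above the fixed call still reads `(void) krb5_seteuid((uid_t)pw->pw_uid); goto pasv_error;`. On that path a failed switch back to the user's uid is ignored and the server carries on at `pasv_error`. That branch needs the same treatment, `if (krb5_seteuid((uid_t)pw->pw_uid)) fatal("seteuid user");` before the `goto`. The condition guarding the branch is outside the hunk, so this rests on the visible context lines only.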