From 7c1b08c168ad9ef51cbe5c3f1981fa040cc90f9e Mon Sep 17 00:00:00 2001 From: John Kohl Date: Wed, 17 Apr 1991 14:30:52 +0000 Subject: [PATCH] add uid-checking code in replay cache git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1991 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/rcache/rc_io.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c index a79768f61..82366209a 100644 --- a/src/lib/krb5/rcache/rc_io.c +++ b/src/lib/krb5/rcache/rc_io.c @@ -11,7 +11,7 @@ */ #if !defined(lint) && !defined(SABER) -static char rcsid_rc_base_c[] = +static char rcsid_rc_io_c[] = "$Id$"; #endif /* !lint & !SABER */ @@ -118,6 +118,7 @@ char **fn; case EPERM: FREE(d->fn); return KRB5_RC_IO_PERM; break; case EACCES: FREE(d->fn); return KRB5_RC_IO_PERM; break; case EROFS: FREE(d->fn); return KRB5_RC_IO_PERM; break; + case EEXIST: FREE(d->fn); return KRB5_RC_IO_PERM; break; default: FREE(d->fn); return KRB5_RC_IO_UNKNOWN; break; } if (retval = krb5_rc_io_write(d, (krb5_pointer)&rc_vno, sizeof(rc_vno))) { @@ -135,14 +136,27 @@ char *fn; { krb5_int16 rc_vno; krb5_error_code retval; + struct stat statb; + GETDIR; if (!(d->fn = malloc(strlen(fn) + dirlen + 1))) return KRB5_RC_IO_MALLOC; (void) strcpy(d->fn,dir); (void) strcat(d->fn,"/"); (void) strcat(d->fn,fn); - d->fd = open(d->fn,O_RDWR,0600); - if (d->fd == -1) + if ((d->fd = stat(d->fn, &statb)) != -1) { + uid_t me; + + me = getuid(); + /* must be owned by this user, to prevent some security problems with + other users modifying replay cache stufff */ + if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) { + FREE(d->fn); + return KRB5_RC_IO_PERM; + } + d->fd = open(d->fn,O_RDWR,0600); + } + if (d->fd == -1) { switch(errno) { case EBADF: FREE(d->fn); return KRB5_RC_IO_UNKNOWN; break; @@ -157,6 +171,7 @@ char *fn; case EROFS: FREE(d->fn); return KRB5_RC_IO_PERM; break; default: FREE(d->fn); return KRB5_RC_IO_UNKNOWN; break; } + } if (retval = krb5_rc_io_read(d, (krb5_pointer) &rc_vno, sizeof(rc_vno))) { (void) close(d->fd); FREE(d->fn); -- 2.26.2