r18420@cathode-dark-space: tlyu | 2006-08-08 15:26:40 -0400
ticket: new
subject: fix MITKRB5-SA-2006-001: multiple local privilege escalation vulnerabilities
target_version: 1.5.1
tags: pullup
* src/appl/gssftp/ftpd/ftpd.c (getdatasock, passive):
* src/appl/bsd/v4rcp.c (main):
* src/appl/bsd/krcp.c (main):
* src/appl/bsd/krshd.c (doit):
* src/appl/bsd/login.c (main):
* src/clients/ksu/main.c (sweep_up):
* src/lib/krb4/kuserok.c (kuserok): Check return values from
setuid() and related functions to avoid privilege escalation
vulnerabilities. Fixes MITKRB5-SA-2006-001. [CVE-2006-3083,
VU#580124, CVE-2006-3084, VU#401660]
ticket: 4126
version_fixed: 1.4.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-4@18422
dc483132-0cff-0310-8789-
dd5450dbe970
euid = geteuid();
if (euid == 0) {
- (void) setuid(0);
+ if (setuid(0)) {
+ perror("rcp setuid 0"); errs++; exit(errs);
+ }
if(krb5_seteuid(userid)) {
perror("rcp seteuid user"); errs++; exit(errs);
}
continue;
rcmd_stream_init_normal();
#ifdef HAVE_SETREUID
- (void) setreuid(0, userid);
+ if (setreuid(0, userid)) {
+ perror("rcp setreuid 0,user"); errs++; exit(errs);
+ }
sink(1, argv+argc-1);
- (void) setreuid(userid, 0);
+ if (setreuid(userid, 0)) {
+ perror("rcp setreuid user,0"); errs++; exit(errs);
+ }
#else
- (void) setuid(0);
+ if (setuid(0)) {
+ perror("rcp setuid 0"); errs++; exit(errs);
+ }
if(seteuid(userid)) {
perror("rcp seteuid user"); errs++; exit(errs);
}
* If we're on a system which keeps track of login uids, then
* set the login uid.
*/
- setluid((uid_t) pwd->pw_uid);
+ if (setluid((uid_t) pwd->pw_uid) < 0) {
+ perror("setluid");
+ _exit(1);
+ }
#endif /* HAVE_SETLUID */
- (void) setuid((uid_t)pwd->pw_uid);
+ if (setuid((uid_t)pwd->pw_uid) < 0) {
+ perror("setuid");
+ _exit(1);
+ }
/* if TZ is set in the parent, drag it in */
{
char **findtz = environ;
}
#endif /* HAVE_SETLUID */
#ifdef _IBMR2
- setuidx(ID_LOGIN, pwd->pw_uid);
+ if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
+ perror("setuidx");
+ sleepexit(1);
+ };
#endif
/* This call MUST succeed */
kstream_set_buffer_mode (krem, 0);
#endif /* KERBEROS && !NOENCRYPTION */
(void) response();
- (void) setuid(userid);
+ if (setuid(userid)) {
+ error("rcp: can't setuid(user)\n");
+ exit(1);
+ }
source(--argc, ++argv);
exit(errs);
krem = kstream_create_from_fd (rem, 0, 0);
kstream_set_buffer_mode (krem, 0);
#endif /* KERBEROS && !NOENCRYPTION */
- (void) setuid(userid);
+ if (setuid(userid)) {
+ error("rcp: can't setuid(user)\n");
+ exit(1);
+ }
sink(--argc, ++argv);
exit(errs);
goto bad;
sleep(tries);
}
- (void) krb5_seteuid((uid_t)pw->pw_uid);
+ if (krb5_seteuid((uid_t)pw->pw_uid)) {
+ fatal("seteuid user");
+ }
#ifdef IP_TOS
#ifdef IPTOS_THROUGHPUT
on = IPTOS_THROUGHPUT;
#endif
return (fdopen(s, fmode));
bad:
- (void) krb5_seteuid((uid_t)pw->pw_uid);
+ if (krb5_seteuid((uid_t)pw->pw_uid)) {
+ fatal("seteuid user");
+ }
(void) close(s);
return (NULL);
}
(void) krb5_seteuid((uid_t)pw->pw_uid);
goto pasv_error;
}
- (void) krb5_seteuid((uid_t)pw->pw_uid);
+ if (krb5_seteuid((uid_t)pw->pw_uid)) {
+ fatal("seteuid user");
+ }
len = sizeof(pasv_addr);
if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
goto pasv_error;
const char * cc_name;
struct stat st_temp;
- krb5_seteuid(0);
- krb5_seteuid(target_uid);
-
+ if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
+ com_err(prog_name, errno,
+ "while returning to source uid for destroying ccache");
+ exit(1);
+ }
+
cc_name = krb5_cc_get_name(context, cc);
if ( ! stat(cc_name, &st_temp)){
if ((retval = krb5_cc_destroy(context, cc))){
*/
if(getuid() == 0) {
uid_t old_euid = geteuid();
- seteuid(pwd->pw_uid);
+ if (seteuid(pwd->pw_uid) < 0)
+ return NOTOK;
fp = fopen(pbuf, "r");
- seteuid(old_euid);
+ if (seteuid(old_euid) < 0)
+ return NOTOK;
if ((fp) == NULL) {
return(NOTOK);
}
projects / krb5.git / commitdiff