Synopsis: at(1) allows local users to read arbitrary files
NetBSD versions: 1.0, 1.1, 1.2, 1.2.1, 1.3, 1.3.1, and 1.3.2.
Thanks to: Wolfgang Rupprecht and Matthew Green.
Reported in NetBSD Advisory: NetBSD-SA1998-004


Index: at.c
===================================================================
RCS file: /cvsroot/src/usr.bin/at/at.c,v
retrieving revision 1.7
retrieving revision 1.10
diff -c -r1.7 -r1.10
*** at.c	1997/10/18 12:23:37	1.7
--- at.c	1998/06/26 08:28:20	1.10
***************
*** 1,4 ****
! /*	$NetBSD: at.c,v 1.7 1997/10/18 12:23:37 lukem Exp $	*/
  
  /*
   * at.c : Put file into atrun queue
--- 1,4 ----
! /*	$NetBSD: at.c,v 1.10 1998/06/26 08:28:20 mrg Exp $	*/
  
  /*
   * at.c : Put file into atrun queue
***************
*** 64,77 ****
  
  /* File scope variables */
  #ifndef lint
! __RCSID("$NetBSD: at.c,v 1.7 1997/10/18 12:23:37 lukem Exp $");
  #endif
  
  char *no_export[] =
  {
  	"TERM", "TERMCAP", "DISPLAY", "_"
  };
! static send_mail = 0;
  
  /* External variables */
  extern char **environ;
--- 64,77 ----
  
  /* File scope variables */
  #ifndef lint
! __RCSID("$NetBSD: at.c,v 1.10 1998/06/26 08:28:20 mrg Exp $");
  #endif
  
  char *no_export[] =
  {
  	"TERM", "TERMCAP", "DISPLAY", "_"
  };
! static int send_mail = 0;
  
  /* External variables */
  extern char **environ;
***************
*** 249,261 ****
  	PRIV_END
  
  	/*
- 	 * We no longer need suid root; now we just need to be able to
- 	 * write to the directory, if necessary.
- 	 */
- 
- 	    REDUCE_PRIV(effective_uid);
- 
- 	/*
  	 * We've successfully created the file; let's set the flag so it
  	 * gets removed in case of an interrupt or error.
  	 */
--- 249,254 ----
***************
*** 292,297 ****
--- 285,291 ----
  		if (fpin == NULL)
  			perr("Cannot open input file");
  	}
+ 
  	fprintf(fp, "#! /bin/sh\n# mail %8s %d\n", mailname, send_mail);
  
  	/* Write out the umask at the time of invocation */
***************
*** 361,369 ****
--- 355,368 ----
  	/*
  	 * Set the x bit so that we're ready to start executing
  	 */
+ 
+ 	PRIV_START
+ 
  	if (fchmod(fd2, S_IRUSR | S_IWUSR | S_IXUSR) < 0)
  		perr("Cannot give away file");
  
+ 	PRIV_END
+ 
  	close(fd2);
  	fprintf(stderr, "Job %s will be executed using /bin/sh\n", ppos);
  }
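Review bot: The new `PRIV_START`/`PRIV_END` bracket around `fchmod()` has no comment saying why privilege is raised at this point; the comment above it still only mentions the x bit. Because this revision also deletes the earlier `REDUCE_PRIV(effective_uid)` call, the rest of the function presumably now runs as the invoking user, and that is what keeps the input-file open a few lines earlier unprivileged. I would record the invariant next to the bracket: `/* Raise privilege only for the fchmod(); everything else here, including opening the input file, must run as the invoking user. */`. On the failure path `perr()` is reached with privilege still raised, so whatever it does before exiting runs privileged; its body is not in this diff, so that is worth confirming. The enclosing function starts outside the hunk.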
***************
*** 388,394 ****
  
  	PRIV_START
  
! 	    if (chdir(_PATH_ATJOBS) != 0)
  		perr2("Cannot change to ", _PATH_ATJOBS);
  
  	if ((spool = opendir(".")) == NULL)
--- 387,393 ----
  
  	PRIV_START
  
! 	if (chdir(_PATH_ATJOBS) != 0)
  		perr2("Cannot change to ", _PATH_ATJOBS);
  
  	if ((spool = opendir(".")) == NULL)
***************
*** 444,450 ****
  
  	PRIV_START
  
! 	    if (chdir(_PATH_ATJOBS) != 0)
  		perr2("Cannot change to ", _PATH_ATJOBS);
  
  	for (i = optind; i < argc; i++) {
--- 443,449 ----
  
  	PRIV_START
  
! 	if (chdir(_PATH_ATJOBS) != 0)
  		perr2("Cannot change to ", _PATH_ATJOBS);
  
  	for (i = optind; i < argc; i++) {