Synopsis: dump exposes 'tty' group NetBSD versions: 1.5, 1.5.1 Thanks to: John Hawkinson Reported in NetBSD Security Advisory: NetBSD-SA2001-014 Index: main.c =================================================================== RCS file: /cvsroot/basesrc/sbin/dump/main.c,v retrieving revision 1.25.6.3 retrieving revision 1.25.6.4 diff -c -p -r1.25.6.3 -r1.25.6.4 *** main.c 2001/05/15 21:55:58 1.25.6.3 --- main.c 2001/08/08 18:13:22 1.25.6.4 *************** __RCSID("$NetBSD: main.c,v 1.25.6.3 2001 *** 80,85 **** --- 80,86 ---- #include "dump.h" #include "pathnames.h" + gid_t egid; /* Retain tty privs for notification */ int notify = 0; /* notify operator flag */ int blockswritten = 0; /* number of blocks written on current tape */ int tapeno = 0; /* current tape number */ *************** main(argc, argv) *** 118,123 **** --- 119,128 ---- spcl.c_date = 0; (void)time((time_t *)&spcl.c_date); + + /* Save setgid bit for use later */ + egid = getegid(); + setegid(getgid()); tsize = 0; /* Default later, based on 'c' option for cart tapes */ if ((tape = getenv("TAPE")) == NULL) Index: optr.c =================================================================== RCS file: /cvsroot/basesrc/sbin/dump/optr.c,v retrieving revision 1.13.10.1 retrieving revision 1.13.10.2 diff -c -p -r1.13.10.1 -r1.13.10.2 *** optr.c 2000/10/18 00:39:44 1.13.10.1 --- optr.c 2001/08/08 18:13:18 1.13.10.2 *************** void alarmcatch __P((int)); *** 73,78 **** --- 73,79 ---- struct fstab *allocfsent __P((struct fstab *fs)); int datesort __P((const void *, const void *)); static void sendmes __P((char *, char *)); + extern gid_t egid; /* * Query the operator; This previously-fascist piece of code *************** broadcast(message) *** 225,236 **** --- 226,241 ---- if (!notify || gp == NULL) return; + /* Restore 'tty' privs for the child's use only. */ + setegid(egid); switch (pid = fork()) { case -1: + setegid(getgid()); return; case 0: break; default: + setegid(getgid()); while (wait(&s) != pid) continue; return;