[PATCH 3/3] wall: Temporarily drop privileges when opening files
Ryan Mallon
rmallon at gmail.com
Tue Oct 8 00:02:33 UTC 2013
The wall applet is setuid and currently does no checking of the real
user's read access to the message file. This allows the wall applet to
be used to display files which are not readable by an unprivileged
user. For example:
$ wall /etc/shadow
$ wall /proc/vmallocinfo
Fix this by temporarily dropping privileges before opening the file.
Signed-off-by: Ryan Mallon <rmallon at gmail.com>
---
miscutils/wall.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/miscutils/wall.c b/miscutils/wall.c
index 762f53b..0f9d046 100644
--- a/miscutils/wall.c
+++ b/miscutils/wall.c
@@ -22,7 +22,24 @@ int wall_main(int argc UNUSED_PARAM, char **argv)
{
struct utmp *ut;
char *msg;
- int fd = argv[1] ? xopen(argv[1], O_RDONLY) : STDIN_FILENO;
+ int fd = STDIN_FILENO;
+
+ if (argv[1]) {
+ /*
+ * This applet is setuid. Temporarily drop privileges to the
+ * real user when opening the file.
+ */
+ uid_t old_euid = geteuid();
+ gid_t old_egid = getegid();
+
+ xsetegid(getgid());
+ xseteuid(getuid());
+
+ fd = xopen(argv[1], O_RDONLY);
+
+ xseteuid(old_euid);
+ xsetegid(old_egid);
+ }
msg = xmalloc_read(fd, NULL);
if (ENABLE_FEATURE_CLEAN_UP && argv[1])
--
1.7.9.7
More information about the busybox
mailing list