[src/trunk]: src/bin/sh Drop privileges when executed set{u, g}id unless -p is...
details: https://anonhg.NetBSD.org/src/rev/05a3ab1e38a5
branches: trunk
changeset: 338473:05a3ab1e38a5
user: christos <christos%NetBSD.org@localhost>
date: Tue May 26 21:35:15 2015 +0000
description:
Drop privileges when executed set{u,g}id unless -p is specified like other
shells do to avoid system() and popen() abuse.
diffstat:
bin/sh/main.c | 21 +++++++++++++++++++--
bin/sh/options.h | 6 ++++--
bin/sh/sh.1 | 19 +++++++++++++------
bin/sh/var.c | 22 +++++++++++++++-------
bin/sh/var.h | 3 ++-
5 files changed, 53 insertions(+), 18 deletions(-)
diffs (196 lines):
diff -r 9ad28c865a84 -r 05a3ab1e38a5 bin/sh/main.c
--- a/bin/sh/main.c Tue May 26 19:59:21 2015 +0000
+++ b/bin/sh/main.c Tue May 26 21:35:15 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: main.c,v 1.58 2014/05/31 14:42:18 christos Exp $ */
+/* $NetBSD: main.c,v 1.59 2015/05/26 21:35:15 christos Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -42,7 +42,7 @@
#if 0
static char sccsid[] = "@(#)main.c 8.7 (Berkeley) 7/19/95";
#else
-__RCSID("$NetBSD: main.c,v 1.58 2014/05/31 14:42:18 christos Exp $");
+__RCSID("$NetBSD: main.c,v 1.59 2015/05/26 21:35:15 christos Exp $");
#endif
#endif /* not lint */
@@ -106,6 +106,11 @@
struct stackmark smark;
volatile int state;
char *shinit;
+ uid_t uid;
+ gid_t gid;
+
+ uid = getuid();
+ gid = getgid();
setlocale(LC_ALL, "");
@@ -178,6 +183,18 @@
initpwd();
setstackmark(&smark);
procargs(argc, argv);
+
+ /*
+ * Limit bogus system(3) or popen(3) calls in setuid binaries,
+ * by requiring the -p flag
+ */
+ if (!pflag && (uid != geteuid() || gid != getegid())) {
+ setuid(uid);
+ setgid(gid);
+ /* PS1 might need to be changed accordingly. */
+ choose_ps1();
+ }
+
if (argv[0] && argv[0][0] == '-') {
state = 1;
read_profile("/etc/profile");
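Review bot: The drop in the added `if` block calls `setuid(uid)` before `setgid(gid)` and ignores both return values. Once a set-uid-root shell has given up uid 0, the following `setgid()` runs unprivileged and may fail or leave the saved set-group-ID in place, and a failed `setuid()` leaves the shell running with the elevated ids it was meant to shed. Reverse the order and fail closed, e.g. `if (setgid(gid) == -1 || setuid(uid) == -1)` followed by an error exit, before `choose_ps1()` is reached. The drop also happens only after `procargs()` and the earlier initialisation have run with the elevated ids, which is presumably needed to learn `pflag` but is worth a comment. main() starts and ends outside this hunk.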
diff -r 9ad28c865a84 -r 05a3ab1e38a5 bin/sh/options.h
--- a/bin/sh/options.h Tue May 26 19:59:21 2015 +0000
+++ b/bin/sh/options.h Tue May 26 21:35:15 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: options.h,v 1.21 2015/01/02 19:56:20 christos Exp $ */
+/* $NetBSD: options.h,v 1.22 2015/05/26 21:35:15 christos Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -101,9 +101,11 @@
#define tabcomplete optlist[18].val
DEF_OPT( "fork", 'F' ) /* use fork(2) instead of vfork(2) */
#define usefork optlist[19].val
+DEF_OPT( "nopriv", 'p' ) /* preserve privs even if set{u,g}id */
+#define pflag optlist[20].val
#ifdef DEBUG
DEF_OPT( "debug", 0 ) /* enable debug prints */
-#define debug optlist[20].val
+#define debug optlist[21].val
#endif
#ifdef DEFINE_OPTIONS
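Review bot: The long name `nopriv` on the new `DEF_OPT` line reads as the opposite of what its comment says (the option preserves privileges), so `set -o nopriv` is easy to misread in a script being reviewed for privilege handling. If the name has to stay, the comment could spell it out, e.g. `/* -p: do NOT drop set{u,g}id privileges at startup */`. As far as this diff shows, `pflag` is read only once in main(), so turning it off later with `set +p` would not drop anything; that deserves a sentence here or in the manual page. The hand-numbered `optlist[20]`/`optlist[21]` indexes must stay in step with the `DEF_OPT` order, which nothing in the hunk enforces.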
diff -r 9ad28c865a84 -r 05a3ab1e38a5 bin/sh/sh.1
--- a/bin/sh/sh.1 Tue May 26 19:59:21 2015 +0000
+++ b/bin/sh/sh.1 Tue May 26 21:35:15 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sh.1,v 1.114 2014/06/01 17:46:06 christos Exp $
+.\" $NetBSD: sh.1,v 1.115 2015/05/26 21:35:15 christos Exp $
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
@@ -31,7 +31,7 @@
.\"
.\" @(#)sh.1 8.6 (Berkeley) 5/4/95
.\"
-.Dd June 1, 2014
+.Dd May 26, 2015
.Dt SH 1
.Os
.Sh NAME
@@ -53,8 +53,8 @@
.Nm
.Fl c
.Bk -words
-.Op Fl aCefnuvxIimqVEb
-.Op Cm +aCefnuvxIimqVEb
+.Op Fl abCEefnuvxIimpqV
+.Op Cm +abCEefnuvxIimpqV
.Ek
.Bk -words
.Op Fl o Ar option_name
@@ -67,8 +67,8 @@
.Nm
.Fl s
.Bk -words
-.Op Fl aCefnuvxIimqVEb
-.Op Cm +aCefnuvxIimqVEb
+.Op Fl abCEefnuvxIimpqV
+.Op Cm +abCEefnuvxIimpqV
.Ek
.Bk -words
.Op Fl o Ar option_name
@@ -299,6 +299,13 @@
.It Fl b Em notify
Enable asynchronous notification of background job completion.
(Not implemented.)
+.It Fl p Em nopriv
+Do not attempt to reset effective uid if it does not match uid.
+This is not set by default to help avoid incorrect usage by setuid
+root programs via
+.Xr system 3
+or
+.Xr popen 3 .
.It "\ \ " Em cdprint
Make an interactive shell always print the new directory name when
changed by the
diff -r 9ad28c865a84 -r 05a3ab1e38a5 bin/sh/var.c
--- a/bin/sh/var.c Tue May 26 19:59:21 2015 +0000
+++ b/bin/sh/var.c Tue May 26 21:35:15 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: var.c,v 1.43 2013/11/01 16:49:02 christos Exp $ */
+/* $NetBSD: var.c,v 1.44 2015/05/26 21:35:15 christos Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -37,7 +37,7 @@
#if 0
static char sccsid[] = "@(#)var.c 8.3 (Berkeley) 5/4/95";
#else
-__RCSID("$NetBSD: var.c,v 1.43 2013/11/01 16:49:02 christos Exp $");
+__RCSID("$NetBSD: var.c,v 1.44 2015/05/26 21:35:15 christos Exp $");
#endif
#endif /* not lint */
@@ -190,11 +190,19 @@
if (find_var("PS1", &vpp, &vps1.name_len) == NULL) {
vps1.next = *vpp;
*vpp = &vps1;
- vps1.text = strdup(geteuid() ? "PS1=$ " : "PS1=# ");
vps1.flags = VSTRFIXED|VTEXTFIXED;
+ vps1.text = NULL;
+ choose_ps1();
}
}
+void
+choose_ps1(void)
+{
+ free(vps1.text);
+ vps1.text = strdup(geteuid() ? "PS1=$ " : "PS1=# ");
+}
+
/*
* Safe version of setvar, returns 1 on success 0 on failure.
*/
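Review bot: `choose_ps1()` frees `vps1.text` unconditionally, yet it is now also called from main() after option processing, when `vps1.text` may no longer be the string this file allocated. The same hunk marks the variable `VSTRFIXED|VTEXTFIXED`; if, as the flag name suggests, that tells the rest of var.c the text is not heap-owned, a PS1 taken from the environment or set by the user could leave a non-malloc pointer here, and `free()` on it is undefined behaviour in a process that started set-id. It would also silently replace a PS1 the user chose. Guard the free and the overwrite so they apply only while the built-in default is still in place, and check the `strdup()` result, which is stored unchecked and can be NULL.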
@@ -575,11 +583,11 @@
char *name;
const char *p;
int flag = argv[0][0] == 'r'? VREADONLY : VEXPORT;
- int pflag;
+ int pflg;
- pflag = nextopt("p") == 'p' ? 3 : 0;
- if (argc <= 1 || pflag) {
- showvars( pflag ? argv[0] : 0, flag, pflag );
+ pflg = nextopt("p") == 'p' ? 3 : 0;
+ if (argc <= 1 || pflg) {
+ showvars( pflg ? argv[0] : 0, flag, pflg );
return 0;
}
diff -r 9ad28c865a84 -r 05a3ab1e38a5 bin/sh/var.h
--- a/bin/sh/var.h Tue May 26 19:59:21 2015 +0000
+++ b/bin/sh/var.h Tue May 26 21:35:15 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: var.h,v 1.25 2011/06/18 21:18:46 christos Exp $ */
+/* $NetBSD: var.h,v 1.26 2015/05/26 21:35:15 christos Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -125,5 +125,6 @@
void listmklocal(struct strlist *, int);
void poplocalvars(void);
int unsetvar(const char *, int);
+void choose_ps1(void);
int setvarsafe(const char *, const char *, int);
void print_quoted(const char *);