Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/games/atc The patch below improves the security of the game ...



details:   https://anonhg.NetBSD.org/src/rev/431aa31f22ad
branches:  trunk
changeset: 474733:431aa31f22ad
user:      hubertf <hubertf%NetBSD.org@localhost>
date:      Sat Jul 17 19:57:03 1999 +0000

description:
The patch below improves the security of the game atc(6), by having it
open the score file at the start and then drop all setgid privileges
while keeping a (close-on-exec) file descriptor open to it.  In order
to allow this the static data files have to be made world readable.
In addition a potential buffer overrun with corrupted score files is
avoided by more careful use of scanf (note that SCORE_SCANF_FMT is
defined alongside the definition of the relevant structure).

Submitted in PR 8015 by Joseph Myers <jsm28%cam.ac.uk@localhost>

diffstat:

 games/atc/Makefile |   4 +-
 games/atc/extern.h |   3 +-
 games/atc/input.c  |   5 +-
 games/atc/log.c    |  88 ++++++++++++++++++++++++++++++++++++++---------------
 games/atc/main.c   |   8 +++-
 games/atc/struct.h |   4 +-
 6 files changed, 78 insertions(+), 34 deletions(-)

diffs (272 lines):

diff -r 31fc2c9fc859 -r 431aa31f22ad games/atc/Makefile
--- a/games/atc/Makefile        Sat Jul 17 19:48:40 1999 +0000
+++ b/games/atc/Makefile        Sat Jul 17 19:57:03 1999 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.21 1999/02/13 02:54:20 lukem Exp $
+#      $NetBSD: Makefile,v 1.22 1999/07/17 19:57:03 hubertf Exp $
 #      @(#)Makefile    8.1 (Berkeley) 5/31/93
 
 .include <bsd.own.mk>
@@ -19,7 +19,7 @@
 .if ${MKSHARE} != "no"
 FILES=${GAMES:S@^@${.CURDIR}/games/@g}
 FILESDIR=/usr/share/games/atc
-FILESMODE=440
+FILESMODE=444
 .endif
 
 lex.o: grammar.h
diff -r 31fc2c9fc859 -r 431aa31f22ad games/atc/extern.h
--- a/games/atc/extern.h        Sat Jul 17 19:48:40 1999 +0000
+++ b/games/atc/extern.h        Sat Jul 17 19:57:03 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: extern.h,v 1.7 1998/11/10 13:43:30 hubertf Exp $       */
+/*     $NetBSD: extern.h,v 1.8 1999/07/17 19:57:03 hubertf Exp $       */
 
 /*-
  * Copyright (c) 1990, 1993
@@ -97,6 +97,7 @@
 int            next_plane __P((void));
 void           noise __P((void));
 int            number __P((char));
+void           open_score_file __P((void));
 void           planewin __P((void));
 int            pop __P((void));
 void           push __P((int, int));
diff -r 31fc2c9fc859 -r 431aa31f22ad games/atc/input.c
--- a/games/atc/input.c Sat Jul 17 19:48:40 1999 +0000
+++ b/games/atc/input.c Sat Jul 17 19:57:03 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: input.c,v 1.11 1998/11/10 13:43:31 hubertf Exp $       */
+/*     $NetBSD: input.c,v 1.12 1999/07/17 19:57:03 hubertf Exp $       */
 
 /*-
  * Copyright (c) 1990, 1993
@@ -50,7 +50,7 @@
 #if 0
 static char sccsid[] = "@(#)input.c    8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: input.c,v 1.11 1998/11/10 13:43:31 hubertf Exp $");
+__RCSID("$NetBSD: input.c,v 1.12 1999/07/17 19:57:03 hubertf Exp $");
 #endif
 #endif not lint
 
@@ -316,7 +316,6 @@
                        {
                                char *shell, *base;
 
-                               setuid(getuid()); /* turn off setuid bit */
                                done_screen();
 
                                                 /* run user's favorite shell */
diff -r 31fc2c9fc859 -r 431aa31f22ad games/atc/log.c
--- a/games/atc/log.c   Sat Jul 17 19:48:40 1999 +0000
+++ b/games/atc/log.c   Sat Jul 17 19:57:03 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: log.c,v 1.8 1998/11/10 13:43:31 hubertf Exp $  */
+/*     $NetBSD: log.c,v 1.9 1999/07/17 19:57:03 hubertf Exp $  */
 
 /*-
  * Copyright (c) 1990, 1993
@@ -50,13 +50,15 @@
 #if 0
 static char sccsid[] = "@(#)log.c      8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: log.c,v 1.8 1998/11/10 13:43:31 hubertf Exp $");
+__RCSID("$NetBSD: log.c,v 1.9 1999/07/17 19:57:03 hubertf Exp $");
 #endif
 #endif not lint
 
 #include "include.h"
 #include "pathnames.h"
 
+static FILE *score_fp;
+
 int
 compar(va, vb)
        const void *va, *vb;
@@ -101,44 +103,69 @@
        return (s);
 }
 
+void
+open_score_file()
+{
+       mode_t old_mask;
+       int score_fd;
+       int flags;
+
+       old_mask = umask(0);
+       score_fd = open(_PATH_SCORE, O_CREAT|O_RDWR, 0664);
+       umask(old_mask);
+       if (score_fd < 0) {
+               warn("open %s", _PATH_SCORE);
+               return;
+       }
+       if (score_fd < 3)
+               exit(1);
+       /* Set the close-on-exec flag.  If this fails for any reason, quit
+        * rather than leave the score file open to tampering.  */
+       flags = fcntl(score_fd, F_GETFD);
+       if (flags < 0)
+               err(1, "fcntl F_GETFD");
+       flags |= FD_CLOEXEC;
+       if (fcntl(score_fd, F_SETFD, flags) == -1)
+               err(1, "fcntl F_SETFD");
+       /*
+        * This is done to take advantage of stdio, while still 
+        * allowing a O_CREAT during the open(2) of the log file.
+        */
+       score_fp = fdopen(score_fd, "r+");
+       if (score_fp == NULL) {
+               warn("fdopen %s", _PATH_SCORE);
+               return;
+       }
+}
+
 int
 log_score(list_em)
        int list_em;
 {
-       int             i, fd, num_scores = 0, good, changed = 0, found = 0;
+       int             i, num_scores = 0, good, changed = 0, found = 0;
        struct passwd   *pw;
-       FILE            *fp;
        char            *cp;
        SCORE           score[100], thisscore;
        struct utsname  name;
+       long            offset;
 
-       umask(0);
-       fd = open(_PATH_SCORE, O_CREAT|O_RDWR, 0644);
-       if (fd < 0) {
-               warn("open %s", _PATH_SCORE);
+       if (score_fp == NULL) {
+               warnx("no score file available");
                return (-1);
        }
-       /*
-        * This is done to take advantage of stdio, while still 
-        * allowing a O_CREAT during the open(2) of the log file.
-        */
-       fp = fdopen(fd, "r+");
-       if (fp == NULL) {
-               warn("fdopen %s", _PATH_SCORE);
-               return (-1);
-       }
+
 #ifdef BSD
-       if (flock(fileno(fp), LOCK_EX) < 0)
+       if (flock(fileno(score_fp), LOCK_EX) < 0)
 #endif
 #ifdef SYSV
-       while (lockf(fileno(fp), F_LOCK, 1) < 0)
+       while (lockf(fileno(score_fp), F_LOCK, 1) < 0)
 #endif
        {
                warn("flock %s", _PATH_SCORE);
                return (-1);
        }
        for (;;) {
-               good = fscanf(fp, "%s %s %s %d %d %d",
+               good = fscanf(score_fp, SCORE_SCANF_FMT,
                        score[num_scores].name, 
                        score[num_scores].host, 
                        score[num_scores].game,
@@ -152,7 +179,7 @@
                if ((pw = (struct passwd *) getpwuid(getuid())) == NULL) {
                        fprintf(stderr, 
                                "getpwuid failed for uid %d.  Who are you?\n",
-                               getuid());
+                               (int)getuid());
                        return (-1);
                }
                strcpy(thisscore.name, pw->pw_name);
@@ -215,12 +242,23 @@
                        else
                                puts("You made the top players list!");
                        qsort(score, num_scores, sizeof (*score), compar);
-                       rewind(fp);
+                       rewind(score_fp);
                        for (i = 0; i < num_scores; i++)
-                               fprintf(fp, "%s %s %s %d %d %d\n",
+                               fprintf(score_fp, "%s %s %s %d %d %d\n",
                                        score[i].name, score[i].host, 
                                        score[i].game, score[i].planes,
                                        score[i].time, score[i].real_time);
+                       fflush(score_fp);
+                       if (ferror(score_fp))
+                               warn("error writing %s", _PATH_SCORE);
+                       /* It is just possible that updating an entry could
+                        * have reduced the length of the file, so we
+                        * truncate it.  The seeks are required for stream/fd
+                        * synchronisation by POSIX.1.  */
+                       offset = ftell(score_fp);
+                       lseek(fileno(score_fp), 0, SEEK_SET);
+                       ftruncate(fileno(score_fp), offset);
+                       rewind(score_fp);
                } else {
                        if (found)
                                puts("You didn't beat your previous score.");
@@ -230,12 +268,12 @@
                putchar('\n');
        }
 #ifdef BSD
-       flock(fileno(fp), LOCK_UN);
+       flock(fileno(score_fp), LOCK_UN);
 #endif
 #ifdef SYSV
        /* lock will evaporate upon close */
 #endif
-       fclose(fp);
+       fclose(score_fp);
        printf("%2s:  %-8s  %-8s  %-18s  %4s  %9s  %4s\n", "#", "name", "host", 
                "game", "time", "real time", "planes safe");
        puts("-------------------------------------------------------------------------------");
diff -r 31fc2c9fc859 -r 431aa31f22ad games/atc/main.c
--- a/games/atc/main.c  Sat Jul 17 19:48:40 1999 +0000
+++ b/games/atc/main.c  Sat Jul 17 19:57:03 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: main.c,v 1.8 1998/11/10 13:43:31 hubertf Exp $ */
+/*     $NetBSD: main.c,v 1.9 1999/07/17 19:57:03 hubertf Exp $ */
 
 /*-
  * Copyright (c) 1990, 1993
@@ -55,7 +55,7 @@
 #if 0
 static char sccsid[] = "@(#)main.c     8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: main.c,v 1.8 1998/11/10 13:43:31 hubertf Exp $");
+__RCSID("$NetBSD: main.c,v 1.9 1999/07/17 19:57:03 hubertf Exp $");
 #endif
 #endif /* not lint */
 
@@ -78,6 +78,10 @@
        struct itimerval        itv;
 #endif
 
+       /* Open the score file then revoke setgid privileges */
+       open_score_file();
+       setregid(getgid(), getgid());
+
        start_time = seed = time(0);
 
        name = *av++;
diff -r 31fc2c9fc859 -r 431aa31f22ad games/atc/struct.h
--- a/games/atc/struct.h        Sat Jul 17 19:48:40 1999 +0000
+++ b/games/atc/struct.h        Sat Jul 17 19:57:03 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: struct.h,v 1.3 1995/03/21 15:04:31 cgd Exp $   */
+/*     $NetBSD: struct.h,v 1.4 1999/07/17 19:57:03 hubertf Exp $       */
 
 /*-
  * Copyright (c) 1990, 1993
@@ -107,6 +107,8 @@
        int     real_time;
 } SCORE;
 
+#define SCORE_SCANF_FMT        "%9s %255s %255s %d %d %d"
+
 typedef struct displacement {
        int     dx;
        int     dy;



Home | Main Index | Thread Index | Old Index