From: Tom C. <tom...@us...> - 2008-01-08 04:42:58
Update of /cvsroot/qmailadmin/qmailadmin
In directory sc8-pr-cvs16.sourceforge.net:/tmp/cvs-serv27177
Modified Files:
Tag: stable-1_2
ChangeLog qmailadmin.c
Log Message:
check return value of setuid() and setgid() and exit if either fail (security issue reported by Miguel Lourenco).
Index: qmailadmin.c
===================================================================
RCS file: /cvsroot/qmailadmin/qmailadmin/qmailadmin.c,v
retrieving revision 1.6.2.13
retrieving revision 1.6.2.14
diff -u -d -r1.6.2.13 -r1.6.2.14
--- qmailadmin.c 21 Sep 2007 23:27:39 -0000 1.6.2.13
+++ qmailadmin.c 8 Jan 2008 04:42:54 -0000 1.6.2.14
@@ -109,6 +109,24 @@
 char RealDir[156];
 char Lang[40];
+void qmailadmin_suid (gid_t Gid, uid_t Uid)
+{
+ if ( geteuid() == 0 ) {
+ if ( setgid(Gid) != 0 ) {
+ printf ("%s", html_text[318]);
+ perror("setgid");
+ vclose();
+ exit (EXIT_FAILURE);
+ }
+ if ( setuid(Uid) != 0 ) {
+ printf ("%s", html_text[319]);
+ perror("setuid");
+ vclose();
+ exit (EXIT_FAILURE);
+ }
+ }
+}
+
 int main(argc,argv)
 int argc;
 char *argv[];
@@ -148,10 +166,7 @@
 /* get the real uid and gid and change to that user */
 vget_assign(Domain,RealDir,sizeof(RealDir),&Uid,&Gid);
- if ( geteuid() == 0 ) {
- if ( setgid(Gid) != 0 ) perror("setgid");
- if ( setuid(Uid) != 0 ) perror("setuid");
- }
+ qmailadmin_suid (Gid, Uid);
 if ( chdir(RealDir) < 0 ) {
 fprintf(stderr, "<h2>%s %s</h2>\n", html_text[171], RealDir );
@@ -183,10 +198,7 @@
 } else if (*Username && *Password) {
 /* attempt to authenticate user */
 vget_assign (Domain, RealDir, sizeof(RealDir), &Uid, &Gid);
- if ( geteuid() == 0 ) {
- if ( setgid(Gid) != 0 ) perror("setgid");
- if ( setuid(Uid) != 0 ) perror("setuid");
- }
+ qmailadmin_suid (Gid, Uid);
 strcpy (User, Username);
 if ((dom = strchr (User, '@')) != NULL) {
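Review bot: qmailadmin_suid changes the gid and then the uid but never clears the supplementary group list, so inside the `geteuid() == 0` branch the process keeps whatever supplementary groups the root context that invoked it had; a `setgroups(1, &Gid)` call (declared in `<grp.h>` on Linux, `<unistd.h>` on the BSDs) with the same exit-on-failure handling, placed before `setgid(Gid)`, closes that gap. The new function also has no header comment; I would add `/* Drop root to the domain's uid/gid; on failure print the error, vclose() and exit rather than continue with root privileges. */`. It is deliberately a no-op when the effective uid is not 0, which matches the inlined code it replaces in the three main() call sites (@@ -148, @@ -183 and @@ -238), so those hunks need nothing further. Reusing html_text[318] for the setgroups message below is a placeholder; a dedicated string index would be cleaner.
```c
void qmailadmin_suid (gid_t Gid, uid_t Uid)
{
  if ( geteuid() == 0 ) {
    /* drop root's supplementary groups before changing gid/uid;
       html_text[318] is reused here only as a placeholder message */
    if ( setgroups(1, &Gid) != 0 ) {
      printf ("%s", html_text[318]);
      perror("setgroups");
      vclose();
      exit (EXIT_FAILURE);
    }
    /* … unchanged: setgid()/setuid() checks with vclose()/exit on failure … */
```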
@@ -238,10 +250,7 @@
 }
 vget_assign(Domain,RealDir,sizeof(RealDir),&Uid,&Gid);
- if ( geteuid() == 0 ) {
- if ( setgid(Gid) != 0 ) perror("setgid");
- if ( setuid(Uid) != 0 ) perror("setuid");
- }
+ qmailadmin_suid (Gid, Uid);
 /* Authenticate a user and domain admin */
 if ( strlen(Domain) > 0 ) {
Index: ChangeLog
===================================================================
RCS file: /cvsroot/qmailadmin/qmailadmin/ChangeLog,v
retrieving revision 1.15.2.109
retrieving revision 1.15.2.110
diff -u -d -r1.15.2.109 -r1.15.2.110
--- ChangeLog 8 Jan 2008 03:56:14 -0000 1.15.2.109
+++ ChangeLog 8 Jan 2008 04:42:54 -0000 1.15.2.110
@@ -3,6 +3,10 @@
 1.1.13 - unreleased
+ Tom Collins
+ - qmailadmin.c: check return value of setuid() and setgid() and
+ exit if either fail (security issue reported by Miguel Lourenco).
+
 1.2.12 - released 13-Nov-07
 John Simpson
|