Update of /cvsroot/qmailadmin/qmailadmin
In directory sc8-pr-cvs16.sourceforge.net:/tmp/cvs-serv27177
Modified Files:
Tag: stable-1_2
ChangeLog qmailadmin.c
Log Message:
Check the return values of setuid() and setgid() and exit if either fails (security issue reported by Miguel Lourenco).
Index: qmailadmin.c
===================================================================
RCS file: /cvsroot/qmailadmin/qmailadmin/qmailadmin.c,v
retrieving revision 1.6.2.13
retrieving revision 1.6.2.14
diff -u -d -r1.6.2.13 -r1.6.2.14
--- qmailadmin.c 21 Sep 2007 23:27:39 -0000 1.6.2.13
+++ qmailadmin.c 8 Jan 2008 04:42:54 -0000 1.6.2.14
@@ -109,6 +109,24 @@
char RealDir[156];
char Lang[40];
+void qmailadmin_suid (gid_t Gid, uid_t Uid)
+{
+ if ( geteuid() == 0 ) {
+ if ( setgid(Gid) != 0 ) {
+ printf ("%s", html_text[318]);
+ perror("setgid");
+ vclose();
+ exit (EXIT_FAILURE);
+ }
+ if ( setuid(Uid) != 0 ) {
+ printf ("%s", html_text[319]);
+ perror("setuid");
+ vclose();
+ exit (EXIT_FAILURE);
+ }
+ }
+}
+
int main(argc,argv)
int argc;
char *argv[];
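Review bot: `qmailadmin_suid` never clears the supplementary group list, so a process started as root keeps root's extra groups after `setgid(Gid)` and `setuid(Uid)` succeed. Add a checked `setgroups(1, &Gid)` before the `setgid` call, with the same print, `vclose()` and `exit (EXIT_FAILURE)` path on failure. A short header comment would also help: `/* Drop root to the domain's gid/uid; gid must be changed first, because after setuid() the process may no longer be allowed to change it. Exits on failure. */`. The helper could be declared `static`, since every caller visible in this diff is in qmailadmin.c.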
@@ -148,10 +166,7 @@
/* get the real uid and gid and change to that user */
vget_assign(Domain,RealDir,sizeof(RealDir),&Uid,&Gid);
- if ( geteuid() == 0 ) {
- if ( setgid(Gid) != 0 ) perror("setgid");
- if ( setuid(Uid) != 0 ) perror("setuid");
- }
+ qmailadmin_suid (Gid, Uid);
if ( chdir(RealDir) < 0 ) {
fprintf(stderr, "<h2>%s %s</h2>\n", html_text[171], RealDir );
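Review bot: The result of `vget_assign` is still ignored on the line before the new `qmailadmin_suid (Gid, Uid)` call. If the lookup fails and leaves `Uid`/`Gid` unset or zero, `setuid(0)` succeeds for a root process, so the new return-value check passes while the CGI keeps running as root. Assuming `vget_assign` returns NULL for an unknown domain (confirm against the vpopmail API), guard the call with `if ( vget_assign(Domain,RealDir,sizeof(RealDir),&Uid,&Gid) == NULL ) { vclose(); exit (EXIT_FAILURE); }`, and consider having `qmailadmin_suid` refuse a zero `Uid`. The same unchecked call precedes `qmailadmin_suid` in the hunks at -183 and -238; main's body starts and ends outside this hunk.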
@@ -183,10 +198,7 @@
} else if (*Username && *Password) {
/* attempt to authenticate user */
vget_assign (Domain, RealDir, sizeof(RealDir), &Uid, &Gid);
- if ( geteuid() == 0 ) {
- if ( setgid(Gid) != 0 ) perror("setgid");
- if ( setuid(Uid) != 0 ) perror("setuid");
- }
+ qmailadmin_suid (Gid, Uid);
strcpy (User, Username);
if ((dom = strchr (User, '@')) != NULL) {
@@ -238,10 +250,7 @@
}
vget_assign(Domain,RealDir,sizeof(RealDir),&Uid,&Gid);
- if ( geteuid() == 0 ) {
- if ( setgid(Gid) != 0 ) perror("setgid");
- if ( setuid(Uid) != 0 ) perror("setuid");
- }
+ qmailadmin_suid (Gid, Uid);
/* Authenticate a user and domain admin */
if ( strlen(Domain) > 0 ) {
Index: ChangeLog
===================================================================
RCS file: /cvsroot/qmailadmin/qmailadmin/ChangeLog,v
retrieving revision 1.15.2.109
retrieving revision 1.15.2.110
diff -u -d -r1.15.2.109 -r1.15.2.110
--- ChangeLog 8 Jan 2008 03:56:14 -0000 1.15.2.109
+++ ChangeLog 8 Jan 2008 04:42:54 -0000 1.15.2.110
@@ -3,6 +3,10 @@
1.1.13 - unreleased
+ Tom Collins
+ - qmailadmin.c: check return value of setuid() and setgid() and
+ exit if either fail (security issue reported by Miguel Lourenco).
+
1.2.12 - released 13-Nov-07
John Simpson