From nobody@FreeBSD.org  Tue Jan 16 21:47:14 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 3B43016A407
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 16 Jan 2007 21:47:14 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 2B79013C43E
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 16 Jan 2007 21:47:14 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l0GLlDsT096590
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 16 Jan 2007 21:47:13 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l0GLlDSe096574;
	Tue, 16 Jan 2007 21:47:13 GMT
	(envelope-from nobody)
Message-Id: <200701162147.l0GLlDSe096574@www.freebsd.org>
Date: Tue, 16 Jan 2007 21:47:13 GMT
From: Bjoern Voigt<bjoern@cs.tu-berlin.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Comsat does not verify return values of getpwnam and setuid
X-Send-Pr-Version: www-3.0

>Number:         108020
>Category:       bin
>Synopsis:       comsat(8) does not verify return values of getpwnam and setuid
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 16 21:50:21 GMT 2007
>Closed-Date:    
>Last-Modified:  Tue Jan 16 22:52:05 GMT 2007
>Originator:     Bjoern Voigt
>Release:        6.2-PRERELEASE
>Organization:
>Environment:
FreeBSD mybox 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Sun Nov 26 21:50:02 CET 2006     root@mybox:/usr/obj/lx/suse/var/ctm/src/sys/GENERIC.bv  i386
>Description:
I reviewed the code of comsat (/usr/src/libexec/comsat/comsat.c).

There are two potential problems in function jkfprintf():

[...]
        /* Set effective uid to user in case mail drop is on nfs */
        if ((p = getpwnam(user)) != NULL)
                (void) setuid(p->pw_uid);
[...]

1) If getpwnam() fails the function is continued without dropping privileges.
2) The return value of setuid() is not checked. The manual page says that
   setuid() could only fail for non-root. Anyway, it's no good style to
   ignore the result of setuid().
>How-To-Repeat:
Faked comsat requests could be generated with "nc" (netcat). A "bad" user
could send non-existing user names (getpwnam() will fail and setuid() will
not be called). He could also send file names which should not be readable
by the user with receives the biff messages. 

netcat could be used this way (tested with netcat from ports collection):

$ /usr/local/bin/nc -u localhost 512
user@0:/some/file
Control-c
(Mail for "user", offset byte 0, mailbox "/some/file")
>Fix:
getpwnam problem:
I suggest to return function jkfprintf() if getpwnam() fails.

setuid problem:
I suggest to return function jkfprintf() if getpwnam() fails and if getuid()
returns 0 (root). The check for user root may not be necessary since normal
users can not really switch the uid with setuid() if the program is not
installed with set-uid (as far as I know).

I could help with a patch and with testing.
>Release-Note:
>Audit-Trail:
>Unformatted:
