From nobody@FreeBSD.org  Tue Oct  2 22:23:25 2012
Message-Id: <201210022223.q92MNOK7022431@red.freebsd.org>
Date: Tue, 2 Oct 2012 22:23:24 GMT
From: Erik Cederstrand <erik@cederstrand.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/at: Check return value of setuid() and friends
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         172290
>Category:       bin
>Synopsis:       [patch] at(1): Check return value of setuid() and friends
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    eadler
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 02 22:30:11 UTC 2012
>Closed-Date:    Sun Feb 03 03:48:12 UTC 2013
>Last-Modified:  Sun Feb 03 03:48:12 UTC 2013
>Originator:     Erik Cederstrand
>Release:        CURRENT
>Organization:
>Environment:
>Description:
Similar to PR bin/172289, at(1) doesn't check the return value of setuid() and similar functions. If setuid() fails, which it can do for a number of reasons, root privileges are not dropped.
>How-To-Repeat:

>Fix:
Check return value of setuid and related functions and fail if necessary

Patch attached with submission follows:

Index: privs.h
===================================================================
--- privs.h	(revision 240960)
+++ privs.h	(working copy)
@@ -74,8 +74,8 @@
 	effective_uid = geteuid(); \
 	real_gid = getgid(); \
 	effective_gid = getegid(); \
-	seteuid(real_uid); \
-	setegid(real_gid); \
+	if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \
+	if (setegid(real_gid) != 0) err(1, "setegid failed"); \
 }
 
 #define RELINQUISH_PRIVS_ROOT(a, b) { \
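Review bot: The new err() calls in the first macro of this hunk depend on <err.h>, and nothing visible in this patch adds that include to privs.h, so every source file that expands these macros must already include it. Either add the #include to privs.h or confirm each consumer has it. As a style point, putting the if and its err() call on one line makes the macro harder to read; splitting them across two continuation lines would match the rest of the header.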
@@ -83,26 +83,26 @@
 	effective_uid = geteuid(); \
 	real_gid = (b); \
 	effective_gid = getegid(); \
-	setegid(real_gid); \
-	seteuid(real_uid); \
+	if (setegid(real_gid) != 0) err(1, "setegid failed"); \
+	if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \
 }
 
 #define PRIV_START { \
-	seteuid(effective_uid); \
-	setegid(effective_gid); \
+	if (seteuid(effective_uid) != 0) err(1, "seteuid failed"); \
+	if (setegid(effective_gid) != 0) err(1, "setegid failed"); \
 }
 
 #define PRIV_END { \
-	setegid(real_gid); \
-	seteuid(real_uid); \
+	if (setegid(real_gid) != 0) err(1, "setegid failed"); \
+	if (seteuid(real_uid) != 0) err(1, "seteuid failed"); \
 }
 
 #define REDUCE_PRIV(a, b) { \
 	PRIV_START \
 	effective_uid = (a); \
 	effective_gid = (b); \
-	setreuid((uid_t)-1, effective_uid); \
-	setregid((gid_t)-1, effective_gid); \
+	if (setreuid((uid_t)-1, effective_uid) != 0) err(1, "setreuid failed"); \
+	if (setregid((gid_t)-1, effective_gid) != 0) err(1, "setregid failed"); \
 	PRIV_END \
 }
 #endif
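Review bot: In REDUCE_PRIV the setreuid() call still runs before setregid(), so when (a) is an unprivileged uid the process may no longer be permitted to set the effective gid to (b), and with the new checks that turns into a fatal "setregid failed" instead of a silently ignored error. Consider changing the group first, matching the setegid-then-seteuid order already used in RELINQUISH_PRIVS_ROOT and PRIV_END. The err() strings are also identical across the macros, so including the macro name in the message (for example "PRIV_END: seteuid failed") would make it possible to tell which transition failed.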


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Wed Oct 3 00:00:23 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172290 
State-Changed-From-To: open->analyzed 
State-Changed-By: eadler 
State-Changed-When: Thu Oct 11 14:14:12 UTC 2012 
State-Changed-Why:  
awaiting approval / review 

State-Changed-From-To: analyzed->patched 
State-Changed-By: eadler 
State-Changed-When: Thu Oct 25 23:23:13 UTC 2012 
State-Changed-Why:  
committed in HEAD 

State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Sun Feb 3 03:48:11 UTC 2013 
State-Changed-Why:  
I shall not MFC this PR 

>Unformatted:
