# HG changeset patch # User Chong Yidong # Date 1270221856 14400 # Node ID 2d36607da023a90dba9274de6742c59f6e82422d # Parent f54953a8f7e2bf829f67b738511aff5643056ef3 Fix permissions handling (CVE-2010-0825). * movemail.c (main): Check return values of setuid. Avoid possibility of symlink attack when movemail is setgid mail (CVE-2010-0825). diff -r f54953a8f7e2 -r 2d36607da023 lib-src/ChangeLog --- a/lib-src/ChangeLog Fri Apr 02 04:30:09 2010 +0200 +++ b/lib-src/ChangeLog Fri Apr 02 11:24:16 2010 -0400 @@ -1,3 +1,9 @@ +2010-04-02 Dan Rosenberg (tiny change) + + * movemail.c (main): Check return values of setuid. Avoid + possibility of symlink attack when movemail is setgid mail + (CVE-2010-0825). + 2010-03-19 Tetsurou Okazaki (tiny change) * Makefile.in (uninstall): Handle the case where archlibdir does diff -r f54953a8f7e2 -r 2d36607da023 lib-src/movemail.c --- a/lib-src/movemail.c Fri Apr 02 04:30:09 2010 +0200 +++ b/lib-src/movemail.c Fri Apr 02 11:24:16 2010 -0400 @@ -197,6 +197,9 @@ # define ARGSTR "p" #endif /* MAIL_USE_POP */ + uid_t real_gid = getgid(); + uid_t priv_gid = getegid(); + #ifdef WINDOWSNT /* Ensure all file i/o is in binary mode. */ _fmode = _O_BINARY; @@ -247,25 +250,6 @@ if (*outname == 0) fatal ("Destination file name is empty", 0, 0); - /* Check access to output file. */ - if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0) - pfatal_with_name (outname); - - /* Also check that outname's directory is writable to the real uid. */ - { - char *buf = (char *) xmalloc (strlen (outname) + 1); - char *p; - strcpy (buf, outname); - p = buf + strlen (buf); - while (p > buf && !IS_DIRECTORY_SEP (p[-1])) - *--p = 0; - if (p == buf) - *p++ = '.'; - if (access (buf, W_OK) != 0) - pfatal_with_name (buf); - free (buf); - } - #ifdef MAIL_USE_POP if (!strncmp (inname, "po:", 3)) { @@ -277,15 +261,12 @@ exit (status); } - setuid (getuid ()); + if (setuid (getuid ()) < 0) + fatal ("Failed to drop privileges", 0, 0); + #endif /* MAIL_USE_POP */ #ifndef DISABLE_DIRECT_ACCESS - - /* Check access to input file. */ - if (access (inname, R_OK | W_OK) != 0) - pfatal_with_name (inname); - #ifndef MAIL_USE_MMDF #ifndef MAIL_USE_SYSTEM_LOCK #ifdef MAIL_USE_MAILLOCK @@ -379,7 +360,8 @@ time_t touched_lock, now; #endif - setuid (getuid ()); + if (setuid (getuid ()) < 0 || setegid (real_gid) < 0) + fatal ("Failed to drop privileges", 0, 0); #ifndef MAIL_USE_MMDF #ifdef MAIL_USE_SYSTEM_LOCK @@ -405,6 +387,9 @@ if (outdesc < 0) pfatal_with_name (outname); + if (setegid (priv_gid) < 0) + fatal ("Failed to regain privileges", 0, 0); + /* This label exists so we can retry locking after a delay, if it got EAGAIN or EBUSY. */ retry_lock: @@ -498,6 +483,10 @@ pfatal_and_delete (outname); #endif + /* Prevent symlink attacks truncating other users' mailboxes */ + if (setegid (real_gid) < 0) + fatal ("Failed to drop privileges", 0, 0); + /* Check to make sure no errors before we zap the inbox. */ if (close (outdesc) != 0) pfatal_and_delete (outname); @@ -529,6 +518,10 @@ } #endif /* not MAIL_USE_SYSTEM_LOCK */ + /* End of mailbox truncation */ + if (setegid (priv_gid) < 0) + fatal ("Failed to regain privileges", 0, 0); + #ifdef MAIL_USE_MAILLOCK /* This has to occur in the child, i.e., in the process that acquired the lock! */