# HG changeset patch # User Chong Yidong # Date 1270221984 14400 # Node ID 9523f7085efdf17ea24450872706b648ff505aff # Parent bab2864dbba7ca5ece63ee15661068f33952882d Fix permissions handling (CVE-2010-0825). * movemail.c (main): Check return values of setuid. Avoid possibility of symlink attack when movemail is setgid mail (CVE-2010-0825). diff -r bab2864dbba7 -r 9523f7085efd lib-src/ChangeLog --- a/lib-src/ChangeLog Fri Apr 02 17:18:25 2010 +0200 +++ b/lib-src/ChangeLog Fri Apr 02 11:26:24 2010 -0400 @@ -1,3 +1,9 @@ +2010-04-02 Dan Rosenberg (tiny change) + + * movemail.c (main): Check return values of setuid. Avoid + possibility of symlink attack when movemail is setgid mail + (CVE-2010-0825). + 2010-04-02 Dan Nicolaescu Remove extern errno declarations. diff -r bab2864dbba7 -r 9523f7085efd lib-src/movemail.c --- a/lib-src/movemail.c Fri Apr 02 17:18:25 2010 +0200 +++ b/lib-src/movemail.c Fri Apr 02 11:26:24 2010 -0400 @@ -194,6 +194,9 @@ # define ARGSTR "p" #endif /* MAIL_USE_POP */ + uid_t real_gid = getgid(); + uid_t priv_gid = getegid(); + #ifdef WINDOWSNT /* Ensure all file i/o is in binary mode. */ _fmode = _O_BINARY; @@ -244,25 +247,6 @@ if (*outname == 0) fatal ("Destination file name is empty", 0, 0); - /* Check access to output file. */ - if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0) - pfatal_with_name (outname); - - /* Also check that outname's directory is writable to the real uid. */ - { - char *buf = (char *) xmalloc (strlen (outname) + 1); - char *p; - strcpy (buf, outname); - p = buf + strlen (buf); - while (p > buf && !IS_DIRECTORY_SEP (p[-1])) - *--p = 0; - if (p == buf) - *p++ = '.'; - if (access (buf, W_OK) != 0) - pfatal_with_name (buf); - free (buf); - } - #ifdef MAIL_USE_POP if (!strncmp (inname, "po:", 3)) { @@ -274,15 +258,12 @@ exit (status); } - setuid (getuid ()); + if (setuid (getuid ()) < 0) + fatal ("Failed to drop privileges", 0, 0); + #endif /* MAIL_USE_POP */ #ifndef DISABLE_DIRECT_ACCESS - - /* Check access to input file. */ - if (access (inname, R_OK | W_OK) != 0) - pfatal_with_name (inname); - #ifndef MAIL_USE_MMDF #ifndef MAIL_USE_SYSTEM_LOCK #ifdef MAIL_USE_MAILLOCK @@ -376,7 +357,8 @@ time_t touched_lock, now; #endif - setuid (getuid ()); + if (setuid (getuid ()) < 0 || setegid (real_gid) < 0) + fatal ("Failed to drop privileges", 0, 0); #ifndef MAIL_USE_MMDF #ifdef MAIL_USE_SYSTEM_LOCK @@ -402,6 +384,9 @@ if (outdesc < 0) pfatal_with_name (outname); + if (setegid (priv_gid) < 0) + fatal ("Failed to regain privileges", 0, 0); + /* This label exists so we can retry locking after a delay, if it got EAGAIN or EBUSY. */ retry_lock: @@ -495,6 +480,10 @@ pfatal_and_delete (outname); #endif + /* Prevent symlink attacks truncating other users' mailboxes */ + if (setegid (real_gid) < 0) + fatal ("Failed to drop privileges", 0, 0); + /* Check to make sure no errors before we zap the inbox. */ if (close (outdesc) != 0) pfatal_and_delete (outname); @@ -526,6 +515,10 @@ } #endif /* not MAIL_USE_SYSTEM_LOCK */ + /* End of mailbox truncation */ + if (setegid (priv_gid) < 0) + fatal ("Failed to regain privileges", 0, 0); + #ifdef MAIL_USE_MAILLOCK /* This has to occur in the child, i.e., in the process that acquired the lock! */