rpms / cernlib

Clone
Source Code
GIT

Files

  1.   26bd2ff728f7379d601547339a5c9ccabe87d798
  2.   049-fix-kuesvr-security-hole
Blob Blame History Raw 
diff -ur src.orig/packlib/kuip/code_kuip/kedit.c src/packlib/kuip/code_kuip/kedit.c
--- src.orig/packlib/kuip/code_kuip/kedit.c	1997-03-17 11:54:57.000000000 -0500
+++ src/packlib/kuip/code_kuip/kedit.c	2005-03-03 18:37:53.000000000 -0500
@@ -24,6 +24,7 @@
 
 static char *editor_cmd  = NULL; /* command which envoked edit server */
 static char *editor_file = NULL; /* file which was edited */
+static char  editor_tmp[22];     /* file to use as a lock file */
 
 
 /*
@@ -164,8 +165,26 @@
 
   if( use_server && kc_flags.use_server ) {
 #if defined(UNIX) && !defined(CERNLIB_WINNT)
+    int fid;
+    
+    /* Try to securely create the temporary file for the edit server.
+     * Has to be done in the parent process because the server has no
+     * way of passing back the name of a created temp file. */
+    strcpy( editor_tmp, "/usr/tmp/kuesvrXXXXXX" );
+    fid = mkstemp( editor_tmp );
+    if (fid == -1) {
+      strcpy( editor_tmp, "/tmp/kuesvrXXXXXX" );
+      fid = mkstemp( editor_tmp );
+      if (fid == -1) {
+	perror( "mkstemp" );
+	return status;
+      }
+    }
+    close( fid );
+    
     line = strdup( "kuesvr -p " );
     line = mstricat( line, getpid() );
+    line = mstr2cat( line, " -t ", editor_tmp );
     line = mstr4cat( line, " -c ", ku_path(), " -e '",
                     kc_value.set_host_editor );
     if( (p = strrchr( line, '&' )) != NULL )
@@ -355,6 +374,15 @@
 }
 
 
+void ku_shut()
+{
+#ifdef USE_EDIT_SERVER
+  if( kc_flags.use_server )
+    remove( editor_tmp );
+#endif
+}
+
+
 void F77_ENTRY_C(Kupad,chfile)
 /* { */
   char *file = fstrdup( chfile, len_chfile );
@@ -523,7 +551,7 @@
 #ifdef USE_EDIT_SERVER
 
   if( kjmpaddr.user_edit_F != NULL && kc_flags.editor_exit != 0 ) {
-    char lock_file[64];
+    char *lock_file = editor_tmp;
     int fid;
     int len;
     int nbytes;
@@ -534,27 +562,16 @@
 #ifdef UNIX
 
     /* /tmp cannot be locked on Sun if allocated on swap space */
-    sprintf( lock_file, "/usr/tmp/kuesvr.%d", (int)getpid() );
     fid = open( lock_file, O_RDONLY );
     if( fid == -1 ) {
-      /* we could be using an old server writing to /tmp */
-      fid = open( &lock_file[4], O_RDONLY );
-      if( fid == -1 ) {
-        perror( "kugsvr: open /tmp read-only" );
-        return;
-      }
-      close( fid );
-      fid = open( &lock_file[4], O_RDWR );
-      if( fid == -1 ) {
-        perror( "kugsvr: open /tmp read-write" );
-        return;
-      }
+      perror( "kugsvr: open tempfile read-only" );
+      return;
     }
     else {
       close( fid );
       fid = open( lock_file, O_RDWR );
       if( fid == -1 ) {
-        perror( "kugsvr: open /usr/tmp read-write" );
+        perror( "kugsvr: open tempfile read-write" );
         return;
       }
     }
diff -ur src.orig/packlib/kuip/code_kuip/kuwhat.c src/packlib/kuip/code_kuip/kuwhat.c
--- src.orig/packlib/kuip/code_kuip/kuwhat.c	1999-03-10 12:11:52.000000000 -0500
+++ src/packlib/kuip/code_kuip/kuwhat.c	2005-03-03 17:10:47.000000000 -0500
@@ -676,18 +676,6 @@
 }
 
 
-void ku_shut()
-{
-#ifdef USE_EDIT_SERVER
-  if( kc_flags.use_server ) {
-    char lock_file[64];
-    sprintf( lock_file, "/usr/tmp/kuesvr.%d", (int)getpid() );
-    if( remove( lock_file ) != 0 )
-      remove( &lock_file[4] );  /* old kuesvr used /tmp instead of /usr/tmp */
-  }
-#endif
-}
-
 #ifdef WIN32
 void fpcheck( void )
 {
diff -ur src.orig/packlib/kuip/programs/kuesvr/kuesvr.c src/packlib/kuip/programs/kuesvr/kuesvr.c
--- src.orig/packlib/kuip/programs/kuesvr/kuesvr.c	1996-03-08 10:33:05.000000000 -0500
+++ src/packlib/kuip/programs/kuesvr/kuesvr.c	2005-03-03 18:37:58.000000000 -0500
@@ -15,6 +15,7 @@
 char *editor = "vi";
 char *cmd    = '\0';
 char *file   = '\0';
+char *sfile  = '\0';
 
 
 main(int argc, char **argv)
@@ -22,7 +23,6 @@
    int     c, fid;
    char   *arg;
    char    shcmd[512];
-   char    sfile[128];
    char    msg[BUFSIZ];
    time_t  mtime;
    struct stat buf;
@@ -49,8 +49,13 @@
                   arg = *++argv;
                cmd = arg;
                break;
+	    case 't':
+	       if (*++arg == 0)
+		  arg = *++argv;
+	       sfile = arg;
+	       break;
             default:
-               fprintf(stderr,"Usage: kuesvr -p pid -c cmd [-e editor] file\n");
+               fprintf(stderr,"Usage: kuesvr -p pid -c cmd -t tmpfile [-e editor] file\n");
                exit(1);
          }
       } else {
@@ -59,8 +64,8 @@
       }
    }
 
-   if (!pid || !file || !cmd) {
-      fprintf(stderr,"Usage: kuesvr -p pid -c cmd [-e editor] file\n");
+   if (!pid || !file || !cmd || !sfile) {
+      fprintf(stderr,"Usage: kuesvr -p pid -c cmd -t tmpfile [-e editor] file\n");
       exit(1);
    }
 
@@ -74,31 +79,14 @@
    stat(file, &buf);
 
    /* open kuip edit server message file */
-   sprintf(sfile, "/usr/tmp/kuesvr.%d", pid);
-   /*
-    * Try first /usr/tmp and then /tmp for lock file.
-    * The lockf() call can fail if the directory is NFS mounted and
-    * the lockd daemon is not running.
-    */
- again:
-   fid = open(sfile, O_CREAT|O_APPEND|O_WRONLY, 0644);
+   fid = open(sfile, O_CREAT|O_APPEND|O_WRONLY, 0600);
    if (fid == -1) {
-      if (sfile[1] == 'u') {
-         strcpy(sfile, sfile+4);
-         goto again;
-      }
       perror("open");
       exit(1);
    }
 
    /* lock the file */
    if (lockf(fid, F_LOCK, (off_t)0) == -1) {
-      if (sfile[1] == 'u') {
-         close(fid);
-         remove(sfile);
-         strcpy(sfile, sfile+4);
-         goto again;
-      }
       perror("lockf");
       exit(1);
    }
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.