dtspcd: fix symlink vulnerability, a couple warnings
authorJon Trulson <jon@radscan.com>
Sun, 27 May 2012 00:57:11 +0000 (18:57 -0600)
committerJon Trulson <jon@radscan.com>
Sun, 27 May 2012 00:57:11 +0000 (18:57 -0600)
cde/programs/dtspcd/main.c

index 7b49d2b6d21bae28c178e8cd2adaa7dd49920276..729a5198fbaf73a768994f99cc8d5edf2734a930 100644 (file)
@@ -151,7 +151,7 @@ XeChar HomeDir[MAXPATHLEN + 6];
 XeChar ShellDir[MAXPATHLEN + 7];
 XeString *default_environment;
 
-int client_validated=NULL;
+int client_validated=0;
 int SPCD_Abort_Okay = FALSE;
 
 SPC_Connection_Ptr client_connection;
@@ -185,7 +185,7 @@ static int exit_timeout = SPCD_DEFAULT_TIMEOUT;
 static int request_pending = SPCD_NO_REQUEST_PENDING;
 
 /*----------------------------------------------------------------------+*/
-int main(unsigned int argc, XeString *argv)
+int main(int argc, XeString *argv)
 /*----------------------------------------------------------------------+*/
 {
   /* Parse the command line and set globals accordingly. */
@@ -647,9 +647,12 @@ int Client_Register(protocol_request_ptr prot)
   /* file in the temp directory?                       */
 
   if(lstat(tmpfile, &buf)==ERROR) {
+    int terrno = errno;
     SPC_Write_Protocol_Request(client_connection, NULL, LOGFILE_REPLY,
                               FAILED_FILE_NAME, NULL, NULL);
-    SPC_Format_Log("+++> FAILURE: stat authentication file '%s'.", tmpfile);
+    SPC_Format_Log("+++> FAILURE: lstat authentication file '%s'.", tmpfile);
+    SPC_Format_Log("+++> FAILURE: lstat() returned error '%s'\n", 
+                   strerror(terrno));
     if (free_netfile)
       tt_free(netfile);
     XeFree(tmpfile);
@@ -657,6 +660,18 @@ int Client_Register(protocol_request_ptr prot)
     return(SPC_ERROR);
   }
 
+  if (S_ISLNK(buf.st_mode))
+    {                          /* somebody is jerkin us around */
+      SPC_Write_Protocol_Request(client_connection, NULL, LOGFILE_REPLY,
+                                 FAILED_FILE_NAME, NULL, NULL);
+      SPC_Format_Log("+++> FAILURE: lstat authentication file '%s' is a symlink! Possible compromise attempt.", tmpfile);
+      if (free_netfile)
+        tt_free(netfile);
+      XeFree(tmpfile);
+      SPC_Error(SPC_Bad_Authentication);
+      return(SPC_ERROR);
+    }
+
   /*
    * If the file does not have the setuid bit set then return failure.
    *