[Pinfo-devel] r154 - pinfo/branches/cxx/src

Nathanael Nerode neroden-guest at costa.debian.org
Sat Sep 3 19:19:07 UTC 2005


Author: neroden-guest
Date: 2005-09-03 19:19:07 +0000 (Sat, 03 Sep 2005)
New Revision: 154

Modified:
   pinfo/branches/cxx/src/pinfo.cxx
   pinfo/branches/cxx/src/pinforc.in
   pinfo/branches/cxx/src/utils.cxx
Log:
Move the dropping of root privs up higher, making it possible to run
pinfo as root again.  This opens up the possibility of spoofing and DoS
attacks against root's usage of pinfo by anyone who compromises 'nobody',
but that danger existed for everyone before my temp file changes.  So net
improvement.

Also change default "no group" group to "nogroup", which it is in Linux
and *BSD.


Modified: pinfo/branches/cxx/src/pinfo.cxx
===================================================================
--- pinfo/branches/cxx/src/pinfo.cxx	2005-09-03 18:58:29 UTC (rev 153)
+++ pinfo/branches/cxx/src/pinfo.cxx	2005-09-03 19:19:07 UTC (rev 154)
@@ -134,7 +134,6 @@
 				exit(0);
 			case 'm':
 				{
-					checksu();
 					if (verbose)
 						printf(_("Looking for man page...\n"));
 					string man_filename_string = "";
@@ -204,6 +203,12 @@
 	char *type = 0;
 	int tag_table_pos = -1;
 
+	/* Drop root privileges immediately (otherwise we can't read
+	 * our own temp files).  Yes, it's bad to create temp files
+	 * as 'nobody'; it means use by root is subject to races,
+	 * DoS, etc.  FIXME. */
+	checksu();
+
 	/* take care of SIGSEGV, SIGTERM, SIGINT */
 	install_signal_handlers();
 
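Review bot: nothing at the new checksu() call confirms that the privilege drop actually succeeded. The result is not checked here, so unless checksu() itself aborts on failure, a failed drop would leave the rest of startup running as root. Suggest a check right after the call that the effective uid is no longer 0 when the process started as root, exiting with an error otherwise. The comment's bare FIXME would also be easier to follow up if it named the intended fix for the temp files created as 'nobody'.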
@@ -254,7 +259,6 @@
 	FILE** idptr = &id;
 	getopts(argc, argv, filename_string, idptr);
 
-	checksu();
 	initpaths();
 
 	if (argc > 1) {
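Review bot: with this checksu() removed in favour of the earlier call, the drop now happens before getopts() and initpaths(). If the rc file that carries SAFE-USER and SAFE-GROUP is parsed at or after this point, those settings can no longer influence the drop and only the compiled-in defaults from utils.cxx apply. Please confirm where the rc file is read relative to the new call, and if it is read later, either document that the two keys are ignored for the initial drop or parse them before calling checksu().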

Modified: pinfo/branches/cxx/src/pinforc.in
===================================================================
--- pinfo/branches/cxx/src/pinforc.in	2005-09-03 18:58:29 UTC (rev 153)
+++ pinfo/branches/cxx/src/pinforc.in	2005-09-03 19:19:07 UTC (rev 154)
@@ -91,7 +91,7 @@
 PRINTUTILITY=lpr
 MANLINKS=1:8:2:3:4:5:6:7:9:n:p:o:3X11:3Xt:3x:3X
 SAFE-USER=nobody
-SAFE-GROUP=nobody
+SAFE-GROUP=nogroup
 #
 # Remember, HIGHLIGHTREGEXP may be slow (thus it's commented by default)
 #

Modified: pinfo/branches/cxx/src/utils.cxx
===================================================================
--- pinfo/branches/cxx/src/utils.cxx	2005-09-03 18:58:29 UTC (rev 153)
+++ pinfo/branches/cxx/src/utils.cxx	2005-09-03 19:19:07 UTC (rev 154)
@@ -33,7 +33,7 @@
 #include <ctype.h>
 
 string safe_user = "nobody";
-string safe_group = "nobody";
+string safe_group = "nogroup";
 
 #ifndef HAVE_CURS_SET
 void
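Review bot: the "nogroup" default at safe_group is now hard-coded in two places, here and in pinforc.in, and neither visible hunk shows what happens on a system where that group does not exist. Suggest defining the default once (for example a configure-time value substituted into both files) and making sure a failed group lookup is treated as a fatal error rather than silently keeping the original gid.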



