* timedc is no longer setuid-root and is only usable by root due to the

use of a raw socket for ICMP; thus there is also no need to differ between privileged and unprivileged commands. * Switch to user "nobody" after allocating the raw socket. * Close all file descriptors above 2 (just in case).
2007-01-27 17:57:45 +00:00 · 2007-01-27 17:57:45 +00:00 · 0f2ebef2a8
parent 78b99d6807
commit 0f2ebef2a8
4 changed files with 55 additions and 33 deletions
--- a/usr.sbin/timed/timedc/Makefile
+++ b/usr.sbin/timed/timedc/Makefile
@ -1,11 +1,9 @@
-#	$NetBSD: Makefile,v 1.10 2007/01/25 23:25:20 cbiere Exp $
+#	$NetBSD: Makefile,v 1.11 2007/01/27 17:57:45 cbiere Exp $
 #	from: @(#)Makefile	5.4 (Berkeley) 5/11/93

 PROG=	timedc
 SRCS=	cmds.c cmdtab.c timedc.c byteorder.c measure.c cksum.c tspname.c
 MAN=	timedc.8
-BINOWN=	root
-BINMODE=4555
 .PATH:	${.CURDIR}/../timed

 .include <bsd.prog.mk>
--- a/usr.sbin/timed/timedc/cmdtab.c
+++ b/usr.sbin/timed/timedc/cmdtab.c
@ -1,4 +1,4 @@
-/*	$NetBSD: cmdtab.c,v 1.6 2003/08/07 11:25:47 agc Exp $	*/
+/*	$NetBSD: cmdtab.c,v 1.7 2007/01/27 17:57:45 cbiere Exp $	*/

 /*
 * Copyright (c) 1983, 1993
@ -34,27 +34,27 @@
 #if 0
 static char sccsid[] = "@(#)cmdtab.c	8.1 (Berkeley) 6/6/93";
 #else
-__RCSID("$NetBSD: cmdtab.c,v 1.6 2003/08/07 11:25:47 agc Exp $");
+__RCSID("$NetBSD: cmdtab.c,v 1.7 2007/01/27 17:57:45 cbiere Exp $");
 #endif
 #endif /* not lint */

 #include "timedc.h"

-char	clockdiffhelp[] =	"measures clock differences between machines";
-char	helphelp[] =		"gets help on commands";
-char	msitehelp[] =		"finds location of master";
-char	quithelp[] =		"exits timedc";
-char	testinghelp[] =		"causes election timers to expire";
-char	tracinghelp[] =		"turns tracing on or off";
+const char	clockdiffhelp[] =	"measures clock differences between machines";
+const char	helphelp[] =		"gets help on commands";
+const char	msitehelp[] =		"finds location of master";
+const char	quithelp[] =		"exits timedc";
+const char	testinghelp[] =		"causes election timers to expire";
+const char	tracinghelp[] =		"turns tracing on or off";

-struct cmd cmdtab[] = {
-	{ "clockdiff",	clockdiffhelp,	clockdiff,	0 },
-	{ "election",	testinghelp,	testing,	1 },
-	{ "help",	helphelp,	help,		0 },
-	{ "msite",	msitehelp,	msite,		0 },
-	{ "quit",	quithelp,	quit,		0 },
-	{ "trace",	tracinghelp,	tracing,	1 },
-	{ "?",		helphelp,	help,		0 },
+const struct cmd cmdtab[] = {
+	{ "clockdiff",	clockdiffhelp,	clockdiff	},
+	{ "election",	testinghelp,	testing		},
+	{ "help",	helphelp,	help		},
+	{ "msite",	msitehelp,	msite		},
+	{ "quit",	quithelp,	quit 		},
+	{ "trace",	tracinghelp,	tracing 	},
+	{ "?",		helphelp,	help		},
 };

 int	NCMDS = sizeof (cmdtab) / sizeof (cmdtab[0]);
--- a/usr.sbin/timed/timedc/timedc.c
+++ b/usr.sbin/timed/timedc/timedc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: timedc.c,v 1.17 2007/01/25 23:47:13 christos Exp $	*/
+/*	$NetBSD: timedc.c,v 1.18 2007/01/27 17:57:45 cbiere Exp $	*/

 /*-
 * Copyright (c) 1985, 1993 The Regents of the University of California.
@ -40,7 +40,7 @@ __COPYRIGHT(
 #if 0
 static char sccsid[] = "@(#)timedc.c	8.1 (Berkeley) 6/6/93";
 #else
-__RCSID("$NetBSD: timedc.c,v 1.17 2007/01/25 23:47:13 christos Exp $");
+__RCSID("$NetBSD: timedc.c,v 1.18 2007/01/27 17:57:45 cbiere Exp $");
 #endif
 #endif /* not lint */

@ -52,6 +52,8 @@ __RCSID("$NetBSD: timedc.c,v 1.17 2007/01/25 23:47:13 christos Exp $");
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
+#include <fcntl.h>
+#include <pwd.h>
 #include <err.h>

 int trace = 0;
@ -63,12 +65,14 @@ char	*margv[MAX_MARGV];
 char	cmdline[200];
 jmp_buf	toplevel;
 static struct cmd *getcmd(char *);
+static int drop_privileges(void);

 int
 main(int argc, char *argv[])
 {
 	struct cmd *c;

+	fcntl(3, F_CLOSEM);
 	openlog("timedc", 0, LOG_AUTH);

 	/*
@ -76,7 +80,8 @@ main(int argc, char *argv[])
 	 */
 	if (priv_resources() < 0)
 		errx(1, "Could not get privileged resources");
-	(void) setuid(getuid());
+	if (drop_privileges() < 0)
+		errx(1, "Could not drop privileges");

 	if (--argc > 0) {
 		c = getcmd(*++argv);
@ -88,10 +93,6 @@ main(int argc, char *argv[])
 			printf("?Invalid command\n");
 			exit(1);
 		}
-		if (c->c_priv && getuid()) {
-			printf("?Privileged command\n");
-			exit(1);
-		}
 		(*c->c_handler)(argc, argv);
 		exit(0);
 	}
@ -124,10 +125,6 @@ main(int argc, char *argv[])
 			printf("?Invalid command\n");
 			continue;
 		}
-		if (c->c_priv && getuid()) {
-			printf("?Privileged command\n");
-			continue;
-		}
 		(*c->c_handler)(margc, margv);
 	}
 	return 0;
@ -262,3 +259,31 @@ help(int argc, char *argv[])
 				c->c_name, c->c_help);
 	}
 }
+
+static int
+drop_privileges(void)
+{
+	const struct passwd *pw;
+	uid_t uid;
+	gid_t gid;
+
+	if ((pw = getpwnam("nobody")) == NULL) {
+		warnx("getpwnam(\"nobody\") failed");
+		return -1;
+	}
+	uid = pw->pw_uid;
+	gid = pw->pw_gid;
+	if (setgroups(1, &gid)) {
+		warn("setgroups");
+		return -1;
+	}
+	if (setgid(gid)) {
+		warn("setgid");
+		return -1;
+	}
+	if (setuid(uid)) {
+		warn("setuid");
+		return -1;
+	}
+	return 0;
+}
--- a/usr.sbin/timed/timedc/timedc.h
+++ b/usr.sbin/timed/timedc/timedc.h
@ -1,4 +1,4 @@
-/*	$NetBSD: timedc.h,v 1.11 2007/01/25 23:47:13 christos Exp $	*/
+/*	$NetBSD: timedc.h,v 1.12 2007/01/27 17:57:45 cbiere Exp $	*/

 /*-
 * Copyright (c) 1985, 1993 The Regents of the University of California.
@ -51,11 +51,10 @@
 #define NONSTDTIME	3
 #define HOSTDOWN 	0x7fffffff

-struct	cmd {
+struct cmd {
 	const char *c_name;		/* command name */
 	const char *c_help;		/* help message */
 	void	(*c_handler)(int, char **); /* routine to do the work */
-	int	c_priv;			/* privileged command */
 };

 #include "timedc-extern.h"