Subject: bin/926: adventure tries to save while setuid games
To: None <gnats-admin@NetBSD.ORG>
From: Kenneth Stailey <kstailey@leidecker.gsfc.nasa.gov>
List: netbsd-bugs
Date: 03/29/1995 13:35:07
>Number:         926
>Category:       bin
>Synopsis:       adventure tries to save while setuid games
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Mar 29 13:35:07 1995
>Originator:     Kenneth Stailey
>Organization:
self
>Release:        NetBSD 1.0A March 18th tarballs
>Environment:
System: NetBSD pluto 1.0A NetBSD 1.0A (PLUTO) #25: Tue Mar 28 13:17:39 EST 1995 ken@pluto:/usr/src/sys/arch/i386/compile/PLUTO i386


>Description:
	'adventure' is run via 'dm' which makes it setuid 'games'.
	Since it saves its state to let you resume later it must
	change back to the real uid to avoid letting you clobber
	any file that 'games' owns.
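A hardened form of the privilege drop the report asks for, as an added example (not code from this bug report or from the NetBSD adventure sources): it checks each seteuid() result and regains the original effective uid on both the success and the failure path. The function name is this example's own.

```c
/*
 * Added example, not code from the NetBSD bug report or its patch: open a
 * user-named save file with the caller's real uid, so a setuid-games binary
 * cannot be used to clobber files owned by 'games'.  Unlike the submitted
 * patch, every seteuid() result is checked and the effective uid is
 * restored whether or not fopen() succeeds.  The function name is this
 * example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open 'path' for writing as the real user.  Returns the stream, or NULL
 * with errno set.  On return the effective uid is what it was on entry
 * (a setuid binary keeps its saved set-user-id, so seteuid() can regain it).
 */
FILE *
open_save_as_real_user(const char *path)
{
	uid_t ruid = getuid(), euid = geteuid();
	FILE *out;
	int saved_errno;

	/* Only swap identities when actually running setuid. */
	if (ruid != euid && seteuid(ruid) == -1)
		return NULL;	/* never fall through and open as 'games' */

	out = fopen(path, "w");
	saved_errno = errno;	/* keep the fopen() error across seteuid() */

	/* Regain the privileged uid on every path; later code may rely on it. */
	if (ruid != euid && seteuid(euid) == -1) {
		saved_errno = errno;
		if (out != NULL)
			fclose(out);
		out = NULL;
	}
	errno = saved_errno;
	return out;
}
```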
>How-To-Repeat:
	run adventure, use 'save' command
>Fix:

--- save.c.DIST	Wed Mar 29 15:03:59 1995
+++ save.c	Wed Mar 29 15:06:44 1995
@@ -123,18 +123,26 @@
 	char *s;
 	long sum;
 	int i;
+	int euid = -1;
 
 	crc_start();
 	for (p = save_array; p->address != NULL; p++)
 		sum = crc(p->address, p->width);
 	srandom((int) sum);
 
-	if ((out = fopen(outfile, "wb")) == NULL)
+	if (getuid() != geteuid()) { /* if running setuid */
+	  euid = geteuid();
+	  seteuid(getuid());	/* go back to being you */
+	}
+	if ((out = fopen(outfile, "w")) == NULL)
 	{
 	    fprintf(stderr,
 		"Hmm.  The name \"%s\" appears to be magically blocked.\n",
 		outfile);
 	    return 1;
+	}
+	if (euid != -1) {
+	  seteuid(euid);
 	}
 	fwrite(&sum, sizeof(sum), 1, out);      /* Here's the random() key */
 	for (p = save_array; p->address != NULL; p++)
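Review bot: neither seteuid() call is checked and the early `return 1;` after the failed fopen() skips the `if (euid != -1)` restore, so a failing `seteuid(getuid())` still opens the save file as 'games', and a failing fopen() leaves the rest of the program running as the real uid. Suggest `if (seteuid(getuid()) == -1) return 1;` before the fopen(), and restoring `euid` on both paths, e.g. by doing the restore right after the fopen() and only then testing `out == NULL`. The mode change from `"wb"` to `"w"` is unrelated to the setuid fix and hides inside this hunk; it is harmless on BSD but should be called out in the description or split off.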

>Audit-Trail:
>Unformatted: