
[src/trunk]: src/usr.sbin/lpr/common_source Fix possible security problem (eu...



details:   https://anonhg.NetBSD.org/src/rev/e6eb8c4a4cd5
branches:  trunk
changeset: 508066:e6eb8c4a4cd5
user:      wiz <wiz%NetBSD.org@localhost>
date:      Thu Apr 05 13:30:02 2001 +0000

description:
Fix possible security problem (euid swapout in error handling).
Based on a similar patch in OpenBSD, reported there by
j%ida.interface-business.de@localhost.
Fix the second occurrence of a similar problem in that file, too, though.

diffstat:

 usr.sbin/lpr/common_source/common.c |  13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diffs (45 lines):

diff -r e5284c38429b -r e6eb8c4a4cd5 usr.sbin/lpr/common_source/common.c
--- a/usr.sbin/lpr/common_source/common.c       Thu Apr 05 12:49:47 2001 +0000
+++ b/usr.sbin/lpr/common_source/common.c       Thu Apr 05 13:30:02 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: common.c,v 1.21 2000/08/09 14:28:50 itojun Exp $       */
+/*     $NetBSD: common.c,v 1.22 2001/04/05 13:30:02 wiz Exp $  */
 
 /*
  * Copyright (c) 1983, 1993
@@ -43,7 +43,7 @@
 #if 0
 static char sccsid[] = "@(#)common.c   8.5 (Berkeley) 4/28/95";
 #else
-__RCSID("$NetBSD: common.c,v 1.21 2000/08/09 14:28:50 itojun Exp $");
+__RCSID("$NetBSD: common.c,v 1.22 2001/04/05 13:30:02 wiz Exp $");
 #endif
 #endif /* not lint */
 
@@ -235,11 +235,12 @@
        u_int nitems, arraysz;
 
        seteuid(euid);
-       if ((dirp = opendir(SD)) == NULL)
+       dirp = opendir(SD);
+       seteuid(uid);
+       if (dirp == NULL)
                return(-1);
        if (fstat(dirp->dd_fd, &stbuf) < 0)
                goto errdone;
-       seteuid(uid);
 
        /*
         * Estimate the array size by taking the size of the directory file
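Review bot: The result of the `seteuid(uid)` added right after `opendir(SD)` is ignored, so if the drop ever fails the rest of the function keeps running with the privileged effective uid, which is the condition this commit sets out to close. Failing closed would be safer, for example `if (seteuid(uid) < 0) { if (dirp != NULL) closedir(dirp); return(-1); }`; the same applies to the `seteuid(uid)` added in the `stat()` failure branch of the next hunk. Moving the drop ahead of `fstat(dirp->dd_fd, &stbuf)` looks fine, since that call works on an already-open descriptor. The enclosing function starts and ends outside this hunk, so the `errdone` path cannot be checked from here.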
@@ -255,8 +256,10 @@
                if (d->d_name[0] != 'c' || d->d_name[1] != 'f')
                        continue;       /* daemon control files only */
                seteuid(euid);
-               if (stat(d->d_name, &stbuf) < 0)
+               if (stat(d->d_name, &stbuf) < 0) {
+                       seteuid(uid);
                        continue;       /* Doesn't exist */
+               }
                seteuid(uid);
                q = (struct queue *)malloc(sizeof(time_t)+strlen(d->d_name)+1);
                if (q == NULL)
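Review bot: The privilege drop around `stat(d->d_name, &stbuf)` is now written twice, once inside the failure branch and once after it, and that duplicated shape is what allowed the original leak on the `continue` path. Using the same form this commit applies to `opendir(SD)` gives a single drop point: `rv = stat(d->d_name, &stbuf);`, `seteuid(uid);`, `if (rv < 0) continue;` (where `rv` is a new local `int`). A short comment such as `/* raise euid only for the stat(); drop it again on every path */` would record the intent for later edits. The loop and its function extend beyond this hunk.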


