Package: webfs / 1.21+ds1-12

70_group_access.diff Patch series | download
Description: Two cases of potential access escalation.
 For reading access to a file, the checking of group access
 was incorrectly implemented, using a mixture of user and
 group identities.
 .
 The supplementary group list was reset only when an explicit
 group change had been requested, leaving room for potential
 access escalation. The code is changed to always reset the
 supplementary group list. This new default behaviour seems
 to best go with the philosophy of the original software.
 .
 Testing could not unveil any noticeable side effect of this
 latter additional change.
Author: Mats Erik Andersson <debian@gisladisker.se>
Forwarded: no
Last-Update: 2010-04-14
X-Upstream: The upstream code has been unchanged since June, 2004.
X-Comment: Bug in 'ls.c' first observed by Matthew Monaco for Arch Linux.
--- webfs-1.21+ds1.debian/ls.c
+++ webfs-1.21+ds1/ls.c
@@ -194,7 +194,9 @@ ls(time_t now, char *hostname, char *fil
     struct myfile  **files = NULL;
     struct myfile  **re1;
     char           *h1,*h2,*re2,*buf = NULL;
-    int            count,len,size,i,uid,gid;
+    int            count,len,size,i;
+    uid_t          uid;
+    gid_t          gid;
     char           line[1024];
     char           *pw = NULL, *gr = NULL;

@@ -244,7 +246,7 @@ ls(time_t now, char *hostname, char *fil
 	    if (files[count]->s.st_uid == uid &&
 		files[count]->s.st_mode & 0400)
 		files[count]->r = 1;
-	    else if (files[count]->s.st_uid == gid &&
+	    else if (files[count]->s.st_gid == gid &&
 		     files[count]->s.st_mode & 0040)
 		files[count]->r = 1; /* FIXME: check additional groups */
 	    else if (files[count]->s.st_mode & 0004)
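Review bot: The corrected chain still falls through from a matching class to a weaker one, so the `r` flag can report a file as readable when the kernel would refuse the open: a file whose `st_gid` equals `gid` but lacks 0040 is still marked readable if 0004 is set, and the same holds for an owner match without 0400. POSIX permission checks consult only the first class that matches, so each branch should be decided on identity alone, e.g. `if (files[count]->s.st_uid == uid) files[count]->r = !!(files[count]->s.st_mode & 0400);`, followed by the same shape for `st_gid`/0040 and a final `else` for 0004. The `/* FIXME: check additional groups */` comment is also worth revisiting, since the webfsd.c hunk in this patch now always empties the supplementary group list. The if/else chain continues past the end of this hunk, so how `r` is initialised and consumed is not visible here.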
--- webfs-1.21+ds1.debian/webfsd.c
+++ webfs-1.21+ds1/webfsd.c
@@ -259,8 +259,8 @@ fix_ug(void)
     /* set group */
     if (getegid() != gr->gr_gid || getgid() != gr->gr_gid) {
 	setgid(gr->gr_gid);
-	setgroups(0, NULL);
     }
+    setgroups(0, NULL);
     if (getegid() != gr->gr_gid || getgid() != gr->gr_gid) {
 	xerror(LOG_ERR,"setgid failed",NULL);
 	exit(1);
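Review bot: The now-unconditional `setgroups(0, NULL)` has its return value ignored, and the check that follows only compares `getegid()`/`getgid()`, so a failed call leaves the inherited supplementary groups in place without any error. Since this call is the fix for the escalation named in the description, its failure should be handled like the setgid failure: `if (setgroups(0, NULL) == -1) { xerror(LOG_ERR,"setgroups failed",NULL); exit(1); }`. If the daemon is meant to be startable without privileges, where setgroups() fails with EPERM, that case needs an explicit decision (for example, confirming with getgroups() that the list is already empty) rather than a silent pass. fix_ug starts and ends outside this hunk, so whether the user id is dropped only after this point cannot be confirmed from here.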
@@ -790,7 +790,7 @@ main(int argc, char *argv[])
     struct addrinfo          ask,*res;
     struct sockaddr_storage  ss;
     int c, opt, rc, ss_len, pid=0, v4 = 1, v6 = 1;
-    int uid,euid;
+    uid_t uid,euid;
     char host[INET6_ADDRSTRLEN+1];
     char serv[16];
     char mypid[12];