From 9097dd8738d8ca5d3cb9feeac142ed4e871a7925 Mon Sep 17 00:00:00 2001
From: Michael Spang
Date: Sun, 4 Feb 2007 00:46:05 -0500
Subject: [PATCH] Update of setuid cleanup code.
---
 bin/addhomedir | 11 +++++++++--
 bin/ceo | 22 +++++++++++++++-------
 bin/ceoquery | 20 ++++++++++++++------
 misc/setuid-prog.c | 8 ++++----
 4 files changed, 42 insertions(+), 19 deletions(-)
diff --git a/bin/addhomedir b/bin/addhomedir
index ea5b2b9..3abb27f 100755
--- a/bin/addhomedir
+++ b/bin/addhomedir
@@ -11,17 +11,24 @@ import os, sys, re, pwd, getopt, stat
 CONFIG_FILE = '/etc/csc/accounts.cf'
 safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
- 'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
+ 'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
 'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
 'SSH_CLIENT']
 for key in os.environ.keys():
- if not key in safe_environment:
+ if key not in safe_environment:
 del os.environ[key]
 os.environ['PATH'] = '/usr/sbin:/sbin:/usr/bin:/bin'
 os.umask(0)
+try:
+ os.setreuid(0, 0)
+ os.setregid(0, 0)
+except OSError:
+ print "You must be root to use this command."
+ sys.exit(1)
+
 for pathent in sys.path[:]:
 if not pathent.find('/usr') == 0:
 sys.path.remove(pathent)
diff --git a/bin/ceo b/bin/ceo
index 3be2dd6..e77f1b7 100755
--- a/bin/ceo
+++ b/bin/ceo
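Review bot: The safe_environment literal still has no comma after `'TERM', 'LANG'` on the context line immediately above the changed `'LC_ALL', ...` line, so implicit string concatenation produces a single entry `'LANGLC_ALL'` and neither LANG nor LC_ALL survives the allowlist filter below; the context line should read `'TERM', 'LANG',`. The same missing comma sits on the corresponding lines of the bin/ceo and bin/ceoquery hunks, so the fix belongs in all three scripts. The effect is over-restrictive rather than unsafe, but the list does not do what it reads as doing. Separately, the failure message in the new try/except goes to stdout and discards the OSError; `print >>sys.stderr, "You must be root to use this command."` keeps it out of captured output, and including the exception text would help diagnose cases where the setreuid call fails for a reason other than not being root.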
@@ -3,20 +3,28 @@ import os, sys
 safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
- 'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
+ 'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
 'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
 'SSH_CLIENT']
-
+
 for key in os.environ.keys():
 if key not in safe_environment:
 del os.environ[key]
-os.environ['PATH'] = '/bin:/usr/bin'
+os.environ['PATH'] = '/usr/sbin:/usr/bin:/sbin:/bin'
-for dir in sys.path[:]:
- if not dir.find('/usr') == 0:
- while dir in sys.path:
- sys.path.remove(dir)
+for pathent in sys.path[:]:
+ if not pathent.find('/usr') == 0:
+ sys.path.remove(pathent)
+
+euid = os.geteuid()
+egid = os.getegid()
+try:
+ os.setreuid(euid, euid)
+ os.setregid(egid, egid)
+except OSError, e:
+ print str(e)
+ sys.exit(1)
 import csc.apps.legacy.main
 csc.apps.legacy.main.run()
diff --git a/bin/ceoquery b/bin/ceoquery
index 9da0dd7..629bb14 100755
--- a/bin/ceoquery
+++ b/bin/ceoquery
@@ -5,7 +5,7 @@ ceoquery - a script to lookup member and account information
 import os, sys
 safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
- 'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
+ 'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
 'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
 'SSH_CLIENT']
@@ -13,12 +13,20 @@ for key in os.environ.keys():
 if key not in safe_environment:
 del os.environ[key]
-os.environ['PATH'] = '/bin:/usr/bin'
+os.environ['PATH'] = '/usr/sbin:/usr/bin:/sbin:/bin'
-for dir in sys.path[:]:
- if not dir.find('/usr') == 0:
- while dir in sys.path:
- sys.path.remove(dir)
+for pathent in sys.path[:]:
+ if not pathent.find('/usr') == 0:
+ sys.path.remove(pathent)
+
+euid = os.geteuid()
+egid = os.getegid()
+try:
+ os.setreuid(euid, euid)
+ os.setregid(egid, egid)
+except OSError, e:
+ print str(e)
+ sys.exit(1)
 from csc.adm import members, terms
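Review bot: The new `except OSError, e:` branch in bin/ceo reports a failed setreuid/setregid with `print str(e)` on stdout, so the error is indistinguishable from normal program output to anything capturing it; use `print >>sys.stderr, str(e)` before `sys.exit(1)`. The identical block is added in the second bin/ceoquery hunk and should change the same way. Because this runs before any csc module is imported, duplicating it in both scripts is unavoidable, but a comment such as `# Make the real uid/gid match the effective ones; misc/setuid-prog.c no longer does this for us` would record why the scripts now do the switch themselves, since the corresponding setregid/setreuid calls are commented out in the wrapper in this same commit.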
diff --git a/misc/setuid-prog.c b/misc/setuid-prog.c
index d850b47..88055e4 100644
--- a/misc/setuid-prog.c
+++ b/misc/setuid-prog.c
@@ -159,10 +159,10 @@ main(int argc, char **argv)
 exit(1);
 }
- if (setregid(egid, egid) < 0)
- perror("setregid");
- if (setreuid(euid, euid) < 0)
- perror("setreuid");
+ //if (setregid(egid, egid) < 0)
+ // perror("setregid");
+ //if (setreuid(euid, euid) < 0)
+ // perror("setreuid");
 clean_environ();