Update of setuid cleanup code.

bin/addhomedir

@@ -11,17 +11,24 @@ import os, sys, re, pwd, getopt, stat
 CONFIG_FILE = '/etc/csc/accounts.cf'
 
 safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
-    'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
+    'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
     'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
     'SSH_CLIENT']
 
 for key in os.environ.keys():
-    if not key in safe_environment:
+    if key not in safe_environment:
         del os.environ[key]
 
 os.environ['PATH'] = '/usr/sbin:/sbin:/usr/bin:/bin'
 os.umask(0)
 
+try:
+    os.setreuid(0, 0)
+    os.setregid(0, 0)
+except OSError:
+    print "You must be root to use this command."
+    sys.exit(1)
+
 for pathent in sys.path[:]:
     if not pathent.find('/usr') == 0:
         sys.path.remove(pathent)

bin/ceo

@@ -3,7 +3,7 @@
 import os, sys
 
 safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
-    'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
+    'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
     'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
     'SSH_CLIENT']
 
@@ -11,12 +11,20 @@ for key in os.environ.keys():
     if key not in safe_environment:
         del os.environ[key]
 
-os.environ['PATH'] = '/bin:/usr/bin'
+os.environ['PATH'] = '/usr/sbin:/usr/bin:/sbin:/bin'
 
-for dir in sys.path[:]:
-    if not dir.find('/usr') == 0:
-        while dir in sys.path:
-            sys.path.remove(dir)
+for pathent in sys.path[:]:
+    if not pathent.find('/usr') == 0:
+        sys.path.remove(pathent)
+
+euid = os.geteuid()
+egid = os.getegid()
+try:
+    os.setreuid(euid, euid)
+    os.setregid(egid, egid)
+except OSError, e:
+    print str(e)
+    sys.exit(1)
 
 import csc.apps.legacy.main
 csc.apps.legacy.main.run()

bin/ceoquery

@@ -5,7 +5,7 @@ ceoquery - a script to lookup member and account information
 import os, sys
 
 safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
-    'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
+    'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
     'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
     'SSH_CLIENT']
 
@@ -13,12 +13,20 @@ for key in os.environ.keys():
     if key not in safe_environment:
         del os.environ[key]
 
-os.environ['PATH'] = '/bin:/usr/bin'
+os.environ['PATH'] = '/usr/sbin:/usr/bin:/sbin:/bin'
 
-for dir in sys.path[:]:
-    if not dir.find('/usr') == 0:
-        while dir in sys.path:
-            sys.path.remove(dir)
+for pathent in sys.path[:]:
+    if not pathent.find('/usr') == 0:
+        sys.path.remove(pathent)
+
+euid = os.geteuid()
+egid = os.getegid()
+try:
+    os.setreuid(euid, euid)
+    os.setregid(egid, egid)
+except OSError, e:
+    print str(e)
+    sys.exit(1)
 
 from csc.adm import members, terms
 

misc/setuid-prog.c

@@ -159,10 +159,10 @@ main(int argc, char **argv)
 		exit(1);
 	}
 
-	if (setregid(egid, egid) < 0)
-		perror("setregid");
-	if (setreuid(euid, euid) < 0)
-		perror("setreuid");
+	//if (setregid(egid, egid) < 0)
+	//	perror("setregid");
+	//if (setreuid(euid, euid) < 0)
+	//	perror("setreuid");
 
 	clean_environ();