[Midnightbsd-cvs] src: lib/libutil: PTY handling patch.

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Tue Jan 15 13:53:03 EST 2008


Log Message:
-----------
PTY handling patch.  

This is text from the FreeBSD advisory on the same issue:
If openpty(3) is called as non-root user the newly created
pseudo-terminal is world readable and writeable.  While this is
documented to be the case, script(1) still uses openpty(3) and
script(1) may be used by non-root users [CVE-2008-0217].

The ptsname(3) function incorrectly extracts two characters from the
name of a device node in /dev without verifying that it's actually
operating on a valid pty which the calling user owns.  pt_chown uses
the bad result from ptsname(3) to change ownership of a pty to the
user calling pt_chown [CVE-2008-0216].

Modified Files:
--------------
    src/lib/libc/stdlib:
        grantpt.c (r1.1.1.1 -> r1.2)
    src/lib/libutil:
        pty.c (r1.1.1.1 -> r1.2)

-------------- next part --------------
Index: grantpt.c
===================================================================
RCS file: /home/cvs/src/lib/libc/stdlib/grantpt.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L lib/libc/stdlib/grantpt.c -L lib/libc/stdlib/grantpt.c -u -r1.1.1.1 -r1.2
--- lib/libc/stdlib/grantpt.c
+++ lib/libc/stdlib/grantpt.c
@@ -214,24 +214,30 @@
 ptsname(int fildes)
 {
 	static char slave[] = _PATH_DEV PTS_PREFIX "XY";
-	char *retval;
+	const char *master;
 	struct stat sbuf;
 
-	retval = NULL;
-
-	if (_fstat(fildes, &sbuf) == 0) {
-		if (!ISPTM(sbuf))
-			errno = EINVAL;
-		else {
-			(void)snprintf(slave, sizeof(slave),
-				       _PATH_DEV PTS_PREFIX "%s",
-				       devname(sbuf.st_rdev, S_IFCHR) +
-				       strlen(PTM_PREFIX));
-			retval = slave;
-		}
-	}
-
-	return (retval);
+	/* All master pty's must be char devices. */
+	if (_fstat(fildes, &sbuf) == -1)
+		goto invalid;
+	if (!S_ISCHR(sbuf.st_mode))
+		goto invalid;
+
+	/* Check to see if this device is a pty(4) master. */
+	master = devname(sbuf.st_rdev, S_IFCHR);
+	if (strlen(master) != strlen(PTM_PREFIX "XY"))
+		goto invalid;
+	if (strncmp(master, PTM_PREFIX, strlen(PTM_PREFIX)) != 0)
+		goto invalid;
+
+	/* It is, so generate the corresponding pty(4) slave name. */
+	(void)snprintf(slave, sizeof(slave), _PATH_DEV PTS_PREFIX "%s",
+	    master + strlen(PTM_PREFIX));
+	return (slave);
+
+invalid:
+	errno = EINVAL;
+	return (NULL);
 }
 
 /*
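Review bot: The `goto invalid` taken when `_fstat(fildes, &sbuf)` fails replaces the errno that fstat set (for example EBADF for a closed descriptor) with EINVAL, so a caller can no longer tell a bad descriptor from one that is simply not a pty master. Returning directly on that path keeps the original error: `if (_fstat(fildes, &sbuf) == -1) return (NULL);`. unlockpt() in the next hunk now delegates to ptsname() and inherits the same errno. Separately, the master test is purely name-based (length plus `PTM_PREFIX`), so the comment above it should state that it relies on devname() producing such a name only for pty(4) masters.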
@@ -240,18 +246,14 @@
 int
 unlockpt(int fildes)
 {
-	int retval;
-	struct stat sbuf;
 
 	/*
 	 * Unlocking a master/slave pseudo-terminal pair has no meaning in a
 	 * non-streams PTY environment.  However, we do ensure fildes is a
 	 * valid master pseudo-terminal device.
 	 */
-	if ((retval = _fstat(fildes, &sbuf)) == 0 && !ISPTM(sbuf)) {
-		errno = EINVAL;
-		retval = -1;
-	}
+	if (ptsname(fildes) == NULL)
+		return (-1);
 
-	return (retval);
+	return (0);
 }
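Review bot: unlockpt() now calls ptsname() only for validation, and that call rewrites ptsname()'s static `slave` buffer as a side effect. A caller still holding a pointer returned by an earlier ptsname() on a different master will see that string change after unlockpt(). Either note this in the existing comment, e.g. `Validation goes through ptsname(), which overwrites its static result buffer.`, or move the master check into a static helper shared by both functions so unlockpt() leaves the buffer alone. The blank line left after the opening brace, now that the declarations are gone, can also be dropped.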
Index: pty.c
===================================================================
RCS file: /home/cvs/src/lib/libutil/pty.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L lib/libutil/pty.c -L lib/libutil/pty.c -u -r1.1.1.1 -r1.2
--- lib/libutil/pty.c
+++ lib/libutil/pty.c
@@ -76,8 +76,7 @@
 					break; /* try the next pty group */
 			} else {
 				line[5] = 't';
-				(void) chown(line, getuid(), ttygid);
-				(void) chmod(line, S_IRUSR|S_IWUSR|S_IWGRP);
+				(void) grantpt(master);
 				(void) revoke(line);
 				if ((slave = open(line, O_RDWR, 0)) != -1) {
 					*amaster = master;
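Review bot: The result of `grantpt(master)` is discarded, so if it fails the slave node keeps whatever owner and mode it already had and the code still goes on to `revoke(line)` and `open(line, ...)`. That is presumably the same exposure the removed chown()/chmod() pair left when they failed silently for a non-root caller. Treat a failure as an error for this candidate, along the lines of `if (grantpt(master) == -1) { (void) close(master); /* skip this pty */ }`. The exact skip action depends on the enclosing loop, which lies outside this hunk. A comment saying that ownership and mode of the slave are now set by grantpt() rather than here would also help readers of openpty().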

