From: spiros thanasoulas Subject: Re: lpd control missing chdir after chroot To: Florian Obser Cc: tech@openbsd.org Date: Fri, 22 Mar 2024 11:48:06 -0600 On Fri, Mar 22, 2024 at 06:27:04PM +0100, Florian Obser wrote: > Amazing that anything works, ever... > > I got an OK from tb but I'm not going to commit this, I think we can just fix the whole function in one go. > > Don't have time for it now though. ouch i can't believe i hadn't spotted this bug which was right in front of my eyes :\ ! here is an updated diff which also chroots to /var/empty because the way it was set up id would chroot to /root which was the home of the daemon user. Index: control.c =================================================================== RCS file: /cvs/src/usr.sbin/lpd/control.c,v retrieving revision 1.2 diff -u -p -r1.2 control.c --- control.c 28 Dec 2022 21:30:17 -0000 1.2 +++ control.c 22 Mar 2024 17:44:35 -0000 @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -71,13 +72,15 @@ control(int debug, int verbose) if ((pw = getpwnam(LPD_USER)) == NULL) fatalx("unknown user " LPD_USER); + if (chroot(_PATH_VAREMPTY) == -1) + fatal("%s: chroot", __func__); + if (chdir("/") == -1) + fatal("%s: chdir", __func__); + if (setgroups(1, &pw->pw_gid) || setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) fatal("cannot drop privileges"); - - if (chroot(pw->pw_dir) == 1) - fatal("%s: chroot", __func__); if (pledge("stdio unix recvfd sendfd", NULL) == -1) fatal("%s: pledge", __func__); > > On 22 March 2024 18:22:45 CET, Theo Buehler wrote: > >On Fri, Mar 22, 2024 at 06:18:18PM +0100, Alexander Bluhm wrote: > >> On Fri, Mar 22, 2024 at 05:58:16PM +0100, Florian Obser wrote: > >> > this seems reasonable. > >> > OK florian or I can commit it if someone wants to OK it... > >> > >> It calls chroot() after setresuid(). How can that work? > >> frontend() does it in correct order. > > > >It "works" because the return value check is wrong: == 1 vs == -1. > >(I missed that before seeing your mail). > > > >> > >> > On 2024-03-22 10:40 -06, spiros thanasoulas wrote: > >> > > Hey list! > >> > > I had sent this about a month ago and didn't get any > >> > > feedback, so giving it a second shot. > >> > > lpd control is missing chdiring after chroot. any comments? > >> > > Thanks :) > >> > > > >> > > On Tue, Feb 13, 2024 at 09:52:47AM -0700, spiros thanasoulas wrote: > >> > >> This adds it in the same fashion as it appears in frontend.c > >> > >> > >> > > > >> > > Index: control.c > >> > > =================================================================== > >> > > RCS file: /cvs/src/usr.sbin/lpd/control.c,v > >> > > retrieving revision 1.2 > >> > > diff -u -p -u -p -r1.2 control.c > >> > > --- control.c 28 Dec 2022 21:30:17 -0000 1.2 > >> > > +++ control.c 13 Feb 2024 16:47:43 -0000 > >> > > @@ -78,6 +78,8 @@ control(int debug, int verbose) > >> > > > >> > > if (chroot(pw->pw_dir) == 1) > >> > > fatal("%s: chroot", __func__); > >> > > + if (chdir("/") == -1) > >> > > + fatal("%s: chdir", __func__); > >> > > > >> > > if (pledge("stdio unix recvfd sendfd", NULL) == -1) > >> > > fatal("%s: pledge", __func__); > >> > > > >> > > >> > -- > >> > In my defence, I have been left unsupervised. > >> > > > > -- > Sent from a mobile device. Please excuse poor formatting. >