The only place we really need to drop setgid is when opening an
arbitrary file, e.g. "crontab /foo/bar", which prevents the user
from viewing other people's crontab files. Now that TMPDIR support
is gone things are a bit simpler...
- todd
Index: crontab.c
===================================================================
RCS file: /cvs/src/usr.sbin/cron/crontab.c,v
retrieving revision 1.79
diff -u -p -u -r1.79 crontab.c
--- crontab.c 2 Nov 2015 20:09:02 -0000 1.79
+++ crontab.c 2 Nov 2015 20:21:48 -0000
@@ -314,15 +314,7 @@ edit_cmd(void)
fprintf(stderr, "path too long\n");
goto fatal;
}
- if (setegid(user_gid) < 0) {
- perror("setegid(user_gid)");
- exit(EXIT_FAILURE);
- }
t = mkstemp(Filename);
- if (setegid(crontab_gid) < 0) {
- perror("setegid(crontab_gid)");
- exit(EXIT_FAILURE);
- }
if (t == -1) {
perror(Filename);
goto fatal;
@@ -347,15 +339,7 @@ edit_cmd(void)
fprintf(stderr, "%s: error while writing new crontab to %s\n",
ProgramName, Filename);
fatal:
- if (setegid(user_gid) < 0) {
- perror("setegid(user_gid)");
- exit(EXIT_FAILURE);
- }
unlink(Filename);
- if (setegid(crontab_gid) < 0) {
- perror("setegid(crontab_gid)");
- exit(EXIT_FAILURE);
- }
exit(EXIT_FAILURE);
}
@@ -376,19 +360,11 @@ edit_cmd(void)
goto fatal;
}
if (timespeccmp(&ts[1], &statbuf.st_mtim, ==)) {
- if (setegid(user_gid) < 0) {
- perror("setegid(user_gid)");
- exit(EXIT_FAILURE);
- }
if (lstat(Filename, &xstatbuf) == 0 &&
statbuf.st_ino != xstatbuf.st_ino) {
fprintf(stderr, "%s: crontab temp file moved, editor "
"may create backup files improperly\n", ProgramName);
}
- if (setegid(crontab_gid) < 0) {
- perror("setegid(crontab_gid)");
- exit(EXIT_FAILURE);
- }
fprintf(stderr, "%s: no changes made to crontab\n",
ProgramName);
goto remove;
@@ -429,15 +405,7 @@ edit_cmd(void)
goto fatal;
}
remove:
- if (setegid(user_gid) < 0) {
- perror("setegid(user_gid)");
- exit(EXIT_FAILURE);
- }
unlink(Filename);
- if (setegid(crontab_gid) < 0) {
- perror("setegid(crontab_gid)");
- exit(EXIT_FAILURE);
- }
done:
log_it(RealUser, Pid, "END EDIT", User);
}
