101 lines
2.8 KiB
Diff
101 lines
2.8 KiB
Diff
diff -up emacs-23.1/lib-src/movemail.c.movemail emacs-23.1/lib-src/movemail.c
|
|
--- emacs-23.1/lib-src/movemail.c.movemail 2010-03-31 19:18:05.611899443 +0200
|
|
+++ emacs-23.1/lib-src/movemail.c 2010-03-31 19:24:29.738754553 +0200
|
|
@@ -176,7 +176,9 @@ main (argc, argv)
|
|
int nread;
|
|
int status;
|
|
int c, preserve_mail = 0;
|
|
-
|
|
+ uid_t real_gid, priv_gid;
|
|
+ real_gid = getgid();
|
|
+ priv_gid = getegid();
|
|
#ifndef MAIL_USE_SYSTEM_LOCK
|
|
struct stat st;
|
|
long now;
|
|
@@ -247,25 +249,6 @@ main (argc, argv)
|
|
if (*outname == 0)
|
|
fatal ("Destination file name is empty", 0, 0);
|
|
|
|
- /* Check access to output file. */
|
|
- if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
|
|
- pfatal_with_name (outname);
|
|
-
|
|
- /* Also check that outname's directory is writable to the real uid. */
|
|
- {
|
|
- char *buf = (char *) xmalloc (strlen (outname) + 1);
|
|
- char *p;
|
|
- strcpy (buf, outname);
|
|
- p = buf + strlen (buf);
|
|
- while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
|
|
- *--p = 0;
|
|
- if (p == buf)
|
|
- *p++ = '.';
|
|
- if (access (buf, W_OK) != 0)
|
|
- pfatal_with_name (buf);
|
|
- free (buf);
|
|
- }
|
|
-
|
|
#ifdef MAIL_USE_POP
|
|
if (!strncmp (inname, "po:", 3))
|
|
{
|
|
@@ -277,15 +260,11 @@ main (argc, argv)
|
|
exit (status);
|
|
}
|
|
|
|
- setuid (getuid ());
|
|
+ if (setuid (getuid ()) < 0)
|
|
+ fatal ("Failed to drop privileges", 0, 0);
|
|
#endif /* MAIL_USE_POP */
|
|
|
|
#ifndef DISABLE_DIRECT_ACCESS
|
|
-
|
|
- /* Check access to input file. */
|
|
- if (access (inname, R_OK | W_OK) != 0)
|
|
- pfatal_with_name (inname);
|
|
-
|
|
#ifndef MAIL_USE_MMDF
|
|
#ifndef MAIL_USE_SYSTEM_LOCK
|
|
#ifdef MAIL_USE_MAILLOCK
|
|
@@ -379,7 +358,8 @@ main (argc, argv)
|
|
time_t touched_lock, now;
|
|
#endif
|
|
|
|
- setuid (getuid ());
|
|
+ if (setuid (getuid ()) < 0 || setegid (real_gid) < 0)
|
|
+ fatal("Failed to drop privileges", 0, 0);
|
|
|
|
#ifndef MAIL_USE_MMDF
|
|
#ifdef MAIL_USE_SYSTEM_LOCK
|
|
@@ -405,6 +385,9 @@ main (argc, argv)
|
|
if (outdesc < 0)
|
|
pfatal_with_name (outname);
|
|
|
|
+ if (setegid (priv_gid) < 0)
|
|
+ fatal("Failed to regain privileges", 0, 0);
|
|
+
|
|
/* This label exists so we can retry locking
|
|
after a delay, if it got EAGAIN or EBUSY. */
|
|
retry_lock:
|
|
@@ -502,6 +485,10 @@ main (argc, argv)
|
|
if (close (outdesc) != 0)
|
|
pfatal_and_delete (outname);
|
|
|
|
+ /* Prevent symlink attacks truncating other users' mailboxes */
|
|
+ if (setegid (real_gid) < 0)
|
|
+ fatal("Failed to drop privileges", 0, 0);
|
|
+
|
|
#ifdef MAIL_USE_SYSTEM_LOCK
|
|
if (! preserve_mail)
|
|
{
|
|
@@ -529,6 +516,10 @@ main (argc, argv)
|
|
}
|
|
#endif /* not MAIL_USE_SYSTEM_LOCK */
|
|
|
|
+ /* End of mailbox truncation */
|
|
+ if (setegid (priv_gid) < 0)
|
|
+ fatal("Failed to regain privileges", 0, 0);
|
|
+
|
|
#ifdef MAIL_USE_MAILLOCK
|
|
/* This has to occur in the child, i.e., in the process that
|
|
acquired the lock! */
|