Check the return value of setuid, and make sure that it worked.
authorPaul Mackerras <paulus@samba.org>
Sun, 4 Jun 2006 07:02:37 +0000 (07:02 +0000)
committerPaul Mackerras <paulus@samba.org>
Sun, 4 Jun 2006 07:02:37 +0000 (07:02 +0000)
Fixes CVE-2006-2194.

pppd/plugins/winbind.c

index 8d8e981db190c8c74075094778a0f6e33866c52f..bb05acd87dce10a5d2a4adee6feaac68da576fd0 100644 (file)
@@ -296,15 +296,18 @@ unsigned int run_ntlm_auth(const char *username,
 
        if (forkret == 0) {
                /* child process */
+               uid_t uid;
+
                close(child_out[0]);
                close(child_in[1]);
 
                /* run winbind as the user that invoked pppd */
                setgid(getgid());
-               setuid(getuid());
+               uid = getuid();
+               if (setuid(uid) == -1 || getuid() != uid)
+                       fatal("pppd/winbind: could not setuid to %d: %m", uid);
                execl("/bin/sh", "sh", "-c", ntlm_auth, NULL);  
-               perror("pppd/winbind: could not exec /bin/sh");
-               exit(1);
+               fatal("pppd/winbind: could not exec /bin/sh: %m");
        }
 
         /* parent */
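Review bot: The group drop just above the new check, `setgid(getgid());`, is still unchecked, so if it fails the child reaches `execl` with its inherited effective group; it deserves the same treatment, e.g. `if (setgid(getgid()) == -1) fatal("pppd/winbind: could not setgid: %m");`. The post-check `getuid() != uid` compares the real uid with a value just read from `getuid()`, so it is unlikely ever to fire; `if (setuid(uid) == -1 || geteuid() != uid)` would verify the effective identity that the exec'd shell actually runs with. `uid` is a `uid_t` passed to `%d`, so a cast such as `(int)uid` would keep the format and argument in agreement. run_ntlm_auth begins and ends outside this hunk, so whether supplementary groups are dropped elsewhere cannot be seen from here.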