write: fix setuid related regression

The write(1) is commonly a setuid binary, because common users cannot by
default write to each others terminals.  Since the commit in reference, that
is part of releases v2.24 to v2.28, the write(1) has used access(2) to check
capability to write to a destination terminal.  The catch is that access(2)
uses real UID and GID to when performing the accessibility.  The obvious
correction is to avoid access(2) when in context of setuid binaries.

As a smaller fix, but equally important fix, ensure the 'msgsok' variable is
initialized to indicate no access.  Uninitialized variable will almost
certainly do wrong thing at the time of check.

Breaking-commit: 0233a8ea18bec17dd59cfe1fec8281
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Wayne Pollock <profwaynepollock@gmail.com>

diff --git a/term-utils/write.c b/term-utils/write.c
index 238040be2a0b3ba32bf853bbb9cd6940f50505dd..14594f5d9e93f445452099cbc0235af3aed84e6f 100644 (file)
--- a/term-utils/write.c
+++ b/term-utils/write.c
@@ -97,7 +97,7 @@ int main(int argc, char **argv)
 {
        time_t atime;
        uid_t myuid;
-       int msgsok, myttyfd, c;
+       int msgsok = 0, myttyfd, c;
        char tty[PATH_MAX], *mytty;
 
        static const struct option longopts[] = {
@@ -151,7 +151,7 @@ int main(int argc, char **argv)
                if (!msgsok)
                        errx(EXIT_FAILURE,
                             _("you have write permission turned off"));
-
+               msgsok = 0;
        } else
                mytty = "<no tty>";
 
@@ -230,7 +230,7 @@ void search_utmp(char *user, char *tty, char *mytty, uid_t myuid)
        struct utmp u;
        struct utmp *uptr;
        time_t bestatime, atime;
-       int nloggedttys, nttys, msgsok, user_is_me;
+       int nloggedttys, nttys, msgsok = 0, user_is_me;
        char atty[sizeof(u.ut_line) + 1];
 
        utmpname(_PATH_UTMP);
@@ -300,10 +300,10 @@ int term_chk(char *tty, int *msgsokP, time_t * atimeP, int showerror)
                        warn("%s", path);
                return 1;
        }
-
-       *msgsokP = !access(path, W_OK);
-       if (!root_access && *msgsokP)
-               *msgsokP = s.st_mode & S_IWGRP;
+       if (getuid() == 0)      /* root can always write */
+               *msgsokP = 1;
+       else
+               *msgsokP = (s.st_mode & S_IWGRP) && (getegid() == s.st_gid);
        *atimeP = s.st_atime;
        return 0;
 }