From: Karel Zak Date: Mon, 7 Jul 2008 13:22:22 +0000 (+0200) Subject: write: doesn't check for tty group X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ced94242e11e2ac121c9dae5c707bac5b47e501a;p=util-linux write: doesn't check for tty group write(1) selects a wrong tty, because there is not a proper check of tty group ownership: $ write kzak write: kzak is logged in more than once; writing to tty7 write: /dev/tty7: Permission denied $ ls -la /dev/tty7 crw--w---- 1 root root 4, 7 2008-07-04 00:32 /dev/tty7 ^^^^ $ ls -la /usr/bin/write -rwxr-sr-x 1 root tty 11864 2008-04-02 16:24 /usr/bin/write ^ ^^^ We have to check for tty group owner, because we don't have permissions to write to arbitrary tty. Fixed version: $ write kzak write: kzak is logged in more than once; writing to pts/6 ^^^^ Message from test@nb on pts/7 at 15:22 ... ^C $ ls -la /dev/pts/6 crw--w---- 1 kzak tty 136, 6 2008-07-07 15:35 /dev/pts/6 ^^^ Addresses-Red-Hat-Bugzilla: #454252 Signed-off-by: Karel Zak --- diff --git a/misc-utils/write.c b/misc-utils/write.c index 46b8f0ac..276fe96d 100644 --- a/misc-utils/write.c +++ b/misc-utils/write.c @@ -72,6 +72,8 @@ static void done(int); int term_chk(char *, int *, time_t *, int); int utmp_chk(char *, char *); +static gid_t myegid; + int main(int argc, char **argv) { time_t atime; @@ -83,6 +85,8 @@ main(int argc, char **argv) { bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); + myegid = getegid(); + /* check that sender has write enabled */ if (isatty(fileno(stdin))) myttyfd = fileno(stdin); @@ -267,7 +271,9 @@ int term_chk(char *tty, int *msgsokP, time_t *atimeP, int showerror) "write: %s: %s\n", path, strerror(errno)); return(1); } - *msgsokP = (s.st_mode & (S_IWRITE >> 3)) != 0; /* group write bit */ + + /* group write bit and group ownership */ + *msgsokP = (s.st_mode & (S_IWRITE >> 3)) && myegid == s.st_gid; *atimeP = s.st_atime; return(0); }