6314245 racy chown/chmod in lpsched

5 files changed, 29 insertions, 15 deletions

diff --git a/usr/src/cmd/lp/cmd/lpsched/disp1.c b/usr/src/cmd/lp/cmd/lpsched/disp1.c
index 7f7c6dc66d..7473af6013 100644
--- a/usr/src/cmd/lp/cmd/lpsched/disp1.c
+++ b/usr/src/cmd/lp/cmd/lpsched/disp1.c
@@ -117,8 +117,7 @@ void s_print_request ( char * m, MESG * md )
     {
 	req_file = reqpath(file, &idno);
 	path = makepath(Lp_Tmp, req_file, (char *)0);
-	(void) Chmod(path, 0600);
-	(void) Chown(path, Lp_Uid, Lp_Gid);
+	(void) chownmod(path, Lp_Uid, Lp_Gid, 0600);
 	Free (path);
     
 	if (!(r = Getrequest(req_file)))
@@ -301,8 +300,7 @@ void s_print_request ( char * m, MESG * md )
 			 * IPP job attribute file exists for this job so
 			 * change permissions and ownership of the file
 			 */
-			(void) Chmod(path, 0600);
-			(void) Chown(path, Lp_Uid, Lp_Gid);
+			(void) chownmod(path, Lp_Uid, Lp_Gid, 0600);
 			Free(path);
 		}
 		else
@@ -444,8 +442,7 @@ void s_end_change_request(char *m, MESG *md)
 	status = MNOSTART;
     else {
 	path = makepath(Lp_Tmp, rp->req_file, (char *)0);
-	(void) Chmod(path, 0600);
-	(void) Chown(path, Lp_Uid, Lp_Gid);
+	(void) chownmod(path, Lp_Uid, Lp_Gid, 0600);
 	Free (path);
 
 	rp->request->outcome &= ~(RS_CHANGING);
diff --git a/usr/src/cmd/lp/cmd/lpsched/files.c b/usr/src/cmd/lp/cmd/lpsched/files.c
index 50276a3c76..71459be435 100644
--- a/usr/src/cmd/lp/cmd/lpsched/files.c
+++ b/usr/src/cmd/lp/cmd/lpsched/files.c
@@ -19,15 +19,15 @@
  *
  * CDDL HEADER END
  */
-/*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
-/*	  All Rights Reserved  	*/
-
 
 /*
  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
+/*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
+/*	  All Rights Reserved  	*/
+
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
 #include "lpsched.h"
@@ -75,8 +75,7 @@ off_t chfiles ( char * * list, uid_t uid, gid_t gid )	/* funcdef */
 		list[-1] = file = newfile;
 	    }
 	    
-	    (void) Chmod(file, 0600);
-	    (void) Chown(file, uid, gid);
+	    (void) chownmod(file, uid, gid, 0600);
 	}
 
 	if (Stat(file, &stbuf) == -1)
@@ -395,7 +394,7 @@ _alloc_files (
 			return (0);
 		} else {
 			Close (fd);
-			Chown (file, uid, gid);
+			(void) chownmod(file, uid, gid, 0600);
 		}
 	}
 
@@ -423,7 +422,7 @@ _alloc_files (
 			else
 			{
 				Close(fd);
-				Chown(file, uid, gid);
+				(void) chownmod(file, uid, gid, 0600);
 			}
 
 			Free(file);
diff --git a/usr/src/cmd/lp/cmd/lpsched/lpfsck.c b/usr/src/cmd/lp/cmd/lpsched/lpfsck.c
index a538e4454c..0fcb973f71 100644
--- a/usr/src/cmd/lp/cmd/lpsched/lpfsck.c
+++ b/usr/src/cmd/lp/cmd/lpsched/lpfsck.c
@@ -322,8 +322,7 @@ proto(int type, int rm_ok, ...)
 	mode = va_arg(ap, mode_t);
 	uid = va_arg(ap, uid_t);
 	gid = va_arg(ap, gid_t);
-	Chmod (path, mode);
-	Chown (path, uid, gid);
+	(void) chownmod(path, uid, gid, mode);
 
 	Free (path);
 	return;
diff --git a/usr/src/cmd/lp/include/lp.h b/usr/src/cmd/lp/include/lp.h
index b3da071110..32d4ce85ca 100644
--- a/usr/src/cmd/lp/include/lp.h
+++ b/usr/src/cmd/lp/include/lp.h
@@ -595,6 +595,9 @@ void		(*lp_alloc_fail_handler)( void );
 #define	next_dir(base, ptr)	next_x(base, ptr, S_IFDIR)
 #define	next_file(base, ptr)	next_x(base, ptr, S_IFREG)
 
+extern int chownmod(char *path, uid_t owner, gid_t group, mode_t mode);
+
+
 char *		next_x  ( char * , long * , unsigned int );
 
 #endif
diff --git a/usr/src/cmd/lp/lib/lp/files.c b/usr/src/cmd/lp/lib/lp/files.c
index 34dc6bda13..d85484f547 100644
--- a/usr/src/cmd/lp/lib/lp/files.c
+++ b/usr/src/cmd/lp/lib/lp/files.c
@@ -60,6 +60,22 @@ is_printer_uri(char *value)
 	return (0);
 }
 
+/*
+ * To avoid a race condition, chown() should always be called before
+ * chmod().
+ */
+int
+chownmod(char *path, uid_t owner, gid_t group, mode_t mode)
+{
+	int rc;
+
+	if ((rc = Chown(path, owner, group)) == 0)
+		rc = Chmod(path, mode);
+
+	return (rc);
+}
+
+
 int
 fdprintf(int fd, char *fmt, ...)
 {