dccproc-1.0.53 inserting "p=/home/username/.dcc/whiteclnt.dccw ..."

Vernon Schryver vjs@calcite.rhyolite.com
Wed Apr 17 02:37:10 UTC 2002

> From: Chris Shenton <chris@Shenton.Org>

> Built dccproc from sources and installed.  It appears to be inserting
> a debugging line which confuses my MUA when I use the "-w" flag.

> ...
> p=/home/chris/.dcc/whiteclnt.dccw p+=is/.dcc/whiteclnt.dccw

> Is this a misfeature or errant debug statement? is there a way to
> disable it so my MUA doesn't get so confused?

Oops.  I'm sorry about that.  That results from the debugging printf
you round and that I meant to remove.

] From: Chris Shenton <chris@Shenton.Org>

] ...
]             if (strncmp(p, DCC_HOMEDIR, sizeof(DCC_HOMEDIR)-1)
]                 || strchr(p+sizeof(DCC_HOMEDIR), '/')) {
]                     printf("p=%s p+=%s\n", p, p+sizeof(DCC_HOMEDIR));
]                     return 0;
]             }

] ...
] but I'm not sure what it's checking for.  

It occurred to me that with a setUID=0 dccproc, you could play games
like `dccproc -h /etc -w passwd` or `dccproc -w /etc/shadow`
The games wouldn't be much fun because I don't see how you could do
anything really harmful, because the only files created have the unlike
suffix of ".dccw".  However, they would cause consternation and shouldn't
be allowed.

So the DCC client code refuses to use setUID privileges to open
whitelist files unless their path is in a subdirectory of the compiled-in
DCC home directory.  For 1.0.54, I've changed that code to:

        if (strncmp(p, DCC_HOMEDIR, sizeof(DCC_HOMEDIR)-1)
            || strstr(p+sizeof(DCC_HOMEDIR)-1, "/../"))
                return 0;

] I see it created in my homedir a new whiteclnt.dccw, but it was owned
] by root, causing a subsequent attempt to complain in the logs about
] permission denied. Not sure why yet, could be stupidity on my part as
] I get this tested. Or it could be cuz that's the name of the dcc user
] I have defaulted to for now in the dcc config file; setuid
] executable...

What's the name of the dcc user, root? 
What is the compiled-in DCC home directory?
How is the whitelist file specified, with -w /home/chris/.dcc/whiteclnt ?
If it couldn't open it later, it shouldn't have been able to create it
I just tried what I understand to be the bad case, and the created
whiteclnt.dccw is owned by the real instead of the setUID UID of dccproc.

] To avoid "/" in my abs pathname triggering the "p=..." output, I
] copied my personal "whiteclnt" to the system location
] /var/dcc/whiteclnt, and tried again:
]   chris@thanatos(276> cat /tmp/email2 |dccproc -Q -w whiteclnt

Why is `cat` used?  If it's not because that's a better simulation of
the operational environment, there is `dccproc -i /tmp/mail2`

] It appears to create the new "whiteclnt.dccw" but the logs show
] an unusual complaint:
]   Apr 16 20:56:45 thanatos dccproc[89438]: size of whitelist /var/dcc/whiteclnt.dccw, 53608, is impossible
] ...

Did you copy to whiteclnt or whitelcnt.dccw ?
The latter is generated from the former.  Among the sanity checks
to prevent fun and games with symbolic links as well as simple mistakes
are checks that the size of the generated file is likely.
The result of that message is should be that the .dccw file is deleted
and rebuilt.

Vernon Schryver    vjs@rhyolite.com

More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.