chsh, chfn, vipw: fix filenames collision

The utils when compiled WITHOUT libuser then mkostemp()ing "/etc/%s.XXXXXX" where the filename prefix is argv[0] basename. An attacker could repeatedly execute the util with modified argv[0] and after many many attempts mkostemp() may generate suffix which makes sense. The result maybe temporary file with name like rc.status ld.so.preload or krb5.keytab, etc. Note that distros usually use libuser based ch{sh,fn} or stuff from shadow-utils. It's probably very minor security bug. Addresses: CVE-2015-5224 Signed-off-by: Karel Zak <kzak@redhat.com>
author: Karel Zak <kzak@redhat.com> 2015-08-24 10:05:55 +0200
committer: Karel Zak <kzak@redhat.com> 2015-08-24 10:05:55 +0200
commit: bde91c85bdc77975155058276f99d2e0f5eab5a9 (patch)
tree: c9bf09e5f6ff82913d7b61561e3dfa134d2be199 /include/fileutils.h
parent: 3db75b1a8e0f40b9b0d788e7549f93d031c34fea (diff)
download: util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/include/fileutils.h b/include/fileutils.h
index e0e2ecee12..be6d1f7f9b 100644
--- a/include/fileutils.h
+++ b/include/fileutils.h
@@ -7,14 +7,14 @@
 
 #include "c.h"
 
-extern int xmkstemp(char **tmpname, char *dir);
+extern int xmkstemp(char **tmpname, const char *dir, const char *prefix);
 
-static inline FILE *xfmkstemp(char **tmpname, char *dir)
+static inline FILE *xfmkstemp(char **tmpname, const char *dir, const char *prefix)
 {
 	int fd;
 	FILE *ret;
 
-	fd = xmkstemp(tmpname, dir);
+	fd = xmkstemp(tmpname, dir, prefix);
 	if (fd == -1)
 		return NULL;
author	Karel Zak <kzak@redhat.com>	2015-08-24 10:05:55 +0200
committer	Karel Zak <kzak@redhat.com>	2015-08-24 10:05:55 +0200
commit	bde91c85bdc77975155058276f99d2e0f5eab5a9 (patch)
tree	c9bf09e5f6ff82913d7b61561e3dfa134d2be199 /include/fileutils.h
parent	3db75b1a8e0f40b9b0d788e7549f93d031c34fea (diff)
download	util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.tar.gz