Fix a security problem where the ktrace.out file could have been written

over a file owned by someone else.

Pointed out by:	wosch
Reviewed by:	sef, imp, proff@suburbia.net, bde

2 files changed, 16 insertions, 5 deletions

diff --git a/usr.bin/ktrace/ktrace.1 b/usr.bin/ktrace/ktrace.1
index 3fe47e4722bb..48a2e646e284 100644
--- a/usr.bin/ktrace/ktrace.1
+++ b/usr.bin/ktrace/ktrace.1
@@ -75,7 +75,7 @@ to decode it.
 The options are as follows:
 .Bl -tag -width indent
 .It Fl a
-Append to the trace file instead of truncating it.
+Append to the trace file instead of recreating it.
 .It Fl C
 Disable tracing on all user owned processes, and, if executed by root, all
 processes in the system.
diff --git a/usr.bin/ktrace/ktrace.c b/usr.bin/ktrace/ktrace.c
index 10db42e79473..8ff4d692979c 100644
--- a/usr.bin/ktrace/ktrace.c
+++ b/usr.bin/ktrace/ktrace.c
@@ -42,7 +42,7 @@ static char copyright[] =
 static char sccsid[] = "@(#)ktrace.c	8.1 (Berkeley) 6/6/93";
 #endif
 static const char rcsid[] =
-	"$Id$";
+	"$Id: ktrace.c,v 1.8 1997/02/22 19:55:27 peter Exp $";
 #endif /* not lint */
 
 #include <sys/param.h>
@@ -72,6 +72,7 @@ main(argc, argv)
 	int append, ch, fd, inherit, ops, pid, pidset, trpoints;
 	char *tracefile;
 	mode_t omask;
+	struct stat sb;
 
 	clear = NOTSET;
 	append = ops = pidset = inherit = 0;
@@ -140,9 +141,19 @@ main(argc, argv)
 	}
 
 	omask = umask(S_IRWXG|S_IRWXO);
-	if ((fd = open(tracefile, O_CREAT | O_WRONLY | (append ? 0 : O_TRUNC),
-	    DEFFILEMODE)) < 0)
-		err(1, tracefile);
+	if (append) {
+		if ((fd = open(tracefile, O_CREAT | O_WRONLY, DEFFILEMODE)) < 0)
+			err(1, tracefile);
+		if (fstat(fd, &sb) != 0 || sb.st_uid != getuid())
+			errx(1, "Refuse to append to %s not owned by you.",
+			    tracefile);
+	} else {
+		if (unlink(tracefile) == -1 && errno != ENOENT)
+			err(1, "unlink %s", tracefile);
+		if ((fd = open(tracefile, O_CREAT | O_EXCL | O_WRONLY,
+		    DEFFILEMODE)) < 0)
+			err(1, tracefile);
+	}
 	(void)umask(omask);
 	(void)close(fd);