oops, we do need privs. do the right seteuid() thing.

3 files changed, 26 insertions, 6 deletions

diff --git a/larn/header.h b/larn/header.h
index 01b7487b..f6162229 100644
--- a/larn/header.h
+++ b/larn/header.h
@@ -1,7 +1,9 @@
-/*	$NetBSD: header.h,v 1.7 1995/04/24 12:23:54 cgd Exp $	*/
+/*	$NetBSD: header.h,v 1.8 1996/05/22 00:36:04 mrg Exp $	*/
 
 /*	header.h		Larn is copyrighted 1986 by Noah Morgan. */
 
+#include <sys/types.h>
+
 #define MAXLEVEL 11
 	/*	max # levels in the dungeon			*/
 #define MAXVLEVEL 3
@@ -346,6 +348,7 @@ extern short diroffx[],diroffy[],hitflag,hit2flag,hit3flag,hitp[MAXX][MAXY];
 extern short iarg[MAXX][MAXY],ivenarg[],lasthx,lasthy,lastnum,lastpx,lastpy;
 extern short nobeep,oldx,oldy,playerx,playery;
 extern int dayplay,enable_scroll,srcount,yrepcount,userid,wisid,lfd,fd;
+extern uid_t uid, euid;
 extern long initialtime,outstanding_taxes,skill[],gtime,c[],cbak[];
 extern unsigned long randx;
 extern struct cel *cell;
diff --git a/larn/main.c b/larn/main.c
index a17c2099..e691471d 100644
--- a/larn/main.c
+++ b/larn/main.c
@@ -1,5 +1,5 @@
 #ifndef lint
-static char rcsid[] = "$NetBSD: main.c,v 1.8 1996/05/21 23:19:20 mrg Exp $";
+static char rcsid[] = "$NetBSD: main.c,v 1.9 1996/05/22 00:36:09 mrg Exp $";
 #endif /* not lint */
 
 /*	main.c		*/
@@ -13,6 +13,7 @@ int srcount=0;	/* line counter for showstr()	*/
 int dropflag=0; /* if 1 then don't lookforobject() next round */
 int rmst=80;	/*	random monster creation counter		*/
 int userid;		/* the players login user id number */
+uid_t uid, euid;	/* used for security */
 char nowelcome=0,nomove=0; /* if (nomove) then don't count next iteration as a move */
 static char viewflag=0;
 	/*	if viewflag then we have done a 99 stay here and don't showcell in the main loop */
@@ -48,7 +49,9 @@ main(argc,argv)
 	char *ptr=0,*ttype;
 	struct passwd *pwe;
 
-	setuid(getuid());	/* give up "games" if we have it */
+	euid = geteuid();
+	uid = getuid();
+	seteuid(uid);	/* give up "games" if we have it */
 /*
  *	first task is to identify the player
  */
diff --git a/larn/scores.c b/larn/scores.c
index 8a2fac26..3a96271c 100644
--- a/larn/scores.c
+++ b/larn/scores.c
@@ -1,5 +1,5 @@
 #ifndef lint
-static char rcsid[] = "$NetBSD: scores.c,v 1.5 1995/04/24 12:24:08 cgd Exp $";
+static char rcsid[] = "$NetBSD: scores.c,v 1.6 1996/05/22 00:36:14 mrg Exp $";
 #endif /* not lint */
 
 /* scores.c			 Larn is copyrighted 1986 by Noah Morgan.
@@ -101,7 +101,12 @@ static char *whydead[] = {
  */
 readboard()
 	{
-	if (lopen(scorefile)<0)
+	int i;
+
+	seteuid(euid);
+	i = lopen(scorefile);
+	seteuid(uid);
+	if (i<0)
 	  { lprcat("Can't read scoreboard\n"); lflush(); return(-1); }
 	lrfill((char*)sco,sizeof(sco));		lrfill((char*)winr,sizeof(winr));
 	lrclose();  lcreat((char*)0);  return(0);
@@ -114,8 +119,13 @@ readboard()
  */
 writeboard()
 	{
+	int i;
+
 	set_score_output();
-	if (lcreat(scorefile)<0)
+	seteuid(euid);
+	i = lcreat(scorefile);
+	seteuid(uid);
+	if (i<0)
 	  { lprcat("Can't write scoreboard\n"); lflush(); return(-1); }
 	lwrite((char*)sco,sizeof(sco));		lwrite((char*)winr,sizeof(winr));
 	lwclose();  lcreat((char*)0);  return(0);
@@ -135,7 +145,9 @@ makeboard()
 		winr[i].order = sco[i].order = i;
 		}
 	if (writeboard()) return(-1);
+	seteuid(euid);
 	chmod(scorefile,0660);
+	seteuid(uid);
 	return(0);
 	}
 
@@ -512,7 +524,9 @@ invalid:
 				lprcat("\nCan't open record file:  I can't post your score.\n");
 				sncbr();  resetscroll();  lflush();  exit();
 				}
+			seteuid(euid);
 			chmod(logfile,0660);
+			seteuid(uid);
 			}
 		strcpy(logg.who,loginname);
 		logg.score = c[GOLD];		logg.diff = c[HARDGAME];