Thanks to Steve Kemp who reported this issue as Debian bug #548684.
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548684>
Instead of specifying hostnames on the command line, read them from
I<filename>. If I<filename> is B<->, read from C<STDIN>.
+This option is only available if the real user ID (as returned by L<getuid(2)>)
+and the effective user ID (as returned by L<geteuid(2)>) match. This is meant
+to avoid security issues when I<oping> is installed with the SUID-bit.
+
=back
=head1 SEE ALSO
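Review bot: The added paragraph says the option is "only available" when the real and effective user IDs match, but it does not say what happens when they differ. State that oping then prints an error message to standard error and does not read the file, so a user of a SUID installation can tell a refusal apart from a missing or unreadable file.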
# include <string.h>
# include <errno.h>
# include <assert.h>
+# include <unistd.h>
#else
# error "You don't have the standard C99 header files installed"
#endif /* STDC_HEADERS */
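Review bot: `# include <unistd.h>` is added inside the `STDC_HEADERS` block, whose `#error` text speaks of standard C99 header files, but unistd.h is a POSIX header, not a C99 one. Including it under its own guard (for example a configure-provided `HAVE_UNISTD_H`, if the build defines one) would keep both the condition and the error message accurate.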
exit (status);
}
+static _Bool is_setuid (void)
+{
+ return (getuid () != geteuid ());
+}
+
static int read_options (int argc, char **argv)
{
int optchar;
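Review bot: The `return (getuid () != geteuid ());` in is_setuid() compares user IDs only, so a binary installed set-group-ID, where getgid() and getegid() differ, would still be allowed to use `-f`. Consider adding the group-ID comparison to the same expression, and a short comment above the function saying what it guards, since the name alone does not tell the reader that it gates file reading.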
break;
case 'f':
+ if (is_setuid ())
+ {
+ fprintf (stderr, "For security reasons the `-f' option "
+ "is disabled if real and effective "
+ "user IDs don't match. Sorry.\n");
+ }
+ else
{
if (opt_filename != NULL)
free (opt_filename);
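Review bot: In the `if (is_setuid ())` branch of `case 'f':` the code only prints to stderr; in the lines shown nothing sets an error status or stops option parsing, so a run that relied on `-f` for its host list carries on without it. Treat the refusal as a fatal usage error with a non-zero exit so that scripts can detect it. The check also rejects `-f -`, which the documentation describes as reading from STDIN, input the invoking user controls anyway; if that case is meant to stay usable, test the argument before refusing.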