COMMAND

    delegate

SYSTEMS AFFECTED

    Those running delegate

PROBLEM

    Olaf Seibert found the following.  Delegate is a multi-protocol
    proxy daemon (ftp, http, telnet, etc).  Olaf noticed that it creates
    lots of files and directories in the DGROOT directory that are
    writable by everybody (NetBSD as testing platform).  This was the
    configuration:

	-P21
	SERVER=ftp://ftp.[removed]
	PERMIT=[removed]
	DGROOT=/tmp/delegate
	OWNER=delegate

    Delegate is started from inetd.conf:

	ftp             stream  tcp     wait    delegate /usr/local/bin/delegated
		/usr/local/bin/delegated +=/etc/delegated.conf

    Output of ls -alR /tmp/delegate:

	total 14
	drwxrwxrwx  7 delegate  wheel  512 Jun 30 16:01 .
	drwxrwxrwt  4 root      wheel  512 Jun 30 16:07 ..
	drwxrwxrwx  5 delegate  wheel  512 Jun 30 16:01 act
	drwxrwxrwx  3 delegate  wheel  512 Jun 30 16:01 etc
	drwxrwxrwx  3 delegate  wheel  512 Jun 30 16:01 log
	drwxr-xr-x  3 delegate  wheel  512 Jun 30 16:06 tmp
	drwxrwxrwx  2 delegate  wheel  512 Jun 30 16:06 work

    [lots removed]

	delegate/tmp/resolvy/ab3f2cfb31e801face8fa9c06c38ab4b/byname:
	total 8
	drwxrwxrwx  2 delegate  wheel  512 Jun 30 16:01 .
	drwxrwxrwx  4 delegate  wheel  512 Jun 30 16:01 ..
	-rw-rw-rw-  1 delegate  wheel   50 Jun 30 16:01 09
	-rw-rw-rw-  1 delegate  wheel   49 Jun 30 16:01 12

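    This is of course not good from a security viewpoint: any local
    user can modify or replace files that delegate later reads, such
    as the resolver cache entries shown above.  Another thing: if you
    start delegate as root and it changes to another user, some of
    these directories are created as root, and later delegate claims
    it cannot create some other files.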

SOLUTION

    Nothing yet.  This is an unofficial fix for delegate 5.9.1.  The
    patch changes directory mode 777 -> 775 and cache file mode
    666 -> 664, and it puts the "OWNER=delegate/delegate" option for
    delegated.  Latest delegate version is 5.9.3.

    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/rary/file.c delegate5.9.1/rary/file.c
    --- delegate5.9.1.org/rary/file.c       Mon Mar 15 18:33:28 1999
    +++ delegate5.9.1/rary/file.c   Thu Apr 15 09:56:29 1999
    @@ -372,7 +372,7 @@
			    tmpdir = "/tmp";
	    }
	    if( !fileIsdir(tmpdir) )
    -               mkdir(tmpdir,0777);
    +               mkdir(tmpdir,0775);

	    if( path == NULL )
		    path = pathb;
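Review bot: The result of `mkdir(tmpdir,0775)` is still discarded, and when the path already exists the `fileIsdir()` test accepts it whatever its owner or mode, so a directory created as 0777 by an unpatched build stays world-writable after this change. With the `/tmp` fallback visible just above, the parent can be a shared directory, so at minimum the failure case should be handled, e.g. `if( mkdir(tmpdir,0775) != 0 ) /* report and stop using tmpdir */`, and a pre-existing directory's ownership checked before files are placed in it. The mode is also filtered by the process umask, so the effective permissions depend on how delegated is started. The enclosing function starts and ends outside the hunk.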
    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/resolvy/rescache.c delegate5.9.1/resolvy/rescache.c
    --- delegate5.9.1.org/resolvy/rescache.c        Mon Jan 11 03:47:49 1999
    +++ delegate5.9.1/resolvy/rescache.c    Thu Apr 15 09:57:43 1999
    @@ -65,8 +65,8 @@

	    if( fp == NULL && *mode != 'r' ){
		    mkdir(tmpdir,0755);
    -               if( mkdir(cdirs,0777) == 0 ) chmod(cdirs,0777);/*ignore umask*/
    -               if( mkdir(cdirg,0777) == 0 ){chmod(cdirg,0777);
    +               if( mkdir(cdirs,0775) == 0 ) chmod(cdirs,0775);/*ignore umask*/
    +               if( mkdir(cdirg,0775) == 0 ){chmod(cdirg,0775);
			    RES_getconf(conf);
			    sprintf(idfile,"%s/config",cdirg);
			    cfp = fopen(idfile,"w");
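Review bot: The `chmod(cdirs,0775)` and `chmod(cdirg,0775)` calls still override the administrator's umask on purpose (`/*ignore umask*/`), so a site that wants the resolver-cache directories private cannot get that through umask, and they remain writable by every member of delegate's group. The line above already creates `tmpdir` as 0755; unless another group member really has to write the cache, the same mode would fit here: `if( mkdir(cdirs,0755) == 0 ) chmod(cdirs,0755);`. Because the chmod runs only when mkdir succeeds, directories created as 0777 by an unpatched build keep that mode and need a one-time manual fix. The same applies to `cdir1` in the hunk at -81.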
    @@ -81,7 +81,7 @@
			    fputs(conf,cfp);
			    fclose(cfp);
		    }
    -               if( mkdir(cdir1,0777) == 0 ) chmod(cdir1,0777);
    +               if( mkdir(cdir1,0775) == 0 ) chmod(cdir1,0775);

		    if( (fp = fopen(cpath,mode)) == NULL ){
			    cache_cantopen = time(0);
    @@ -89,7 +89,7 @@
		    }
	    }
	    if( fp != NULL && *mode != 'r' )
    -               chmod(cpath,0666);
    +               chmod(cpath,0664);

	    return fp;
     }
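Review bot: `chmod(cpath,0664)` sets the mode by path after `fopen()` has already returned, so if the containing directory is writable by anyone else, the name may refer to a different file by the time chmod runs. The stream is open at this point, so applying the mode to the descriptor avoids the second path lookup: `fchmod(fileno(fp),0664);`. The `chmod(cpath,0664)` after `rename()` in the hunk at -184 is also path-based, but no open stream is visible there. The function begins outside this hunk.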
    @@ -184,7 +184,7 @@
				    debug(DBG_FORCE,"CACHE cant del.? %s\n",cpath);
			    if( rename(newpath,cpath) == 0 ){
				    debug(DBG_ANY,"CACHE truncated %s\n",cpath);
    -                               chmod(cpath,0666);
    +                               chmod(cpath,0664);
			    }
			    if( unlink(newpath) == 0 )
				    debug(DBG_FORCE,"CACHE salvaged %s\n",newpath);
    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/src/cache.c delegate5.9.1/src/cache.c
    --- delegate5.9.1.org/src/cache.c       Fri Jul 10 18:22:56 1998
    +++ delegate5.9.1/src/cache.c   Thu Apr 15 09:54:02 1999
    @@ -174,7 +174,7 @@

	    if( dp = strrchr(file,'/') ){
		    *dp = 0;
    -               mkdirR(file,0777);
    +               mkdirR(file,0775);
		    *dp = '/';
	    }

    @@ -731,7 +731,7 @@
	    fclose(cachefp);

	    if( gotok ){
    -               if( renameR(xcpath,cpath,0777) == 0 )
    +               if( renameR(xcpath,cpath,0775) == 0 )
			    sv1log("CACHE: got = [%d] %s\n",size,cpath);
		    else    sv1log("CACHE: can't link %s => %s\n",cpath,xcpath);
	    }else{
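Review bot: The mode passed to `renameR(xcpath,cpath,0775)` is a bare octal literal whose role is not evident at the call site; presumably it is the mode for parent directories that renameR creates, but that is not visible here. The same literal is repeated at every `mkdirR`, `linkR` and `renameR` call this patch touches, which is why the 0777 value had to be corrected site by site and why any missed call would stay world-writable. A single named constant in a shared header (for instance a new `#define DG_DIR_MODE 0775`, name to be chosen by the project), with a comment stating who needs write access, would keep the sites consistent. The enclosing function extends beyond the hunk.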
    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/src/delegated.c delegate5.9.1/src/delegated.c
    --- delegate5.9.1.org/src/delegated.c   Mon Mar 15 19:18:15 1999
    +++ delegate5.9.1/src/delegated.c       Thu Apr 15 09:54:16 1999
    @@ -3473,7 +3473,7 @@
			    fprintf(stderr,"WORKDIR=%s\n",wdir);
	    }

    -       mkdirR(wdir,0777);
    +       mkdirR(wdir,0775);
	    getcwd(cwd,sizeof(cwd));
	    originWD = strdup(cwd);

    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/src/editconf.c delegate5.9.1/src/editconf.c
    --- delegate5.9.1.org/src/editconf.c    Tue Oct  6 15:51:05 1998
    +++ delegate5.9.1/src/editconf.c        Thu Apr 15 09:55:18 1999
    @@ -370,7 +370,7 @@
			    fprintf(stderr,"#### %s\n",msg);
			    YesOrNo(stderr,stdin,"#### Create Cachedir",yn);
			    if( yn[0] == 'y' )
    -                       if( mkdirR(sdir,0777) == 0 ){
    +                       if( mkdirR(sdir,0775) == 0 ){
				    fprintf(stderr,"#### Created: %s\n",sdir);
				    sv1log("#### CACHEDIR created: %s\n",sdir);
				    return 0;
    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/src/log.c delegate5.9.1/src/log.c
    --- delegate5.9.1.org/src/log.c Mon Mar 15 19:39:35 1999
    +++ delegate5.9.1/src/log.c     Thu Apr 15 09:55:35 1999
    @@ -410,7 +410,7 @@
     loglog("AGEFILE(%x,%s,%s,%s,%s) %d\n",ofp,file,current,mode,tmpdir,was_active);

	    unlink(current);
    -       linkR(file,current,0777); /* should use symbolic link ? */
    +       linkR(file,current,0775); /* should use symbolic link ? */

     REOPEN:
	    nfp = fopen(file,mode);
    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/src/nntp.c delegate5.9.1/src/nntp.c
    --- delegate5.9.1.org/src/nntp.c        Fri Mar  5 17:08:41 1999
    +++ delegate5.9.1/src/nntp.c    Thu Apr 15 09:55:57 1999
    @@ -5266,7 +5266,7 @@

	    if( 0 < xsize ){
		    sprintf(apath1,"%s#",apath);
    -               if( linkR(xapath,apath1,0777) != 0 ){
    +               if( linkR(xapath,apath1,0775) != 0 ){
			    sv1log("#### linkR(%s,%s) failed(%d).\n",
				    xapath,apath1,errno);
			    return afp;
    @@ -5295,7 +5295,7 @@
	    }else{
		    if( xsize == 0 )
			    unlink(xapath);
    -               linkR(apath,xapath,0777);
    +               linkR(apath,xapath,0775);
		    sv1log("LINKED-2 [%s] from [%s]\n",apath,xapath);
	    }

    diff -ur -x *.[oa] -x *.exe -x *.go delegate5.9.1.org/src/uns.c delegate5.9.1/src/uns.c
    --- delegate5.9.1.org/src/uns.c Tue Aug  4 22:41:29 1998
    +++ delegate5.9.1/src/uns.c     Thu Apr 15 09:56:11 1999
    @@ -165,7 +165,7 @@
		    if( dp = strrpbrk(dir,"/\\") )
			    *dp = 0;
		    if( !fileIsdir(dir) ){
    -                       mkdirR(dir,0777);
    +                       mkdirR(dir,0775);
			    if( !fileIsdir(dir) )
				    errlog("bind_un: cannot mkdir %s\n",dir);
		    }