Various security related deltas from OpenBSD

dirs.c:
	From OpenBSD 1.2, 1.3, 1.5, 1.8, 1.10, 1.11, 1.12
	1.2:
		use unique temporary files; netbsd pr#2544;
		lukem@supp.cpr.itg.telecom.com.au
	1.3:
		updated patch from lukem@supp.cpr.itg.telecom.com.au
		to also make -r and -R work again
	1.5:
		mktemp open & fdopen
	1.8:
		/tmp// -> /tmp/
	1.10:
		Fix strncpy usage and correct strncat length field,
		from Theo.  Also change some occurrence of MAXPATHLEN
		with sizeof(foo).
	1.11:
		does noone know how to use strncat correctly?
	1.12:
		use mkstemp()
	From NetBSD:
		Use open rather than create so we can specify
		exclusive open mode.

main.c:
	From OpenBSD 1.2, 1.5
	1.2:
		From NetBSD: support $TAPE.
	1.5
		Set umask to be read only by owner until we set real
		file permissions.
tape.c:
	From NetBSD:
		Use open rather than create so we can specify
		exclusive open mode.

3 files changed, 43 insertions, 17 deletions

diff --git a/sbin/restore/dirs.c b/sbin/restore/dirs.c
index b092eab361fc..a4038eb1f63e 100644
--- a/sbin/restore/dirs.c
+++ b/sbin/restore/dirs.c
@@ -104,9 +104,9 @@ struct rstdirdesc {
 static long	seekpt;
 static FILE	*df, *mf;
 static RST_DIR	*dirp;
-static char	dirfile[32] = "#";	/* No file */
-static char	modefile[32] = "#";	/* No file */
-static char	dot[2] = ".";		/* So it can be modified */
+static char	dirfile[MAXPATHLEN] = "#";	/* No file */
+static char	modefile[MAXPATHLEN] = "#";	/* No file */
+static char	dot[2] = ".";			/* So it can be modified */
 
 /*
  * Format of old style directories.
@@ -142,11 +142,18 @@ extractdirs(genmode)
 	register struct dinode *ip;
 	struct inotab *itp;
 	struct direct nulldir;
+	int fd;
 
 	vprintf(stdout, "Extract directories from tape\n");
-	(void) sprintf(dirfile, "%s/rstdir%d", _PATH_TMP, dumpdate);
-	df = fopen(dirfile, "w");
-	if (df == NULL) {
+	(void) sprintf(dirfile, "%srstdir%d", _PATH_TMP, dumpdate);
+	if (command != 'r' && command != 'R') {
+		(void *) strcat(dirfile, "-XXXXXX");
+		fd = mkstemp(dirfile);
+	} else
+		fd = open(dirfile, O_RDWR|O_CREAT|O_EXCL, 0666);
+	if (fd == -1 || (df = fdopen(fd, "w")) == NULL) {
+		if (fd != -1)
+			close(fd);
 		fprintf(stderr,
 		    "restore: %s - cannot create directory temporary\n",
 		    dirfile);
@@ -154,9 +161,15 @@ extractdirs(genmode)
 		done(1);
 	}
 	if (genmode != 0) {
-		(void) sprintf(modefile, "%s/rstmode%d", _PATH_TMP, dumpdate);
-		mf = fopen(modefile, "w");
-		if (mf == NULL) {
+		(void) sprintf(modefile, "%srstmode%d", _PATH_TMP, dumpdate);
+		if (command != 'r' && command != 'R') {
+			(void *) strcat(modefile, "-XXXXXX");
+			fd = mkstemp(modefile);
+		} else
+			fd = open(modefile, O_RDWR|O_CREAT|O_EXCL, 0666);
+		if (fd == -1 || (mf = fdopen(fd, "w")) == NULL) {
+			if (fd != -1)
+				close(fd);
 			fprintf(stderr,
 			    "restore: %s - cannot create modefile \n",
 			    modefile);
@@ -239,8 +252,9 @@ treescan(pname, ino, todo)
 	 * begin search through the directory
 	 * skipping over "." and ".."
 	 */
-	(void) strncpy(locname, pname, MAXPATHLEN);
-	(void) strncat(locname, "/", MAXPATHLEN);
+	(void) strncpy(locname, pname, sizeof(locname) - 1);
+	locname[sizeof(locname) - 1] = '\0';
+	(void) strncat(locname, "/", sizeof(locname) - strlen(locname));
 	namelen = strlen(locname);
 	rst_seekdir(dirp, itp->t_seekpt, itp->t_seekpt);
 	dp = rst_readdir(dirp); /* "." */
@@ -260,9 +274,9 @@ treescan(pname, ino, todo)
 	 */
 	while (dp != NULL && dp->d_ino != 0) {
 		locname[namelen] = '\0';
-		if (namelen + dp->d_namlen >= MAXPATHLEN) {
+		if (namelen + dp->d_namlen >= sizeof(locname)) {
 			fprintf(stderr, "%s%s: name exceeds %d char\n",
-				locname, dp->d_name, MAXPATHLEN);
+				locname, dp->d_name, sizeof(locname) - 1);
 		} else {
 			(void) strncat(locname, dp->d_name, (int)dp->d_namlen);
 			treescan(locname, dp->d_ino, todo);
@@ -585,7 +599,13 @@ setdirmodes(flags)
 	char *cp;
 
 	vprintf(stdout, "Set directory mode, owner, and times.\n");
-	(void) sprintf(modefile, "%s/rstmode%d", _PATH_TMP, dumpdate);
+	if (command == 'r' || command == 'R')
+		(void) sprintf(modefile, "%srstmode%d", _PATH_TMP, dumpdate);
+	if (modefile[0] == '#') {
+		panic("modefile not defined\n");
+		fprintf(stderr, "directory mode, owner, and times not set\n");
+		return;
+	}
 	mf = fopen(modefile, "r");
 	if (mf == NULL) {
 		fprintf(stderr, "fopen: %s\n", strerror(errno));
@@ -640,7 +660,7 @@ genliteraldir(name, ino)
 	itp = inotablookup(ino);
 	if (itp == NULL)
 		panic("Cannot find directory inode %d named %s\n", ino, name);
-	if ((ofile = creat(name, 0666)) < 0) {
+	if ((ofile = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0666)) < 0) {
 		fprintf(stderr, "%s: ", name);
 		(void) fflush(stderr);
 		fprintf(stderr, "cannot create file: %s\n", strerror(errno));
diff --git a/sbin/restore/main.c b/sbin/restore/main.c
index 936116e319b8..a45994552353 100644
--- a/sbin/restore/main.c
+++ b/sbin/restore/main.c
@@ -82,13 +82,18 @@ main(argc, argv)
 {
 	int ch;
 	ino_t ino;
-	char *inputdev = _PATH_DEFTAPE;
+	char *inputdev;
 	char *symtbl = "./restoresymtable";
 	char *p, name[MAXPATHLEN];
 
+	/* Temp files should *not* be readable.  We set permissions later. */
+	(void) umask(077);
+
 	if (argc < 2)
 		usage();
 
+	if ((inputdev = getenv("TAPE")) == NULL)
+		inputdev = _PATH_DEFTAPE;
 	obsolete(&argc, &argv);
 	while ((ch = getopt(argc, argv, "b:cdf:himNRrs:tvxy")) != EOF)
 		switch(ch) {
diff --git a/sbin/restore/tape.c b/sbin/restore/tape.c
index fcf41e85ea2c..7aae76daa715 100644
--- a/sbin/restore/tape.c
+++ b/sbin/restore/tape.c
@@ -583,7 +583,8 @@ extractfile(name)
 			skipfile();
 			return (GOOD);
 		}
-		if ((ofile = creat(name, 0666)) < 0) {
+		if ((ofile = open(name, O_WRONLY | O_CREAT | O_TRUNC,
+		    0666)) < 0) {
 			fprintf(stderr, "%s: cannot create file: %s\n",
 			    name, strerror(errno));
 			skipfile();