From: Julian Elischer <julian@vicor.com>
Date: Fri, 19 Jul 2002 13:41:59 -0700
To: current@freebsd.org
Subject: [Fwd: FreeBSD/Linux kernel setgid implementation]
Message-ID: <3D387997.E1BA4770@vicor.com>
Organization: VICOR

forwarded from bugtraq..

-------- Forwarded message --------
Date: Fri, 19 Jul 2002 22:19:39 +0200
From: FozZy
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Subject: Re: Linux kernel setgid implementation flaw
Message-Id: <20020719221939.49ab857d.fozzy@dmpfrance.com>
In-Reply-To: <20020719164849.222FCBC073@spike.porcupine.org>
References: <20020719141554.694f07e1.fozzy@dmpfrance.com> <20020719164849.222FCBC073@spike.porcupine.org>
Organization: Hackademy / Hackerz Voice

Thanks, it's a great paper. Unix developers: it should be worth taking a look at it.

Indeed, with their rigorous methodology, the authors did detect this error in the setgid Linux manpage on Red Hat 7.2. I just wonder if they reported it (the manpage on www.linux.org is still inaccurate at the moment).

This paper also reports a real example of a program with the setgid flag only, that thinks it can drop all privileges by calling setgid(getgid()). It is OK on FreeBSD, but not on Linux...

Another interesting example is a setuid program with a non-root owner that wants to drop its privileges. (I use here the word "privilege" in the extensive and empirical sense of "having access to objects on the system that are forbidden to the current user".) Well, on Linux and Solaris, this program will not properly drop privileges by the usual way: calling setgid() then setuid(). The saved uid and gid will remain the owner's ones.

And much more interesting stuff... :)

FozZy

On Fri, 19 Jul 2002 12:48:49 -0400 (EDT) wietse@porcupine.org (Wietse Venema) wrote:
> FYI,
>
> The August USENIX Security conference has a good paper that examines
> in depth the semantics of UID and GID setting calls for Solaris,
> FreeBSD and Linux. The differences are quite remarkable.
>
> Wietse
>
> Setuid Demystified, by Hao Chen, David Wagner, UC Berkeley; Drew
> Dean, SRI International
> www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
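The two failure modes FozZy describes (setgid(getgid()) on a setgid-only binary, and setgid()-then-setuid() in a non-root setuid binary) both leave the saved IDs at the file owner's values on Linux, so the process can later switch back. The following C program is an added example, not code from the thread or from the paper; it contrasts that naive pattern with a drop that sets real, effective and saved IDs together via setresuid/setresgid (assumed available, as on Linux and FreeBSD) and then verifies the kernel's view with getresuid/getresgid instead of trusting return codes. The function names and the tolerated-EPERM handling of setgroups are this example's own choices.

```c
/* Added example: permanent privilege drop with verification.
 * Assumes a libc with setresuid/setresgid/getresuid/getresgid
 * (Linux needs _GNU_SOURCE for the prototypes; FreeBSD has them by default). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if real, effective AND saved IDs all equal uid/gid.
 * Checking the saved IDs is the point: that is where the owner's
 * identity lingers after the naive pattern below. */
int ids_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    if (getresgid(&rgid, &egid, &sgid) != 0)
        return 0;
    return ruid == uid && euid == uid && suid == uid &&
           rgid == gid && egid == gid && sgid == gid;
}

/* The pattern the thread warns about.  For a set-id program whose owner
 * is not root, Linux changes only the effective IDs here and leaves the
 * saved IDs as the owner's, so a later setuid()/setgid() can regain them. */
int naive_drop(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    return 0;
}

/* Drop to uid/gid permanently and prove it.
 * Order matters: supplementary groups and the gid must be changed while
 * the process still has the privilege to do so, i.e. before the uid.
 * setgroups() needs privilege, so EPERM from an already-unprivileged
 * caller is tolerated (it has no extra groups to shed). */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 && errno != EPERM)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Do not trust the return codes alone: ask the kernel what it thinks. */
    if (!ids_fully_dropped(uid, gid))
        return -1;

    /* If the target is unprivileged, regaining uid 0 must now be impossible. */
    if (uid != 0 && setresuid(0, 0, 0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone run: drop to our own real IDs (a no-op when not set-id)
     * and report the verified state. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges_permanently(uid, gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("all uid/gid triples now %lu/%lu: verified=%d\n",
           (unsigned long)uid, (unsigned long)gid, ids_fully_dropped(uid, gid));
    return 0;
}
```

When run from a genuinely set-id binary, the naive_drop() path followed by ids_fully_dropped(getuid(), getgid()) returns 0 on Linux for the cases in the thread, while drop_privileges_permanently() either returns 0 with all six IDs verified or reports failure, which is the behaviour a privilege-dropping routine should have.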