Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 1 Oct 2012 12:31:21 +0200
From:      Erik Cederstrand <erik@cederstrand.dk>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Opinion on checking return value of setuid(getuid())?
Message-ID:  <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk>
next in thread | raw e-mail | index | archive | help 
I'm looking through the clang analyzer reports and found this one: =
http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/repor=
t-R9ZgC6.html#EndPath

It's complaining that, if setuid() fails for some reason, the process =
will continue with root privileges because the process is suid root.

At first glance, it seems unnecessary to check the return value of =
"setuid(getuid())" since the user should always be able to drop =
privileges to itself. So I filed this bug with LLVM: =
http://llvm.org/bugs/show_bug.cgi?id=3D13979

It turns out that setuid() *may* fail if the user hits its process =
limit. Apparently FreeBSD doesn't check the limit in the specific =
setuid(getuid()) case (I can't find the code anywhere right now) so this =
is not an issue, but Linux does. However, if FreeBSD decides to change =
the setuid() implementation at some point, the issue may surface again.

A simple fix would be something like:

Index: /freebsd/repos/head_scratch/src/sbin/ping/ping.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- /freebsd/repos/head_scratch/src/sbin/ping/ping.c	(revision =
240960)
+++ /freebsd/repos/head_scratch/src/sbin/ping/ping.c	(working copy)
@@ -255,7 +255,8 @@
 	s =3D socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 	sockerrno =3D errno;
=20
-	setuid(getuid());
+	if (setuid(getuid()) !=3D 0)
+        err(EX_NOPERM, "setuid() failed");
 	uid =3D getuid();
=20
 	alarmtimeout =3D df =3D preload =3D tos =3D 0;


There's an alternative approach for NetBSD with a patch to kern_exec.c =
here: =
http://mail-index.netbsd.org/tech-security/2008/01/12/msg000026.html but =
I have no idea if this applies to FreeBSD.

I'd like an opinion on which way to go before filing PRs because we have =
around 200 of these warnings in the FreeBSD repo.

Thanks,
Erik=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9DD86238-51C8-4F38-B7EB-BD773039888B>