From: Charles Henrich
Message-Id: <199511270130.UAA01244@crh.cl.msu.edu>
Subject: Security bug?
To: freebsd-hackers@freebsd.org
Date: Sun, 26 Nov 1995 20:30:19 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24]

I am attempting to track down this bug, and it's driving me crazy. I have modified the NCSA web server to change its uid to whomever is authenticating to it. If the person authenticating is root, I force a change of ownership to a different uid via setuid(), seteuid(), setgid() and setegid() calls. The problem is, after all the set[ug]* calls, I am still able to execute programs that I shouldn't even be able to read!

The players:

From /etc/group:

    adminweb:*:50:
    admin:*:200:Rcrh

From /etc/passwd:

    Rcrh:*:0:0:Charles Henrich (root):/root:/usr/local/bin/tcsh
    adminweb:*:50:50:Admin Web:/usr/local/adminweb:/usr/local/bin/tcsh

The test code:

    -rwxr-x---  1 root  admin  8808 Nov 26 20:00 test

The web fallback code looks like this (this is executing all the way through; user_id and group_id are both 50):

-------------------------------------------------------------------------------
    log_error("Im still root, changing to user/group in cfg file\n");
    if (setgid(group_id) == -1)
        die(CONF_ERROR, "unable to change gid", stdout);
    if (setegid(group_id) == -1)
        die(CONF_ERROR, "unable to change egid", stdout);
    if (setuid(user_id) == -1)
        die(CONF_ERROR, "unable to change uid", stdout);
    if (seteuid(user_id) == -1)
        die(CONF_ERROR, "unable to change euid", stdout);
-------------------------------------------------------------------------------

The test program does nothing more than two printf() calls, one a web header, the other the uid:euid gid:egid pairs. The results look like so:

-------------------------------------------------------------------------------
Content-type: text/html

50:50 50:50
-------------------------------------------------------------------------------

I also had placed some printf() calls before the execle() call in the web server, and it too reported that the current gid, egid, uid and euid were all set to 50. Given this, how was the exec able to run the test code that is only executable by root or folks in the admin group, which the adminweb ID clearly isn't?

The web server code is as follows:

From http_include.c:

-------------------------------------------------------------------------------
    int p[2],x;
    FILE *f;
    char errstr[MAX_STRING_LEN];

    if(pipe(p) == -1)
        die(SERVER_ERROR,"httpd: could not create IPC pipe",out);
    if((ipid = fork()) == -1)
        die(SERVER_ERROR,"httpd: could not fork new process",out);
    if(!ipid) {
        char *argv0;

        ------- [SNIP] -------
        (Some environment setup code)

        close(p[0]);
        if(p[1] != STDOUT_FILENO) {
            dup2(p[1],STDOUT_FILENO);
            close(p[1]);
        }
        error_log2stderr();
        if(!(argv0 = strrchr(SHELL_PATH,'/')))
            argv0=SHELL_PATH;

        ---> At this point we are at 50:50 50:50

        if(execle(SHELL_PATH,argv0,"-c",s,(char *)0,in_headers_env) == -1) {
            fprintf(stderr,"httpd: exec of %s failed, errno is %d\n",
                    SHELL_PATH,errno);
            exit(1);
        }
    }
    close(p[1]);
    if(!(f=fdopen(p[0],"r"))) {
        waitpid(ipid,NULL,0);
        return -1;
    }
    send_fd(f,out,kill_include_child);
    fclose(f);
    waitpid(ipid,NULL,0);
    return 0;
}
-------------------------------------------------------------------------------

I should also note that the process starts off initially with the uid:euid gid:egid combo of 0:0 50:0 (possibly 0:50, I can't recall at the moment).

In any case, if any of you have made it this far, any ideas?

-Crh

Charles Henrich
Michigan State University
henrich@crh.cl.msu.edu
http://rs560.msu.edu/~henrich/
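As an added illustration, not code from the message above or from NCSA httpd: the C program below models the kernel's owner/group/other execute check with the ids from the message (file owned by root:admin, mode 0750, process dropped to uid/gid 50) and contrasts a drop that changes only uid and gid with one that also clears the supplementary group list via setgroups(), which setuid()/setgid() never touch. The assumption that gid 200 (admin) sits in the process's supplementary list because it was inherited from the root login, and the drop_privileges() helper, are constructed for the example.

```c
/* Added example, not code from the message or from NCSA httpd.
 * Models the Unix access check with the ids from the message and shows
 * why setgid()/setuid() alone leave the supplementary group list intact.
 * Assumed for the example: the process inherited group 200 (admin) from the
 * root login, and drop_privileges() is a hypothetical helper. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXGROUPS_EX 16

/* The credentials that matter for a permission check. */
struct creds {
    uid_t euid;
    gid_t egid;
    int   ngroups;
    gid_t groups[MAXGROUPS_EX];   /* supplementary groups: untouched by setuid()/setgid() */
};

/* Classic owner/group/other execute check: 1 if allowed, 0 if denied.
 * Group bits apply if the file's group is the egid OR any supplementary group. */
int can_exec(const struct creds *c, uid_t owner, gid_t group, mode_t mode)
{
    if (c->euid == 0)                         /* root: any execute bit suffices */
        return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (c->euid == owner)
        return (mode & S_IXUSR) != 0;
    if (c->egid == group)
        return (mode & S_IXGRP) != 0;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == group)
            return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Starting point taken from the message: root (Rcrh, uid 0) whose login put
 * gid 200 (admin) in the supplementary list; egid already 50 (adminweb). */
static struct creds initial_creds(void)
{
    struct creds c = { 0, 50, 1, { 200 } };
    return c;
}

/* The drop as written in the message: gid and uid change, the list does not.
 * Test file: -rwxr-x--- root admin  -> owner 0, group 200, mode 0750. */
int exec_after_setuid_only(void)
{
    struct creds c = initial_creds();
    c.egid = 50;
    c.euid = 50;
    return can_exec(&c, 0, 200, 0750);
}

/* The same drop with the supplementary list cleared first. */
int exec_after_setgroups(void)
{
    struct creds c = initial_creds();
    c.ngroups = 0;          /* the effect of setgroups() */
    c.egid = 50;
    c.euid = 50;
    return can_exec(&c, 0, 200, 0750);
}

/* Hypothetical helper: a real drop in the order that works (root only).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t only[1] = { gid };
    if (setgroups(1, only) == -1) return -1;  /* first: only root may do this */
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;                        /* verify the result, never assume it */
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("exec allowed after setgid/setuid only : %d\n", exec_after_setuid_only());
    printf("exec allowed after setgroups as well  : %d\n", exec_after_setgroups());
    if (geteuid() != 0) {
        puts("not root: skipping the live drop_privileges() demonstration");
        return 0;
    }
    if (drop_privileges(50, 50) == -1) {
        perror("drop_privileges");
        return 1;
    }
    gid_t list[MAXGROUPS_EX];
    int n = getgroups(MAXGROUPS_EX, list);
    printf("now uid %lu gid %lu with %d supplementary group(s)\n",
           (unsigned long)getuid(), (unsigned long)getgid(), n);
    return 0;
}
```

Run unprivileged it prints the two model results; run as root it additionally performs the live drop and reports the remaining group count via getgroups(), which is the check to add next to the printf() of uid/euid/gid/egid.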