From: Mike Meyer
To: Stanislav Sedov
Cc: freebsd-hackers@FreeBSD.org, timur@gnu.org, freebsd-arch@FreeBSD.org
Subject: Re: setegid bug
Date: Thu, 7 Jun 2007 17:35:39 -0400
Message-ID: <18024.31275.733694.236655@bhuda.mired.org>
In-Reply-To: <20070607213650.c02130bf.stas@FreeBSD.org>
References: <20070607213650.c02130bf.stas@FreeBSD.org>
List-Id: Discussion related to FreeBSD architecture

In <20070607213650.c02130bf.stas@FreeBSD.org>, Stanislav Sedov typed:
> Recently several FreeBSD samba users reported a scary problem with
> samba (http://bugzilla.samba.org/?id=3990). Further research in
> cooperation with Timur Bakeyev (timur) showed that we have a little
> problem with the setegid implementation.
> In FreeBSD (and even in 4.4BSD-Lite2) the egid of the process is merely
> groups[0], so by calling the seteuid function we simply override the first
> of the supplementary groups. However, POSIX says that neither rgid nor any
> of the supplementary groups should be rewritten in a setegid call.
>
> Probably some of the old-school committers remember the initial
> intention of making egid equal to groups[0]? Probably I have missed
> something?

The old school in this case is UC Berkeley. I found this behavior in 4.1BSD. Since it lets you violate ass-backwards group security settings (wherein you create a group "undesirables", and have files owned by that group with group bits 0 to keep them out) by removing yourself from that group, I reported it as a security bug to CSRG. Mike's response was that the security model was the bug, not this problem.

I suspect it was done that way in the initial implementation, and nobody has ever felt that it should be fixed.

http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
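As an added illustration (this is not code from the thread, from FreeBSD or from Samba), the following C program models the classic owner/group/other mode check and the two setegid() semantics discussed above: the POSIX one, which changes only the effective gid, and the 4.1BSD/FreeBSD one, where the egid is groups[0] and so a setegid() overwrites the first supplementary group. It then replays Mike's "undesirables" scenario: a file owned by that group with group bits cleared (mode 0604), read by a user who is a member. The uids, gids and mode are constructed for the demo, and the model deliberately does not check whether the caller is allowed to switch to the target gid (a privileged daemon, as in the Samba report, always is). A second function probes the real kernel, for running as root or from a setgid binary on the system under test.

```c
/* Added example, not from the original mail or the FreeBSD/Samba sources.
 * Models the Unix mode check and the two setegid() behaviours discussed in
 * the thread. All ids and the file mode are constructed for the demo. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAXG 16

struct cred {
    uid_t euid;
    gid_t egid;
    int   ngroups;
    gid_t groups[MAXG];
};

/* Group class membership: effective gid or any supplementary group. */
static int in_group(const struct cred *c, gid_t gid)
{
    if (c->egid == gid) return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* Classic discretionary check: exactly one class applies (owner, then
 * group, then other) and only that class's bits are consulted. `want` is an
 * rwx mask (4=r, 2=w, 1=x). Returns 1 if every requested bit is granted. */
static int mode_allows(unsigned mode, uid_t fuid, gid_t fgid,
                       const struct cred *c, unsigned want)
{
    unsigned bits;
    if (c->euid == fuid)        bits = (mode >> 6) & 7;
    else if (in_group(c, fgid)) bits = (mode >> 3) & 7;
    else                        bits = mode & 7;
    return (bits & want) == want;
}

/* POSIX semantics: only the effective gid changes. */
static void setegid_posix(struct cred *c, gid_t g) { c->egid = g; }

/* 4.1BSD/FreeBSD semantics from the thread: egid *is* groups[0], so the
 * first supplementary group is silently replaced. */
static void setegid_bsd(struct cred *c, gid_t g)
{
    c->egid = g;
    if (c->ngroups > 0) c->groups[0] = g;
}

/* Mike's "negative group": file group UNDESIRABLES, mode 0604, so members
 * get nothing while everyone else may read. The caller starts as a member
 * (constructed: egid and groups[0] are UNDESIRABLES, groups[1] is STAFF)
 * and then does setegid(STAFF). Returns 1 if the file became readable,
 * i.e. the negative group was bypassed; 0 if still denied; -1 if the model
 * did not start out denied (should not happen). */
static int can_read_after_setegid(void (*setegid_impl)(struct cred *, gid_t))
{
    const gid_t UNDESIRABLES = 100, STAFF = 200;   /* constructed gids */
    struct cred c = { .euid = 1001, .egid = UNDESIRABLES, .ngroups = 2,
                      .groups = { UNDESIRABLES, STAFF } };
    const uid_t file_uid = 0;
    const gid_t file_gid = UNDESIRABLES;
    const unsigned mode = 0604;

    if (mode_allows(mode, file_uid, file_gid, &c, 4)) return -1;
    setegid_impl(&c, STAFF);
    return mode_allows(mode, file_uid, file_gid, &c, 4);
}

/* Live probe of the running kernel. Returns 0 if the supplementary set
 * survived setegid(target) unchanged (POSIX), 1 if it changed (groups[0]
 * overwritten, as on FreeBSD when target differs from the current egid),
 * -1 if the probe could not run (no groups, or setegid refused). */
static int probe_live_setegid(gid_t target)
{
    gid_t before[MAXG], after[MAXG];
    int n = getgroups(MAXG, before);
    if (n <= 0) return -1;
    if (setegid(target) != 0) return -1;
    int m = getgroups(MAXG, after);
    if (m != n) return 1;
    return memcmp(before, after, (size_t)n * sizeof(gid_t)) != 0;
}

int main(int argc, char **argv)
{
    printf("POSIX setegid: readable after switch = %d\n",
           can_read_after_setegid(setegid_posix));
    printf("BSD setegid:   readable after switch = %d\n",
           can_read_after_setegid(setegid_bsd));
    if (argc > 1) {   /* e.g. ./a.out 200, run as root on the target box */
        int r = probe_live_setegid((gid_t)strtoul(argv[1], NULL, 10));
        printf("live probe: %s\n", r < 0 ? "could not test"
               : r ? "supplementary set changed" : "supplementary set preserved");
    }
    return 0;
}
```

The model prints 0 for the POSIX case (the caller still holds UNDESIRABLES in groups[1] and is denied) and 1 for the BSD case (groups[0] now reads STAFF, so the caller falls into the "other" class and reads the file). For the live probe, pick a target gid that differs from the current effective gid; otherwise a groups[0]-overwriting kernel writes back the value already there and the probe correctly reports no change.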