From owner-freebsd-security  Tue Dec 10 17:21:28 1996
Return-Path: <owner-security>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.4/8.8.4) id RAA20078
          for security-outgoing; Tue, 10 Dec 1996 17:21:28 -0800 (PST)
Received: from Zero-Cool.Hades.Org (root@d1b20.uk.pi.net [194.73.76.48])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id RAA19737
          for <freebsd-security@freebsd.org>; Tue, 10 Dec 1996 17:18:43 -0800 (PST)
Received: (from scot@localhost) by Zero-Cool.Hades.Org (8.7.5/8.7.3) id BAA06780; Wed, 11 Dec 1996 01:18:40 GMT
Date: Wed, 11 Dec 1996 01:10:00 +0000 (GMT)
From: Scot Elliott <scot@Hades.Org>
Reply-To: pumpkin@uk.pi.net
To: secutiry@freebsd.org
Subject: Re: Running sendmail non-suid
In-Reply-To: <199612102027.MAA14200@itchy.atlas.com>
Message-ID: <Pine.BSF.3.91.961210233636.6465C-100000@Zero-Cool.Hades.Org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
ReSent-Date: Wed, 11 Dec 1996 01:18:33 +0000 (GMT)
ReSent-From: Scot Elliott <scot@Hades.Org>
ReSent-To: FreeBSD Security list <freebsd-security@freebsd.org>
ReSent-Message-ID: <Pine.BSF.3.91.961211011833.6762B@Zero-Cool.Hades.Org>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Brant Katkansky wrote:
> 
> One thing I'd like to know is this: Once a process has changed it's effective
> UID to something other than root, can it ever change it's effective UID?
> 
> -- Brant Katkansky (bmk@pobox.com, brantk@atlas.com)
>    Software Engineer, ADC
> 
> 

It depends on how the root process set it's effective user-id... if it 
used setuid() then all the ids' (effective, real and saved-set) will be 
set to the new id, and the process will then not be able to change back 
to root... [this is what login(1) does when a user logs in.]

If the set-uid-root executable called seteuid() to set its effective 
user-id back to that of the real-user id, then the then-unprivilaged 
program can set it's effective-id back to root at any time using a 
seteuid() call, because the origional seteuid() did not reset the 
saved-set-used-id.  This is kind of the point - a set-user-id program can 
use it's extra privilages only when it requires them, and keep to those 
of the origional user at other times.


Scot.


---------------------------------------------------------------------------
| Scot Elliott	                    |   Please note that any opinions     |
| MEng Computing IV.                |   expressed are mine, and not those |
| Imperial College, London          |   of the department or college.     |
---------------------------------------------------------------------------
| e-mail: s.elliott@ic.ac.uk        |   IRC nick: PlumbrBoy               |
|         pumpkin@uk.pi.net         |   "You are everything in my fridge" |
---------------------------------------------------------------------------