From owner-freebsd-bugs Sun May 30 22:44:07 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from rf900.physics.usyd.edu.au (rf900.physics.usyd.edu.au [129.78.129.109]) by hub.freebsd.org (Postfix) with ESMTP id 3202214ED0 for ; Sun, 30 May 1999 22:44:00 -0700 (PDT) (envelope-from dawes@rf900.physics.usyd.edu.au)
Received: (from dawes@localhost) by rf900.physics.usyd.edu.au (8.9.1a/8.9.1) id PAA25312; Mon, 31 May 1999 15:43:46 +1000 (EST)
Message-ID: <19990531154346.K24275@rf900.physics.usyd.edu.au>
Date: Mon, 31 May 1999 15:43:46 +1000
From: David Dawes
To: Bruce Evans, aron@cs.rice.edu, freebsd-bugs@freebsd.org
Subject: Re: kern/11915: access system call says file is readable when its not
References: <199905310517.PAA01594@godzilla.zeta.org.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199905310517.PAA01594@godzilla.zeta.org.au>; from Bruce Evans on Mon, May 31, 1999 at 03:17:45PM +1000
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 31, 1999 at 03:17:45PM +1000, Bruce Evans wrote:
>> As for how I ran into this. Well, it seems XOpenDisplay() library call
>> in X11 uses access() to determine whether it can read a user's
>> .Xauthority file.
>
>If so, then XOpenDisplay() is a potential security hole and should never
>be used :-). See access.2.

As far as I can see (and I can only guess at the original intention), it
uses access(2) to decide whether it can bail out based on the real uid.
It doesn't buy any security for a setuid application, but I think that's
really the responsibility of the application. Xterm handles this, for
example.

>> My home directory is NFS mounted on my
>> desktop machine and the NFS server maps the "root" of my machine into
>> "nobody". So setuid programs (like xterm and Eterm) have a potential
>> problem - they run with the effective userid of
>> root and when they try to open my .Xauthority file, the NFS server
>> refuses access.
>> For this reason, Eterm temporarily swaps the real userid
>> and effective userid (thus real userid becomes root and effective userid
>> becomes my user id) before issuing XOpenDisplay(). However, because of
>> this problem with access() even this fails.

It could perhaps be argued that the access(2) call be removed, but xterm
demonstrates that it doesn't have to be a problem (when saved uids are
supported). Here's what xterm does:

    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>

    #ifdef HAS_SAVED_IDS_AND_SETEUID
        /* Remember the privileged (effective) ids, then become the real
           user for the duration of the toolkit/X connection setup, so the
           .Xauthority checks and opens are done with the user's own ids. */
        uid_t euid = geteuid();
        gid_t egid = getegid();
        uid_t ruid = getuid();
        gid_t rgid = getgid();

        /* Drop the group first: once the effective uid is no longer root
           the group could not be changed any more. */
        if (setegid(rgid) == -1)
            (void) fprintf(stderr, "setegid(%d): %s\n", (int) rgid, strerror(errno));
        if (seteuid(ruid) == -1)
            (void) fprintf(stderr, "seteuid(%d): %s\n", (int) ruid, strerror(errno));
    #endif
    ...
        XtAppInitialize( ... );
    ...
    #ifdef HAS_SAVED_IDS_AND_SETEUID
        /* Regain the saved privileged ids: uid first, so that the group
           change is permitted again. */
        if (seteuid(euid) == -1)
            (void) fprintf(stderr, "seteuid(%d): %s\n", (int) euid, strerror(errno));
        if (setegid(egid) == -1)
            (void) fprintf(stderr, "setegid(%d): %s\n", (int) egid, strerror(errno));
    #endif

BTW, the code for accessing the .Xauthority file is in libXau:
XauGetAuthByAddr() and XauGetBestAuthByAddr().

>I use the same (NFS) configuration. xterm seems to handle it correctly.

Yep.

David
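As an added illustration (not code from xterm, libXau or the mail above), the same seteuid/setegid swap wrapped around a probe that shows what access(2) and open(2) each check, so the two can be compared with the real user's ids in effect. The function names and the /tmp file are constructed for the example; run unprivileged, the swap is a no-op and both checks agree.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700              /* seteuid/setegid prototypes */
#endif
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

/* Run fn(arg) with the effective ids lowered to the real ids (the xterm
 * pattern), then restore the saved ids; returns fn's result, or -1 if a
 * switch failed. Drop gid before uid (a non-root euid cannot change gid). */
static int run_as_real_user(int (*fn)(void *), void *arg)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();
    int rc;
    if (setegid(rgid) == -1 || seteuid(ruid) == -1)
        return -1;
    rc = fn(arg);
    if (seteuid(euid) == -1 || setegid(egid) == -1)
        return -1;
    return rc;
}

/* Bit 1: access(R_OK) passes; bit 2: open(O_RDONLY) succeeds. access()
 * judges by the real uid but open() by the effective uid, so in a setuid
 * program (or with root squashed to nobody over NFS) they can disagree. */
static int probe_readable(void *arg)
{
    const char *path = arg;
    int bits = 0, fd;
    if (access(path, R_OK) == 0) bits |= 1;
    if ((fd = open(path, O_RDONLY)) != -1) { bits |= 2; close(fd); }
    return bits;
}

/* Probe a path as the real user; 3 means both checks agree it is readable. */
int readable_as_real_user(const char *path)
{
    return run_as_real_user(probe_readable, (void *)path);
}

/* Constructed mode-0600 stand-in for .Xauthority; returns 0 on success. */
int make_private_file(const char *path)
{
    const char cookie[] = "constructed-cookie\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1) return -1;
    if (write(fd, cookie, sizeof cookie - 1) != (ssize_t)(sizeof cookie - 1))
        return close(fd), -1;
    return close(fd);
}
```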