From owner-freebsd-current Mon Jan 17 21: 0:20 2000
Delivered-To: freebsd-current@freebsd.org
Received: from nagual.pp.ru (deep-thought.demos.su [195.133.1.74]) by hub.freebsd.org (Postfix) with ESMTP id F34CF15143; Mon, 17 Jan 2000 21:00:11 -0800 (PST) (envelope-from ache@nagual.pp.ru)
Received: (from ache@localhost) by nagual.pp.ru (8.9.3/8.9.3) id IAA59955; Tue, 18 Jan 2000 08:00:10 +0300 (MSK) (envelope-from ache)
Date: Tue, 18 Jan 2000 08:00:09 +0300
From: "Andrey A. Chernov"
To: current@freebsd.org, peter@freebsd.org, bde@freebsd.org, sheldonh@freebsd.org
Subject: Security hole with new setresuid call
Message-ID: <20000118080009.A59938@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
Organization: Biomechanoid
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The newly introduced setresuid call adds a security hole too. Compare the
following checks. The first one comes from setreuid:

	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid &&
	      ruid != pc->p_svuid) ||
	     (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
	      euid != pc->p_ruid && euid != pc->p_svuid)) &&

and setresuid:

	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid &&
	      ruid != pc->p_svuid && ruid != pc->pc_ucred->cr_uid) ||
	                            ^^^^^^^^^^^^^^^^^^^^^^^^^^
	     (euid != (uid_t)-1 && euid != pc->p_ruid &&
	      euid != pc->p_svuid && euid != pc->pc_ucred->cr_uid) ||
	     (suid != (uid_t)-1 && suid != pc->p_ruid &&
	      suid != pc->p_svuid && suid != pc->pc_ucred->cr_uid)) &&

As I see it, you can now additionally set ruid to euid, which is not
allowed in the setreuid call. The supposed POSIX_APPENDIX_B_4_2_2 clause
should be either ifdefed or removed, as in setreuid.

-- 
Andrey A. Chernov
http://nagual.pp.ru/~ache/
MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y
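The two quoted predicates, modelled in plain C as an added example (this is not FreeBSD kernel code; the `struct creds` layout, the function names and the sample uid values are constructed for illustration). It lets the divergence the report points at be checked on sample credentials, and also shows the one case where the two checks agree:

```c
#include <stdbool.h>
#include <sys/types.h>

/* Constructed model of the three credential fields the quoted checks
 * consult. Field names mirror the kernel expressions in the report. */
struct creds {
    uid_t p_ruid;   /* real uid           (pc->p_ruid)            */
    uid_t p_svuid;  /* saved uid          (pc->p_svuid)           */
    uid_t cr_uid;   /* effective uid      (pc->pc_ucred->cr_uid)  */
};

#define NOCHANGE ((uid_t)-1)   /* "leave this id alone" argument */

/* True when the setreuid() condition is false, i.e. the request passes
 * without needing superuser privilege: ruid may only become the current
 * real or saved uid; euid may become real, saved or effective uid. */
bool setreuid_unprivileged_ok(const struct creds *c, uid_t ruid, uid_t euid)
{
    bool bad_ruid = ruid != NOCHANGE && ruid != c->p_ruid &&
                    ruid != c->p_svuid;
    bool bad_euid = euid != NOCHANGE && euid != c->cr_uid &&
                    euid != c->p_ruid && euid != c->p_svuid;
    return !(bad_ruid || bad_euid);
}

/* Same for the setresuid() condition: every id, ruid included, may also
 * take the current effective uid (the clause underlined in the report). */
bool setresuid_unprivileged_ok(const struct creds *c, uid_t ruid,
                               uid_t euid, uid_t suid)
{
    bool bad_ruid = ruid != NOCHANGE && ruid != c->p_ruid &&
                    ruid != c->p_svuid && ruid != c->cr_uid;
    bool bad_euid = euid != NOCHANGE && euid != c->p_ruid &&
                    euid != c->p_svuid && euid != c->cr_uid;
    bool bad_suid = suid != NOCHANGE && suid != c->p_ruid &&
                    suid != c->p_svuid && suid != c->cr_uid;
    return !(bad_ruid || bad_euid || bad_suid);
}

/* 1 when "set my real uid to my effective uid" passes the setresuid()
 * check but not the setreuid() check for these credentials, else 0.
 * Only happens when cr_uid is neither the real nor the saved uid. */
int real_to_effective_diverges(uid_t p_ruid, uid_t p_svuid, uid_t cr_uid)
{
    struct creds c = { p_ruid, p_svuid, cr_uid };
    return setresuid_unprivileged_ok(&c, cr_uid, NOCHANGE, NOCHANGE) !=
           setreuid_unprivileged_ok(&c, cr_uid, NOCHANGE);
}
```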