Date:      Tue, 18 Jan 2000 14:12:02 +0800
From:      Peter Wemm <peter@netplex.com.au>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        current@freebsd.org, bde@freebsd.org, sheldonh@freebsd.org
Subject:   Re: Security hole with new setresuid call 
Message-ID:  <20000118061202.50F8D1CD4@overcee.netplex.com.au>
In-Reply-To: Message from "Andrey A. Chernov" <ache@nagual.pp.ru>  of "Tue, 18 Jan 2000 08:00:09 +0300." <20000118080009.A59938@nagual.pp.ru>

"Andrey A. Chernov" wrote:
> Newly introduced setresuid call adds a security hole too. Compare the following
> checks. First one comes from
> 
> setreuid:
> 
> 	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
> 	     (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
> 	     euid != pc->p_ruid && euid != pc->p_svuid)) &&
> 
> setresuid:
> 
> 	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid &&
> 	      ruid != pc->pc_ucred->cr_uid) ||
> 	      ^^^^^^^^^^^^^^^^^^^^^^^^^^
> 	     (euid != (uid_t)-1 && euid != pc->p_ruid && euid != pc->p_svuid &&
> 	      euid != pc->pc_ucred->cr_uid) ||
> 	     (suid != (uid_t)-1 && suid != pc->p_ruid && suid != pc->p_svuid &&
> 	      suid != pc->pc_ucred->cr_uid)) &&
> 
> As I see you can now additionally set ruid to euid which is not allowed in
> setreuid call. Supposed POSIX_APPENDIX_B_4_2_2 clause should be either ifdefed
> or removed as in setreuid.

.. and why is this a security hole?  setresuid(geteuid(), geteuid(), geteuid())
is equivalent to setuid(geteuid())..

For what it's worth, this is the Linux version:

                if ((ruid != (uid_t) -1) && (ruid != current->uid) &&
                    (ruid != current->euid) && (ruid != current->suid))
                        return -EPERM;
                if ((euid != (uid_t) -1) && (euid != current->uid) &&
                    (euid != current->euid) && (euid != current->suid))
                        return -EPERM;
                if ((suid != (uid_t) -1) && (suid != current->uid) &&
                    (suid != current->euid) && (suid != current->suid))
                        return -EPERM;

.. which is functionally equivalent to what we have.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
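The three permission checks quoted in this thread, written out as an added C model for comparison (this is illustrative code, not FreeBSD or Linux kernel source): the setreuid and setresuid conditions from Andrey's mail and the Linux conditions from Peter's reply become predicates over a constructed credential triple, so the "ruid := euid" case and the FreeBSD/Linux equivalence can be checked directly. `struct cred`, `NOCHANGE`, the uid values and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <sys/types.h>
/* Constructed model of a process credential: real, effective and saved uid. */
struct cred { uid_t ruid, euid, svuid; };
#define NOCHANGE ((uid_t)-1)   /* the -1 "leave this uid alone" argument */

/* setreuid() check as quoted: new ruid must be the real or saved uid, new euid the effective, real or saved uid. */
static bool setreuid_ok(const struct cred *pc, uid_t ruid, uid_t euid)
{
    return !((ruid != NOCHANGE && ruid != pc->ruid && ruid != pc->svuid) ||
             (euid != NOCHANGE && euid != pc->euid && euid != pc->ruid && euid != pc->svuid));
}

/* FreeBSD setresuid() check as quoted: every argument may be any of the three current uids. */
static bool setresuid_ok(const struct cred *pc, uid_t ruid, uid_t euid, uid_t suid)
{
    return !((ruid != NOCHANGE && ruid != pc->ruid && ruid != pc->svuid && ruid != pc->euid) ||
             (euid != NOCHANGE && euid != pc->ruid && euid != pc->svuid && euid != pc->euid) ||
             (suid != NOCHANGE && suid != pc->ruid && suid != pc->svuid && suid != pc->euid));
}

/* Linux check from the reply, one early return per argument: 0 = ok, -1 = EPERM. */
static int linux_setresuid(const struct cred *cur, uid_t ruid, uid_t euid, uid_t suid)
{
    if (ruid != NOCHANGE && ruid != cur->ruid && ruid != cur->euid && ruid != cur->svuid) return -1;
    if (euid != NOCHANGE && euid != cur->ruid && euid != cur->euid && euid != cur->svuid) return -1;
    if (suid != NOCHANGE && suid != cur->ruid && suid != cur->euid && suid != cur->svuid) return -1;
    return 0;
}

/* Exhaustively compare the two setresuid checks over a constructed uid pool; returns how many requests they decide differently. */
static int count_disagreements(const struct cred *pc)
{
    static const uid_t pool[] = { NOCHANGE, 0, 1000, 2000, 3000 };
    int n = (int)(sizeof pool / sizeof pool[0]), diff = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            for (int k = 0; k < n; k++)
                if (setresuid_ok(pc, pool[i], pool[j], pool[k]) !=
                    (linux_setresuid(pc, pool[i], pool[j], pool[k]) == 0))
                    diff++;
    return diff;
}

/* The request Andrey points at, ruid := euid: refused by setreuid() but allowed by setresuid() exactly when euid is neither the real nor the saved uid. */
static bool ruid_to_euid_differs(const struct cred *pc)
{
    return !setreuid_ok(pc, pc->euid, NOCHANGE) && setresuid_ok(pc, pc->euid, NOCHANGE, NOCHANGE);
}
```

For the usual setuid-root layout (euid equal to the saved uid) the two system calls accept the same ruid values; the checks only diverge when the effective uid matches neither of the other two.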


