From owner-freebsd-current Mon Jan 17 22:12:20 2000
Delivered-To: freebsd-current@freebsd.org
Received: from overcee.netplex.com.au (overcee.netplex.com.au [202.12.86.7])
	by hub.freebsd.org (Postfix) with ESMTP id B06E7151DE;
	Mon, 17 Jan 2000 22:12:07 -0800 (PST)
	(envelope-from peter@netplex.com.au)
Received: from netplex.com.au (localhost [127.0.0.1])
	by overcee.netplex.com.au (Postfix) with ESMTP id 50F8D1CD4;
	Tue, 18 Jan 2000 14:12:02 +0800 (WST)
	(envelope-from peter@netplex.com.au)
X-Mailer: exmh version 2.1.1 10/15/1999
To: "Andrey A. Chernov"
Cc: current@freebsd.org, bde@freebsd.org, sheldonh@freebsd.org
Subject: Re: Security hole with new setresuid call
In-Reply-To: Message from "Andrey A. Chernov" of "Tue, 18 Jan 2000 08:00:09 +0300." <20000118080009.A59938@nagual.pp.ru>
Date: Tue, 18 Jan 2000 14:12:02 +0800
From: Peter Wemm
Message-Id: <20000118061202.50F8D1CD4@overcee.netplex.com.au>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Andrey A. Chernov" wrote:
> The newly introduced setresuid call adds a security hole too. Compare the
> following checks. The first one comes from
>
> setreuid:
>
>     if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
>          (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
>           euid != pc->p_ruid && euid != pc->p_svuid)) &&
>
> setresuid:
>
>     if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid &&
>           ruid != pc->pc_ucred->cr_uid) ||
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^
>          (euid != (uid_t)-1 && euid != pc->p_ruid && euid != pc->p_svuid &&
>           euid != pc->pc_ucred->cr_uid) ||
>          (suid != (uid_t)-1 && suid != pc->p_ruid && suid != pc->p_svuid &&
>           suid != pc->pc_ucred->cr_uid)) &&
>
> As I see it, you can now additionally set ruid to euid, which is not allowed
> in the setreuid call. The supposed POSIX_APPENDIX_B_4_2_2 clause should be
> either ifdefed or removed, as in setreuid.

.. and why is this a security hole?

setresuid(geteuid(), geteuid(), geteuid()) is equivalent to setuid(geteuid())..
For what it's worth, this is the Linux version:

	if ((ruid != (uid_t) -1) && (ruid != current->uid) &&
	    (ruid != current->euid) && (ruid != current->suid))
		return -EPERM;
	if ((euid != (uid_t) -1) && (euid != current->uid) &&
	    (euid != current->euid) && (euid != current->suid))
		return -EPERM;
	if ((suid != (uid_t) -1) && (suid != current->uid) &&
	    (suid != current->euid) && (suid != current->suid))
		return -EPERM;

.. which is functionally equivalent to what we have.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
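The three permission predicates quoted in this thread (FreeBSD setreuid, FreeBSD setresuid, Linux sys_setresuid), modelled as plain user-space C so the disagreement can be checked rather than eyeballed. This is an added example, not code from FreeBSD, Linux or either poster; the struct cred fields and every function name are constructed for the example, and the credential triples fed in are made up (a real/effective/saved triple with all three distinct is attainable only if a privileged caller set it). It shows the one request setreuid refuses and setresuid permits (ruid set to the current euid), exhaustively confirms that the FreeBSD and Linux setresuid checks never disagree over a small uid domain, and shows that setresuid(e, e, e) leaves all three ids equal to e, the end state Peter compares to setuid(geteuid()).

```c
/* User-space model of the credential checks discussed in the thread.
 * Nothing here touches real process credentials. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

#define NOCHANGE ((uid_t)-1)   /* "leave this id alone" */

/* Constructed stand-in for the fields named in the quoted kernel code. */
struct cred {
    uid_t ruid;   /* pc->p_ruid            / current->uid  */
    uid_t euid;   /* pc->pc_ucred->cr_uid  / current->euid */
    uid_t svuid;  /* pc->p_svuid           / current->suid */
};

/* FreeBSD setreuid() as quoted: the new ruid may only be the real or saved
 * uid (the effective uid is not accepted); the new euid may be any of the
 * three. Returns true when an unprivileged caller would be refused. */
static bool freebsd_setreuid_refused(const struct cred *c, uid_t ruid, uid_t euid)
{
    return (ruid != NOCHANGE && ruid != c->ruid && ruid != c->svuid) ||
           (euid != NOCHANGE && euid != c->euid && euid != c->ruid && euid != c->svuid);
}

/* FreeBSD setresuid() as quoted: each id may become any currently held id. */
static bool freebsd_setresuid_refused(const struct cred *c, uid_t ruid, uid_t euid, uid_t suid)
{
    return (ruid != NOCHANGE && ruid != c->ruid && ruid != c->svuid && ruid != c->euid) ||
           (euid != NOCHANGE && euid != c->ruid && euid != c->svuid && euid != c->euid) ||
           (suid != NOCHANGE && suid != c->ruid && suid != c->svuid && suid != c->euid);
}

/* Linux sys_setresuid() as quoted: three sequential -EPERM tests. */
static int linux_setresuid(const struct cred *c, uid_t ruid, uid_t euid, uid_t suid)
{
    if (ruid != NOCHANGE && ruid != c->ruid && ruid != c->euid && ruid != c->svuid)
        return -1;   /* -EPERM */
    if (euid != NOCHANGE && euid != c->ruid && euid != c->euid && euid != c->svuid)
        return -1;
    if (suid != NOCHANGE && suid != c->ruid && suid != c->euid && suid != c->svuid)
        return -1;
    return 0;
}

/* Apply a permitted setresuid to the model (FreeBSD predicate). */
static int model_setresuid(struct cred *c, uid_t ruid, uid_t euid, uid_t suid)
{
    if (freebsd_setresuid_refused(c, ruid, euid, suid))
        return -1;
    if (ruid != NOCHANGE) c->ruid = ruid;
    if (euid != NOCHANGE) c->euid = euid;
    if (suid != NOCHANGE) c->svuid = suid;
    return 0;
}

/* The case Andrey flags: a process whose effective uid is neither its real
 * nor its saved uid (constructed triple) asks to make ruid equal to euid.
 * setreuid refuses, setresuid permits. Returns true when they differ. */
static bool ruid_to_euid_differs(void)
{
    struct cred c = { 1000, 2000, 3000 };
    bool re  = freebsd_setreuid_refused(&c, c.euid, NOCHANGE);
    bool res = freebsd_setresuid_refused(&c, c.euid, NOCHANGE, NOCHANGE);
    return re && !res;
}

/* Count (credential, request) combinations on which the FreeBSD and Linux
 * setresuid predicates disagree, over a small uid domain plus -1. */
static int setresuid_disagreements(void)
{
    static const uid_t dom[] = { 0, 1, 2, 1000 };
    static const uid_t req[] = { 0, 1, 2, 1000, NOCHANGE };
    int n = 0;
    for (int a = 0; a < 4; a++)
        for (int b = 0; b < 4; b++)
            for (int s = 0; s < 4; s++) {
                struct cred c = { dom[a], dom[b], dom[s] };
                for (int i = 0; i < 5; i++)
                    for (int j = 0; j < 5; j++)
                        for (int k = 0; k < 5; k++) {
                            bool fb = freebsd_setresuid_refused(&c, req[i], req[j], req[k]);
                            bool lx = linux_setresuid(&c, req[i], req[j], req[k]) != 0;
                            if (fb != lx) n++;
                        }
            }
    return n;
}

/* Peter's point: setresuid(e, e, e) with e the current effective uid is
 * always permitted and leaves real == effective == saved == e. */
static bool collapse_to_euid(uid_t ruid, uid_t euid, uid_t svuid)
{
    struct cred c = { ruid, euid, svuid };
    if (model_setresuid(&c, euid, euid, euid) != 0)
        return false;
    return c.ruid == euid && c.euid == euid && c.svuid == euid;
}

int main(void)
{
    printf("setreuid refuses ruid=euid where setresuid permits: %s\n",
           ruid_to_euid_differs() ? "yes" : "no");
    printf("FreeBSD vs Linux setresuid disagreements: %d\n", setresuid_disagreements());
    printf("setresuid(e,e,e) collapses all ids to euid: %s\n",
           collapse_to_euid(1000, 0, 0) ? "yes" : "no");
    return 0;
}
```

The exhaustive comparison is the useful part: the two setresuid predicates are written in different shapes (one compound condition versus three early returns), and the loop confirms they accept and refuse exactly the same requests, which is what "functionally equivalent" asserts above.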