Message-Id: <200301152040.h0FKe3Rg014772@freefall.freebsd.org>
Date: Wed, 15 Jan 2003 12:40:03 -0800 (PST)
From: Sean Chittenden
Reply-To: Sean Chittenden
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/47119: Unable to su to root after root runs a command that runs as a different user

>Number:         47119
>Category:       kern
>Synopsis:       Unable to su to root after root runs a command that runs as a different user
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 15 12:50:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Sean Chittenden
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD dsl093-135-251.sfo2.dsl.speakeasy.net 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Sun Jan 12 12:32:11 PST 2003 root@dsl093-135-251.sfo2.dsl.speakeasy.net:/usr/obj/usr/src/sys/DELLAPTOP i386

>Description:
Run the following program. Once it has run and root exits, a member of the
wheel group won't be able to su to root again.

>How-To-Repeat:
$ gcc -o su_test su_test.c
$ su
# ./su_test
running as user 80 now
# exit
$ su
su: Sorry

/* BEGIN su_test.c */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
  struct passwd* pwd;
  uid_t uid;
  gid_t gid;
  int ngroups;
  char *user = "www";

  /* Look up the unprivileged account to switch to. */
  pwd = getpwnam(user);
  if (pwd == NULL) {
    fprintf(stderr, "getpwnam: no such user %s\n", user);
    exit(1);
  }
  uid = pwd->pw_uid;
  gid = pwd->pw_gid;

  if (chdir(pwd->pw_dir) < 0) {
    perror( "chdir" );
    exit(1);
  }

  /* Request a new session; the return value is not checked. */
  setsid();

  if (chroot("/") < 0) {
    perror( "chroot" );
    exit(1);
  }

  if (chdir("/") < 0) {
    perror("chroot chdir");
    exit(1);
  }

  /* Drop supplementary groups, then the group id. */
  if (setgroups(0, (const gid_t*) 0) < 0) {
    perror("setgroups");
    exit(1);
  }

  if (setgid(gid) < 0) {
    perror("setgid");
    exit(1);
  }

  /* Set the login name to the target user; the return value is not checked. */
  setlogin(user);

  /* Finally drop the user id. */
  if (setuid(uid) < 0) {
    perror("setuid");
    exit(1);
  }

  uid = getuid();
  printf("running as user %d now\n", uid);
  exit(0);
}
/* END su_test.c */

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: