From owner-freebsd-bugs Mon Feb 17 19:20:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id TAA08626 for bugs-outgoing; Mon, 17 Feb 1997 19:20:06 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id TAA08592; Mon, 17 Feb 1997 19:20:03 -0800 (PST)
Resent-Date: Mon, 17 Feb 1997 19:20:03 -0800 (PST)
Resent-Message-Id: <199702180320.TAA08592@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, Tor.Egge@idt.ntnu.no
Received: from pat.idt.unit.no (0@pat.idt.unit.no [129.241.103.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA08284 for ; Mon, 17 Feb 1997 19:16:20 -0800 (PST)
Received: from presis.idt.ntnu.no (tegge@presis.idt.ntnu.no [129.241.111.173]) by pat.idt.unit.no (8.8.5/8.8.5) with ESMTP id EAA07911 for ; Tue, 18 Feb 1997 04:15:31 +0100 (MET)
Received: (from tegge@localhost) by presis.idt.ntnu.no (8.8.5/8.8.5) id EAA15772; Tue, 18 Feb 1997 04:15:22 +0100 (MET)
Message-Id: <199702180315.EAA15772@presis.idt.ntnu.no>
Date: Tue, 18 Feb 1997 04:15:22 +0100 (MET)
From: Tor Egge
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/2757: execve() does not handle the P_SUGID flag correctly.
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 2757
>Category: kern
>Synopsis: execve() does not handle the P_SUGID process flag correctly.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 17 19:20:01 PST 1997
>Last-Modified:
>Originator: Tor Egge
>Organization: Norwegian University of Science and Technology, Trondheim, Norway
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD presis.idt.ntnu.no 3.0-CURRENT FreeBSD 3.0-CURRENT #0: Sun Feb 2 18:59:48 MET 1997 root@ikke.idt.unit.no:/usr/src/sys-UP/compile/PRESIS i386
>Description:
execve() clears the P_SUGID process flag in execve() if the binary executed does not have suid or sgid permission bits set. This also happens when the effective uid is different from the real uid or the effective gid is different from the real gid. Under these circumstances, the process still has set id privileges and the P_SUGID flag should not be cleared.
>How-To-Repeat:
>Fix:
Index: kern_exec.c =================================================================== RCS file: /export/akg1/cvs/src/sys/kern/kern_exec.c,v retrieving revision 1.49 diff -c -r1.49 kern_exec.c *** kern_exec.c 1997/01/14 06:43:19 1.49 --- kern_exec.c 1997/01/26 16:36:08 *************** *** 285,291 **** p->p_ucred->cr_groups[0] = attr.va_gid; p->p_flag |= P_SUGID; } else { ! p->p_flag &= ~P_SUGID; } /* --- 285,293 ---- p->p_ucred->cr_groups[0] = attr.va_gid; p->p_flag |= P_SUGID; } else { ! if (p->p_ucred->cr_uid == p->p_cred->p_ruid && ! p->p_ucred->cr_gid == p->p_cred->p_rgid) ! p->p_flag &= ~P_SUGID; } /*
>Audit-Trail:
>Unformatted:
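Review bot: The new guard in the else branch lacks a comment stating the rule it implements, and it would read more naturally as `} else if (p->p_ucred->cr_uid == p->p_cred->p_ruid && p->p_ucred->cr_gid == p->p_cred->p_rgid) p->p_flag &= ~P_SUGID;` than as a nested if; the comment should say that P_SUGID is only dropped when the effective uid and gid the new image will run with both equal the real ids, so a process already running with set-id credentials keeps the flag across an exec of a non-set-id binary. The comparison is evaluated after the branch that assigns cr_uid and cr_groups[0] from the file attributes, so it checks the post-exec credentials rather than the caller's, which is the right point for this decision. Worth noting alongside the comment: this makes the flag depend only on the resulting credentials, not on whether the privilege came from this exec or an earlier one, which is the behaviour the report asks for.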