Date: Mon, 31 May 1999 15:43:46 +1000
From: David Dawes <dawes@rf900.physics.usyd.edu.au>
To: Bruce Evans <bde@zeta.org.au>, aron@cs.rice.edu, freebsd-bugs@freebsd.org
Subject: Re: kern/11915: access system call says file is readable when its not
Message-ID: <19990531154346.K24275@rf900.physics.usyd.edu.au>
In-Reply-To: <199905310517.PAA01594@godzilla.zeta.org.au>; from Bruce Evans on Mon, May 31, 1999 at 03:17:45PM +1000
References: <199905310517.PAA01594@godzilla.zeta.org.au>

On Mon, May 31, 1999 at 03:17:45PM +1000, Bruce Evans wrote:
>> As for how I ran into this. Well, it seems XOpenDisplay() library call
>> in X11 uses access() to determine whether it can read a user's
>> .Xauthority file.
>
>If so, then XOpenDisplay() is a potential security hole and should never
>be used :-). See access.2.

As far as I can see (and I can only guess at the original intention), it
uses access(2) to decide whether it can bail out based on the real uid.
It doesn't buy any security for a setuid application, but I think that's
really the responsibility of the application. Xterm handles this, for
example.

>> My home directory is NFS mounted on my
>> desktop machine and the NFS server maps the "root" of my machine into
>> "nobody". So setuid programs (like xterm and Eterm) have a potential
>> problem - they run with the effective userid of
>> root and when they try to open my .Xauthority file, the NFS server
>> refuses access. For this reason, Eterm temporarily swaps the real userid
>> and effective userid (thus real userid becomes root and effective userid
>> becomes my user id) before issuing XOpenDisplay(). However, because of
>> this problem with access() even this fails.

It could perhaps be argued that the access(2) call be removed, but xterm
demonstrates that it doesn't have to be a problem (when saved uids are
supported). Here's what xterm does:

#ifdef HAS_SAVED_IDS_AND_SETEUID
    uid_t euid = geteuid();
    gid_t egid = getegid();
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setegid(rgid) == -1)
        (void) fprintf(stderr, "setegid(%d): %s\n",
                       (int) rgid, strerror(errno));

    if (seteuid(ruid) == -1)
        (void) fprintf(stderr, "seteuid(%d): %s\n",
                       (int) ruid, strerror(errno));
#endif

    ...
    XtAppInitialize( ... );
    ...

#ifdef HAS_SAVED_IDS_AND_SETEUID
    if (seteuid(euid) == -1)
        (void) fprintf(stderr, "seteuid(%d): %s\n",
                       (int) euid, strerror(errno));

    if (setegid(egid) == -1)
        (void) fprintf(stderr, "setegid(%d): %s\n",
                       (int) egid, strerror(errno));
#endif

BTW, the code for accessing the .Xauthority file is in libXau:
XauGetAuthByAddr() and XauGetBestAuthByAddr().

>I use the same (NFS) configuration. xterm seems to handle it correctly.

Yep.

David

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
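
Added example, not part of the original message and not code from xterm or libXau: the same drop-and-restore pattern wrapped around a single open(), so the permission check is the open itself, made as the real user, with no access(2) pre-check. It assumes saved set-user-ID support; open_as_real_user() is a hypothetical helper name and /etc/passwd is only a sample default path.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: open path with the real uid/gid in effect, then
 * restore the original effective ids. Returns the fd, or -1 with errno
 * set by the call that failed. */
int open_as_real_user(const char *path, int flags)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: once euid is no longer privileged, a later
     * setegid() may be refused. */
    if (setegid(getgid()) == -1)
        return -1;
    if (seteuid(getuid()) == -1) {
        saved_errno = errno;
        if (setegid(egid) == -1)
            abort();               /* never continue half-switched */
        errno = saved_errno;
        return -1;
    }

    /* The kernel (or the NFS server) now judges this open() against the
     * real user, so there is no check-then-use gap to race. */
    fd = open(path, flags);
    saved_errno = errno;

    /* Restore in reverse order; this works because the original
     * effective ids were kept as the saved ids. */
    if (seteuid(euid) == -1 || setegid(egid) == -1)
        abort();

    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_as_real_user(argc > 1 ? argv[1] : "/etc/passwd", O_RDONLY);
    printf("fd=%d euid=%d\n", fd, (int) geteuid());
    return fd == -1;
}
```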