Date:      Tue, 18 Jan 2000 08:00:09 +0300
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        current@freebsd.org, peter@freebsd.org, bde@freebsd.org, sheldonh@freebsd.org
Subject:   Security hole with new setresuid call
Message-ID:  <20000118080009.A59938@nagual.pp.ru>

The newly introduced setresuid call adds a security hole too. Compare the
following checks. The first one comes from

setreuid:

	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
	     (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
	     euid != pc->p_ruid && euid != pc->p_svuid)) &&

setresuid:

	if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid &&
	      ruid != pc->pc_ucred->cr_uid) ||
	      ^^^^^^^^^^^^^^^^^^^^^^^^^^
	     (euid != (uid_t)-1 && euid != pc->p_ruid && euid != pc->p_svuid &&
	      euid != pc->pc_ucred->cr_uid) ||
	     (suid != (uid_t)-1 && suid != pc->p_ruid && suid != pc->p_svuid &&
	      suid != pc->pc_ucred->cr_uid)) &&

As I see it, you can now additionally set ruid to euid, which is not allowed in
the setreuid call. The supposed POSIX_APPENDIX_B_4_2_2 clause should be either
ifdefed or removed, as in setreuid.

-- 
Andrey A. Chernov
http://nagual.pp.ru/~ache/
MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000118080009.A59938>
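The two permission rules quoted in the mail, side by side on the same credential state, as an added example (not FreeBSD kernel code and not part of the original message). The struct and function names are hypothetical stand-ins for the pc->p_ruid, pc->p_svuid and pc->pc_ucred->cr_uid fields; each function evaluates the quoted "if" condition, negated, so it returns 1 when a process that would fail suser() is allowed to make the request and 0 when it would get EPERM. The credential state used in main() is constructed: an effective uid that differs from both the real and the saved uid, which is exactly the situation where the extra "ruid != cr_uid" term in setresuid matters.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model of the three credential fields the quoted checks read.
 * The real FreeBSD struct pcred / struct ucred carry much more than this. */
struct pcred_model {
    uid_t p_ruid;   /* real uid          (pc->p_ruid) */
    uid_t p_svuid;  /* saved uid         (pc->p_svuid) */
    uid_t cr_uid;   /* effective uid     (pc->pc_ucred->cr_uid) */
};

#define NOCHANGE ((uid_t)-1)   /* "leave this id alone", as in the syscalls */

/* setreuid rule from the mail: ruid may only become the real or saved uid;
 * euid may become the effective, real or saved uid. */
int setreuid_allowed(const struct pcred_model *pc, uid_t ruid, uid_t euid)
{
    int denied =
        (ruid != NOCHANGE && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
        (euid != NOCHANGE && euid != pc->cr_uid &&
         euid != pc->p_ruid && euid != pc->p_svuid);
    return !denied;
}

/* setresuid rule from the mail: every one of ruid, euid and suid may become
 * any of the real, saved or effective uid. The extra "!= cr_uid" term on
 * ruid is the difference the mail points at. */
int setresuid_allowed(const struct pcred_model *pc,
                      uid_t ruid, uid_t euid, uid_t suid)
{
    int denied =
        (ruid != NOCHANGE && ruid != pc->p_ruid && ruid != pc->p_svuid &&
         ruid != pc->cr_uid) ||
        (euid != NOCHANGE && euid != pc->p_ruid && euid != pc->p_svuid &&
         euid != pc->cr_uid) ||
        (suid != NOCHANGE && suid != pc->p_ruid && suid != pc->p_svuid &&
         suid != pc->cr_uid);
    return !denied;
}

/* Returns 1 when "set ruid to the current euid" is refused by the setreuid
 * rule but accepted by the setresuid rule for this credential state. */
int ruid_from_euid_diverges(const struct pcred_model *pc)
{
    return !setreuid_allowed(pc, pc->cr_uid, NOCHANGE) &&
            setresuid_allowed(pc, pc->cr_uid, NOCHANGE, NOCHANGE);
}

int main(void)
{
    /* Constructed state: effective uid differs from both real and saved uid. */
    struct pcred_model pc = { .p_ruid = 1000, .p_svuid = 1000, .cr_uid = 1001 };

    printf("state: ruid=%u euid=%u svuid=%u\n",
           (unsigned)pc.p_ruid, (unsigned)pc.cr_uid, (unsigned)pc.p_svuid);
    printf("setreuid(euid, -1):      %s\n",
           setreuid_allowed(&pc, pc.cr_uid, NOCHANGE) ? "allowed" : "EPERM");
    printf("setresuid(euid, -1, -1): %s\n",
           setresuid_allowed(&pc, pc.cr_uid, NOCHANGE, NOCHANGE) ? "allowed" : "EPERM");
    printf("rules diverge on ruid <- euid: %s\n",
           ruid_from_euid_diverges(&pc) ? "yes" : "no");
    return 0;
}
```

Requests both rules agree on (ruid back to the real or saved uid, euid to any of the three) come out identical; only the ruid <- cr_uid request splits them, which is the case the mail asks to ifdef or drop to match setreuid.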