From owner-freebsd-current Wed Mar 1 20:43:49 2000
Delivered-To: freebsd-current@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id B0A2837BE4B; Wed, 1 Mar 2000 20:43:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id AED562E815A for ; Wed, 1 Mar 2000 20:43:47 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 1 Mar 2000 20:43:47 -0800 (PST)
From: Kris Kennaway
To: current@freebsd.org
Subject: HEADS UP! IPC security (Re: cvs commit: src/sys/kern sysv_ipc.c (fwd))
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

4.0 had a security bug which would let any user EXCEPT root delete a SYSV semaphore (the sense of a test was reversed). No other releases were affected - rebuild your kernels if this is an issue.

Good catch, Brian!

For "revision 1.8" in the below read "revision 1.9" (Jan 30, 1999).

---------- Forwarded message ----------
Date: Wed, 1 Mar 2000 21:03:22 -0500 (EST)
From: Brian Dean
To: kris@freebsd.org
Cc: phk@freebsd.org
Subject: Re: cvs commit: src/sys/kern sysv_ipc.c

[SNIP - KK]

The bug is very easily tested/verified: just create a semaphore, then, as root, try to delete it. If the bug is there, you will get "Operation not permitted". Then try to delete it using an account other than the one that created it, which is supposed to fail, but works fine.

It appears that it might have cropped up at version 1.8 of sys/kern/sysv_ipc.c. At version 1.8, the check:

	if (cred->cr_uid == 0)

was replaced with:

	if (suser(cred, (u_short *)NULL))

I'm pretty sure this is what did it, since suser() returns 0 if you _are_ superuser, and an error otherwise (even back then, I checked).

[END SNIP]

Kris
----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe
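The reversed-sense check Brian describes, as an added example that is not code from the FreeBSD tree or from either poster. The struct layouts, the suser() stub and the ipcperm_buggy/ipcperm_fixed/rmid_result names are assumptions made for illustration; the only semantics taken from the message are that suser() returns 0 for the superuser and an error otherwise, and that a non-owner must be refused IPC_RMID unless privileged. The test scenario at the bottom is the one Brian gives: create as one user, remove as root, remove as a third user.

```c
/* Added example modelling the FreeBSD 4.0 sysv_ipc.c permission bug.
 * Not kernel code: the structs, suser() stub and function names below are
 * hypothetical stand-ins reduced to the semantics stated in the message. */
#include <errno.h>
#include <stdio.h>

/* Minimal stand-in for the kernel credential (assumption). */
struct ucred {
    unsigned cr_uid;            /* effective uid of the caller */
};

/* Minimal stand-in for an IPC object's permission record (assumption). */
struct ipc_perm {
    unsigned cuid;              /* creator uid */
    unsigned uid;               /* owner uid */
};

/* Models suser() as the message describes it: 0 when the caller IS the
 * superuser, an error (EPERM) otherwise. The real call took more arguments. */
static int suser(const struct ucred *cred)
{
    return cred->cr_uid == 0 ? 0 : EPERM;
}

/* IPC_RMID check with the reversed test. "if (suser(cred))" is true for
 * every NON-root caller, so non-root is granted unconditionally and root
 * falls through to the owner/creator test, which it fails. */
int ipcperm_buggy(const struct ucred *cred, const struct ipc_perm *perm)
{
    if (suser(cred))
        return 0;               /* BUG: grants everyone except root */
    if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid)
        return EPERM;
    return 0;
}

/* Corrected check: a 0 return from suser() means "is superuser". */
int ipcperm_fixed(const struct ucred *cred, const struct ipc_perm *perm)
{
    if (suser(cred) == 0)
        return 0;               /* superuser may always remove */
    if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid)
        return EPERM;
    return 0;
}

/* Result of an IPC_RMID attempt by caller_uid on a semaphore created and
 * owned by creator_uid, under the buggy (use_fixed == 0) or fixed check.
 * Returns 0 on success or EPERM. */
int rmid_result(unsigned caller_uid, unsigned creator_uid, int use_fixed)
{
    struct ucred cred = { caller_uid };
    struct ipc_perm perm = { creator_uid, creator_uid };
    return use_fixed ? ipcperm_fixed(&cred, &perm)
                     : ipcperm_buggy(&cred, &perm);
}

int main(void)
{
    /* Constructed scenario from the message: uid 1000 creates the
     * semaphore; root and an unrelated uid 1001 try to remove it. */
    const unsigned creator = 1000, other = 1001, root = 0;
    const unsigned callers[] = { creator, root, other };
    const char *names[] = { "creator", "root", "other user" };

    for (int fixed = 0; fixed <= 1; fixed++) {
        printf("%s check:\n", fixed ? "fixed" : "buggy");
        for (int i = 0; i < 3; i++) {
            int rc = rmid_result(callers[i], creator, fixed);
            printf("  IPC_RMID as %-10s -> %s\n", names[i],
                   rc == 0 ? "ok" : "Operation not permitted");
        }
    }
    return 0;
}
```

Under the buggy check the output shows root refused and the unrelated user succeeding, exactly the two symptoms Brian lists; the fixed variant restores the intended policy. The lesson generalises beyond this file: a privilege predicate that returns 0 for "yes" reads backwards in an if-statement, so any replacement of `uid == 0` with such a call needs the `== 0` carried along.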