Date:      Wed, 1 Mar 2000 20:43:47 -0800 (PST)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        current@freebsd.org
Subject:   HEADS UP! IPC security (Re: cvs commit: src/sys/kern sysv_ipc.c (fwd))
Message-ID:  <Pine.BSF.4.21.0003012040060.4968-100000@hub.freebsd.org>

4.0 had a security bug which would let any user EXCEPT root delete a SYSV
semaphore (the sense of a test was reversed). No other releases were
affected - rebuild your kernels if this is an issue. Good catch, Brian!

For "revision 1.8" in the below read "revision 1.9" (Jan 30, 1999).

---------- Forwarded message ----------
Date: Wed, 1 Mar 2000 21:03:22 -0500 (EST)
From: Brian Dean <brdean@unx.sas.com>
To: kris@freebsd.org
Cc: phk@freebsd.org
Subject: Re: cvs commit: src/sys/kern sysv_ipc.c

[SNIP - KK]

The bug is very easily tested/verified: just create a semaphore, then,
as root, try to delete it.  If the bug is there, you will get
"Operation not permitted".  Then try to delete it using an account
other than the one that created it, which is supposed to fail, but
works fine.

It appears that it might have cropped up at version 1.8 of
sys/kern/sysv_ipc.c.  At version 1.8, the check:

	if (cred->cr_uid == 0)

was replaced with:

	if (suser(cred, (u_short *)NULL))

I'm pretty sure this is what did it, since suser() returns 0 if you
_are_ superuser, and an error otherwise (even back then, I checked).

[END SNIP]

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
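
Added example (not part of the original message and not FreeBSD source): a small user-space model of the reversed test described above. The structure of the surrounding permission function, the names `model_suser`, `owner_check`, `may_remove_*` and the uid values are assumptions made for illustration; only the 0-on-superuser return convention comes from the message.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified stand-ins (assumed names), not the FreeBSD kernel structures. */
struct cred { unsigned uid; };
struct sem_perm { unsigned owner_uid, creator_uid; };

/* Same convention the message describes for suser(): 0 if superuser, else an error. */
static int model_suser(const struct cred *c) { return c->uid == 0 ? 0 : EPERM; }

/* Ownership test that every caller not short-circuited as root must pass. */
static int owner_check(const struct cred *c, const struct sem_perm *p) {
    return (c->uid == p->owner_uid || c->uid == p->creator_uid) ? 0 : EPERM;
}

/* Older form: explicit uid comparison. */
int may_remove_uid(const struct cred *c, const struct sem_perm *p) {
    if (c->uid == 0)
        return 0;
    return owner_check(c, p);
}

/* Reversed form: the error return (nonzero) is read as "caller is root". */
int may_remove_reversed(const struct cred *c, const struct sem_perm *p) {
    if (model_suser(c))
        return 0;              /* taken by every non-root caller */
    return owner_check(c, p);  /* only root reaches the ownership test */
}

/* One corrected form: compare the return value against 0 explicitly. */
int may_remove_fixed(const struct cred *c, const struct sem_perm *p) {
    if (model_suser(c) == 0)
        return 0;
    return owner_check(c, p);
}

int main(void) {
    const struct sem_perm sem = { 1001, 1001 };        /* constructed sample */
    const struct cred who[] = { {0}, {1001}, {1002} }; /* root, creator, other */
    for (int i = 0; i < 3; i++)
        printf("uid %4u  uid-check=%d reversed=%d fixed=%d\n", who[i].uid,
               may_remove_uid(&who[i], &sem), may_remove_reversed(&who[i], &sem),
               may_remove_fixed(&who[i], &sem));
    return 0;
}
```

A return of 0 means the removal is allowed; in the reversed form root gets EPERM while the unrelated uid gets 0, matching the symptom in the forwarded message.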


