Bugtraq mailing list archives
Incorrect behaviour of setre[ug]id in OpenBSD
From: ww () STYX ORG (Will Waites)
Date: Thu, 22 Oct 1998 18:25:39 -0400
setreuid(3) and setregid(3) were system calls in 4.3BSD that temporarily swapped (or permanently set) the real and effective user ids of the current process. They no longer appeared in 4.4BSD. They are now implemented as 4.3BSD compatibility functions in libc under OpenBSD -- I'm not certain about (Net|Free)BSD.

Although the man page says that root can arbitrarily change its uid, the OpenBSD implementation bails with an EPERM if the real uid to be changed to is not equal to the current effective uid -- i.e. a program running as root cannot use setreuid() to relinquish permissions.

Putting aside a diatribe on how programs should check the return values of system calls, there exist programs that run as root that do not check the return values of setreuid (or even setuid) since they correctly expect that such calls cannot fail if they have root permissions.

One such program is zmailer, which calls seteuid() to relinquish permissions in order to perform local mail delivery as the user receiving the mail (i.e. when mail is forwarded to a pipe). This is trivial to exploit to create and append to arbitrary root-owned files.

Will

--
| Will Waites       | "Man is a political and a social animal, and he |
| ww () styx org    | normally enjoys hearing fantastic answers in    |
| www.styx.org/~ww  | preference to none." -- Joseph Heller           |
|--------------------------------------------------------------------|
| Finger ww () styx org for PGP Public Key                           |