Bugtraq mailing list archives
Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)
From: shadows () WHITEFANG COM (Thamer Al-Herbish)
Date: Fri, 8 Jan 1999 17:36:11 -0800
On Sat, 9 Jan 1999, Darren Reed wrote:
> On Tue, 5 Jan 1999, D. J. Bernstein wrote:
>
> > Venema further claims that ``a set-uid posting program cannot guarantee user identification.'' That claim is false. The user id is provided by the standard UNIX getuid() system call.
>
> Just to be pedantic, Venema is correct. "User identification" is a lot more than just a getuid() system call, as I'm sure you would be well aware. If I find some other avenue to obtain a different uid to the one I normally use, i.e. exploit some other setuid-root program, getuid() will (if I've done my homework) thereafter fail to identify correctly which user is sending the email.
No. The real user ID is inherited by a child process, as well as the effective user ID. Unless you can switch these credentials, with setreuid(), in the exploited SUID process, your real user ID is still inherited. Run this as a SUID program:

    #include <stdio.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        /* id(1) reports the real and effective IDs this process carries */
        execl("/usr/bin/id", "id", (char *)0);
        perror("execl");   /* only reached if the exec failed */
        return 1;
    }

Granted that "id" is in /usr/bin/id.
> Maybe getuid() is the "best" you can do, maybe not. A lot of the OSes these days have some sort of audit ID which is sometimes less flexible than UIDs when it comes to change.
To be extra pedantic, use getlogin() to double-check. getlogin() cannot lie unless you are root and did a setlogin().

--
Thamer Al-Herbish
PGP public key: shadows () whitefang com http://www.whitefang.com/pgpkey.txt
[ Maintainer of the Raw IP Networking FAQ http://www.whitefang.com/rin/ ]
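Added example, not code from the thread or from any of its posters. It exercises the two points argued in the message above: the real UID that a SUID program carries (and that a fork()/exec() child inherits) is the credential to identify the caller by, and getlogin() is only a cross-check, since it may legitimately return NULL (no controlling terminal, no utmp entry, cron or daemon context). It also adds the check a practitioner wants around a privilege drop: after setreuid(), verify the old effective ID cannot be regained. The names struct creds, identify_caller, drop_to_real_uid and run_id_in_child are mine, and the statement that setreuid(r, r) also rewrites the saved set-user-ID assumes Linux or BSD semantics.

```c
/* Added example (not from the thread): identify the invoking user of a
 * SUID program, drop to that user permanently, verify the drop stuck, and
 * show via id(1) in a child what credentials get inherited. */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct creds {
    uid_t ruid;          /* getuid(): the invoking user, inherited across exec */
    uid_t euid;          /* geteuid(): the file owner while the SUID bit applies */
    char  login[64];     /* getlogin() result, or "" when it returned NULL */
    char  pwname[64];    /* passwd name for ruid, or "" when there is no entry */
    int   login_matches; /* 1 only when both names are known and agree */
};

/* Who the kernel says we are, plus the getlogin() cross-check. */
struct creds identify_caller(void)
{
    struct creds c;
    memset(&c, 0, sizeof c);
    c.ruid = getuid();
    c.euid = geteuid();

    /* getlogin() can return NULL; treat "unknown" as a distinct outcome
     * rather than as a match or a mismatch. */
    const char *l = getlogin();
    if (l != NULL)
        snprintf(c.login, sizeof c.login, "%s", l);

    const struct passwd *pw = getpwuid(c.ruid);
    if (pw != NULL && pw->pw_name != NULL)
        snprintf(c.pwname, sizeof c.pwname, "%s", pw->pw_name);

    c.login_matches = (c.login[0] != '\0' && c.pwname[0] != '\0' &&
                       strcmp(c.login, c.pwname) == 0);
    return c;
}

/* Give up the set-user-ID identity for good. Returns 0 on success, -1 if
 * the drop failed or did not stick. On Linux and the BSDs (assumption),
 * setreuid(r, r) rewrites the saved set-user-ID as well, so the old
 * effective ID cannot be recovered; the seteuid() probe verifies that. */
int drop_to_real_uid(void)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();

    if (setreuid(ruid, ruid) != 0)
        return -1;
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    /* If we really ran with someone else's effective ID, a successful
     * regain means the drop did not stick: refuse to go on. */
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    return 0;
}

/* The thread's own demonstration, done so the parent survives: fork,
 * exec id(1) in the child, and return id's exit status (-1 on error). */
int run_id_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/usr/bin/id", "id", (char *)0);
        _exit(127);                 /* only reached if the exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    struct creds before = identify_caller();
    printf("before drop: ruid=%u euid=%u login=%s passwd=%s agree=%d\n",
           (unsigned)before.ruid, (unsigned)before.euid,
           before.login[0] ? before.login : "(unknown)",
           before.pwname[0] ? before.pwname : "(none)", before.login_matches);

    if (drop_to_real_uid() != 0) {
        fprintf(stderr, "privilege drop failed or did not stick; aborting\n");
        return 1;
    }
    struct creds after = identify_caller();
    printf("after drop:  ruid=%u euid=%u\n",
           (unsigned)after.ruid, (unsigned)after.euid);

    /* id(1) in the child reports exactly the IDs the parent now holds. */
    return run_id_in_child() == 0 ? 0 : 1;
}
```

Installed set-uid to some non-root account and run from an ordinary login, the first line shows ruid and euid differing, the second shows both equal to ruid, and the child's id(1) output agrees with the second line. The seteuid() probe is the part worth keeping in real code: a drop that silently leaves the saved set-user-ID behind is indistinguishable from a successful one without it.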
Current thread:
- Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 05)
- setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Ian R. Justman (Jan 06)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Darren Reed (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Nick Maclaren (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Mark Crosbie (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Pete Kruckenberg (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Thamer Al-Herbish (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Len Budney (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Thamer Al-Herbish (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Kragen Sitaker (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Darren Reed (Jan 08)
- setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Ian R. Justman (Jan 06)
- ff.core exploit on Solaris (2.)7 Daniel J. Frasnelli (Jan 08)
- Re: ff.core exploit on Solaris (2.)7 Casper Dik (Jan 15)
- L0pht tmp tool and (mini) Advisory Dr. Mudge (Jan 08)
- <Possible follow-ups>
- Re: Anonymous Qmail Denial of Service Antonomasia (Jan 07)
- Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 09)
- Re: Anonymous Qmail Denial of Service Wietse Venema (Jan 10)
- Keeping Solaris up-to-date John RIddoch (Jan 11)
- Keeping any up-to-date? Randolf-Heiko Skerka (Jan 13)