Bugtraq mailing list archives
Re: Tracing by uid u after root does setuid(u)
From: James-Mathiesen () DESHAW COM (James Mathiesen)
Date: Fri, 15 Jan 1999 09:04:58 -0500
Since the patch, programs that are set-uid, call set*uid or set*gid cannot be traced and cannot dump core. (Which upset yet another batch of customers so there's an option in Solaris 7 to make set-uid programs dump core if the kernel is so configured)
What's the option? There are a number of times when I would have loved the ability to enable this temporarily. One interesting thing about the Solaris implementation of proc(4) is that it actually does go back and stat the executable when it is checking if it is readable rather than saving the information during exec(). There are definitely some minor security implications here, which I haven't thought about much. And there's yet another interesting behavior related to this: 1) Compile an executable such as main() { sleep(10000); } And place it on an NFS server. 2) Run the executable from an NFS client under a non-root uid 3) On the NFS server unlink the executable (or use another NFS client, anything so the inode is gone instead of becoming a .nfsXXXX) 4) On the NFS client try to open /proc/<pid> using the same UID which is running the program. This process will go into a tight loop in kernel mode repeatedly stat'ing the executable from step 2 despite getting ESTALE from the NFS server on each try. Fortunately the operation is interruptable. Step 4 has to be a proc operation which requires checking the mode of the executable. From 2.6 proc(4): For security reasons, except for the psinfo, usage, lpsinfo, lusage, lwpsinfo, and lwpusage files, which are world-read- able, and except for the super-user, an open of a /proc file fails unless both the user-ID and group-ID of the caller match those of the traced process and the process's object file is readable by the caller. Except for the world-read- able files just mentioned, files corresponding to setuid and setgid processes can be opened only by the super-user. This appears to still be the case in 2.7. I actually tried to get Sun to accept the looping as a bug with 2.5.1, but did not succeed. I've never quite gotten the hang of interacting with engineering. Probably just saving the readable status during exec() would be the most correct solution. james
Current thread:
- Re: Anonymous Qmail Denial of Service, (continued)
- Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 09)
- Re: Anonymous Qmail Denial of Service Wietse Venema (Jan 10)
- Keeping Solaris up-to-date John RIddoch (Jan 11)
- Keeping any up-to-date? Randolf-Heiko Skerka (Jan 13)
- Re: Keeping any up-to-date? Ciaran Deignan (Jan 15)
- Re: Keeping any up-to-date? Peter May (Jan 15)
- Administrivia Aleph One (Jan 12)
- Tracing by uid u after root does setuid(u) D. J. Bernstein (Jan 12)
- Re: Tracing by uid u after root does setuid(u) Wietse Venema (Jan 13)
- Re: Tracing by uid u after root does setuid(u) Casper Dik (Jan 13)
- Re: Tracing by uid u after root does setuid(u) James Mathiesen (Jan 15)
- Re: Tracing by uid u after root does setuid(u) Gene Spafford (Jan 13)
- Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 09)
- Solaris 7 naming... Isaac (Jan 12)
- [(PM) PM3s Die - Comfirmed DoS Attack (fwd)] David TILLOY (Jan 13)
- Government report suggests backdoors for law enforcement Darren Reed (Jan 13)