Re: Minor security flaw with pam_xauth

[Solar Designer <solar () openwall com>]

On Tue, Sep 21, 2010 at 03:22:07PM -0400, Josh Bressers wrote:
> > > The same commit also introduces previously-missing privilege switching
> > > into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail
> > > fix is incomplete: it only switches the fsuid (should also switch fsgid
> > > (or egid) and groups), and it fails to check the return value from
> > > setfsuid() (doing so would require duplicate calls to setfsuid(), like
> > > we do in libtcb, or switching of euid instead - yet it is desirable).
...
> Let's use CVE-2010-3430 for the missing setfsgid.

...and the missing setgroups().

> Use CVE-2010-3431 for the missing return checks on setfsuid.

OK.  BTW, I think this is not exploitable on current kernels, at least
not via RLIMIT_NPROC (it does not apply to fsuid), yet it is desirable
to check the return value from such syscalls.

What about the completely missing privilege switching in pre-1.1.2 (the
bug found by Sebastian)?  I don't recall if it already had a CVE id
assigned or not.

Alexander