Bugtraq mailing list archives
RFD: libsuid
From: vax () linkdead paranoia com (VaX#n8)
Date: Sat, 24 Aug 1996 04:37:47 -0500
There are a few common goofs when making s[ug]id binaries. I needn't run them down for you.

Thinking about race conditions in the way most mailers write to files in publicly-writeable dirs led to a fairly long solution -- perhaps worthy of putting in a library function. If nothing like this has been done before, and we can think of a few more things to add, I'd like to organize it. I'd really like any ideas you had for functions in this library, and of course if you donate code proper attributions will be given. If I get enough material, I'd like to distribute it under the BSD copyright, except for any GNU autoconf bits of course. No religious flames please; I love free software. Really.

Here are a few ideas just off the top of my head (bear with me, I haven't done much research on these):

"change to this uid, irrevocably" (on systems which require odious saved-setuid semantics that don't allow irrevocable loss of privilege, fail an assertion and/or coredump. Avoids e.g. suidperl mistakes)

"open this file, safely" (even in world-write dirs; avoid e.g. old local mailer race conditions and Solaris 2.5 kcms* mistakes)

"tidy up the environment" (sort of ill-defined, but would reset key envars to sane things) (could be expanded to do things like check PATH for directories/files not meeting some "safety" criteria... etc)

Some other tools might be interesting (perhaps not possible :)... A partial C-parser which looks for buffers on the stack and str{cpy,printf}s into it -- or even more generally something which tries to decide if you are ever checking boundary conditions... or taking the sizeof()... ...anything we can do to minimize fandango-on-stack bugs...

I have a feeling certain functions will be OS-dependent and thus will require something like GNU Autoconf. That's cool, I'm familiar with it.
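The three library functions sketched above (irrevocable uid change, safe open in a world-writable directory, environment reset) can be shown in working C. The code below is an added example written for this archive page; it is not code from the post, and no libsuid was ever released with these names. The function names libsuid_setuid, libsuid_open and libsuid_cleanenv are invented for the illustration, and the fixed PATH and IFS values are assumptions a real library would make configurable. It targets Linux/BSD semantics (setgroups, O_NOFOLLOW, O_EXCL); the post is right that a portable version would need Autoconf.

```c
#define _GNU_SOURCE          /* setgroups(), O_NOFOLLOW, mkdtemp() on glibc */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <grp.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Hypothetical libsuid_setuid(): change to uid/gid and report success only if
 * every id really changed AND the change cannot be undone.  Returns 0 or -1;
 * a caller in a s[ug]id program should treat -1 as fatal, not retry. */
int libsuid_setuid(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: only root may clear them. */
    if ((getuid() == 0 || geteuid() == 0) && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once we are no longer root, setgid() may be refused. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify real and effective ids, never trust the return value alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Saved set-user-ID check: if we can come back to root, the drop was not
     * irrevocable.  (Skipped for the trivial root-to-root case.) */
    if ((uid != 0 && setuid(0) == 0) || (gid != 0 && setgid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Hypothetical libsuid_open(): open path without following a symlink at the
 * last component, refuse to create over an existing object, and reject
 * anything that is not a plain, unshared file owned by the caller. */
int libsuid_open(const char *path, int flags, mode_t mode)
{
    struct stat fst, lst;
    int fd, saved;

    flags |= O_NOFOLLOW | O_CLOEXEC;
    if (flags & O_CREAT)
        flags |= O_EXCL;            /* creation fails if anything already sits there */
    fd = open(path, flags, mode);
    if (fd < 0)
        return -1;
    if (fstat(fd, &fst) != 0)
        goto bad;
    if (!S_ISREG(fst.st_mode)) { errno = EINVAL; goto bad; }  /* FIFO, device, dir */
    if (fst.st_nlink != 1)     { errno = EMLINK; goto bad; }  /* hard link to another name */
    if (fst.st_uid != geteuid()) { errno = EPERM; goto bad; } /* somebody else's file */
    /* The name must still refer to the inode we hold; otherwise the path was
     * swapped under us and a later open-by-name would hit something else. */
    if (lstat(path, &lst) != 0)
        goto bad;
    if (lst.st_dev != fst.st_dev || lst.st_ino != fst.st_ino) { errno = EAGAIN; goto bad; }
    return fd;
bad:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Hypothetical libsuid_cleanenv(): replace the inherited environment with a
 * fixed, known-good one so PATH, IFS, LD_* and friends from the caller cannot
 * influence anything we exec.  The values below are assumed defaults. */
int libsuid_cleanenv(void)
{
    static char *clean_env[] = {
        "PATH=/usr/bin:/bin",   /* absolute, system-owned directories only */
        "IFS= \t\n",            /* default field splitting for any shell we run */
        NULL
    };
    environ = clean_env;
    return getenv("PATH") != NULL ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/libsuid-demo.txt";
    int fd = libsuid_open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 && errno == EEXIST)      /* demo file left from an earlier run */
        fd = libsuid_open(path, O_WRONLY, 0);
    if (fd < 0) { perror("libsuid_open"); return 1; }
    close(fd);
    if (libsuid_cleanenv() != 0) { perror("libsuid_cleanenv"); return 1; }
    if (libsuid_setuid(getuid(), getgid()) != 0) { perror("libsuid_setuid"); return 1; }
    puts("ok");
    return 0;
}
```

The order inside libsuid_setuid matters: groups, then gid, then uid, each followed by a read-back, and finally an attempt to regain root that must fail. libsuid_open does its checks on the descriptor it already holds (fstat), so an attacker racing the name cannot change what was validated; the closing lstat only detects that the name has since been moved.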