Re: Incorrect behaviour of setre[ug]id in OpenBSD

[ww () STYX ORG (Will Waites)]

Apologies, in my original post I neglected to mention version numbers
(it had been a long day). The incorrect behaviour is present in
OpenBSD 2.3, and the current source. I don't know about earlier
versions. Also, (Free|Net)BSD seem to implement setreuid() and
setregid in the kernel, so presumably they are not vulnerable.

The problem is in the following two files:

src/lib/libc/compat-43/__setreuid.c
src/lib/libc/compat-43/__setregid.c

I have quickly cobbled together a couple of patches that are avaliable
in ftp.styx.org in /pub/openbsd_patches. To apply,

$ cd /usr/src/lib/libc/compat-43
$ patch -p0 < /wherever/__setreuid.c.patch
$ patch -p0 < /wherever/__setregid.c.patch

and then recompile libc.

Bear in mind that these are /not/ official OpenBSD patches, and I can
take no responsibility to what they may or may not do to your
system -- but they should work as advertised in the man page with the
following exception: if setreuid(ruid, euid) is called by root, and
ruid is not 0, and euid != ruid, the call will fail after doing a
setuid(ruid).

Cheers,
Will
--
| Will Waites      | "Man is a political and a social animal, and he |
| ww () styx org      |  normally enjoys hearing fantastic answers in   |
| www.styx.org/~ww |  preference to none." -- Joseph Heller          |
|--------------------------------------------------------------------|
| Finger ww () styx org for PGP Public Key |