Bugtraq mailing list archives

Incorrect behaviour of setre[ug]id in OpenBSD


From: ww () STYX ORG (Will Waites)
Date: Thu, 22 Oct 1998 18:25:39 -0400


setreuid(3) and setregid(3) were system calls in 4.3BSD that
temporarily swapped (or permanently set) the real and effective user
ids of the current process. They no longer appeared in 4.4BSD. They are
now implemented as 4.3BSD compatibility functions in libc under OpenBSD
-- I'm not certain about (Net|Free)BSD.

Although the man page says that root can arbitrarily change its uid,
the OpenBSD implementation bails with an EPERM if the real uid to be
changed to is not equal to the current effective uid -- i.e. a program
running as root cannot use setreuid() to relinquish permissions.

Putting aside a diatribe on how programs should check the return
values of system calls, there exist programs that run as root that do
not check the return values of setreuid (or even setuid) since they
correctly expect that such calls cannot fail if they have root
permissions. One such program is zmailer which calls seteuid() to
relinquish permissions in order to perform local mail delivery as the
user receiving the mail (i.e. when mail is forwarded to a pipe). This
is trivial to exploit to create and append to arbitrary root-owned
files.

Will
--
| Will Waites      | "Man is a political and a social animal, and he |
| ww () styx org      |  normally enjoys hearing fantastic answers in   |
| www.styx.org/~ww |  preference to none." -- Joseph Heller          |
|--------------------------------------------------------------------|
| Finger ww () styx org for PGP Public Key |
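The check the message above says zmailer skipped, written out as an added example (this is not zmailer's code, nor OpenBSD's libc wrapper): a permanent privilege drop that treats any failure of setregid()/setreuid() as fatal, then confirms the result by asking the kernel with getuid()/geteuid()/getgid()/getegid() rather than trusting the return values alone, and finally verifies that root cannot be regained. It assumes POSIX-style setreuid()/setregid()/setgroups() and, when run as root, that a user named "nobody" exists (a constructed choice for the demonstration; a mailer would use the recipient's account).

```c
/* Added example: fail-closed privilege drop with every return value
 * checked.  Not zmailer's code and not OpenBSD's libc; assumes POSIX
 * setreuid()/setregid()/setgroups() and that the target uid/gid exist.
 * Build: cc -Wall -o dropprivs dropprivs.c */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently switch to uid/gid.  Returns 0 on success, -1 on any
 * failure with errno set.  The failure mode in the post is a wrapper
 * returning EPERM even to root; a caller that ignores the result keeps
 * delivering mail as root, so every step here is checked.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: once the uid is gone they can no longer be changed. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setregid(gid, gid) == -1)
        return -1;
    if (setreuid(uid, uid) == -1)
        return -1;

    /* Do not trust the return values alone: ask the kernel what we are. */
    if (getgid() != gid || getegid() != gid ||
        getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }

    /* A permanent drop must not be reversible: with the saved uid also
     * cleared, setuid(0) has to fail.  (Skipped when the target is root,
     * where there is nothing to drop.) */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* As root, drop to "nobody" (constructed choice).  Otherwise stay as
     * ourselves, which exercises the same checks without privilege. */
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        if (pw == NULL) {
            fprintf(stderr, "no such user: nobody\n");
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) == -1) {
        /* Fail closed: never fall through to delivery as root. */
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%ld euid=%ld gid=%ld egid=%ld\n",
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid());
    return 0;
}
```

Run unprivileged, the program only confirms its own identity; run as root, it drops to nobody and exits non-zero (without doing any further work) if any step fails. The order matters: supplementary groups, then gid, then uid, because after the uid is dropped the group calls would themselves fail.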


