[1425] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Linux rcp bug

daemon@ATHENA.MIT.EDU (Kimmo Jukarainen)
Tue Feb 4 21:04:09 1997

Date: Wed, 5 Feb 1997 00:52:40 +0200 (EET)
From: Kimmo Jukarainen <kimju@edu.lahti.fi>
To: linux-security@redhat.com
To: Undisclosed.recipients:;@redhat.com
In-Reply-To: <Pine.GSO.3.95q.970203205902.9134A-100000@piglet.cc.utexas.edu>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

> [Mod: This is a misconfiguration of a site. nobody's uid should not be -1 

Maybe a little bit of an explanation is needed here..

The problem is that when doing seteuid(65535) it doesn't return an error
code _and_ leaves euid=0. As the result, processes trying to be secure by
running as "nobody" when "nobody"'s uid is 65535 will end up running as
root.

The fix? Just use different uid for "nobody", 65534 for example..

This hole has been known for a quite long time now. I remember seeing it
first time about two years ago. It just makes me wonder how many systems
still have "nobody", or even worse, a real user hanging around with 
uid 65535.

--
/* Kimmo Jukarainen * kimju@edu.lahti.fi */


home help back first fref pref prev next nref lref last post