[1425] in linux-security and linux-alert archive
[linux-security] Re: Linux rcp bug
daemon@ATHENA.MIT.EDU (Kimmo Jukarainen)
Tue Feb 4 21:04:09 1997
Date: Wed, 5 Feb 1997 00:52:40 +0200 (EET)
From: Kimmo Jukarainen <kimju@edu.lahti.fi>
To: linux-security@redhat.com
To: Undisclosed.recipients:;@redhat.com
In-Reply-To: <Pine.GSO.3.95q.970203205902.9134A-100000@piglet.cc.utexas.edu>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
> [Mod: This is a misconfiguration of a site. nobody's uid should not be -1
Maybe a little bit of an explanation is needed here..
The problem is that when doing seteuid(65535) it doesn't return an error
code _and_ leaves euid=0. As the result, processes trying to be secure by
running as "nobody" when "nobody"'s uid is 65535 will end up running as
root.
The fix? Just use different uid for "nobody", 65534 for example..
This hole has been known for a quite long time now. I remember seeing it
first time about two years ago. It just makes me wonder how many systems
still have "nobody", or even worse, a real user hanging around with
uid 65535.
--
/* Kimmo Jukarainen * kimju@edu.lahti.fi */