[214] in linux-security and linux-alert archive
Nobody could be anybody
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Fri Apr 21 13:28:33 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 21 Apr 1995 16:20:00 +0200 (MET DST)
Hi all,

I just came across a problem when checking a new Slackware 2.2
installation on a friend's machine. In /etc/passwd, it assigns user
nobody a uid of -1 and a gid of 100 (i.e. users). While the latter may
be questionable, the former is plain wrong because the seteuid system
call, when given a uid of -1, does nothing (well, it returns the
current effective uid, but that's it).

I can't say if this problem exists in other distributions, too.

I have checked if this affects servers started by inetd under the nobody
account. They seem to be safe because inetd performs a setuid call that
does not treat -1 specially.

I don't know if this opens up any actual holes, but there *are* a couple
of programs that set their euid to nobody for certain purposes. smail
is one of them, another is rpc.rwalld. This problem also affects root
squashing in nfsd-2.1 and nfsd-2.2alpha when using the seteuid method
of setting the client's uid/gid instead of setfsuid.

The obvious fix is to change nobody's uid to -2 (which is the common
value as far as I know). While you're at it, you may also want to change
its group id to -2 as well.

Regards
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
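Added illustration, not part of the original message or of any program it names: a privilege drop that ignores the outcome of seteuid() next to one that rejects (uid_t)-1 and verifies the effective uid afterwards. The passwd line is a constructed sample and the function names are hypothetical; because the return value of seteuid() for -1 can differ between C libraries, the check relies on geteuid().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample entry with the uid/gid described in the message. */
static const char SAMPLE_ENTRY[] = "nobody:*:-1:100:nobody:/dev/null:";

/* Read the uid (third field) of a passwd-format line; 0 on success. */
int passwd_uid(const char *line, uid_t *uid)
{
    long v;
    const char *p = strchr(line, ':');              /* end of name field */
    if (p == NULL || (p = strchr(p + 1, ':')) == NULL)
        return -1;                                  /* fewer than 3 fields */
    if (sscanf(p + 1, "%ld", &v) != 1)
        return -1;
    *uid = (uid_t)v;                                /* -1 wraps to (uid_t)-1 */
    return 0;
}

/* Unchecked drop: result of seteuid() is ignored, as a careless caller would.
 * Returns 1 if the process really has euid `target` afterwards, else 0. */
int drop_unchecked(uid_t target)
{
    int rc = seteuid(target);
    (void)rc;
    return geteuid() == target;
}

/* Checked drop: refuse the (uid_t)-1 sentinel, then verify the outcome. */
int drop_checked(uid_t target)
{
    if (target == (uid_t)-1 || seteuid(target) != 0)
        return -1;
    return geteuid() == target ? 0 : -1;
}

int main(void)
{
    uid_t nobody, before = geteuid();
    if (passwd_uid(SAMPLE_ENTRY, &nobody) != 0)
        return 1;
    printf("euid before: %lu\n", (unsigned long)before);
    printf("unchecked drop took effect: %d\n", drop_unchecked(nobody));
    printf("euid after:  %lu\n", (unsigned long)geteuid());
    printf("checked drop returns: %d\n", drop_checked(nobody));
    return 0;
}
```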