[314] in linux-security and linux-alert archive
Re: chfn problem with Linux
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Aug 9 04:34:32 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 9 Aug 1995 00:13:53 +0200 (MET DST)
[Quoting from a message forwarded to linux-security by Nick Kralevich]
ftlofaro@unlv.edu (Frank T Lofaro) wrote on alt.hackers:
> A poster mentioned here that chfn could be used to hose a linux box.
> He didn't say, but it looked like one could hose the system by
> killing/suspending chfn right after opening /etc/passwd in truncate
> mode. I ran a trace on chfn.
This problem affects kill in general. The kernel allows a process
to send a signal to another process as long as the _sending_ process's
euid matches the signalled process's effective or real uid (cf.
kill_prog in kernel/exit.c).
I believe this should be the other way round. Quoting from the HP
kill(2) manpage: ``The real or effective uid of the sending process
must match the real or saved uid of the receiving process, unless the
effective uid of the sending process is super-user.'' However, a comment
in Lewine's POSIX book says that killing another process is also allowed
when its ruid matches...
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
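To make the two permission rules in the message above concrete, here is an added example (not code from the original mail, nor from the Linux kernel source it refers to) that models both as functions and runs a few constructed credential scenarios through them. The assumptions are: a process is described by a (real uid, effective uid, saved uid) triple; a sender with effective uid 0 is always allowed under both rules; the SIGCONT/session special case and everything else in the kernel's task structure are ignored. The uid values 1000 and 2000 are placeholders for ordinary users.

```c
#include <stdio.h>

/* Constructed, simplified credential model: real, effective and saved
 * uid of a process. The real kernel task struct carries much more. */
struct cred {
    unsigned uid;   /* real uid */
    unsigned euid;  /* effective uid */
    unsigned suid;  /* saved uid */
};

/* Rule as the mail describes the Linux kernel of the time: the sender's
 * euid must match the target's effective OR real uid.
 * Assumption: a sender with euid 0 (super-user) is always allowed. */
int linux_kill_ok(const struct cred *sender, const struct cred *target)
{
    if (sender->euid == 0)
        return 1;
    return sender->euid == target->euid || sender->euid == target->uid;
}

/* Rule as quoted from the HP kill(2) manpage: the sender's real OR
 * effective uid must match the target's real OR saved uid, unless the
 * sender's effective uid is super-user. */
int posix_kill_ok(const struct cred *sender, const struct cred *target)
{
    if (sender->euid == 0)
        return 1;
    return sender->uid  == target->uid || sender->uid  == target->suid ||
           sender->euid == target->uid || sender->euid == target->suid;
}

/* Constructed scenarios (0 = root, 1000 and 2000 = ordinary users). */
const struct cred USER_SHELL          = { 1000, 1000, 1000 }; /* plain user process */
const struct cred CHFN_RUN_BY_USER    = { 1000,    0,    0 }; /* setuid-root chfn, started by uid 1000 */
const struct cred ROOT_DAEMON_AS_USER = {    0, 1000,    0 }; /* root daemon after seteuid(1000) */
const struct cred USER_IN_SETUID_2000 = { 1000, 2000, 2000 }; /* uid 1000 running a setuid-2000 binary */
const struct cred ROOT_SHELL          = {    0,    0,    0 }; /* root process */

struct scenario {
    const char *label;
    const struct cred *sender;
    const struct cred *target;
};

/* Prints one line per scenario showing what each rule decides. */
int main(void)
{
    const struct scenario cases[] = {
        { "user shell      -> chfn (setuid root, same ruid)", &USER_SHELL,          &CHFN_RUN_BY_USER },
        { "user shell      -> root daemon with euid==user",   &USER_SHELL,          &ROOT_DAEMON_AS_USER },
        { "user's setuid-2000 process -> user's own shell",   &USER_IN_SETUID_2000, &USER_SHELL },
        { "user shell      -> root shell",                    &USER_SHELL,          &ROOT_SHELL },
        { "root shell      -> user shell",                    &ROOT_SHELL,          &USER_SHELL },
    };
    size_t i;

    printf("%-52s %-12s %-12s\n", "scenario", "linux rule", "posix rule");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-52s %-12s %-12s\n", cases[i].label,
               linux_kill_ok(cases[i].sender, cases[i].target) ? "allowed" : "denied",
               posix_kill_ok(cases[i].sender, cases[i].target) ? "allowed" : "denied");
    }
    return 0;
}
```

The first scenario is the chfn case from the thread: both rules let the user signal the setuid-root chfn, because the target's real uid is the user's, which is the point of the last sentence in the message. The rules differ elsewhere: under the first rule a user can signal a root process that has merely switched its effective uid to that user, which the manpage rule denies; and a user running a setuid program cannot signal their own plain processes under the first rule, which the manpage rule permits via the sender's real uid.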