[315] in linux-security and linux-alert archive
Re: chfn problem with Linux
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Sat Aug 12 14:19:27 1995
Date: Wed, 9 Aug 1995 13:42:47 -0400
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: okir@monad.swb.de
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Olaf Kirch's message of Wed, 9 Aug 1995 00:13:53 +0200 (MET DST),
<m0sfwuI-00005BC@monad.swb.de>
> From: okir@monad.swb.de (Olaf Kirch)
> Date: Wed, 9 Aug 1995 00:13:53 +0200 (MET DST)
>
> [Quoting from a message forwarded to linux-security by Nick Kralevich]
> ftlofaro@unlv.edu (Frank T Lofaro) wrote on alt.hackers:
> > A poster mentioned here the chfn could be used to hose a linux box.
> > He didn't say, but it looked like one could hose the system by
> > killing/suspending chfn right after opening /etc/passwd in truncate
> > mode. I ran a trace on chfn.
>
> This problem affects kill in general.
I disagree that this is a problem with kill --- what if there is a
system crash right after chfn opens /etc/passwd in truncate mode? This
is actually a bug in chfn; a well-written chfn (1) locks /etc/passwd to
prevent race conditions with other programs that modify /etc/passwd, (2)
writes a new copy of the password file to /etc/passwd.new, and then (3)
uses the rename(2) system call to atomically move /etc/passwd.new to
/etc/passwd.
> I believe this should be the other way round. Quoting from the HP
> kill(2) manpage: ``The real or effective uid of the sending process
> must match the real or saved uid of the receiving process, unless the
> effective uid of the sending process is super-user.'' However, a comment
> in Lewine's POSIX book says that killing another process is also allowed
> when its ruid matches...
Well, quoting straight from the source (POSIX.1):
"For a process to have permission to send a signal to a process
designated by pid, the real or effective user ID of the sending
process must match the real or effective user ID of the
receiving process, unless the sending process has appropriate
privileges [translation: has root privs, or the equivalent if
POSIX.6 process privileges are supported]. If
{_POSIX_SAVED_IDS} is defined, the saved set-user-ID of the
receiving process shall be checked in place of its effective
user ID." (POSIX.1, section 3.3.2.2, lines 591--595)
- Ted