[3182] in bugtraq
Re: [linux-security] Re: Possible bufferoverflow condition in
daemon@ATHENA.MIT.EDU (Nick Andrew)
Sat Aug 17 18:44:41 1996
Date: Fri, 16 Aug 1996 11:14:16 +1000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Nick Andrew <nick@zeta.org.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199608151646.LAA23929@primus.paranoia.com> from
"don@paranoia.com" at Aug 15, 96 11:46:09 am
Forwarding a message from don@paranoia.com:
> The problem in mount, aside from the obvious buffer overrun, is that the
> most basic maxim for coding privileged programs was ignored--again. All
> privileged programs should run without those privileges enabled except
> during execution of the critical code that needs them.
>
> For example:
>
> main()
> {
> ... /* variable decls */
> seteuid( getuid() );
> ... /* non-privileged code, including sprintf() */
> seteuid( 0 );
> [...]
This doesn't aid security in the case of running code from the stack, since
the inserted code can easily do 'seteuid(0)' at any time.
Dropping privileges is useful when one is trying to avoid filesystem races
and it's a cheap way of getting the kernel to do your program's checking
for it. However, any program which can regain root privileges and have
its instruction execution compromised is a path to root for crackers.
> "The only thing necessary for the triumph of evil is for good men to do
> nothing." -- Edmund Burke
"My purpose is not to make the world a better place in which to live, but
instead to live in it" -- (paraphrased from) Henry David Thoreau
Nick.
--
Kralizec Dialup Internet System Data: +61-2-9837-1183, 9837-1868
Zeta Microcomputer Software Fax: +61-2-9837-3753 Voice: 9837-1397
P.O. Box 177, Riverstone NSW 2765 http://www.kralizec.net.au/
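The distinction Nick draws above, as an added example that is not part of the original thread: seteuid(getuid()) only moves the effective uid and leaves the saved set-user-id at 0, so a later seteuid(0) succeeds, whereas setuid() called with effective uid 0 replaces real, effective and saved uid together, after which root cannot be regained. It assumes Linux/glibc semantics and uses uid 65534 ("nobody" on most systems) as an assumed placeholder target when started as root.

```c
/* Added example, not code from the original message: temporary versus
 * permanent privilege drop, verifying that root really cannot be regained. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The pattern quoted in the thread: only the effective uid changes, the
 * saved set-user-id stays 0, so seteuid(0) later succeeds. Any code that
 * hijacks the program's control flow can make that same call. */
int drop_privileges_temporarily(void)
{
    return seteuid(getuid());
}

/* Try to become root again. Returns 1 if it worked (privileges were only
 * parked, not dropped), 0 if the kernel refused (EPERM). */
int can_regain_root(void)
{
    return seteuid(0) == 0 ? 1 : 0;
}

/* Permanent drop: with effective uid 0, setuid() sets real, effective and
 * saved uid, so nothing is left to regain. Returns 0 on success, -1 if the
 * drop did not take effect or could be undone. */
int drop_privileges_permanently(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    /* Verify rather than trust: regaining root must now fail. */
    if (target != 0 && can_regain_root())
        return -1;
    return 0;
}

int main(void)
{
    /* 65534 (nobody) is an assumed placeholder target when started as root. */
    uid_t target = getuid() == 0 ? (uid_t)65534 : getuid();
    drop_privileges_temporarily();
    printf("after seteuid(getuid()): can regain root -> %s\n",
           can_regain_root() ? "yes" : "no");
    if (drop_privileges_permanently(target) != 0) {
        perror("permanent drop failed");
        return 1;
    }
    printf("after setuid(%u): can regain root -> %s\n",
           (unsigned)target, can_regain_root() ? "yes" : "no");
    return 0;
}
```

Run it as root (or as a setuid-root binary) to see the first line report "yes" and the second "no"; unprivileged, both report "no" but the permanent-drop verification still runs.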