[3296] in bugtraq

possible security bug if uid of nobody is 65535 or -1

daemon@ATHENA.MIT.EDU (Ian Goldberg)
Wed Aug 28 01:20:31 1996

Date: 	Tue, 27 Aug 1996 21:11:31 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Ian Goldberg <iang@cs.berkeley.edu>
X-To:         bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

I've seen the user "nobody" on some systems have a uid of -1 or 65535.
(Slackware Linux is such an example.) On most such systems, this will
have interesting interactions with syscalls like setreuid() and chown(),
for which an argument of -1 means "no change".

A program that is setuid root, but uses setreuid() to swap its real and
effective uids will thus remain root if run by the "nobody" user.
Also note that it is easy to run programs as nobody on systems on which
CGI scripts are available (the default is to run them as nobody).

   - Ian
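
The interaction described in the message above, as an added example that is not part of the original post: C code that flags passwd-format entries whose uid collides with the -1 "no change" argument, and a setreuid() swap that fails closed instead of silently staying root. The function names and the sample passwd lines are constructed for illustration; treating 4294967295 as a colliding value assumes a 32-bit uid_t.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* -1 means "no change" to setreuid()/chown(); 65535 and 4294967295 are the
   same bit pattern as (uid_t)-1 for a 16-bit and a 32-bit uid_t. */
static int uid_is_sentinel(long long uid) {
    return uid == -1 || uid == 65535 || uid == 4294967295LL;
}

/* Audit passwd-format lines (name:pw:uid:...): count colliding uids. */
static int count_sentinel_accounts(const char *const *lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = strchr(lines[i], ':');        /* end of name  */
        char *end;
        if (!p || !(p = strchr(p + 1, ':')))          /* end of pw    */
            continue;                                 /* malformed    */
        long long uid = strtoll(p + 1, &end, 10);
        if (end != p + 1 && *end == ':' && uid_is_sentinel(uid))
            hits++;
    }
    return hits;
}

/* Swap real and effective uid, failing closed when either value would be
   read as "no change" or when the ids did not actually change places. */
static int swap_uids_checked(uid_t ruid, uid_t euid) {
    if (uid_is_sentinel((long long)ruid) || uid_is_sentinel((long long)euid))
        return -1;                  /* refuse before calling setreuid() */
    if (setreuid(euid, ruid) != 0)
        return -1;
    return (getuid() == euid && geteuid() == ruid) ? 0 : -1;
}

/* Constructed sample input, not taken from any real system. */
static const char *const SAMPLE_PASSWD[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "nobody:*:-1:-1:nobody:/:/bin/false",
    "www::65535:100:web:/var/www:/bin/false",
    "truncated-line",
};

int main(void) {
    printf("colliding accounts: %d\n", count_sentinel_accounts(SAMPLE_PASSWD, 4));
    return swap_uids_checked(getuid(), geteuid()) == 0 ? 0 : 1;
}
```

A setuid program that gets -1 back from the checked swap should exit rather than continue with the ids it started with.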
