[4209] in bugtraq
Re: [linux-security] Re: tftpd bug (was: "Secure" tftpd source
daemon@ATHENA.MIT.EDU (David Holland)
Tue Mar 25 10:18:40 1997
Date: Tue, 25 Mar 1997 02:30:39 -0500
Reply-To: David Holland <dholland@EECS.HARVARD.EDU>
From: David Holland <dholland@EECS.HARVARD.EDU>
X-To: imp@VILLAGE.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <E0w9Gwd-0005eK-00@rover.village.org> from "Warner Losh" at Mar 24, 97 02:06:19 pm
> In message <Pine.SUN.3.94.970324024042.15592A@dfw.dfw.net> Aleph One writes:
> : tftpd in FreeBSD distribution uses chroot() and sets its uid to nobody.
> : I don't think it does anything reasonable with groups.
>
> FreeBSD's inherits the groups from the calling process, which is
> inetd. I don't know if this is reasonable or not, but I think that it
> means that the group will be daemon. tftpd doesn't do anything with
> groups.

While we're at it: many inetds don't clear the groups list when they
start up, so that if you kill and restart inetd from your root shell,
inetd subprocesses may inherit additional (probably privileged)
groups.

I don't know if FreeBSD's inetd suffers from this problem, but the
currently released Linux one does. (The next release won't; if there's
interest I can post the patch.)

The impact of this problem is fortunately fairly limited, and there's
not usually any real reason for root to be in a whole stack of groups.

--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
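
The inherited-groups problem discussed in this message, as an added example that is not part of the original post and is not the Linux inetd patch the author mentions: a daemon audits its supplementary group list and resets it before dropping root. The function names and the uid/gid 65534 (a common "nobody" value) are assumptions made for this sketch.

```c
#define _DEFAULT_SOURCE            /* glibc: expose setgroups() */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries of a supplementary group list that differ from the
 * primary gid: memberships a child would carry along unnoticed. */
int extra_groups(const gid_t *list, int n, gid_t primary)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != primary)
            extra++;
    return extra;
}

/* Same count for the running process; -1 on error. */
int inherited_extra_groups(void)
{
    int n = getgroups(0, NULL);            /* size query */
    if (n <= 0) return n;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list) return -1;
    n = getgroups(n, list);
    int extra = n < 0 ? -1 : extra_groups(list, n, getgid());
    free(list);
    return extra;
}

/* Drop from root to (uid, gid). The group list must be reset while the
 * process is still root, then the gid, then the uid. 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;   /* discard inherited list */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (inherited_extra_groups() != 0) return -1;   /* verify the reset */
    if (uid != 0 && setuid(0) == 0) return -1;      /* root must be gone */
    return 0;
}

int main(void)
{
    printf("extra groups inherited: %d\n", inherited_extra_groups());
    if (geteuid() == 0 && drop_privileges(65534, 65534) == 0)
        printf("extra groups after drop: %d\n", inherited_extra_groups());
    return 0;
}
```
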