[4756] in bugtraq


Re: Core file anomalies under BSDi 3.0

daemon@ATHENA.MIT.EDU (Stacey Son)
Sat Jun 21 00:44:32 1997

Date: 	Fri, 20 Jun 1997 17:17:25 -0600
Reply-To: Stacey Son <sson@ISERVER.COM>
From: Stacey Son <sson@ISERVER.COM>
X-To:         Nir Soffer <scorpios@cs.huji.ac.il>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 19 Jun 1997 20:42:33 +0300." 
              <Pine.BSI.3.96.970619203128.27848A-100000@beep.cs.huji.ac.il>

[Stuff Deleted]

> A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
> program with privileges isn't necessary.

It seems BSDI broke this in 3.0.  BSD/OS 2.1 does not have this
problem as far as I can tell.  Below is a quick workaround until BSDI
comes out with something.  Apply the patch to kern/kern_sig.c.  A real
fix would require setting the P_SUGID flag in the exec handler in
kern_exec.c.

> B.) BSDi _does_ however, check if the file exists, so it's quite
> impossible to overwrite files.

Not exactly.  Try "ln -s /etc/master.passwd /tmp/lpr.core", for
example. :-0 It seems if the permissions are 0600 on the file you link
to, it will overwrite the file.

Regards,

stacey@iserver.com

---snip--snip------------------------------------------------------------
*** kern_sig.c.orig     Tue Oct 15 12:23:05 1996
--- kern_sig.c  Fri Jun 20 16:26:08 1997
***************
*** 1198,1206 ****
         * Don't dump if not root and the process has used set user or
         * group privileges.
         */
!       if (p->p_flag & P_SUGID &&
!           (error = suser(p->p_ucred, &p->p_acflag)) != 0)
!               return (error);

        /* Don't dump if will exceed file size limit. */
        if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
--- 1198,1208 ----
         * Don't dump if not root and the process has used set user or
         * group privileges.
         */
!       if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) &&
!           /*(error = suser(p->p_ucred, &p->p_acflag)) != 0)
!               return (error);*/
!           p->p_cred->p_ruid)
!               return EPERM;

        /* Don't dump if will exceed file size limit. */
        if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
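Review bot: the `p->p_cred->p_ruid)` test that stands in for the old `suser()` call on the new side of the hunk is the actual hardening (a setuid-root process has cr_uid 0 and passes `suser()`, so the original check let it dump), but the replaced call should be deleted rather than left behind as `/*(error = suser(p->p_ucred, &p->p_acflag)) != 0) return (error);*/` inside the condition, where the comment splits the `&&` from its right operand and makes the expression hard to read. The new condition also compares only the real and effective uids, so a setgid program that did not get P_SUGID at exec time (the case the message itself raises) still dumps; add `p->p_cred->p_rgid != p->p_ucred->cr_gid` next to the uid comparison. The unchanged comment "Don't dump if not root and the process has used set user or group privileges" no longer describes the check, since "root" now means the real uid, and nothing in this hunk addresses the symlink overwrite (`ln -s /etc/master.passwd /tmp/lpr.core`) described earlier in the message, which lives in how the core file is opened rather than in this permission test.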

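The two checks in the hunk, and the symlink trick from the body of the message, as an added example in userland C (not code from the message, the patch, or BSD/OS). `dump_allowed_orig` and `dump_allowed_patched` transcribe the "***" and "---" sides of the hunk as pure functions so the difference can be exercised; `dump_allowed_strict` adds the gid comparison suggested above and is not in the patch. `P_SUGID` is a stand-in constant, and the scratch directory, the 0600 "master.passwd" file and the `lpr.core` symlink are constructed inline to show why a core path opened with plain O_CREAT|O_TRUNC clobbers the link's target while O_CREAT|O_EXCL|O_NOFOLLOW refuses it:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the kernel's P_SUGID bit (assumption: only its meaning,
 * "this process has used set-id privileges", matters here). */
#define P_SUGID 0x100u

/* "***" side of the hunk: refuse only when P_SUGID is set and the process
 * is not *effectively* root (what suser() tests), so setuid-root dumps. */
int dump_allowed_orig(unsigned flags, uid_t ruid, uid_t euid)
{
    (void)ruid;                       /* the real uid is never consulted */
    return !((flags & P_SUGID) && euid != 0);
}

/* "---" side of the hunk: P_SUGID *or* ruid != euid counts as privileged,
 * and only a process whose *real* uid is root is exempt. */
int dump_allowed_patched(unsigned flags, uid_t ruid, uid_t euid)
{
    return !(((flags & P_SUGID) || ruid != euid) && ruid != 0);
}

/* Stricter variant (added here, not from the message): a mismatched gid
 * also counts, so a setgid program that never got P_SUGID is covered. */
int dump_allowed_strict(unsigned flags, uid_t ruid, uid_t euid,
                        gid_t rgid, gid_t egid)
{
    int sugid = (flags & P_SUGID) || ruid != euid || rgid != egid;
    return !(sugid && ruid != 0);
}

/* The behaviour the message describes: follow whatever is at the path
 * and truncate it, so a symlink redirects the core onto its target. */
int naive_core_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open: never follow a symlink, never reuse an existing file,
 * and confirm the result is a fresh regular file before it is written. */
int safe_core_open(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: scratch dir, a 0600 "master.passwd" holding one
 * line, and a symlink lpr.core pointing at it. Runs opener on the symlink;
 * returns 1 if the target survived, 0 if clobbered, -1 if setup failed. */
static int target_survives(int (*opener)(const char *))
{
    const char *base = getenv("TMPDIR"), *line = "root:*:0:0::0:0::/root:/bin/sh\n";
    char dir[256], target[256], link[256];
    struct stat st;
    int fd, ok = -1;

    snprintf(dir, sizeof dir, "%s/coreXXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/master.passwd", dir);
    snprintf(link, sizeof link, "%s/lpr.core", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        ssize_t n = write(fd, line, strlen(line));
        close(fd);
        if (n > 0 && symlink(target, link) == 0) {
            fd = opener(link);
            if (fd >= 0) close(fd);
            ok = stat(target, &st) == 0 && st.st_size > 0;
        }
    }
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}

int naive_open_clobbers(void) { return target_survives(naive_core_open) == 0; }
int safe_open_refuses(void)   { return target_survives(safe_core_open) == 1; }

int main(void)
{
    printf("setuid-root run by uid 1000: orig=%d patched=%d\n",
           dump_allowed_orig(P_SUGID, 1000, 0), dump_allowed_patched(P_SUGID, 1000, 0));
    printf("naive open clobbers target: %d, safe open refuses symlink: %d\n",
           naive_open_clobbers(), safe_open_refuses());
    return 0;
}
```

The policy functions show the two failure modes side by side: a setuid-root binary run by uid 1000 passes the original check because `suser()` looks at the effective uid, and a setuid binary whose P_SUGID was never set passes it because the flag is all it looks at; the patched test refuses both because it keys on the real uid. O_CREAT|O_EXCL alone already fails with EEXIST when the path is a symlink; O_NOFOLLOW and the fstat on the returned descriptor are defence in depth.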