[8249] in bugtraq


Re: Incorrect behaviour of setre[ug]id in OpenBSD

daemon@ATHENA.MIT.EDU (Will Waites)
Fri Oct 23 14:00:14 1998

Date: 	Fri, 23 Oct 1998 10:26:01 -0400
Reply-To: ww@STYX.ORG
From: Will Waites <ww@STYX.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19981022222550Z42630-29290+6@styx.org> (message from Will Waites
              on Thu, 22 Oct 1998 18:25:39 -0400)

Apologies, in my original post I neglected to mention version numbers
(it had been a long day). The incorrect behaviour is present in
OpenBSD 2.3, and the current source. I don't know about earlier
versions. Also, (Free|Net)BSD seem to implement setreuid() and
setregid in the kernel, so presumably they are not vulnerable.

The problem is in the following two files:

src/lib/libc/compat-43/__setreuid.c
src/lib/libc/compat-43/__setregid.c

I have quickly cobbled together a couple of patches that are available
in ftp.styx.org in /pub/openbsd_patches. To apply,

$ cd /usr/src/lib/libc/compat-43
$ patch -p0 < /wherever/__setreuid.c.patch
$ patch -p0 < /wherever/__setregid.c.patch

and then recompile libc.

Bear in mind that these are /not/ official OpenBSD patches, and I can
take no responsibility for what they may or may not do to your
system -- but they should work as advertised in the man page with the
following exception: if setreuid(ruid, euid) is called by root, and
ruid is not 0, and euid != ruid, the call will fail after doing a
setuid(ruid).

Cheers,
Will
--
| Will Waites      | "Man is a political and a social animal, and he |
| ww@styx.org      |  normally enjoys hearing fantastic answers in   |
| www.styx.org/~ww |  preference to none." -- Joseph Heller          |
|--------------------------------------------------------------------|
| Finger ww@styx.org for PGP Public Key |
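
The exception noted in the message above means a setreuid() call can return failure after the process ids have already been changed. As an added example (not part of the original post or of the patches it mentions), a caller can re-read the ids after every call instead of trusting the return value alone; checked_setreuid and the id_result codes are hypothetical names.

```c
#define _XOPEN_SOURCE 700 /* declares setreuid() under strict -std= modes */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical outcome codes for this example. */
enum id_result {
    IDS_OK = 0,               /* call succeeded and ids match the request */
    IDS_FAILED_UNCHANGED = 1, /* call failed, ids are as before */
    IDS_FAILED_CHANGED = 2,   /* call failed but ids changed anyway */
    IDS_MISMATCH = 3          /* call reported success, ids are not as requested */
};

/* Hypothetical helper: call setreuid() and classify the result by re-reading
 * the real and effective uid instead of trusting the return value alone. */
enum id_result checked_setreuid(uid_t ruid, uid_t euid)
{
    uid_t old_r = getuid(), old_e = geteuid();
    int rc = setreuid(ruid, euid);
    uid_t new_r = getuid(), new_e = geteuid();

    if (rc != 0)
        return (new_r != old_r || new_e != old_e) ? IDS_FAILED_CHANGED
                                                  : IDS_FAILED_UNCHANGED;
    /* (uid_t)-1 means "leave this id alone", so only compare real requests. */
    if ((ruid != (uid_t)-1 && new_r != ruid) ||
        (euid != (uid_t)-1 && new_e != euid))
        return IDS_MISMATCH;
    return IDS_OK;
}

int main(void)
{
    /* Harmless request: keep the ids the process already has. */
    enum id_result r = checked_setreuid(getuid(), geteuid());
    printf("setreuid(current, current) -> %d\n", (int)r);
    /* A caller dropping privileges should stop on anything but IDS_OK;
     * IDS_FAILED_CHANGED is the partially applied case. */
    return r == IDS_OK ? 0 : 1;
}
```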
