[15332] in bugtraq
Re: local root on linux 2.2.15
daemon@ATHENA.MIT.EDU (Wojciech Purczynski)
Wed Jun 14 16:17:30 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0006121451250.2163-100000@alfa.elzabsoft.pl>
Date: Mon, 12 Jun 2000 15:06:18 +0200
Reply-To: Wojciech Purczynski <wp@ELZABSOFT.PL>
From: Wojciech Purczynski <wp@ELZABSOFT.PL>
X-To: Philip Guenther <guenther@GAC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200006082018.PAA18599@solen.gac.edu>
On Thu, 8 Jun 2000, Philip Guenther wrote:
> Question: given this bug, is it now the community expectation that every
> program that setuids from 0 to non-zero should check for the presence of
> this kernel bug?
Procmail is _not_ affected by saved UID bug because it doesn't try to drop
privileges and then regain them by switching back to UID 0.
However, Procmail is buggy because it tries to drop privileges using
setreuid system call which fails with EPERM. Procmail ignores that and
continues running with privileges it shouldn't have.
> The sendmail people have enhance sendmail in just such a fashion and
> I'm wondering whether I, as current maintainer of procmail, should do
> so to procmail. Are we going to see new versions of perl, screen,
> xterm, nxterm, and rxvt (all of which are setuid root on the Linux
> system in front of me) that contain code to detect this? I suspect so,
> and I'll add the requisite code to procmail for the next version.
IMHO, all those setuid-root programs should be fixed if they ignore return
values of system calls.
-wp
+--------------------------------------------------------------------+
| Wojciech Purczynski wp@elzabsoft.pl http://www.elzabsoft.pl/~wp |
| GSM: +48604432981 Linux Administrator SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key: http://www.elzabsoft.pl/~wp/gpg.asc ------+
