[15353] in bugtraq


Re: local root on linux 2.2.15

daemon@ATHENA.MIT.EDU (Wojciech Purczynski)
Thu Jun 15 14:41:29 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0006150831540.9096-100000@alfa.elzabsoft.pl>
Date:         Thu, 15 Jun 2000 08:51:57 +0200
Reply-To: Wojciech Purczynski <wp@ELZABSOFT.PL>
From: Wojciech Purczynski <wp@ELZABSOFT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NDBBIOPEKLHMHCDKLPLPKEIFCPAA.jeffd@evcom.net>

On Wed, 14 Jun 2000, Jeff Dafoe wrote:

> =====
> Note that checking the return value from setuid() is insufficient;
> the setuid(getuid()) succeeds even when the process does not have
> "appropriate privileges."
> =====

I don't mean the bug in the kernel not setting the saved UID.

I mean that if a process has the CAP_SETUID bit cleared and its UID=EUID=0, it
is unable to change its UID and drop privileges. In this scenario the process
doesn't need to do setuid(0) after setuid(500) (like sendmail does) to
restore its privileges, which normally fails.

As an example we may look at procmail. If it is executed from sendmail as
local mailer with UID=EUID=0, it tries to do setreuid(500, -1) followed by
setuid(500). Both of these functions return -EPERM. Procmail ignores the
error value and continues running, forwarding our mail with root
privileges.

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp@elzabsoft.pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+
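The defensive counterpart to what procmail gets wrong in the post above, as an added example that is not from the original thread: a C helper that drops privileges, checks every call and then verifies the resulting credentials, so an EPERM from setuid() (as when CAP_SETUID has been cleared) aborts the program instead of being ignored. The function name, the target IDs and the main() are assumptions for the demo.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared explicitly so strict -std= modes do not hide the glibc prototype. */
int setgroups(size_t size, const gid_t *list);

/* Permanently drop to (uid, gid). Every call is checked and the result is
 * verified afterwards, so a silent -EPERM (the procmail case) cannot leave
 * the process running as root. Returns 0 on success, -1 on failure with
 * errno set by the failing step. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared with CAP_SETGID; an
     * unprivileged process has nothing it is allowed to drop here. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: after the UID drop, setgid() would no longer be permitted. */
    if (setgid(gid) != 0)
        return -1;
    /* With EUID 0 this sets real, effective and saved UID at once. */
    if (setuid(uid) != 0)
        return -1;
    /* Never trust the return value alone: confirm the credentials changed... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ...and that root cannot be regained, i.e. the saved UID really went. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed target: the caller's own real IDs, so the demo also runs
     * unprivileged; a setuid-root program would pass the same values. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s; refusing to continue\n",
                strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root with CAP_SETUID removed from its capability set and the helper reports the failing setuid() call and exits, which is exactly the check the post says procmail omits.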
