[15400] in bugtraq


Re: Splitvt exploit

daemon@ATHENA.MIT.EDU (Joey Hess)
Tue Jun 20 14:16:04 2000

Mail-Followup-To: Andrey Savochkin <saw@saw.sw.com.sg>,
                  BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000616163323.T20973@kitenet.net>
Date:         Fri, 16 Jun 2000 16:33:23 -0700
Reply-To: Joey Hess <joey@KITENET.NET>
From: Joey Hess <joey@KITENET.NET>
X-To:         Andrey Savochkin <saw@saw.sw.com.sg>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000616173820.A18725@saw.sw.com.sg>; from saw@saw.sw.com.sg on
              Fri, Jun 16, 2000 at 05:38:20PM +0800

Andrey Savochkin wrote:
> > +		/* Same for gid (program may be setgid utmp on some
> > +		 * systems). */
> > +		(void) setgid(getgid());
> >  			
> >  		/* Run the requested program, with possible leading dash. */
> >  		execvp(((*argv[0] == '-') ? argv[0]+1 : argv[0]), argv);
>
> I don't know what splitvt is, but shouldn't setgid go _before_ setuid call
> for dropping privileges?

Yes it should, although in reality it's not going to change anything
(splitvt has no conceivable reason to be setuid and setgid at the same
time). Someone pointed that out yesterday and I've changed my
patch. I guess I'll post this to bugtraq too since several people have
pointed that out now.

--
see shy jo
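
An added example, not part of the original message or the splitvt patch: a privilege-drop helper in the order agreed on above (group before user), with return values checked and the drop verified before the exec. It uses setregid()/setreuid() rather than the patch's setgid()/setuid() so that the saved ids are reset as well; the name drop_privileges and the argv handling in main() are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop setuid/setgid privileges back to the invoking user.
 * Returns 0 on success, -1 on failure; the caller must not exec on -1. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid drop the process may no longer be
     * allowed to change its gid. Setting the real id as well makes the
     * saved set-group-ID follow the new effective gid. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Verify the drop is permanent: regaining the old ids must fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;

    /* Final state check on the effective ids. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;               /* never exec with privileges still held */
    }
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 127;
}
```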
