[26235] in bugtraq
Re: Linux kernel setgid implementation flaw
daemon@ATHENA.MIT.EDU (FozZy)
Fri Jul 19 16:26:51 2002
Date: Fri, 19 Jul 2002 22:19:39 +0200
From: FozZy <fozzy@dmpfrance.com>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Message-Id: <20020719221939.49ab857d.fozzy@dmpfrance.com>
In-Reply-To: <20020719164849.222FCBC073@spike.porcupine.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Thanks, it's a great paper. Unix developpers: it should be worth taking a look at it.
Indeed, with their rigourous methodology, the authors did detect this error in the setgid linux manpage on Red Hat 7.2. I just wonder if they reported it (the manpage on www.linux.org is still inaccurate at the moment).
This paper also reports a real example of a program with the setgid flag only, that thinks it can drop all privileges by calling setgid(getgid()). It is OK on FreeBSD, but not on Linux...
Another interesting example is a setuid program with a non-root owner that want to drop its privileges. (I use here the word "privilege" in an extensive and empiric "having access to objects on the system that are forbidden to the current user"). Well, on Linux and Solaris, this program will not properly drop privileges by the usual way: calling setgid() then setuid(). The saved uid and gid will remain the owner's ones.
And much more interesting stuff... :)
FozZy
On Fri, 19 Jul 2002 12:48:49 -0400 (EDT)
wietse@porcupine.org (Wietse Venema) wrote:
> FYI,
>
> The August USENIX Security conference has a good paper that examines
> in depth the semantics of UID and GID setting calls for Solaris,
> FreeBSD and Linux. The differences are quite remarkable.
>
> Wietse
>
> Setuid Demystified, by Hao Chen, David Wagner, UC Berkeley; Drew
> Dean, SRI International
> www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
