Bugtraq mailing list archives
HP-UX setprivgrp()
From: esilva () netcom com (Eduardo E. Silva)
Date: Thu, 7 Nov 1996 11:34:20 -0800
I just ran into this while doing routine security checks on HP-UX B.10.01

from man 2 chown on hp-ux 10.01:

"...Only processes with an effective user ID equal to the file owner or a user having appropriate privileges can change the ownership of a file. If privilege groups are supported, the owner of a file can change the ownership only as a member of a privilege group allowing CHOWN, as set up by the setprivgrp command (see setprivgrp(1M)). All users get the CHOWN privilege by default..."

$ date
Thu Nov 7 11:17:24 PST 1996
$ getprivgrp
global privileges: CHOWN
$ pwd
/home/esilva
$ id
uid=112(esilva) gid=999(tmp)
$ mkdir tmp
$ chown esilva tmp
$ chmod 6777 tmp
$ ls -ldi tmp
45696 drwsrwsrwx 2 esilva tmp 24 Nov 7 11:12 tmp
$ chown root tmp
$ ls -ldi tmp
45696 drwsrwsrwx 2 root tmp 24 Nov 7 11:12 tmp
$ cd tmp
$ touch hello
$ ls -ldi hello
45697 -rw-rw-rw- 1 esilva tmp 0 Nov 7 11:12 hello
$ chmod 6777 hello
$ chown root hello
$ ls -ldi hello
45697 -rwxrwxrwx 1 root tmp 0 Nov 7 11:12 hello

Maybe a race condition can be won between the times the setuid bits are changed by chown().

-Ed

--
Thanks!
-Ed
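
Added example, not part of the original post: a shell filter for `ls -ldi` output that reports entries which belong to a given owner and still show set-uid or set-gid bits. Fed the two post-chown listings from the session above, it reports the directory tmp, whose listing keeps both bits under root ownership, and not the file hello. The names flag_setid, scan_tree and sample_after_chown are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag entries in `ls -ldi`
# output that carry set-uid/set-gid bits and belong to a given owner.

# flag_setid OWNER  -- reads `ls -ldi` lines on stdin.
# Output per hit: "<dir|file> <suid|sgid|suid+sgid> <mode> <name>"
# Names containing spaces are reported by their last word only.
flag_setid() {
    awk -v owner="$1" '
    {
        mode = substr($2, 1, 10)            # drop any trailing ACL marker
        u = substr(mode, 4, 1)              # owner-execute position
        g = substr(mode, 7, 1)              # group-execute position
        bits = ""
        if (u == "s" || u == "S") bits = "suid"
        if (g == "s" || g == "S") bits = (bits == "" ? "sgid" : bits "+sgid")
        if (bits != "" && $4 == owner) {
            kind = (substr(mode, 1, 1) == "d") ? "dir" : "file"
            print kind, bits, mode, $NF
        }
    }'
}

# scan_tree DIR OWNER -- hypothetical wrapper: run the same check on a live tree.
scan_tree() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -exec ls -ldi {} + |
        flag_setid "$2"
}

# The two listings taken after "chown root" in the session above.
sample_after_chown() {
    cat <<'EOF'
45696 drwsrwsrwx 2 root tmp 24 Nov 7 11:12 tmp
45697 -rwxrwxrwx 1 root tmp 0 Nov 7 11:12 hello
EOF
}

sample_after_chown | flag_setid root
```

On a live system, `scan_tree /home root` applies the same filter to every set-id entry that find locates under /home.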