Bugtraq mailing list archives

HP-UX setprivgrp()


From: esilva () netcom com (Eduardo E. Silva)
Date: Thu, 7 Nov 1996 11:34:20 -0800


I just ran into this while doing routine security checks on HP-UX B.10.01.
From man 2 chown on HP-UX 10.01:

"...Only processes with an effective user ID equal to the file owner or a
user having appropriate privileges can change the ownership of a file.
If privilege groups are supported, the owner of a file can change the
ownership only as a member of a privilege group allowing CHOWN, as set
up by the setprivgrp command (see setprivgrp(1M)).  All users get the
CHOWN privilege by default..."

$ date
Thu Nov  7 11:17:24 PST 1996
$ getprivgrp
global privileges: CHOWN
$ pwd
/home/esilva
$ id
uid=112(esilva) gid=999(tmp)
$ mkdir tmp
$ chown esilva tmp
$ chmod 6777 tmp
$ ls -ldi tmp
 45696 drwsrwsrwx   2 esilva   tmp           24 Nov  7 11:12 tmp
$ chown root tmp
$ ls -ldi tmp
 45696 drwsrwsrwx   2 root     tmp           24 Nov  7 11:12 tmp
$ cd tmp
$ touch hello
$ ls -ldi hello
 45697 -rw-rw-rw-   1 esilva   tmp            0 Nov  7 11:12 hello
$ chmod 6777 hello
$ chown root hello
$ ls -ldi hello
 45697 -rwxrwxrwx   1 root     tmp            0 Nov  7 11:12 hello

Maybe a race condition can be won between the times the setuid bits
are changed by chown().

-Ed
--
                                                                      _
                                                                    /\o/\
Thanks!                                                            / <_> \
                                                                  /^^/ \^^\
-Ed                                                                 /___\
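
The check below is an added example, not part of the original post: it compares two `ls -ldi` snapshots by inode and reports entries whose owner changed while set-id bits stayed in place, which is what the transcript shows for the directory but not for the file. The function names are hypothetical, and the "before" line for `hello` is constructed from the `chmod 6777 hello` step because the post does not list it.

```python
# Added example: compare two `ls -ldi` snapshots and report set-id bits that
# survive a change of owner. Not code from the original post.

# Lines for inode 45696 and the AFTER line for 45697 are copied from the post;
# the BEFORE line for 45697 is constructed (mode after `chmod 6777 hello`).
BEFORE = """\
 45696 drwsrwsrwx   2 esilva   tmp           24 Nov  7 11:12 tmp
 45697 -rwsrwsrwx   1 esilva   tmp            0 Nov  7 11:12 hello
"""
AFTER = """\
 45696 drwsrwsrwx   2 root     tmp           24 Nov  7 11:12 tmp
 45697 -rwxrwxrwx   1 root     tmp            0 Nov  7 11:12 hello
"""


def setid_bits(mode):
    """Return the set-id bits encoded in an ls mode string such as 'drwsrwsrwx'."""
    bits = set()
    if mode[3] in "sS":   # owner execute slot: s = setuid+x, S = setuid without x
        bits.add("setuid")
    if mode[6] in "sS":   # group execute slot: s = setgid+x, S = setgid without x
        bits.add("setgid")
    return bits


def parse(listing):
    """Map inode -> (mode, owner, name) for each `ls -ldi` line."""
    entries = {}
    for line in listing.splitlines():
        fields = line.split(None, 9)
        if len(fields) < 10 or not fields[0].isdigit() or len(fields[1]) < 10:
            continue  # skip blank lines, prompts, "total N" headers
        inode, mode, _links, owner = fields[:4]
        entries[int(inode)] = (mode, owner, fields[9])
    return entries


def surviving_setid(before, after):
    """List (name, old_owner, new_owner, bits) where the owner changed but set-id bits remain."""
    old, new = parse(before), parse(after)
    findings = []
    for inode in sorted(old.keys() & new.keys()):
        (old_mode, old_owner, name), (new_mode, new_owner, _) = old[inode], new[inode]
        kept = setid_bits(old_mode) & setid_bits(new_mode)
        if old_owner != new_owner and kept:
            findings.append((name, old_owner, new_owner, sorted(kept)))
    return findings
```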


