Bugtraq mailing list archives
Re: Core file anomalies under BSDi 3.0
From: sson () ISERVER COM (Stacey Son)
Date: Fri, 20 Jun 1997 17:17:25 -0600
[Stuff Deleted]
A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid program with privileges isn't necessary.
It seems BSDI broke this in 3.0. BSD/OS 2.1 does not have this problem as far as I can tell. Below is a quick workaround until BSDI comes out with something. Apply the patch to kern/kern_sig.c. A real fix would require setting the P_SUGID flag in the exec handler in kern_exec.c.
B.) BSDi _does_ however, check if the file exists, so it's quite impossible to overwrite files.
Not exactly. Try "ln -s /etc/master.passwd /tmp/lpr.core", for example.:-0 It seems if the permissions are 0600 on the file you link to it will overwrite the file. Regards, stacey () iserver com ---snip--snip------------------------------------------------------------ *** kern_sig.c.orig Tue Oct 15 12:23:05 1996 --- kern_sig.c Fri Jun 20 16:26:08 1997 *************** *** 1198,1206 **** * Don't dump if not root and the process has used set user or * group privileges. */ ! if (p->p_flag & P_SUGID && ! (error = suser(p->p_ucred, &p->p_acflag)) != 0) ! return (error); /* Don't dump if will exceed file size limit. */ if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >= --- 1198,1208 ---- * Don't dump if not root and the process has used set user or * group privileges. */ ! if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) && ! /*(error = suser(p->p_ucred, &p->p_acflag)) != 0) ! return (error);*/ ! p->p_cred->p_ruid) ! return EPERM; /* Don't dump if will exceed file size limit. */ if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
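Review bot: The added test in the new condition compares only p->p_cred->p_ruid with p->p_ucred->cr_uid, so a set-group-ID process whose real and effective uids match is still caught only by P_SUGID, the flag the message says is not being set reliably in 3.0; an equivalent real versus effective group-ID comparison would close that case. The replacement of suser() with a bare p->p_cred->p_ruid test also changes the exemption from "effective uid is root" to "real uid is root", which deserves a line in the comment above the condition, since that comment still reads "Don't dump if not root". The suser() call is left commented out in the middle of the expression, which makes the condition hard to read; delete it rather than commenting it out, and write return (EPERM) to match the surrounding return (error) style. Nothing in this hunk touches how the core file is opened, so the symlink overwrite described in the message ("ln -s /etc/master.passwd /tmp/lpr.core") is reduced only for processes this check now rejects.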