Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Core file anomalies under BSDi 3.0

From: sson () ISERVER COM (Stacey Son)
Date: Fri, 20 Jun 1997 17:17:25 -0600

[Stuff Deleted]


A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
program with priviliges isn't neccesary.


It seems BSDI broke this in 3.0.  BSD/OS 2.1 does not have this
problem as far as I can tell.  Below is a quick workaround until BSDI
comes out with something.  Apply the patch to kern/kern_sig.c.  A real
fix would require setting the P_SUGID flag in the exec handler in
kern_exec.c.


B.) BSDi _does_ however, check if the file exists, so it's quite
impossible to overwrite files.


Not exactly.  Try "ln -s /etc/master.passwd /tmp/lpr.core", for
example.:-0 It seems if the permissions are 0600 on the file you link
to it will overwrite the file.

Regards,

stacey () iserver com

---snip--snip------------------------------------------------------------
*** kern_sig.c.orig     Tue Oct 15 12:23:05 1996
--- kern_sig.c  Fri Jun 20 16:26:08 1997
***************
*** 1198,1206 ****
         * Don't dump if not root and the process has used set user or
         * group privileges.
         */
!       if (p->p_flag & P_SUGID &&
!           (error = suser(p->p_ucred, &p->p_acflag)) != 0)
!               return (error);

        /* Don't dump if will exceed file size limit. */
        if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
--- 1198,1208 ----
         * Don't dump if not root and the process has used set user or
         * group privileges.
         */
!       if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) &&
!           /*(error = suser(p->p_ucred, &p->p_acflag)) != 0)
!               return (error);*/
!           p->p_cred->p_ruid)
!               return EPERM;

        /* Don't dump if will exceed file size limit. */
        if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
Previous By Date Next
Previous By Thread Next

Current thread: