Re: Linux kernel setgid implementation flaw

[FozZy <fozzy () dmpfrance com>]

Thanks, it's a great paper. Unix developpers: it should be worth taking a look at it.

Indeed, with their rigourous methodology, the authors did detect this error in the setgid linux manpage on Red Hat 7.2. 
I just wonder if they reported it (the manpage on www.linux.org is still inaccurate at the moment).
This paper also reports a real example of a program with the setgid flag only, that thinks it can drop all privileges 
by calling setgid(getgid()). It is OK on FreeBSD, but not on Linux...

Another interesting example is a setuid program with a non-root owner that want to drop its privileges. (I use here the 
word "privilege" in an extensive and empiric "having access to objects on the system that are forbidden to the current 
user"). Well, on Linux and Solaris, this program will not properly drop privileges by the usual way: calling setgid() 
then setuid(). The saved uid and gid will remain the owner's ones.

And much more interesting stuff... :)


FozZy

On Fri, 19 Jul 2002 12:48:49 -0400 (EDT)
wietse () porcupine org (Wietse Venema) wrote:

> FYI,
>
> The August USENIX Security conference has a good paper that examines
> in depth the semantics of UID and GID setting calls for Solaris,
> FreeBSD and Linux. The differences are quite remarkable.
>
>       Wietse
>
> Setuid Demystified, by Hao Chen, David Wagner, UC Berkeley; Drew
> Dean, SRI International
> www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf