Bugtraq mailing list archives
Re: Linux kernel setgid implementation flaw
From: FozZy <fozzy () dmpfrance com>
Date: Fri, 19 Jul 2002 22:19:39 +0200
Thanks, it's a great paper. Unix developpers: it should be worth taking a look at it. Indeed, with their rigourous methodology, the authors did detect this error in the setgid linux manpage on Red Hat 7.2. I just wonder if they reported it (the manpage on www.linux.org is still inaccurate at the moment). This paper also reports a real example of a program with the setgid flag only, that thinks it can drop all privileges by calling setgid(getgid()). It is OK on FreeBSD, but not on Linux... Another interesting example is a setuid program with a non-root owner that want to drop its privileges. (I use here the word "privilege" in an extensive and empiric "having access to objects on the system that are forbidden to the current user"). Well, on Linux and Solaris, this program will not properly drop privileges by the usual way: calling setgid() then setuid(). The saved uid and gid will remain the owner's ones. And much more interesting stuff... :) FozZy On Fri, 19 Jul 2002 12:48:49 -0400 (EDT) wietse () porcupine org (Wietse Venema) wrote:
FYI, The August USENIX Security conference has a good paper that examines in depth the semantics of UID and GID setting calls for Solaris, FreeBSD and Linux. The differences are quite remarkable. Wietse Setuid Demystified, by Hao Chen, David Wagner, UC Berkeley; Drew Dean, SRI International www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
Current thread:
- Linux kernel setgid implementation flaw FozZy (Jul 18)
- Re: Linux kernel setgid implementation flaw FozZy (Jul 19)
- Re: Linux kernel setgid implementation flaw Wietse Venema (Jul 19)
- Re: Linux kernel setgid implementation flaw FozZy (Jul 19)
- Re: Linux kernel setgid implementation flaw Wietse Venema (Jul 19)
- Re: Linux kernel setgid implementation flaw FozZy (Jul 19)