Re: dropping setuid/setgid privileges
From: James Youngman
Subject: Re: dropping setuid/setgid privileges
Date: Tue, 9 Jun 2009 09:45:42 +0100

On Tue, Jun 9, 2009 at 4:40 AM, Sam Steingold<address@hidden> wrote:
> int foo () {
>   if (foo_low() == NEED_ABORT) {
>     fprintf(stderr,"life sucks\n");
>     abort();
>   }
> }
>
A problem with code snippets like that in a security context is this attack:

cd /tmp
prog="root::0:0:root::"
ln -s /usr/bin/setuid-program "$prog"
PATH=$PATH:.
"$prog" some-set-of-arguments-causing-foo-to-be-too-low-or-maybe-just-a-usage-error 2>&-

If the program is designed to open a controlled file (for example
/etc/passwd) and uses argv[0] in error messages (GNU programs usually
don't) then the function above will have emitted the value of $prog
into the controlled file. The gnulib module fd-safer protects us
against such problems, but only if the program uses it. (For
context, this resulted in local root exploits on Solaris [and a minor
privilege escalation on OpenBSD] even though the problem has been
known for over 20 years; see
http://seclists.org/bugtraq/2002/Apr/0332.html)

In the specific case of the snippet above, it doesn't print argv[0].
That will protect us against this specific attack, but in the general
case unless we consistently used fd_safer() or something like it, it's
not safe to print anything in a setuid program that opens files for
writing, even after privileges have been dropped.

James.
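
The two defenses the message points to, as an added example that is not part of the original post and is not gnulib's fd-safer source: a startup check that plugs any closed standard descriptor with /dev/null, and an open wrapper that never returns 0, 1 or 2. The names `sanitize_std_fds` and `open_above_stdio` are hypothetical.

```c
/* Added example: hypothetical helpers, not gnulib's fd-safer source. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Call first thing in main(): if 0, 1 or 2 was closed by the invoker,
   plug it with /dev/null so no later open() can land on that number.
   Returns 0 on success, -1 if a slot could not be filled. */
int sanitize_std_fds(void)
{
    for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                     /* already open */
        /* open() returns the lowest free descriptor. Lower slots were
           filled on earlier iterations, so that is fd itself. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {
            if (nfd >= 0)
                close(nfd);
            return -1;
        }
    }
    return 0;
}

/* Like open(), but never returns 0, 1 or 2: a descriptor in that range
   is duplicated to the lowest free number above 2 and then closed. */
int open_above_stdio(const char *path, int flags, mode_t mode)
{
    int fd = open(path, flags, mode);
    if (fd >= STDIN_FILENO && fd <= STDERR_FILENO) {
        int dupfd = fcntl(fd, F_DUPFD, STDERR_FILENO + 1);
        int saved = errno;
        close(fd);
        errno = saved;
        fd = dupfd;
    }
    return fd;
}

int main(void)
{
    if (sanitize_std_fds() != 0)
        _exit(111);                       /* do not print: fd 2 is unsafe */
    int fd = open_above_stdio("/dev/null", O_WRONLY, 0);
    printf("data file opened on fd %d\n", fd);
    return fd > STDERR_FILENO ? 0 : 1;
}
```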