Re: dropping setuid/setgid privileges

[James Youngman]

On Tue, Jun 9, 2009 at 4:40 AM, Sam Steingold<address@hidden> wrote:

> int foo () {
>  if (foo_low() == NEED_ABORT) {
>   fprintf(stderr,"life sucks\n");
>  abort();
> }}
>

A problem with code snippets like that in a security context is this attack:

cd /tmp
prog="root::0:0:root::"
ln -s /usr/bin/setuid-program "$prog"
PATH=$PATH:.
"$prog" 
some-set-of-arguments-causing-foo-to-be-too-low-or-maybe-just-a-usage-error
2>&-

If the program is designed to open a controlled file (for example
/etc/passwd) and uses argv[0] in error messages (GNU programs usually
don't) then the function above will have emitted the value of $prog
into the controlled file.    The gnulib module fd-safer protects us
against such problems, but only if the program uses it.   (For
context, this resulted in local root exploits on Solaris [and a minor
privilege escalation on OpenBSD] even though the problem has been
known for over 20 years; see
http://seclists.org/bugtraq/2002/Apr/0332.html)

In the specific case of the snippet above, it doesn't print argv[0].
That will protect us against this specific attack, but in the general
case unless we consistently used fd_safer() or something like it, it's
not safe to print anything in a setuid program that opens files for
writing, even after privileges have been dropped.

James.