On Tue, Jun 9, 2009 at 4:40 AM, Sam Steingold<s...@gnu.org> wrote:
> int foo () {
>   if (foo_low() == NEED_ABORT) {
>     fprintf(stderr,"life sucks\n");
>     abort();
>   }
> }
>
A problem with code snippets like that in a security context is this attack:

    cd /tmp
    prog="root::0:0:root::"
    ln -s /usr/bin/setuid-program "$prog"
    PATH=$PATH:. "$prog" some-set-of-arguments-causing-foo-to-be-too-low-or-maybe-just-a-usage-error 2>&-

If the program is designed to open a controlled file (for example /etc/passwd) and uses argv[0] in error messages (GNU programs usually don't), then the function above will have emitted the value of $prog into the controlled file.

The gnulib module fd-safer protects us against such problems, but only if the program uses it.

(For context, this resulted in local root exploits on Solaris [and a minor privilege escalation on OpenBSD] even though the problem has been known for over 20 years; see http://seclists.org/bugtraq/2002/Apr/0332.html)

In the specific case of the snippet above, it doesn't print argv[0]. That will protect us against this specific attack, but in the general case, unless we consistently used fd_safer() or something like it, it's not safe to print anything in a setuid program that opens files for writing, even after privileges have been dropped.

James.
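The mechanism James describes, as an added example that is not part of the original thread and not gnulib's code: the shell closes descriptor 2 before exec ("2>&-"), so the first file the setuid program opens for writing becomes descriptor 2, and the very next fprintf(stderr, ...) writes straight into that file. The program below simulates this in-process: it saves the real stderr, closes fd 2, opens a temp file (standing in for /etc/passwd), prints an "argv[0]"-style error, and then checks whether the attacker's string landed in the file. demo_fd_safer() is our own function modelled on the behaviour of gnulib's fd_safer() (move any descriptor 0..2 to 3 or above and close the low one); FAKE_ARGV0 is the string from the mail; the program is assumed to run unprivileged and not to be setuid itself.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The attacker-chosen name from the mail: what argv[0] would be when the
   setuid program is invoked through the symlink, and hence what a careless
   error message would print. */
#define FAKE_ARGV0 "root::0:0:root::"

/* Modelled on gnulib's fd_safer() (our own code, not gnulib's): if open()
   handed us descriptor 0, 1 or 2, move it to a descriptor >= 3 and close the
   low one, so that later stdio writes to stderr cannot land in this file.
   errno from a failed open() is preserved so callers still see the error. */
static int demo_fd_safer(int fd)
{
    if (STDIN_FILENO <= fd && fd <= STDERR_FILENO) {
        int moved = fcntl(fd, F_DUPFD, STDERR_FILENO + 1);
        int saved_errno = errno;
        close(fd);
        errno = saved_errno;
        fd = moved;
    }
    return fd;
}

/* Make sure descriptors 0 and 1 are open, so that after the simulated
   "2>&-" the lowest free descriptor is exactly 2. */
static void ensure_stdin_stdout_open(void)
{
    for (int i = STDIN_FILENO; i <= STDOUT_FILENO; i++) {
        if (fcntl(i, F_GETFD) == -1) {
            int d = open("/dev/null", O_RDWR);
            if (d >= 0 && d != i) {
                dup2(d, i);
                close(d);
            }
        }
    }
}

/* Simulate the victim in-process: stderr is closed (the attacker's 2>&-),
   the program opens its "controlled" file for writing (a temp file here),
   and then hits an error path that prints argv[0] to stderr. Returns 1 if
   the error text ended up inside the file, 0 if it did not, -1 on setup
   failure. The real stderr is saved and restored so the process keeps working. */
static int run_victim(int use_fd_safer)
{
    char path[] = "/tmp/fd_safer_demo_XXXXXX";
    int t = mkstemp(path);
    if (t < 0)
        return -1;
    close(t);

    ensure_stdin_stdout_open();
    int saved_stderr = dup(STDERR_FILENO);
    if (saved_stderr < 0) {
        unlink(path);
        return -1;
    }
    close(STDERR_FILENO);                       /* the attacker's 2>&- */

    /* The privileged part of the program: without fd_safer this open()
       returns 2, i.e. the controlled file now *is* stderr. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (use_fd_safer)
        fd = demo_fd_safer(fd);

    /* The error path from the quoted snippet, but printing argv[0]. */
    fprintf(stderr, "%s: usage error\n", FAKE_ARGV0);
    if (fd >= 0)
        close(fd);

    /* Undo the simulated attack for the rest of this process. */
    dup2(saved_stderr, STDERR_FILENO);
    close(saved_stderr);
    clearerr(stderr);

    /* Did the attacker's string land in the controlled file? */
    char buf[256] = {0};
    int rfd = open(path, O_RDONLY);
    ssize_t n = rfd >= 0 ? read(rfd, buf, sizeof buf - 1) : -1;
    if (rfd >= 0)
        close(rfd);
    unlink(path);
    return (n > 0 && strstr(buf, FAKE_ARGV0) != NULL) ? 1 : 0;
}

int main(void)
{
    printf("without fd_safer: attacker string %s the controlled file\n",
           run_victim(0) == 1 ? "landed in" : "did not land in");
    printf("with fd_safer:    attacker string %s the controlled file\n",
           run_victim(1) == 1 ? "landed in" : "did not land in");
    return 0;
}
```

Note that the fd_safer-style fix does not make the message reach the user: with fd 2 closed the write simply fails with EBADF. It only guarantees that a file the program opened can never be sitting on descriptors 0, 1 or 2, which is exactly the property that makes fprintf(stderr, ...) safe again.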