The newly introduced setresuid call adds a security hole too. Compare the following
checks. The first one comes from
setreuid:
    if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
         (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
          euid != pc->p_ruid && euid != pc->p_svuid)) &&

setresuid:

    if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid &&
          ruid != pc->pc_ucred->cr_uid) ||
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         (euid != (uid_t)-1 && euid != pc->p_ruid && euid != pc->p_svuid &&
          euid != pc->pc_ucred->cr_uid) ||
         (suid != (uid_t)-1 && suid != pc->p_ruid && suid != pc->p_svuid &&
          suid != pc->pc_ucred->cr_uid)) &&
As I see it, you can now additionally set ruid to euid, which is not allowed in the
setreuid call. The supposed POSIX_APPENDIX_B_4_2_2 clause should be either ifdefed
or removed, as in setreuid.
--
Andrey A. Chernov
http://nagual.pp.ru/~ache/
MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
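As an added illustration, not code from the mail or from the FreeBSD tree: the two quoted conditions written out as plain C predicates over a constructed credential model, so the case the mail describes (real uid set to the current effective uid, which only the setresuid check lets through without the superuser check) can be evaluated directly. The struct, the function names and the uid values are this example's own assumptions; the kernel code the mail quotes goes on to call its superuser check when the condition is true.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for the process credential fields the quoted kernel
 * checks read. Struct and field names are this example's own, chosen to
 * mirror the expressions in the mail, not the kernel's definitions. */
struct cred_model {
    uid_t p_ruid;   /* real uid,      pc->p_ruid in the mail           */
    uid_t cr_uid;   /* effective uid, pc->pc_ucred->cr_uid in the mail */
    uid_t p_svuid;  /* saved uid,     pc->p_svuid in the mail          */
};

/* The "leave this id unchanged" sentinel the quoted checks compare against. */
#define UID_UNCHANGED ((uid_t)-1)

/* The quoted setreuid condition. True means the request falls through to the
 * superuser check, so an unprivileged caller would be refused. */
bool setreuid_needs_suser(const struct cred_model *pc, uid_t ruid, uid_t euid)
{
    return (ruid != UID_UNCHANGED && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
           (euid != UID_UNCHANGED && euid != pc->cr_uid &&
            euid != pc->p_ruid && euid != pc->p_svuid);
}

/* The quoted setresuid condition, including the extra "ruid != cr_uid" term
 * the mail underlines: a new real uid equal to the effective uid is accepted. */
bool setresuid_needs_suser(const struct cred_model *pc, uid_t ruid, uid_t euid, uid_t suid)
{
    return (ruid != UID_UNCHANGED && ruid != pc->p_ruid && ruid != pc->p_svuid &&
            ruid != pc->cr_uid) ||
           (euid != UID_UNCHANGED && euid != pc->p_ruid && euid != pc->p_svuid &&
            euid != pc->cr_uid) ||
           (suid != UID_UNCHANGED && suid != pc->p_ruid && suid != pc->p_svuid &&
            suid != pc->cr_uid);
}

/* Compares the two checks for a request that changes only the real uid.
 * Returns 1 when setreuid would refuse an unprivileged caller but setresuid
 * would not, and 0 when the two checks agree. */
int ruid_only_divergence(const struct cred_model *pc, uid_t new_ruid)
{
    bool re  = setreuid_needs_suser(pc, new_ruid, UID_UNCHANGED);
    bool res = setresuid_needs_suser(pc, new_ruid, UID_UNCHANGED, UID_UNCHANGED);
    return (re && !res) ? 1 : 0;
}

int main(void)
{
    /* Constructed process: real and saved uid 1000, effective uid 2000. */
    struct cred_model pc = { 1000, 2000, 1000 };

    printf("setreuid(2000, -1)     needs suser: %d\n",
           setreuid_needs_suser(&pc, 2000, UID_UNCHANGED));
    printf("setresuid(2000, -1, -1) needs suser: %d\n",
           setresuid_needs_suser(&pc, 2000, UID_UNCHANGED, UID_UNCHANGED));
    printf("checks diverge for ruid=2000: %d\n", ruid_only_divergence(&pc, 2000));
    printf("checks diverge for ruid=1000: %d\n", ruid_only_divergence(&pc, 1000));
    return 0;
}
```

With the constructed credentials, setting the real uid to 2000 (the effective uid) is refused by the setreuid predicate and accepted by the setresuid predicate; requests that both checks already accept (ruid back to 1000, or euid to the real or saved uid) or both refuse (an unrelated uid) give the same answer from both, which is the divergence the mail points at.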