4.0 had a security bug which would let any user EXCEPT root delete a SYSV
semaphore (the sense of a test was reversed). No other releases were
affected - rebuild your kernels if this is an issue. Good catch, Brian!

For "revision 1.8" in the below read "revision 1.9" (Jan 30, 1999).

---------- Forwarded message ----------
Date: Wed, 1 Mar 2000 21:03:22 -0500 (EST)
From: Brian Dean <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: cvs commit: src/sys/kern sysv_ipc.c

[SNIP - KK]

The bug is very easily tested/verified: just create a semaphore, then,
as root, try to delete it.  If the bug is there, you will get
"Operation not permitted".  Then try to delete it using an account
other than the one that created it, which is supposed to fail, but
works fine.

It appears that it might have cropped up at version 1.8 of
sys/kern/sysv_ipc.c.  At version 1.8, the check:

        if (cred->cr_uid == 0)

was replaced with:

        if (suser(cred, (u_short *)NULL))

I'm pretty sure this is what did it, since suser() returns 0 if you
_are_ superuser, and an error otherwise (even back then, I checked).

[END SNIP]

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
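
The reversed test described in the forwarded message, as an added example that is not part of the original mail and is not FreeBSD's code. It is a user-space model: struct ucred_model, struct sem_model, suser_model() and the may_delete_* functions are hypothetical names, and the owner check that follows the superuser test is an assumption about the surrounding logic.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-ins for the kernel structures; only cr_uid is from the mail. */
struct ucred_model { uid_t cr_uid; };
struct sem_model   { uid_t creator; };

/* Same convention the mail describes for suser():
 * 0 if the caller IS superuser, an error otherwise. */
static int suser_model(const struct ucred_model *cred)
{
    return cred->cr_uid == 0 ? 0 : EPERM;
}

/* Reversed sense: a nonzero (error) return is treated as "is superuser". */
static int may_delete_reversed(const struct ucred_model *cred,
                               const struct sem_model *sem)
{
    if (suser_model(cred))              /* true for every NON-root caller */
        return 0;
    return cred->cr_uid == sem->creator ? 0 : EPERM;   /* assumed owner check */
}

/* Correct sense: compare the return value against 0 explicitly. */
static int may_delete_fixed(const struct ucred_model *cred,
                            const struct sem_model *sem)
{
    if (suser_model(cred) == 0)         /* true only for root */
        return 0;
    return cred->cr_uid == sem->creator ? 0 : EPERM;   /* assumed owner check */
}

int main(void)
{
    /* Constructed sample: semaphore created by uid 1001. */
    struct sem_model sem = { 1001 };
    struct ucred_model callers[] = { { 0 }, { 1001 }, { 1002 } };

    for (size_t i = 0; i < sizeof callers / sizeof callers[0]; i++)
        printf("uid %lu: reversed=%d fixed=%d\n",
               (unsigned long)callers[i].cr_uid,
               may_delete_reversed(&callers[i], &sem),
               may_delete_fixed(&callers[i], &sem));
    return 0;
}
```

A return of 0 means the delete is allowed and EPERM is the "Operation not permitted" error quoted in the mail.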
