Proposed change to setre[ug]id()

Stephen R. van den Berg (srb@cuci.nl)
Tue, 18 Jun 1996 17:12:21 +0200


These changes make the setre[ug]id() calls more flexible, and functionally
compatible with other UNICES (and come closer to HP/UX, which even has
a setresuid() system call).

I would assert that if this change introduces security problems, then
that means that you don't trust the code you wrote in the first
place. That already is a bad assumption, so you shouldn't be using this
untrustworthy program under suid/sgid privileges anyway.

The same kind of "security" as previously attained with the old version
of the setreuid() is automatically available after execing (which is the
way god intended it to be all along :-), because at that time, the
saved ids will be overwritten by the effective ids.

--- /usr/src/linux1.3.ref/kernel/sys.c Thu Jun 6 21:22:29 1996
+++ sys.c Tue Jun 18 17:01:37 1996
@@ -240,7 +245,8 @@

if (rgid != (gid_t) -1) {
if ((old_rgid == rgid) ||
- (current->egid==rgid) ||
+ (old_egid == rgid) ||
+ (current->sgid == rgid) ||
suser())
current->gid = rgid;
else
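Review bot: the added (current->sgid == rgid) test in the rgid check lets a caller without suser() copy the saved gid into the real gid, which the old condition did not allow, and nothing in the hunk documents that. Please update the comment above the function to list the transitions now permitted to an unprivileged caller. The swap of current->egid==rgid for old_egid == rgid looks behaviour-neutral if old_egid is the value on entry; if that is the intent, say so in the changelog.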
@@ -248,7 +254,7 @@
}
if (egid != (gid_t) -1) {
if ((old_rgid == egid) ||
- (current->egid == egid) ||
+ (old_egid == egid) ||
(current->sgid == egid) ||
suser())
current->fsgid = current->egid = egid;
@@ -257,9 +263,6 @@
return(-EPERM);
}
}
- if (rgid != (gid_t) -1 ||
- (egid != (gid_t) -1 && egid != old_rgid))
- current->sgid = current->egid;
current->fsgid = current->egid;
if (current->egid != old_egid)
current->dumpable = 0;
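Review bot: removing the sgid update at the end of the function leaves no assignment to current->sgid in the lines shown, so a set-gid program that calls setregid(gid, gid) to give up its group for good now keeps that group in the saved gid, and the (current->sgid == egid) test in the previous hunk accepts a switch back. Existing callers that rely on the old behaviour get no error or warning. Consider keeping the update when the real gid is being set, and document the new semantics next to the function.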
@@ -449,7 +452,8 @@

if (ruid != (uid_t) -1) {
if ((old_ruid == ruid) ||
- (current->euid==ruid) ||
+ (old_euid == ruid) ||
+ (current->suid == ruid) ||
suser())
current->uid = ruid;
else
@@ -457,7 +461,7 @@
}
if (euid != (uid_t) -1) {
if ((old_ruid == euid) ||
- (current->euid == euid) ||
+ (old_euid == euid) ||
(current->suid == euid) ||
suser())
current->fsuid = current->euid = euid;
@@ -466,9 +470,6 @@
return(-EPERM);
}
}
- if (ruid != (uid_t) -1 ||
- (euid != (uid_t) -1 && euid != old_ruid))
- current->suid = current->euid;
current->fsuid = current->euid;
if (current->euid != old_euid)
current->dumpable = 0;
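Review bot: deleting the suid assignment means even a caller that passes suser() can no longer clear its saved uid through setreuid(); a root process that switches to an unprivileged user with setreuid(uid, uid) keeps its old saved uid, and the (current->suid == euid) test in the hunk above then accepts a switch back. Since the message says the saved ids are only overwritten on exec, a process that drops privileges without exec'ing has no permanent drop left through this call. Please keep the reset for the suser() case, or name the call that is meant to replace it.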

-- 
Sincerely,                                                          srb@cuci.nl
           Stephen R. van den Berg (AKA BuGless).
Auto repair rates: basic labor $40/hour; if you wait, $60; if you watch, $80;
if you ask questions, $100; if you help, $120; if you laugh, $140.
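
The saved-id behaviour discussed in the message, as an added example that is not part of the original post and is not kernel code: a small user-space model of the uid checks in the hunks above, run once with the deleted block and once without. The struct, the function names, the entry snapshot of the old ids, suser() modelled as euid == 0, and the error handling are assumptions of the model.

```c
#include <stdio.h>

#define NOCHG (-1)   /* stands in for (uid_t) -1 */

/* Constructed model of the three ids the patch touches (not kernel code). */
struct cred { int uid, euid, suid; };

/* Model of setreuid(): patched=0 follows the '-' lines, patched=1 the '+' lines.
 * Assumptions: the old ids are snapshots taken on entry, suser() means
 * euid == 0, and a failed check returns -1 with the ids as they were. */
static int model_setreuid(struct cred *c, int ruid, int euid, int patched)
{
    struct cred old = *c;
    int root = (old.euid == 0);

    if (ruid != NOCHG) {
        int ok = old.uid == ruid || old.euid == ruid || root ||
                 (patched && c->suid == ruid);
        if (!ok) return -1;
        c->uid = ruid;
    }
    if (euid != NOCHG) {
        int ok = old.uid == euid || old.euid == euid || c->suid == euid || root;
        if (!ok) { *c = old; return -1; }
        c->euid = euid;
    }
    /* The block the patch deletes: refresh the saved uid. */
    if (!patched && (ruid != NOCHG || (euid != NOCHG && euid != old.uid)))
        c->suid = c->euid;
    return 0;
}

/* Returns 1 if euid 'priv' can be taken back after setreuid(user, user). */
static int can_regain(int priv, int user, int patched)
{
    struct cred c = { user, priv, priv };  /* set-uid start: real=user, eff=saved=priv */
    if (model_setreuid(&c, user, user, patched) != 0) return -1;
    return model_setreuid(&c, NOCHG, priv, patched) == 0 && c.euid == priv;
}

int main(void)
{
    printf("old code:     regain possible = %d\n", can_regain(50, 1000, 0));
    printf("patched code: regain possible = %d\n", can_regain(50, 1000, 1));
    return 0;
}
```

The ids 50 and 1000 are constructed sample values; the model does not cover exec, where the message says the saved ids are overwritten by the effective ids.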