Problems with NFS write of setuid executeables

Max Weninger (max@takefive.co.at)
Fri, 16 Apr 1999 17:04:47 +0200 (CEST)

Hi,

I discovered a problem when writing on NFS mounted directories using a
"setuid" executeable. (Exactly it is a problem when using RCS) I am not
sure where this problem is located.
So any help would be nice.

My environment:

RedHat 5.2 on AlphaLinux
2.2.5 with latest NFSv3 patch
glibc-2.0.7
egcs-1.1.2

The following simple program test a sequence
-fopen
-fwrite
-fclose

On first a local and second on a NFS mounted directory.
(The same way it is done from RCS)

----------------------------------------------------

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char ** argv)
{
FILE *f;
int res;
char testString[1024]="just a test";
int len;
uid_t uid, ruid;

len=strlen(testString);
uid=getuid();
ruid=geteuid();
seteuid(ruid);

f=fopen("/tmp/test_out.txt","w");
if(f==0){
printf("fopen failed\n");
return -1;
}
seteuid(uid);

res=fwrite(testString,1,len,f);
if(res!=len){
printf("fwrite failed\n");
return -1;
}
fflush(f);

seteuid(ruid);

res=fclose(f);
if(res!=0){
printf("fclose failed\n");
return -1;
}

unlink("/tmp/test_out.txt");
seteuid(uid);
printf("ok\n");

seteuid(ruid);
f=fopen("/mnt/Projects/SNiFF+/Repository/sniffng/config/templates/RCS/test_out.txt","w");
if(f==0){
printf("fopen failed\n");
return -1;
}
seteuid(uid);

res=fwrite(testString,1,len,f);
if(res!=len){
printf("fwrite failed\n");
return -1;
}
fflush(f);

seteuid(ruid);

res=fclose(f);
if(res!=0){
printf("fclose failed\n");
return -1;
}

unlink("/mnt/Projects/SNiFF+/Repository/sniffng/config/templates/RCS/test_out.txt");
seteuid(uid);
printf("ok\n");
}

---------------------------------------------------------------------------------------------

The executeable is "setuid" for the user wsadm(uid=135)

-rwsr-xr-x 1 wsadm t5-dev 15915 Apr 16 16:42 test_nfs*

It gives the following strace output when started for user e.g. max
(uid=111)

------------------------------------------------------------------------------------

setreuid(4294967295, 135) = 0
open("/tmp/test_out.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
setreuid(4294967295, 111) = 0

write(3, "just a test", 11) = 11

setreuid(4294967295, 135) = 0
close(3) = 0
setreuid(4294967295, 111) = 0

setreuid(4294967295, 135) = 0
open("/mnt/Projects/SNiFF+/Repository/sniffng/config/templates/RCS/test_out.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
setreuid(4294967295, 111) = 0

write(3, "just a test", 11) = 11

setreuid(4294967295, 135) = 0

>>>>>>>>>>>> close(3) = -1 EACCES (Permission denied)

write(1, "fclose failed\n", 14fclose failed
) = 14

exit(-1) = ?

-------------------------------------------------------------------

The second close(3) failed on the NFS directory

The mount options are:
lucky:/export4 on /mnt type nfs (rw,addr=193.81.18.250)

The intresting is that when i remove the fflush(f) before the fclose
it works

......
setreuid(4294967295, 135) = 0
open("/mnt/Projects/SNiFF+/Repository/sniffng/config/templates/RCS/test_out.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
setreuid(4294967295, 111) = 0

setreuid(4294967295, 135) = 0
write(3, "just a test", 11) = 11
close(3) = 0
.....

Then the write call comes AFTER the setreuid call

Regards

Max

-- 
_______________________________________________________________
     \                  
    o/\_          DI Max Weninger
   <\__,\         Email (max@takefive.co.at)     
    ">.  |         
     ` .-|        TakeFive Software - Jakob-Haringer-Str. 8
        . \       A-5020 Salzburg - AUSTRIA
         . \      Tel: +43 662 4579150 - Fax: +43 662 4579156
         .-|      
_________._|____________________________________________________




-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/