System V.2.2 setuid() broken
John F. Haugh II
jfh at rpp386.UUCP
Thu Jul 14 15:06:07 AEST 1988
In article <1305 at basser.oz> boyd at basser.oz (Boyd Roberts) writes:
>I'm root and I run a non-root setuid executable. Then I want
>to fork() a shell and do the usual:
>
> setuid(getuid())
>
>Of course, I get EPERM, because setuid() is broken. Now is this
>a generic System V bug. I think it is. Clarification please?
no, according to SETUID(2), you got the correct behaviour, and on
close examination, that is the CORRECT behavior.
consider, running the a.out SUID sets the EFFECTIVE UID to the
non-root user. getuid(2) returns the REAL UID which equals
ROOT. and from the manual
    Setuid (setgid) will fail if the real user (group) ID
    of the calling process is not equal to uid (gid) and
    its effective user ID is not super-user. [ EPERM ]
the real user ID is ROOT and the uid is ROOT. however, the
effective user ID is not ROOT, so the call fails with EPERM.
this `feature' prevents a trojan horse from doing a
    if (getuid () == 0) {
        setuid (0);
        chown ("/bin/sh", 0, 0);
        chmod ("/bin/sh", 04711);
    }
thereby giving you the famed password free su command.
- john.
--
John F. Haugh II +--------- Cute Chocolate Quote ---------
HASA, "S" Division | "USENET should not be confused with
UUCP: killer!rpp386!jfh | something that matters, like CHOCOLATE"
DOMAIN: jfh at rpp386.uucp | -- with my apologies
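As an added illustration (not code from either poster), the probe below records the real and effective UIDs a process holds and the outcome of the setuid(getuid()) call discussed above, so the EPERM case can be observed on a given system rather than argued from the manual. Run unprivileged (real == effective) the call simply succeeds; to see the situation Boyd describes, run it from a root shell against a copy of the binary that is setuid to a non-root account. The struct and function names are my own.

```c
/* Added example: probe what setuid(getuid()) does from the current
 * credential state. Hypothetical names; not from the original post. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct setuid_probe {
    uid_t ruid;        /* real UID before the call (what getuid() returns) */
    uid_t euid;        /* effective UID before the call */
    int   rc;          /* return value of setuid(getuid()) */
    int   err;         /* errno when rc == -1, otherwise 0 */
    uid_t euid_after;  /* effective UID after the call */
};

/* Attempt to revert to the real UID, as a setuid program does before
 * forking a shell, and capture the result instead of just printing it. */
struct setuid_probe probe_setuid_to_real(void)
{
    struct setuid_probe p;
    p.ruid = getuid();
    p.euid = geteuid();
    errno = 0;
    p.rc = setuid(p.ruid);
    p.err = (p.rc == -1) ? errno : 0;
    p.euid_after = geteuid();
    return p;
}

int main(void)
{
    struct setuid_probe p = probe_setuid_to_real();
    printf("real uid %u, effective uid %u before setuid(getuid())\n",
           (unsigned)p.ruid, (unsigned)p.euid);
    if (p.rc == -1)
        printf("setuid(%u) failed: %s (errno %d)\n",
               (unsigned)p.ruid, strerror(p.err), p.err);
    else
        printf("setuid(%u) succeeded; effective uid now %u\n",
               (unsigned)p.ruid, (unsigned)p.euid_after);
    return p.rc == -1 ? 1 : 0;
}
```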