[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dropping setuid/setgid privileges

From: James Youngman
Subject: Re: dropping setuid/setgid privileges
Date: Tue, 9 Jun 2009 09:45:42 +0100

On Tue, Jun 9, 2009 at 4:40 AM, Sam Steingold<address@hidden> wrote:

> int foo () {
>  if (foo_low() == NEED_ABORT) {
>   fprintf(stderr,"life sucks\n");
>  abort();
> }}

A problem with code snippets like that in a security context is this attack:

cd /tmp
ln -s /usr/bin/setuid-program "$prog"

If the program is designed to open a controlled file (for example
/etc/passwd) and uses argv[0] in error messages (GNU programs usually
don't) then the function above will have emitted the value of $prog
into the controlled file.    The gnulib module fd-safer protects us
against such problems, but only if the program uses it.   (For
context, this resulted in local root exploits on Solaris [and a minor
privilege escalation on OpenBSD] even though the problem has been
known for over 20 years; see

In the specific case of the snippet above, it doesn't print argv[0].
That will protect us against this specific attack, but in the general
case unless we consistently used fd_safer() or something like it, it's
not safe to print anything in a setuid program that opens files for
writing, even after privileges have been dropped.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]