mailing list archives
Re: First Patch :)
From: aleph1 () NATIONWIDE NET (Aleph One)
Date: Fri, 29 May 1998 13:49:15 -0500
Interesting patch. To clear things up this patch does two things:
1) It stops processes from being able to exec() other programs with
an uid different from that of the original user unless the process
has been marked as secure.
2) It stops processes from being able to fork() with an uid different from
that of the original user unless the process has been marked as secure.
In both cases the process is allowed to continue with the exec() and fork()
but the uid and euid are forced to the original users uid. A file is
marked as secure by flipping a bit on its inode.
This minimizes the actions an attacker can do if they compromise a
setuid program that is not marked as secure. They will not be able to
fork() or exec() while maintaining their privilege. This also greatly
resticts the program itself. I wonder how many suid programs don't fork()
or exec() while maintaining privilege for some reason. If the are many it
defeats the purpose of the patch as you will have to mark them all as
But for a quick glance the patch seems to break 'su'. For example, joe
want to su to tom from his shell. His uid is 10, and tom's 20.
Process RUID UID EUID Secure
sh 10 10 10 0
The shell forks and execs su. All his uid's match so there is no problem.
su is market a 'secure'.
su 10 10 0 1
Now su changes uid's to tom's. Notice that in the code the RUID
is only ever changed if it already 0, so it doesn't change.
su 10 20 20 1
Now su exec's sh. su is a 'secure' process so it's ok to exec with
different a different uid and euid than ruid. The secure flag is set to 2
to indicate a child of a secure program.
sh 10 20 20 2
Now what happens if we try to run 'ls'? Well the sh forks first.
But wait. Our uid and euid are different from the ruid and fork won't
allow that. So ls ends up running under our old uid!
ls 10 10 10 0
You need to work a bit more on the semantics. The RUID must be reset
at some point if you want to be able to 'su' from accounts other than root..
Aleph One / aleph1 () dfw net
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01