Bugtraq: Re: Potential security problem with mtr

From: LaMont Jones <lamont_at_SECURITY.HP.COM>
Date: Fri, 3 Mar 2000 13:12:24 -0700

> Since the saved uid survives across fork() and exec(), any buffer
> overrun or similar bug in mtr is just as bad as if mtr had never done
> the seteuid() at all.

Saved-uid should get dropped on exec(), shouldn't it?

> The mtr code uses setuid() on HPUX, which according to the comments in
> the mtr code doesn't have the seteuid() call. It does seteuid() on all
> other systems though. It is unclear why the mtr authors favoured
> seteuid() before setuid() on platforms that have it.

Just FYI, HP-UX has setresuid() which allows you to change any
of the 3. Hence, seteuid() could be written (since days long
gone by) as 'setresuid(-1,uid,-1)'. Now, as to _why_ they chose
to add a setregid() system call, instead of making it a libc stub
to setresgid(), I still don't understand...

lamont
Received on Mar 06 2000
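
An added example, not part of the post above or of the mtr source: the `setresuid(-1,uid,-1)` form mentioned in the message leaves the real and saved UIDs in place, while setting all three and reading them back with `getresuid()` confirms that nothing remains to switch back to. It assumes Linux/glibc or another system that provides `setresuid()` and `getresuid()`; the function names are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes setresuid()/getresuid() on glibc */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example; function names are hypothetical. Prototypes are repeated
 * in case an earlier include already fixed the feature-test macros. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Temporary drop: the seteuid() equivalent from the post. Real and saved
 * UIDs are untouched, so the old effective UID can be restored later. */
int drop_temporarily(uid_t uid)
{
    return setresuid((uid_t)-1, uid, (uid_t)-1);
}

/* Returns 1 if the real or saved UID differs from the effective UID, so the
 * process could still switch identity; 0 if all match; -1 on error. */
int privilege_recoverable(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r != e || s != e) ? 1 : 0;
}

/* Permanent drop: set all three IDs, then verify instead of trusting
 * the return value alone. */
int drop_permanently(uid_t uid)
{
    uid_t r, e, s;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    return 0;
}
int main(void)
{
    uid_t target = getuid();   /* a set-uid program drops to its invoking user */
    if (drop_temporarily(target) != 0) { perror("setresuid(-1,uid,-1)"); return 1; }
    printf("after temporary drop: recoverable=%d\n", privilege_recoverable());
    if (drop_permanently(target) != 0) { perror("setresuid(uid,uid,uid)"); return 1; }
    printf("after permanent drop: recoverable=%d\n", privilege_recoverable());
    return 0;
}
```

Installed set-uid root and run by an ordinary user, this reports recoverable=1 after the temporary drop and recoverable=0 after the permanent one. A real set-uid program would drop supplementary groups and the group IDs the same way before touching the UID.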
