Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Potential security problem with mtr
From: lamont () SECURITY HP COM (LaMont Jones)
Date: Fri, 3 Mar 2000 13:12:24 -0700


Since the saved uid survives across fork() and exec(), any buffer
overrun or similar bug in mtr is just as bad as if mtr had never done
the seteuid() at all.

Saved-uid should get dropped on exec(), shouldn't it?

The mtr code uses setuid() on HPUX, which according to the comments in
the mtr code doesn't have the seteuid() call. It does seteuid() on all
other systems though. It is unclear why the mtr authors favoured
seteuid() before setuid() on platforms that have it.

Just FYI, HP-UX has setresuid() which allows you to change any
of the 3.  Hence, seteuid() could be written (since days long
gone by) as 'setresuid(-1,uid,-1)'.  Now, as to _why_ they chose
to add a setregid() system call, instead of making it a libc stub
to setresgid(), I still don't understand...

lamont


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]