Bugtraq mailing list archives
Pointer to a process's credential structure?
From: fritchie () stolaf edu (Scott Lystig Fritchie)
Date: Wed, 12 Apr 1995 17:44:53 -0500
Hi --
Browsing through some archived "bugtraq" messages I discovered a
really nifty way to change the effective and real userid of any
process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
That particular hole is demonstrably exploitable under Solaris 2.3
(and I assume Solaris 2.4), except for one little problem....
... obtaining a pointer to the process's user credentials structure.
SunOS 4.1.x was kind enough to supply "pstat", but that's missing
under Solaris 2.x. We've been scratching our heads trying to find a
Solaris utility that would do the same thing, but can't find one.
Obtaining the magic address is pretty simple using:
    #include <fcntl.h>
    #include <kvm.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/param.h>
    #include <sys/proc.h>
    int main(int argc, char *argv[]) {
        kvm_t *kernel;
        proc_t *ourproc;
        pid_t pid = (argc > 1) ? (pid_t)atoi(argv[1]) : getpid(); /* default: ourselves */
        if (! (kernel = kvm_open(NULL, NULL, NULL, O_RDONLY, argv[0]))) { /* NULLs = live kernel via /dev/kmem */
            perror("kvm_open");
            exit(2);
        }
        if (! (ourproc = kvm_getproc(kernel, pid))) { /* proc struct copied out of kernel memory */
            perror("kvm_getproc");
            exit(3);
        }
        printf("p_cred = %lx\n", (unsigned long)ourproc->p_cred);
        return 0;
    }
... but it won't work without permission to open /dev/kmem.
It's probably a good idea to enable the hardware password feature on
our Solaris consoles anyway (or is it?), but if there's a program
bundled with Solaris that will spit out that address, there's an added
reason for doing so. :-)
-Scott
---
Scott E. Lystig Fritchie, UNIX Systems Manager
Academic Computing Center, St. Olaf College
1510 St. Olaf Ave., Northfield, MN 55057
fritchie () stolaf edu ... 507/646.3407
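Editor's added example (not code from the post above): once p_cred is known, the next step on a live system would be to kvm_read() the credential record at that address. The program below does that parsing against a constructed in-memory stand-in for a slice of /dev/kmem, so it runs anywhere without libkvm. The struct cred layout (cr_ref, cr_uid, cr_gid, cr_ruid, cr_rgid, cr_suid, cr_sgid, cr_ngroups, cr_groups[]) is assumed from the Solaris 2.x <sys/cred.h>, the byte order is assumed big-endian as on SPARC, and SAMPLE_BASE, SAMPLE_P_CRED and the field values are made up for the demonstration. The bounds check is the part worth copying: a bad p_cred must be rejected rather than read past the end of the image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Credential record as laid out by Solaris 2.x <sys/cred.h> (assumed
 * here; check your own kernel headers). Every member is a 32-bit word. */
struct sol_cred {
    uint32_t cr_ref;       /* reference count */
    uint32_t cr_uid;       /* effective uid */
    uint32_t cr_gid;       /* effective gid */
    uint32_t cr_ruid;      /* real uid */
    uint32_t cr_rgid;      /* real gid */
    uint32_t cr_suid;      /* saved uid */
    uint32_t cr_sgid;      /* saved gid */
    uint32_t cr_ngroups;   /* entries in cr_groups */
    uint32_t cr_groups[1]; /* first supplementary group (list is variable) */
};

#define CRED_FIXED_BYTES 32u /* eight 32-bit words before cr_groups */

/* SPARC kernels store words most-significant byte first. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Parse the cred at kernel address `addr` out of `img`, whose byte 0
 * corresponds to kernel address `base`. Returns 0 on success, -1 when
 * the record (fixed part plus group list) is not entirely inside the
 * image, so a bogus p_cred never becomes an out-of-bounds read. */
int read_cred(const unsigned char *img, size_t len, uintptr_t base,
              uintptr_t addr, struct sol_cred *out)
{
    size_t off, ngroups;
    if (addr < base || addr - base >= len) return -1;
    off = (size_t)(addr - base);
    if (len - off < CRED_FIXED_BYTES) return -1;
    ngroups = be32(img + off + 28);
    if (ngroups > (len - off - CRED_FIXED_BYTES) / 4) return -1;
    out->cr_ref     = be32(img + off);
    out->cr_uid     = be32(img + off + 4);
    out->cr_gid     = be32(img + off + 8);
    out->cr_ruid    = be32(img + off + 12);
    out->cr_rgid    = be32(img + off + 16);
    out->cr_suid    = be32(img + off + 20);
    out->cr_sgid    = be32(img + off + 24);
    out->cr_ngroups = (uint32_t)ngroups;
    out->cr_groups[0] = ngroups ? be32(img + off + CRED_FIXED_BYTES) : 0;
    return 0;
}

/* Constructed stand-in for a slice of /dev/kmem: SAMPLE_LEN bytes that
 * begin at kernel address SAMPLE_BASE, holding one cred at SAMPLE_P_CRED.
 * Addresses and values are invented for the demonstration. */
#define SAMPLE_BASE   0xf0130000u
#define SAMPLE_P_CRED 0xf0130040u
#define SAMPLE_LEN    256u

static void build_sample_image(unsigned char *img)
{
    /* ref=3, euid=1001, egid=100, ruid=1001, rgid=100, suid=1001,
     * sgid=100, ngroups=1, groups[0]=10 */
    static const uint32_t words[] = { 3, 1001, 100, 1001, 100, 1001, 100, 1, 10 };
    size_t i, off = SAMPLE_P_CRED - SAMPLE_BASE;
    memset(img, 0, SAMPLE_LEN);
    for (i = 0; i < sizeof words / sizeof words[0]; i++)
        put_be32(img + off + 4 * i, words[i]);
}

struct sol_cred g_sample; /* filled in by sample_parse() */

/* Parse the constructed record into g_sample; returns read_cred's status. */
int sample_parse(void)
{
    unsigned char img[SAMPLE_LEN];
    build_sample_image(img);
    return read_cred(img, SAMPLE_LEN, SAMPLE_BASE, SAMPLE_P_CRED, &g_sample);
}

/* A p_cred whose record would run past the image must be rejected (-1). */
int sample_reject_bad_pointer(void)
{
    unsigned char img[SAMPLE_LEN];
    struct sol_cred c;
    build_sample_image(img);
    return read_cred(img, SAMPLE_LEN, SAMPLE_BASE,
                     SAMPLE_BASE + SAMPLE_LEN - 8, &c);
}

int main(void)
{
    if (sample_parse() != 0) { puts("parse failed"); return 1; }
    printf("p_cred = %lx: uid %u/%u/%u gid %u/%u/%u ngroups %u\n",
           (unsigned long)SAMPLE_P_CRED, g_sample.cr_uid, g_sample.cr_ruid,
           g_sample.cr_suid, g_sample.cr_gid, g_sample.cr_rgid,
           g_sample.cr_sgid, g_sample.cr_ngroups);
    return 0;
}
```

On a real Solaris box the image would come from kvm_read(kernel, ourproc->p_cred, buf, sizeof buf) after the kvm_getproc() call in the post; the parsing and the bounds check stay the same.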
Current thread:
- Pointer to a process's credential structure? Scott Lystig Fritchie (Apr 12)
- Re: Pointer to a process's credential structure? John F. Haugh II (Apr 16)
- Re: Pointer to a process's credential structure? John C. Orthoefer (Apr 16)
- Re: Pointer to a process's credential structure? Scott Lystig Fritchie (Apr 17)
- Welcome to bugtraq Majordomo () fc net (Apr 20)
- <Possible follow-ups>
- Re: Pointer to a process's credential structure? Patrick Horgan (Apr 13)
- Re: Pointer to a process's credential structure? Scott Fritchie (Apr 14)
- Re: Pointer to a process's credential structure? Frank Byrum (Apr 14)
