[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#7799: Potential Security Hole: bug with setuid/seteuid?


This is at least a bug.  It may also have security implications, though I
don't know about that.

It appears that Linux's setuid code allows a setuid program to access both
real and effective uid files at once (without switching between the two). 
This is contrary to how it should be implemented.

Here is a short C program to demonstrate:

#include <stdlib.h>
#include <unistd.h>

void main(void)
uid_t uid = geteuid();
  system("mail jgoerzen < /etc/issue");

(Note: the seteuid() call can be replaced with setuid() and get the same

Compile, chown to root.root, and chmod to 6711 (or similar).

When running this, I send myself a mail.   It should be indicated as being
from root, but instead, the From: line reads "jgoerzen"!

There is the same problem when using "su -".
 (eg su -, then mail jgoerzen: still sets "From" line to jgoerzen)

This hardly seems to be correct behavior.

John Goerzen

Reply to: