
Bug#7799: Potential Security Hole: bug with setuid/seteuid?



Hello,

This is at least a bug.  It may also have security implications, though I
don't know about that.

It appears that Linux's setuid code allows a setuid program to access both
real and effective uid files at once (without switching between the two).
This is contrary to how it should be implemented.

Here is a short C program to demonstrate:

#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
  /* For a setuid-root binary the effective uid is root here,
     while the real uid is still the invoking user's. */
  uid_t uid = geteuid();
  seteuid(uid);   /* sets the effective uid to the value it already has */
  system("mail jgoerzen < /etc/issue");
  return 0;
}

(Note: the seteuid() call can be replaced with setuid() and gets the same
results.)

Compile, chown to root.root, and chmod to 6711 (or similar).

When running this, I send myself a mail. It should be indicated as being
from root, but instead the From: line reads "jgoerzen"!

There is the same problem when using "su -".
 (e.g. su -, then mail jgoerzen: still sets the "From" line to jgoerzen)

This hardly seems to be correct behavior.

John Goerzen
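As an added illustration, not part of John's report or of Debian's code, the program below makes the three uids involved visible. It snapshots the real, effective and saved set-user-ID with the Linux/glibc call getresuid(), repeats the report's seteuid(geteuid()) sequence (which changes nothing, because seteuid() only touches the effective uid and it is set to its current value), and then shows the check a practitioner wants when a setuid program gives up privilege: set all three uids with setresuid() and verify afterwards that they match and that root cannot be regained. The remark that mail(1) picks its sender from the real uid is an assumption used to explain the observed From: line, not something the report verifies; the program runs unprivileged too, where the drop simply succeeds trivially.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for getresuid()/setresuid() in <unistd.h> */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case <unistd.h> was already included without
 * _GNU_SOURCE; these match the glibc declarations exactly. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

struct uids { uid_t ruid, euid, suid; };

/* Snapshot of the real, effective and saved set-user-IDs of this process. */
struct uids read_uids(void)
{
    struct uids u;
    if (getresuid(&u.ruid, &u.euid, &u.suid) != 0) {
        perror("getresuid");
        exit(EXIT_FAILURE);
    }
    return u;
}

/* The sequence from the bug report: seteuid(geteuid()).  seteuid() changes
 * only the effective uid, and it is set to the value it already has, so
 * nothing changes.  Returns the real uid afterwards, which is still the
 * invoking user's.  Assumption: a helper such as mail(1) that identifies
 * the sender from getuid() therefore reports that user, not root. */
uid_t seteuid_to_own_euid(void)
{
    if (seteuid(geteuid()) != 0) {
        perror("seteuid");
        exit(EXIT_FAILURE);
    }
    return getuid();
}

/* Permanently give up set-user-ID privilege: set real, effective and saved
 * uid to the real uid, then verify.  Returns 0 on success, -1 on failure.
 * (setuid(uid) called with effective uid 0 also sets all three, but the
 * explicit form plus verification leaves nothing to the semantics.) */
int drop_to_real_uid(void)
{
    uid_t r = getuid();
    if (setresuid(r, r, r) != 0)
        return -1;
    struct uids u = read_uids();
    if (u.ruid != r || u.euid != r || u.suid != r)
        return -1;
    /* If we were set-uid root, regaining root must now fail (EPERM). */
    if (r != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Number of distinct uids among real/effective/saved: 1 means the process
 * runs under a single identity, more than 1 means it is still set-uid. */
int distinct_uid_count(void)
{
    struct uids u = read_uids();
    int n = 1;
    if (u.euid != u.ruid) n++;
    if (u.suid != u.ruid && u.suid != u.euid) n++;
    return n;
}

static void show(const char *label)
{
    struct uids u = read_uids();
    printf("%-28s real=%u effective=%u saved=%u\n", label,
           (unsigned)u.ruid, (unsigned)u.euid, (unsigned)u.suid);
}

int main(void)
{
    show("at start");
    seteuid_to_own_euid();
    show("after seteuid(geteuid())");
    if (drop_to_real_uid() != 0) {
        fprintf(stderr, "failed to drop privileges: %s\n", strerror(errno));
        return 1;
    }
    show("after setresuid(r, r, r)");
    return 0;
}
```

Installed set-uid root (chown root, chmod 4711) and run by an ordinary user, the first two lines show real=<user> effective=0 saved=0, i.e. the report's seteuid() call leaves the real uid alone, and the third line shows all three equal to the user after the verified drop.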

