Bug#7799: Potential Security Hole: bug with setuid/seteuid?
Hello,
This is at least a bug. It may also have security implications, though I
don't know about that.
It appears that Linux's setuid code allows a setuid program to access both
real and effective uid files at once (without switching between the two).
This is contrary to how it should be implemented.
Here is a short C program to demonstrate:
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* With the binary chown'd root and setuid, geteuid() is root; setting the
       effective uid to that same value leaves the real uid (the caller) as is. */
    uid_t uid = geteuid();
    seteuid(uid);
    /* The mail that arrives carries the invoking user, not root, in From:. */
    system("mail jgoerzen < /etc/issue");
    return 0;
}
(Note: the seteuid() call can be replaced with setuid() with the same
results.)
Compile, chown to root.root, and chmod to 6711 (or similar).
When running this, I send myself a mail. It should be indicated as being
from root, but instead, the From: line reads "jgoerzen"!
There is the same problem when using "su -".
(e.g. su -, then mail jgoerzen: still sets the "From" line to jgoerzen)
This hardly seems to be correct behavior.
John Goerzen
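An added example, not part of John Goerzen's report: a small C program that reads the real and effective uid a set-user-id process holds, drops the file owner's privileges back to the invoking user, and verifies that the old effective uid cannot be reacquired. The function names (current_uids, drop_privileges_permanently) are my own; it relies on Linux setuid() semantics, where a process with effective uid 0 has real, effective and saved uid all changed, while an unprivileged process keeps its saved set-user-id.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The two ids a portable program can read directly. In a set-user-id
 * binary, real is the invoking user and effective is the file owner, so
 * seteuid(geteuid()) as in the report's demo changes nothing: the real
 * uid stays the caller's. */
struct uid_view { uid_t real; uid_t effective; };

struct uid_view current_uids(void)
{
    struct uid_view v = { getuid(), geteuid() };
    return v;
}

/* Give up the owner's privileges for good: setuid() to the real uid, then
 * verify. Returns 0 on success, -1 if a call failed unexpectedly, and -2 if
 * the old effective uid can still be regained (the setuid-to-non-root
 * pitfall: setuid() from an unprivileged effective uid only changes the
 * effective uid and leaves the saved set-user-id behind). */
int drop_privileges_permanently(void)
{
    uid_t real = getuid();
    uid_t old_effective = geteuid();
    if (setuid(real) != 0)
        return -1;
    if (getuid() != real || geteuid() != real)
        return -1;
    /* Not running set-user-id: there was nothing to drop. */
    if (old_effective == real)
        return 0;
    /* Try to climb back; success here means the drop was incomplete. */
    if (seteuid(old_effective) == 0) {
        seteuid(real);   /* return to the dropped state before reporting */
        return -2;
    }
    return errno == EPERM ? 0 : -1;
}

int main(void)
{
    int rc = drop_privileges_permanently();
    struct uid_view v = current_uids();
    printf("real=%u effective=%u drop=%d\n", (unsigned)v.real, (unsigned)v.effective, rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as an ordinary user and the drop is a no-op (rc 0); installed setuid to a non-root owner it reports -2, which is the case a setuid program must guard against.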