
Re: discarding root privileges in suid perl



On Mon, Oct 16, 2000 at 11:59:18PM -0700, Mike Markley wrote:
> What kernel version is this? Wasn't there something weird with a recent
> 2.2.x kernel dropping privs (manifested in a sendmail exploit)? I don't
> remember details...

That required capabilities; this isn't related.

I would expect this to be something to do with saved userids... see
setresuid(2) for more information:

       Unprivileged user processes (i.e., processes with each  of
       real,  effective and saved user ID nonzero) may change the
       real, effective and saved user ID, each  to  one  of:  the
       current  uid,  the  current  effective  uid or the current
       saved uid.

       The super-user may set real, effective and saved  user  ID
       to arbitrary values.

It's not clear what happens when saved uid is zero and the others are
nonzero, but I bet that's what you're seeing.  Note that saved uid is
-not- preserved across exec() IIRC.  So if you drop privileges and
then run a script that tries to get them back, it will fail, even if
the parent could.

> On Tue, Oct 17, 2000 at 02:32:21PM +1100, Brian May <bam@debian.org> spake forth:
> > >>>>> "Miquel" == Miquel van Smoorenburg <miquels@cistron.nl> writes:
> > 
> >     Miquel> In article <84lmvpg3bz.fsf@snoopy.apana.org.au>, Brian May
> >     Miquel> <bam@debian.org> wrote:
> >     >> According to "man perlsec", line 300+, the following code
> >     >> should destroy extra privileges in a suid root perl script:
> >     >> 
> >     >> $EUID = $UID; $EGID = $GID; # initgroups() also called!
> > 
> >     Miquel> You need to 'use English' for the $EUID etc variables to
> >     Miquel> work.  Otherwise use $>, $<, etc. See 'man perlvar'
> > 
> > Already done. I also use strict, to ensure mistakes like this cannot
> > happen.
> > 
> > As for this problem, I suspect perl or libc6 might be caching the old
> > permissions somewhere, but I don't understand how or why.
> > 
> > Otherwise, it should normally be impossible for a non-root program (ie
> > UID!=root and EUID!=root) to suddenly obtain root privileges.
> > -- 
> > Brian May <bam@debian.org>
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> -- 
> Mike Markley <mike@markley.org>
> PGP: 0xA9592D4D 62 A7 11 E2 23 AD 4F 57  27 05 1A 76 56 92 D5 F6
> GPG: 0x3B047084 7FC7 0DC0 EF31 DF83 7313  FE2B 77A8 F36A 3B04 7084
> 
> Emotions are alien to me.  I'm a scientist.
> - Spock, "This Side of Paradise", stardate 3417.3
> 


Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/
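
An added example, not part of the original message: C code that encodes the setresuid(2) rule quoted above and drops a setuid program's user IDs by setting the real, effective and saved UID together, then verifying the result. The function names are made up for this example; it assumes effective UID 0 is the only privileged case and covers user IDs only, not group IDs.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* setresuid/getresuid are Linux/glibc extensions */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes; harmless if <unistd.h> already declared them. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* The quoted rule as a pure function (hypothetical helper): a process
 * without effective uid 0 may switch only to one of its three current IDs.
 * Assumption: privilege == euid 0 (capabilities are ignored here). */
int may_switch_to(uid_t r, uid_t e, uid_t s, uid_t want)
{
    if (e == 0)
        return 1;
    return want == r || want == e || want == s;
}

/* Set all three IDs to `uid`, then verify. Returns 0 on success, -1 if any
 * step fails. Group IDs and supplementary groups are not handled here and
 * would have to be changed first, while still privileged. */
int drop_uid_permanently(uid_t uid)
{
    uid_t r, e, s;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    /* With a nonzero target, getting uid 0 back must be impossible. */
    if (uid != 0 && (may_switch_to(r, e, s, 0) || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) { perror("getresuid"); return 1; }
    printf("before: ruid=%ld euid=%ld suid=%ld, can regain root: %s\n",
           (long)r, (long)e, (long)s, may_switch_to(r, e, s, 0) ? "yes" : "no");
    if (drop_uid_permanently(r) != 0) { fputs("drop failed\n", stderr); return 1; }
    if (getresuid(&r, &e, &s) != 0) { perror("getresuid"); return 1; }
    printf("after:  ruid=%ld euid=%ld suid=%ld, can regain root: %s\n",
           (long)r, (long)e, (long)s, may_switch_to(r, e, s, 0) ? "yes" : "no");
    return 0;
}
```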


