Interesting patch. To clear things up this patch does two things: 1) It stops processes from being able to exec() other programs with an uid different from that of the original user unless the process has been marked as secure. 2) It stops processes from being able to fork() with an uid different from that of the original user unless the process has been marked as secure. In both cases the process is allowed to continue with the exec() and fork() but the uid and euid are forced to the original users uid. A file is marked as secure by flipping a bit on its inode. This minimizes the actions an attacker can do if they compromise a setuid program that is not marked as secure. They will not be able to fork() or exec() while maintaining their privilege. This also greatly resticts the program itself. I wonder how many suid programs don't fork() or exec() while maintaining privilege for some reason. If the are many it defeats the purpose of the patch as you will have to mark them all as 'secure'. But for a quick glance the patch seems to break 'su'. For example, joe want to su to tom from his shell. His uid is 10, and tom's 20. Process RUID UID EUID Secure sh 10 10 10 0 The shell forks and execs su. All his uid's match so there is no problem. su is market a 'secure'. su 10 10 0 1 Now su changes uid's to tom's. Notice that in the code the RUID is only ever changed if it already 0, so it doesn't change. su 10 20 20 1 Now su exec's sh. su is a 'secure' process so it's ok to exec with different a different uid and euid than ruid. The secure flag is set to 2 to indicate a child of a secure program. sh 10 20 20 2 Now what happens if we try to run 'ls'? Well the sh forks first. But wait. Our uid and euid are different from the ruid and fork won't allow that. So ls ends up running under our old uid! ls 10 10 10 0 You need to work a bit more on the semantics. The RUID must be reset at some point if you want to be able to 'su' from accounts other than root.. Aleph One / aleph1at_private http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:28 PDT