Re: ncurses 4.1 security bug

From: Casper Dik (casperat_private)
Date: Thu Jul 09 1998 - 12:27:24 PDT


    >ncurses version 4.1 fails to drop privileges before opening the
    >termcap database and you can set any file(s) you like. I am not sure
    >any setuid program allows an exploit but this is not good in any case.
    >Here is a patch that stops that game. (Using the patch requires
    >autoconf because I have not supplied diffs against the configure
    >script).
    
    It seems to me that the below fix is broken; what happens if:
    
        - the program already swapped uids (using setreuid(euid, ruid))?
                - you introduce a security hole
        - the program swapped using saved uids (using setreuid(-1, ruid))?
                - fine with setfsuid
                - but with saved uids, you reset the saved euid to ruid.
                  (you throw away the privileges you had for good.)
    
    Juggling with uids in the library is hard; you don't know what the
    original uids were and you really have no way to find out.
    
    >+#ifdef HAVE_SETFSUID
    >+                               /* drop privs to make sure file allowed */
    >+                               fsuid=setfsuid(getuid());
    >+                               fsgid=setfsgid(getgid());
    >+#else
    >+                               fsuid=getuid();
    >+                               fsgid=getgid();
    >+#ifdef HAVE_SETREUID
    >+                               /* Swap real and effective uid */
    >+                               setreuid(geteuid(), getuid());
    >+                               serregid(getegid(), getgid());
    >+#else
    >+                               seteuid(getuid()); /* Saved ids or broken */
    >+                               setegid(getgid());
    >+#endif /* HAVE_SETREUID */
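Review bot: `serregid(getegid(), getgid());` in the HAVE_SETREUID branch is a typo for `setregid` and will not build when HAVE_SETREUID is defined; the return values of setreuid/setregid and seteuid/setegid are also never checked, so a failed call would leave the termcap file opened with the original effective ids. Suggest `setregid(getegid(), getgid());` and treating a -1 return from any of these calls as a reason not to open the file.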
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:42 PDT
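As an added example (not part of the thread or of ncurses), a small C model of setreuid() semantics that traces the three cases Casper lists; the transition rules follow the Linux setreuid(2) manual page and are an assumption for other systems, and the uid values 500 and 1000 are constructed.

```c
/* Added example (not from the thread): a pure model of setreuid(2) for a
 * process whose euid is not 0, following the Linux manual page rules, used
 * to trace the cases Casper describes.  No real uid calls are made. */
typedef struct { int r, e, s; } uids;   /* real, effective, saved uid */
#define UNCHANGED (-1)
/* setreuid() model: an unprivileged caller may set ruid to the old real or
 * effective uid, and euid to the old real, effective or saved uid.  If ruid
 * is set, or euid is set to something other than the old real uid, the
 * saved uid becomes the new effective uid (the rule that matters below). */
int model_setreuid(uids *u, int ruid, int euid)
{
    uids old = *u;
    if (ruid != UNCHANGED && ruid != old.r && ruid != old.e) return -1;
    if (euid != UNCHANGED && euid != old.r && euid != old.e && euid != old.s) return -1;
    if (ruid != UNCHANGED) u->r = ruid;
    if (euid != UNCHANGED) u->e = euid;
    if (ruid != UNCHANGED || (euid != UNCHANGED && euid != old.r)) u->s = u->e;
    return 0;
}
/* The patch's unconditional "swap real and effective uid" before open(). */
int library_swap(uids *u) { return model_setreuid(u, u->e, u->r); }
/* Constructed setup: a binary owned by uid 1000 with the setuid bit set,
 * executed by uid 500.  At exec: real=500, effective=1000, saved=1000. */
#define USER  500
#define OWNER 1000
static uids at_exec(void) { uids u = { USER, OWNER, OWNER }; return u; }
/* Can this process still switch its effective uid back to the owner? */
int can_regain_owner(uids u) { return model_setreuid(&u, UNCHANGED, OWNER) == 0; }
/* Case 1: program never touched its uids; the swap drops to uid 500 as
 * intended, and a second swap later gets uid 1000 back. */
uids case_untouched(void) { uids u = at_exec(); library_swap(&u); return u; }
/* Case 2: program already swapped with setreuid(euid, ruid).  The library's
 * second swap puts the owner's uid back into euid while the file is opened. */
uids case_already_swapped(void) {
    uids u = at_exec();
    model_setreuid(&u, OWNER, USER);   /* the program's own swap */
    library_swap(&u);
    return u;
}
/* Case 3: program dropped privilege with setreuid(-1, ruid), keeping the owner's
 * uid in the saved slot to regain it later.  The library's swap sets ruid, which
 * also overwrites the saved uid with 500: the privilege is gone for good. */
uids case_saved_uid(void) {
    uids u = at_exec();
    model_setreuid(&u, UNCHANGED, USER);
    library_swap(&u);
    return u;
}
```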