>ncurses version 4.1 fails to drop privileges before opening the
>termcap database and you can set any file(s) you like. I am not sure
>any setuid program allows an exploit but this is not good in any case.
>Here is a patch that stops that game. (Using the patch requires
>autoconf because I have not supplied diffs against the configure
>script).

It seems to me that the below fix is broken; what happens if:

- the program already swapped uids (using setreuid(euid, ruid))?
  - you introduce a security hole
- the program swapped using saved uids (using setreuid(-1, ruid))
  - fine with setfsuid
  - but with saved uids, you reset the saved euid to ruid.
    (you throw away the privileges you had for good.)

Juggling with uids in the library is hard; you don't know what the
original uids were and you really have no way to find out.

>+#ifdef HAVE_SETFSUID
>+ /* drop privs to make sure file allowed */
>+ fsuid=setfsuid(getuid());
>+ fsgid=setfsgid(getgid());
>+#else
>+ fsuid=getuid();
>+ fsgid=getgid();
>+#ifdef HAVE_SETREUID
>+ /* Swap real and effective uid */
>+ setreuid(geteuid(), getuid());
>+ serregid(getegid(), getgid());
>+#else
>+ seteuid(getuid()); /* Saved ids or broken */
>+ setegid(getgid());
>+#endif /* HAVE_SETREUID */
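Review bot: `serregid(getegid(), getgid())` in the HAVE_SETREUID branch is not a libc function (setregid is), so that configuration will not link; beyond the typo, none of the setfsuid/setreuid/seteuid return values are checked, so a failed call leaves the termcap file opened with the original privileges while the code believes they were dropped. The larger issue is the one raised above: `setreuid(geteuid(), getuid())` assumes the process still holds its start-up credentials, and when the caller has already swapped or dropped its effective uid the same call raises privilege or overwrites the saved uid instead of lowering it.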
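The three cases listed in the reply, worked through with a small model of saved-set-uid credential rules; this is an added illustration, not code from the ncurses patch or from anyone on the thread, and it models the setreuid/seteuid semantics rather than calling the real syscalls (permission checks are omitted, and the constants ROOT/USER and the Creds class are the model's own).

```python
# Model of the credential rules the reply argues about, used to show what the
# patch's HAVE_SETREUID branch does from three different starting states.
# Added illustration, not code from the thread. Classic saved-set-uid rules:
#  - setreuid(r, e): -1 leaves a field alone; if r is given, or e differs from
#    the old real uid, the saved uid becomes the new effective uid.
#  - seteuid(e): changes only the effective uid, saved uid is kept.
# Only uids are modelled; the patch's gid calls follow the same rules.

ROOT, USER = 0, 1000          # constructed sample uids


class Creds:
    """(real, effective, saved) uid of one process; no permission checks."""
    def __init__(self, ruid, euid, suid):
        self.ruid, self.euid, self.suid = ruid, euid, suid

    def setreuid(self, r, e):
        old_ruid = self.ruid
        if r != -1:
            self.ruid = r
        if e != -1:
            self.euid = e
        if r != -1 or (e != -1 and e != old_ruid):
            self.suid = self.euid

    def seteuid(self, e):
        self.euid = e

    def as_tuple(self):
        return (self.ruid, self.euid, self.suid)


def patch_setreuid_branch(c):
    """What the quoted patch does: setreuid(geteuid(), getuid())."""
    c.setreuid(c.euid, c.ruid)
    return c.as_tuple()


def scenario_fresh_setuid_root():
    # setuid-root binary just started: real=user, effective=root, saved=root
    return patch_setreuid_branch(Creds(USER, ROOT, ROOT))   # (USER, ROOT, USER) swapped, as intended


def scenario_already_swapped():
    # caller already did setreuid(euid, ruid) before calling the library
    c = Creds(USER, ROOT, ROOT)
    c.setreuid(c.euid, c.ruid)          # real=root, effective=user
    return patch_setreuid_branch(c)     # effective is root again while the file is opened


def scenario_saved_uid_swap():
    # caller did setreuid(-1, ruid): effective=user, root kept only in saved uid
    c = Creds(USER, ROOT, ROOT)
    c.setreuid(-1, c.ruid)
    return patch_setreuid_branch(c)     # saved uid overwritten: root is gone for good
```

The first scenario is the only one the patch was written for; the other two return credentials that are either more privileged than before the call or that can never regain privilege.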
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:42 PDT