Apologies, in my original post I neglected to mention version numbers (it had been a long day). The incorrect behaviour is present in OpenBSD 2.3, and the current source. I don't know about earlier versions. Also, (Free|Net)BSD seem to implement setreuid() and setregid in the kernel, so presumably they are not vulnerable. The problem is in the following two files: src/lib/libc/compat-43/__setreuid.c src/lib/libc/compat-43/__setregid.c I have quickly cobbled together a couple of patches that are avaliable in ftp.styx.org in /pub/openbsd_patches. To apply, $ cd /usr/src/lib/libc/compat-43 $ patch -p0 < /wherever/__setreuid.c.patch $ patch -p0 < /wherever/__setregid.c.patch and then recompile libc. Bear in mind that these are /not/ official OpenBSD patches, and I can take no responsibility to what they may or may not do to your system -- but they should work as advertised in the man page with the following exception: if setreuid(ruid, euid) is called by root, and ruid is not 0, and euid != ruid, the call will fail after doing a setuid(ruid). Cheers, Will -- | Will Waites | "Man is a political and a social animal, and he | | wwat_private | normally enjoys hearing fantastic answers in | | www.styx.org/~ww | preference to none." -- Joseph Heller | |--------------------------------------------------------------------| | Finger wwat_private for PGP Public Key |
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:34 PDT