setreuid(3) and setregid(3) were system calls in 4.3BSD that temporarily swapped (or permanently set) the real and effective user ids of the current process. They no longer appeared in 4.4BSD. They are now implemented as 4.3BSD compatibility functions in libc under OpenBSD -- I'm not certain about (Net|Free)BSD.

Although the man page says that root can arbitrarily change its uid, the OpenBSD implementation bails with an EPERM if the real uid to be changed to is not equal to the current effective uid -- i.e. a program running as root cannot use setreuid() to relinquish permissions.

Putting aside a diatribe on how programs should check the return values of system calls, there exist programs that run as root that do not check the return values of setreuid (or even setuid) since they correctly expect that such calls cannot fail if they have root permissions. One such program is zmailer, which calls seteuid() to relinquish permissions in order to perform local mail delivery as the user receiving the mail (i.e. when mail is forwarded to a pipe). This is trivial to exploit to create and append to arbitrary root owned files.

Will
--
Will Waites | wwat_private | www.styx.org/~ww
"Man is a political and a social animal, and he normally enjoys hearing fantastic answers in preference to none." -- Joseph Heller
Finger wwat_private for PGP Public Key
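The defensive counterpart to the problem described above, as an added example that is not code from the post or from zmailer: a privilege drop that checks every return value and then verifies through getuid()/geteuid() that the ids really changed, so a silent EPERM from setreuid() cannot leave the program running as root. The function name drop_to_user and the setgroups() step are my additions, not anything the post describes.

```c
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 only when the kernel confirms
 * the change; any unchecked assumption about "root can't fail" is replaced
 * by an explicit check. On -1 the caller must abort, not carry on. */
int drop_to_user(uid_t uid, gid_t gid) {
    /* Supplementary groups and the gid go first: once the uid is gone,
     * these calls would no longer be permitted. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setregid(gid, gid) != 0) {
        fprintf(stderr, "setregid: %s\n", strerror(errno));
        return -1;
    }
    if (setreuid(uid, uid) != 0) {
        fprintf(stderr, "setreuid: %s\n", strerror(errno));
        return -1;
    }
    /* Do not trust the return value alone: read the ids back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    /* A process that really gave up root cannot get it back. If this
     * succeeds, a saved set-user-id of 0 was left behind. */
    if (uid != 0 && seteuid(0) == 0) {
        fprintf(stderr, "privileges can be regained; refusing to run\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv) {
    /* Target ids from the command line, defaulting to our own (a no-op
     * drop that still exercises every check). */
    uid_t uid = argc > 1 ? (uid_t)atoi(argv[1]) : getuid();
    gid_t gid = argc > 2 ? (gid_t)atoi(argv[2]) : getgid();
    if (drop_to_user(uid, gid) != 0)
        return 1;
    printf("running as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```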
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:48 PDT