Thanks, it's a great paper. Unix developpers: it should be worth taking a look at it. Indeed, with their rigourous methodology, the authors did detect this error in the setgid linux manpage on Red Hat 7.2. I just wonder if they reported it (the manpage on www.linux.org is still inaccurate at the moment). This paper also reports a real example of a program with the setgid flag only, that thinks it can drop all privileges by calling setgid(getgid()). It is OK on FreeBSD, but not on Linux... Another interesting example is a setuid program with a non-root owner that want to drop its privileges. (I use here the word "privilege" in an extensive and empiric "having access to objects on the system that are forbidden to the current user"). Well, on Linux and Solaris, this program will not properly drop privileges by the usual way: calling setgid() then setuid(). The saved uid and gid will remain the owner's ones. And much more interesting stuff... :) FozZy On Fri, 19 Jul 2002 12:48:49 -0400 (EDT) wietseat_private (Wietse Venema) wrote: > FYI, > > The August USENIX Security conference has a good paper that examines > in depth the semantics of UID and GID setting calls for Solaris, > FreeBSD and Linux. The differences are quite remarkable. > > Wietse > > Setuid Demystified, by Hao Chen, David Wagner, UC Berkeley; Drew > Dean, SRI International > www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 12:09:53 PDT