LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-24-2006, 08:35 PM   #1
emme0032
LQ Newbie
 
Registered: Jul 2006
Posts: 13

Rep: Reputation: 0
setuid failure


I've been trying to figure out how failed calls to setuid causes insecurities. So far all ive been able to find is.. If a program doesnt check the return status, there is no way to tell 100% that priveleges were dropped.

But what things will cause this failure? Ive heard if the process limit has been reached it will fail, but what other things too?(and is that correct)
 
Old 11-25-2006, 04:15 PM   #2
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
Its not optional, you must check return codes of system calls and handle errors if there are any.
The man page for setuid() lists two possible errno values and why they would happen.
Is there something other than what's listed in the man page that you are trying to find out?

Last edited by randyding; 11-25-2006 at 04:17 PM.
 
Old 11-26-2006, 10:17 PM   #3
emme0032
LQ Newbie
 
Registered: Jul 2006
Posts: 13

Original Poster
Rep: Reputation: 0
A good example of my confusion comes from reading:
http://www.cs.berkeley.edu/~daw/pape...d-usenix02.pdf

It states that on solaris 8 and the current linux of the time during writing.. A call to setuid(getuid()) will not fully drop privileges unless the program is running as root. If you are not running as root, the saved uid will remain the same after that call.. Allowing an attacker to restore privileges.

I tested it locally on an old solaris 8 machine. It doesnt seem to be true. setuid(getuid()) fully drops the privileges. So i dont see why such a big deal was made about it. Unless the kernels are very old.. But in that case the kernels are probably vulnerable to other direct exploits.
 
Old 11-26-2006, 11:03 PM   #4
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
It sounds like you understand it just fine, but I want to emphasize one important point just to be sure, that setuid(getuid()) does nothing when you run the program as root.

Edit: I should have been more clear, if you are logged in as root and run the program, or if you are starting the program from an init.d script, that's when it will do nothing. If the program's setuid flag is set then in will drop priv. only if its run by a non-root user.

Last edited by randyding; 11-26-2006 at 11:06 PM.
 
Old 11-27-2006, 08:51 AM   #5
emme0032
LQ Newbie
 
Registered: Jul 2006
Posts: 13

Original Poster
Rep: Reputation: 0
Yep, that makes sense.
So lets say im using a solaris 8 machine, that acts the way described by the paper above..
How would I successfully drop my priv if iwas a setuid NON-root user.

Since setuid(getuid()) will not drop my saved privileges.
 
Old 11-27-2006, 08:38 PM   #6
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
Heh, I should but didn't read the paper yet. Its 20 pages and when I get home from work I don't feel like reading that much.

On linux, the setuid(getuid()) will drop priv. in the situation you described.. I can't say for Solaris because I have not tried it. The solaris machines I have access to are older than solaris 8, possibly 6. There are other people around here that know the details of solaris much more than I.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
smbmnt setuid slackamp Slackware 3 10-03-2006 08:44 AM
setuid int0x80 Linux - Security 3 12-02-2005 01:33 PM
Perl Setuid linchat Fedora 3 02-26-2005 08:19 AM
setuid Help devinWhalen Linux - General 2 12-03-2003 09:57 AM
Setuid SirTurbo Linux - General 1 03-26-2003 06:57 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration