1. AIX setuid/setgid security hole
Bug: setuid/setgid do not properly limit authority.
Example:
A program running as root,
after successfully calling setgid(100) and setuid(100),
thus allegedly adopting guest/usr authority,
can still delete files from root/security owned directories.
Security impact:
User written programs which begin running as root,
(in my case, a /bin/login replacement),
and appear to safeguard the filesystem by becoming an unprivileged user,
may in fact still have the authority to do significant damage.
Bug status:
- I have begun the tortuous IBM support process. No feedback yet.
- I have heard that a related bug, and an associated workaround,
were posted to this list. Also that they were reported to IBM and CERT,
and ignored by both. ?
Demo:
Under AIX 3.2.1:
% more program.c
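#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main (int argc, char **argv) {
    /* Switch the group id, then the user id, to 100. */
    if( setgid( 100 ) <0) { perror("setgid failed"); exit(1); }
    if( setuid( 100 ) <0) { perror("setuid failed"); exit(1); }
    /* Run the command named on the command line under the new ids. */
    execv(argv[1],&(argv[1]));
    perror("execv failed");
    exit(1);
}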
% cc -o program program.c
% su
# mkdir foodir
# chown root foodir
# chgrp security foodir
# chmod 775 foodir
# touch foodir/foofile
# chown root foodir/foofile
# chgrp security foodir/foofile
# chmod 775 foodir/foofile
# /bin/ls -dl foodir
drwxrwxr-x 2 root security 512 Dec 17 13:14 foodir
# /bin/ls -l foodir/foofile
-rwxrwxr-x 1 root security 0 Dec 17 13:14 foodir/foofile
# ./program /bin/rm -f foodir/foofile
# /bin/ls -l foodir/foofile
foodir/foofile not found
Note:
If chmod 755 foodir, rather than 775, then permission is correctly denied.