SETUID/SETGID security

Post by Robert Howle » Sat, 28 Mar 1992 12:07:08



Hi folks,

This may be a FAQ, but I don't seem to have been able to find
a definitive answer:

1. What are the security problems involved in implementing

a) a setuid/setgid C program
b) a setuid/setgid shell script

2. How do you overcome these problems?
--


Unix System Administrator   Phone:    +61-7-834-2895
Department Of Transport     Fax:      +61-7-834-2911

1. AIX setuid/setgid security hole

Bug:  setuid/setgid do not properly limit authority.
Example:
   A program running as root,
   after successfully calling setgid(100) and setuid(100),
   thus allegedly adopting guest/usr authority,
   can still delete files from root/security owned directories.
Security impact:
   User-written programs which begin running as root,
   (in my case, a /bin/login replacement),
   and appear to safeguard the filesystem by becoming an unprivileged user,
   may in fact still have the authority to do significant damage.
Bug status:
  - I have begun the tortuous IBM support process.  No feedback yet.
  - I have heard that a related bug, and an associated workaround,
   were posted to this list.  Also that they were reported to IBM and CERT,
   and ignored by both.  ?

Demo:

Under AIX 3.2.1:
% more program.c
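#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
int main (int argc,char**argv) {
  /* Only the gid and uid are changed; nothing else is touched before the exec. */
  if( setgid( 100 ) <0) { perror("setgid failed"); exit(1); }
  if( setuid( 100 ) <0) { perror("setuid failed"); exit(1); }
  execv(argv[1],&(argv[1]));   /* run the command given on the command line */
  perror("execv failed");
  exit(1);
}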
% cc -o program program.c
% su
# mkdir          foodir
# chown root     foodir
# chgrp security foodir
# chmod 775      foodir
# touch          foodir/foofile
# chown root     foodir/foofile
# chgrp security foodir/foofile
# chmod 775      foodir/foofile
# /bin/ls -dl foodir
drwxrwxr-x   2 root     security     512 Dec 17 13:14 foodir
# /bin/ls -l  foodir/foofile
-rwxrwxr-x   1 root     security       0 Dec 17 13:14 foodir/foofile
# ./program /bin/rm -f foodir/foofile
# /bin/ls -l  foodir/foofile
foodir/foofile not found

Note:
 If chmod 755 foodir, rather than 775, then permission is correctly denied.
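
A hardened version of the demo program above, as an added example that is not part of the original post. It assumes the leftover access comes from root's supplementary group list, which setgid() and setuid() leave unchanged (the 775 versus 755 note is consistent with that); extra_groups() and drop_privileges() are names made up for this sketch.

```c
/* Added example (not from the original post): drop root to uid/gid and verify it. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in a group list other than `keep` (pure helper, testable without root). */
int extra_groups(const gid_t *list, int n, gid_t keep) {
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != keep) extra++;
    return extra;
}

/* Drop from root to uid/gid. Returns 0 only if the drop is complete and verified. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Order matters: groups first, while still root; setuid() last. */
    if (setgroups(1, &gid) < 0) return -1;  /* replace root's supplementary groups */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;

    /* Verify the result instead of trusting the return codes alone. */
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *list = calloc(n ? n : 1, sizeof *list);
    if (list == NULL) return -1;
    n = getgroups(n, list);
    int extra = (n < 0) ? -1 : extra_groups(list, n, gid);
    free(list);
    if (extra != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must not be recoverable */
    return 0;
}

/* Same usage as the post's demo: ./program /bin/rm -f foodir/foofile */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s command [args]\n", argv[0]); return 2; }
    if (drop_privileges(100, 100) < 0) {  /* 100/100 are the ids used in the post */
        fprintf(stderr, "privilege drop failed or incomplete\n");
        return 1;
    }
    execv(argv[1], &argv[1]);
    perror("execv failed");
    return 1;
}
```

Run as root against the foodir setup from the demo, the rm should be refused if the supplementary group list was the cause; if the file is still deleted, the cause lies elsewhere.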
