setuid-root programs and pipes to other processes

Post by Michael D'Errico » Fri, 12 Aug 1994 12:05:53

A colleague of mine believes that there is a security risk if a
setuid-root process has a pipe open to another process that isn't
supposed to have root privileges.  He claims that there is a way
for the other process to somehow steal root privileges from the
other process.  Although I'm very skeptical about this, I have
little knowledge of the internals of the UNIX O/S, so I don't have
any idea if this is possible (I'm using Solaris 2.x and others).

The specific setup I have is a mail delivery program that runs
external programs like 'procmail' or 'filter'.  The mail delivery
program is a setuid-root process that does the following:

      seteuid (non-root);    // relinquish root at the start
      // parent pipes message to child who exec's the program

      pipe (p1);
      pipe (p2);
      fork ();

      child:  setup_environment ();
              close_unused_pipes ();
              dup_pipes_to_stdinout ();

              // only place where running as root
              seteuid    (root);
              initgroups (user, groupid);
              setgid     (groupid);
              setuid     (userid);

              exec ();
              _exit ();

      parent: close_unused_pipes ();
              pipe_message_to_child ();
              close_write_pipe ();
              read_from_child ();
              close_read_pipe ();
              waitpid ();

      // continue after delivery

Does this look like a sound design?  Are there any hidden security
problems related to what my colleague has told me?

Thanks for your help,

Michael D'Errico
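As an added example, not the poster's code, the fork/pipe/exec design above written out in C: the child wires the pipes to stdin/stdout, closes every other descriptor, drops privileges with each call checked and verifies it cannot regain root, and the parent feeds the message and collects the output. It assumes a `cat` on PATH standing in for procmail and runs as the current user, so no root is needed to try it.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
static int drop_privileges(uid_t uid, gid_t gid)
{   /* order: supplementary groups, then gid, then uid; every step checked */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1; /* stand-in for the post's initgroups() */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1; /* with euid 0 this sets real, effective and saved uid */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1; /* drop must be irreversible */
    return 0;
}
/* Pipe `in` to argv's stdin, collect its stdout into out; returns bytes read or -1. */
static ssize_t run_filter(char *const argv[], const char *in, size_t inlen,
                          char *out, size_t outcap, uid_t uid, gid_t gid)
{
    int to_child[2], from_child[2], status;
    if (pipe(to_child) != 0 || pipe(from_child) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                    /* child: stdio only, then exec */
        if (dup2(to_child[0], STDIN_FILENO) < 0 || dup2(from_child[1], STDOUT_FILENO) < 0) _exit(127);
        for (int fd = 3; fd < 1024; fd++) close(fd);   /* no stray descriptors leak to the program */
        if (drop_privileges(uid, gid) != 0) _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(to_child[0]); close(from_child[1]);          /* parent keeps only its own pipe ends */
    for (size_t off = 0; off < inlen; ) {
        ssize_t n = write(to_child[1], in + off, inlen - off);
        if (n <= 0) break;
        off += (size_t)n;
    }
    close(to_child[1]);                                /* EOF tells the filter the message is complete */
    ssize_t total = 0, got;
    while (total < (ssize_t)outcap && (got = read(from_child[0], out + total, outcap - total)) > 0)
        total += got;
    close(from_child[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return total;
}
static int cat_roundtrip(void)
{   /* constructed sample message round-tripped through cat as the current user */
    static const char msg[] = "Subject: test\n\nconstructed sample message\n";
    char *const argv[] = { "cat", NULL }; char out[128];
    ssize_t n = run_filter(argv, msg, sizeof msg - 1, out, sizeof out, getuid(), getgid());
    return (n == (ssize_t)(sizeof msg - 1) && memcmp(out, msg, (size_t)n) == 0) ? 0 : -1;
}
```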


1. Need help with setuid() problems on 386/ix with setuid root program.

I have a program that needs to be able to do the following under ISC 386/ix
(System V R3.2):

        setuid to one of about 3 different accounts ("Account X")
        do some work under that ID.
(*)     setuid back to the ID of the person that originally ran it.
        send some mail to Account X saying what was done.

The program needs to be able to change to one of the 3 or so different
accounts, so it's made setuid root. It doesn't actually want to do its
work under uid root, so it setuid's to whichever account it needs immediately.
[ It can't setuid to ANY account, only to one of the 3 or so ].

The problem is that when the program sends the mail to X, I want it to come
addressed from the person that ran the program, not from X.

According to the manual, you can setuid() to the saved-uid from exec();
but I can't get the setuid back to the person's ID to work. (*)

        Can anyone shed some insight on my problem?

/*  Greyham Stoney:                            Australia: (02) 428 6476  *
 *          "BUT THAT'S JUST A BUTTON ON A STRING, BASICLY!!!"           */
