setuid-root programs and pipes to other processes

Post by Michael D'Errico » Fri, 12 Aug 1994 12:05:53

A colleague of mine believes that there is a security risk if a
setuid-root process has a pipe open to another process that isn't
supposed to have root privileges.  He claims that there is a way
for the other process to somehow steal root privileges from the
other process.  Although I'm very skeptical about this, I have
little knowledge of the internals of the UNIX O/S, so I don't have
any idea if this is possible (I'm using Solaris 2.x and others).

The specific setup I have is a mail delivery program that runs
external programs like 'procmail' or 'filter'.  The mail delivery
program is a setuid-root process that does the following:

      seteuid (non-root);    // relinquish root at the start
      .
      .
      .
      // parent pipes message to child who exec's the program

      pipe (p1);
      pipe (p2);
      fork ();

      child:  setup_environment ();
              close_unused_pipes ();
              dup_pipes_to_stdinout ();

              // only place where running as root
              seteuid    (root);
              initgroups (user, groupid);
              setgid     (groupid);
              setuid     (userid);

              exec ();
              _exit ();

      parent: close_unused_pipes ();
              pipe_message_to_child ();
              close_write_pipe ();
              read_from_child ();
              close_read_pipe ();
              waitpid ();

      // continue after delivery

Does this look like a sound design?  Are there any hidden security
problems related to what my colleague has told me?

Thanks for your help,

Michael D'Errico
Software.com
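
A C sketch of the parent/child design described above, added here as an example rather than taken from the post (the exit codes 126/127, the function names and the use of /bin/cat as a stand-in filter are assumptions): the child regains root only to call initgroups/setgid/setuid, checks that the drop is irreversible, then execs the filter, while the parent feeds the message down one pipe and reads the reply from the other.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Added example, not the poster's code: root is regained only in the child, dropped in the order
 * initgroups -> setgid -> setuid, and the filter is exec'd with just stdin/stdout attached. */
static void become_user_and_exec(const char *user, uid_t uid, gid_t gid,
                                 char *const argv[]) {
    int have_root = (seteuid(0) == 0);           /* fails unless we are setuid-root */
    if (have_root && initgroups(user, gid) != 0) _exit(126);
    if (!have_root && (uid != getuid() || gid != getgid())) _exit(126);
    if (setgid(gid) != 0 || setuid(uid) != 0) _exit(126); /* gid before uid */
    if (uid != 0 && setuid(0) == 0) _exit(126);  /* a correct drop is irreversible */
    execv(argv[0], argv);
    _exit(127);                                  /* exec failed */
}

/* Parent: pipe msg to the filter's stdin, collect its stdout; returns its exit status or -1. */
int run_filter(const char *user, uid_t uid, gid_t gid, char *const argv[],
               const char *msg, char *out, size_t outlen) {
    int p1[2], p2[2], status;                    /* p1: to child, p2: from child */
    if (pipe(p1) != 0 || pipe(p2) != 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        close(p1[1]); close(p2[0]);              /* drop the parent's ends */
        if (dup2(p1[0], 0) < 0 || dup2(p2[1], 1) < 0) _exit(126);
        close(p1[0]); close(p2[1]);              /* filter sees only stdin/stdout */
        become_user_and_exec(user, uid, gid, argv);
    }
    close(p1[0]); close(p2[1]);
    /* As in the post: send all, close, then read (one write suffices below pipe-buffer size). */
    if (write(p1[1], msg, strlen(msg)) < 0) { /* filter died early; waitpid reports it */ }
    close(p1[1]);
    size_t got = 0; ssize_t n;
    while (got + 1 < outlen && (n = read(p2[0], out + got, outlen - got - 1)) != 0) {
        if (n < 0) { if (errno == EINTR) continue; break; }
        got += (size_t)n;
    }
    out[got] = '\0'; close(p2[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: run /bin/cat as ourselves; the user name only matters when initgroups() runs as root. */
int demo(void) {
    char out[64], *const argv[] = {"/bin/cat", NULL};
    int rc = run_filter("root", getuid(), getgid(), argv, "hello\n", out, sizeof out);
    return rc == 0 && strcmp(out, "hello\n") == 0;   /* 1 when the message round-trips */
}
```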

1. Need help with setuid() problems on 386/ix with setuid root program.

I have a program that needs to be able to do the following under ISC 386/ix
(System V R3.2):

        setuid to one of about 3 different accounts ("Account X")
        do some work under that ID.
(*)     setuid back to the ID of the person that originally ran it.
        send some mail to Account X saying what was done.

The program needs to be able to change to one of the 3 or so different
accounts, so it's made setuid root. It doesn't actually want to do its
work under uid root, so it setuid's to whichever account it needs immediately.
[ It can't setuid to ANY account, only to one of the 3 or so ].

The problem is that when the program sends the mail to X, I want it to come
addressed from the person that ran the program, not from X.

According to the manual, you can setuid() to the saved-uid from exec();
but I can't get the setuid back to the person's ID to work. (*)

        Can anyone shed some insight on my problem?

                                        thanks
                                                Greyham.
--
/*  Greyham Stoney:                            Australia: (02) 428 6476  *
 *          "BUT THAT'S JUST A BUTTON ON A STRING, BASICLY!!!"           */
