FreeBSD-SA-02:23.stdio Security Advisory
The FreeBSD Project
Topic: insecure
It is interesting to see that old problems with set-uid commands
keep coming back. Allow me to speed up the discussion a bit by
enumerating a few other channels for attack on set-uid commands.
A quick perusal of /usr/include/sys/proc.h reveals a large number
of inputs that a child process may
In message [EMAIL PROTECTED], Wietse Venema writes:
It is interesting to see that old problems with set-uid commands
keep coming back. Allow me to speed up the discussion a bit by
enumerating a few other channels for attack on set-uid commands.
A quick perusal of /usr/include/sys/proc.h reveals
It's amazing that this has taken so long to resurface. This is an
ancient bug -- see, for example, Henry Spencer's suid man page from
1987
(http://groups.google.com/groups?q=checklist+security+setuid+-linux+group:alt.securityhl=enscoring=rselm=1991May14.101450.830%40convex.comrnum=1
quotes
Topic: insecure handling of stdio file descriptors
They didn't say so, but this work was obviously based on:
RCS file: /cvs/src/sys/kern/kern_exec.c,v
...
revision 1.20
date: 1998/07/02 08:53:04; author: deraadt; state: Exp; lines: +38 -1
for sugid procs ensure that fd 0-2 are
Credits: Joost Pol [EMAIL PROTECTED]
Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)
This is a simple test, executing a setuid process with file descriptor 2
closed, and then opening a file and seeing what fd it gets.
Linux 2.2.16RedHat AXP
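
The test described in the last post (close descriptor 2, open a file, see which number comes back), shown next to a start-of-program check that keeps descriptors 0-2 occupied. This is an added example, not code from the thread or from any of the projects mentioned. The function names `sanitize_stdio` and `fd_after_closing_stderr` and the use of `/dev/null` are assumptions made here, and the test runs in a forked child so the caller's own stderr is left alone.

```c
/* Added example; function names are hypothetical, not from the thread. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point any closed descriptor in 0..2 at /dev/null so that a later
 * open() cannot be handed a stdio slot. Returns 0 on success. */
int sanitize_stdio(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                        /* descriptor is open */
        if (errno != EBADF)
            return -1;
        int nfd = open("/dev/null", O_RDWR); /* lowest free slot == fd */
        if (nfd < 0)
            return -1;
        if (nfd != fd) { close(nfd); return -1; }
    }
    return 0;
}

/* Fork a child that closes fd 2, optionally runs the check, then opens
 * a file. Returns the descriptor the child was given, or -1 on error. */
int fd_after_closing_stderr(int harden)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(2);
        if (harden && sanitize_stdio() != 0)
            _exit(255);
        int fd = open("/dev/null", O_WRONLY);
        _exit(fd < 0 || fd > 253 ? 254 : fd); /* fd travels in exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) >= 254 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("without check: open() returned fd %d\n", fd_after_closing_stderr(0));
    printf("with check:    open() returned fd %d\n", fd_after_closing_stderr(1));
    return 0;
}
```

Without the check the newly opened file lands in the stdio range (fd 2 when 0 and 1 are open), so anything the program later writes to stderr goes into that file; with the check the file gets a descriptor above 2.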