In message <[EMAIL PROTECTED]>, Wietse Venema writes:
>It is interesting to see that old problems with set-uid commands
>keep coming back. Allow me to speed up the discussion a bit by
>enumerating a few other channels for attack on set-uid commands.
>
>A quick perusal of /usr/include/sys/proc.h r
It is interesting to see that old problems with set-uid commands
keep coming back. Allow me to speed up the discussion a bit by
enumerating a few other channels for attack on set-uid commands.
A quick perusal of /usr/include/sys/proc.h reveals a large number
of "inputs" that a child process may i
It's amazing that this has taken so long to resurface. This is an
ancient bug -- see, for example, Henry Spencer's suid man page from
1987
(http://groups.google.com/groups?q=checklist+security+setuid+-linux+group:alt.security&hl=en&scoring=r&selm=1991May14.101450.830%40convex.com&rnum=1
quotes
> Credits:Joost Pol <[EMAIL PROTECTED]>
Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)
This is a simple test, executing a setuid process with file descriptor 2
closed, and then opening a file and seeing what fd it gets.
Linux 2.2.16RedHat AXP
> Topic: insecure handling of stdio file descriptors
They didn't say so, but this work was obviously based on:
RCS file: /cvs/src/sys/kern/kern_exec.c,v
...
revision 1.20
date: 1998/07/02 08:53:04; author: deraadt; state: Exp; lines: +38 -1
for sugid procs ensure that fd 0-2 are allo