Simply call to setuid(getuid()) isn't sufficient, because if an attacker discovery buffer overflow, is possibly to he insert call to setuid in your shellcode, and gain root privilegies.
Pekka Savola wrote:
On Tue, 24 Feb 2004, Andrew Pimlott wrote:
This is complicated slightly by the setuid case, where need to drop the euid before opening any files. Pekka simply calls setuid(getuid()) (which permanently changes back to the running user) to achieve this. This means that we can not run droproot() in the setuid case. (Actually, Pekka's code tries to run droproot after having called setuid, fails, and exits. For example, I compiled tcpdump --with-user=nobody, chmoded it setuid root, and ran it as myself:
% ./tcpdump.setuid Couldn't change to 'nobody' uid=65534 gid=65534
)
Yep, setuid is possibly borked in a few corner cases -- I haven't tested it. I assume folks don't compile with --with-user when they want to enable setuid (pretty seldom, I guess). But with extra checking, this might be avoidable.
My threat analysis is that dropping root and chrooting when tcpdump is run as setuid is not worth the trouble. Switching to the getuid() is sufficient: you'll just hose the account you run tcpdump as, not root.
In my patch, I tried to handle this by only dropping euid before opening
files, so that we can later restore euid and do a full droproot(), which
is (arguably) better than just dropping back to ruid.
My argument against this is that even if you drop euid, if compromised, the attacker can restore the privileges, so you aren't adding much security, just more complexity. I'd either drop the privileges alltogether, or don't drop them at all.
-/* Drop root privileges */
+/* + * Drop privileges. Assumes we currently have euid 0.
+ * Parts cribbed from Wietse Venema's chrootuid.
+ */
IMHO, dropping root and chrooting should be two separate functions, as they serve two distinct purposes.
+ if (mkdtemp(chrootdir) == NULL) + error("couldn't create %s", chrootdir); + if (chdir(chrootdir) != 0) + error("couldn't chdir to %s", chrootdir); + if (rmdir(chrootdir) != 0) + error("couldn't remove %s", chrootdir); + if (chroot(".") != 0) + error("couldn't chroot");
you're rmdir'ing before chroot'ing ?
-- Rodrigo Rubira Branco Seguranc,a & Infra-Estrutura Firewalls Security Corporation [EMAIL PROTECTED] Tel: 55(14) 3234-5665 Cel: 55(14) 9795-1850 Site: http://www.firewalls.com.br
Informativo de Privacidade
As informac,o~es contidas neste "email" e nos arquivos anexados sa~o para o uso
exclusivo do destinata'rio aqui indicado, e podem conter segredos comerciais, de
propriedade intelectual ou outras informac,o~es confidenciais, protegidas pelas
leis aplica'veis. Caso na~o seja o destinata'rio correto, esteja notificado, pelo
presente, que qualquer revisa~o, leitura, co'pia e/ou divulgac,a~o do conteu'do
deste "email" sa~o estritamente proibidas e na~o autorizadas. Por favor,
apague o conteu'do do "email" e notifique o remetente imediatamente.
Obrigado pela cooperac,a~o.
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
