
List:       bugtraq
Subject:    possible security bug if uid of nobody is 65535 or -1
From:       Ian Goldberg <iang () cs ! berkeley ! edu>
Date:       1996-08-27 21:11:31

I've seen the user "nobody" on some systems have a uid of -1 or 65535.
(Slackware Linux is such an example.) On most such systems, this will
have interesting interactions with syscalls like setreuid() and chown(),
for which an argument of -1 means "no change".

A program that is setuid root, but uses setreuid() to swap its real and
effective uids will thus remain root if run by the "nobody" user.
Also note that it is easy to run programs as nobody on systems on which
CGI scripts are available (the default is to run them as nobody).

   - Ian

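
The interaction described in the message, as an added example that is not part of the original post: a small model of setreuid()'s "-1 means no change" rule, followed by a swap that rejects sentinel uids and verifies its result. It assumes a 16-bit uid_t (so that 65535 equals (uid_t)-1); `model_setreuid`, `swap_ids`, `checked_swap` and `uid_collides` are hypothetical names, and the credentials are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t uid16_t;          /* assumption: 16-bit uid_t */
#define NO_CHANGE ((uid16_t)-1)    /* 0xFFFF, i.e. 65535 */

struct cred { uid16_t ruid, euid; };

/* Simplified model of setreuid(): permission checks are left out,
 * only the "-1 means no change" handling is reproduced. */
static struct cred model_setreuid(struct cred c, uid16_t ruid, uid16_t euid)
{
    if (ruid != NO_CHANGE) c.ruid = ruid;
    if (euid != NO_CHANGE) c.euid = euid;
    return c;
}

/* The swap idiom: setreuid(geteuid(), getuid()). */
static struct cred swap_ids(struct cred c)
{
    return model_setreuid(c, c.euid, c.ruid);
}

/* Defensive form: reject sentinel uids and verify the outcome.
 * Returns 0 if the ids were swapped, -1 if the swap cannot be trusted. */
static int checked_swap(struct cred *c)
{
    struct cred after = swap_ids(*c);
    if (c->ruid == NO_CHANGE || c->euid == NO_CHANGE)
        return -1;
    if (after.ruid != c->euid || after.euid != c->ruid)
        return -1;
    *c = after;
    return 0;
}

/* Audit helper: does a passwd uid field collide with the sentinel? */
static int uid_collides(long passwd_uid)
{
    return (uid16_t)passwd_uid == NO_CHANGE;
}

int main(void)
{
    struct cred user = { 1000, 0 }, nobody = { 65535, 0 };  /* constructed */
    struct cred r = swap_ids(nobody);
    printf("nobody after swap: ruid=%u euid=%u\n", (unsigned)r.ruid, (unsigned)r.euid);
    printf("checked_swap: user=%d nobody=%d\n", checked_swap(&user), checked_swap(&nobody));
    printf("collides: 65535=%d -1=%d 99=%d\n", uid_collides(65535), uid_collides(-1), uid_collides(99));
    return 0;
}
```

In a real setuid program the same verification is done by calling geteuid() and getuid() after the swap and aborting if they do not hold the expected values.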
