List:       freebsd-arch
Subject:    Re: setegid bug
From:       Mike Meyer <mwm () mired ! org>
Date:       2007-06-07 21:35:39
Message-ID: 18024.31275.733694.236655 () bhuda ! mired ! org

In <20070607213650.c02130bf.stas@FreeBSD.org>, Stanislav Sedov <stas@FreeBSD.org> typed:
> Recently several FreeBSD samba users reported a scary problem with
> samba (http://bugzilla.samba.org/?id=3990). Further research in
> cooperation with Timur Bakeyev (timur) showed that we have a little
> problem with setegid implementation. In FreeBSD (and even in
> 4.4BSD-Lite2) egid of the process is merely groups[0], so calling
> seteuid function we simply override the first of supplementary groups.
> However, POSIX says that not rgid, not any of supplementary groups
> should not be rewritten in setegid call.
>
> Probably, some of old-school committers remembered the initial
> intention of making egid equal to groups[0]? Probably, I have missed
> something?

The old school in this case is UC Berkeley. I found this behavior in
4.1BSD. Since it lets you violate ass-backwards group security
settings (wherein you create a group "undesirables", and have files
owned by that group with group bits 0 to keep them out) by removing
yourself from that group, I reported it as a security bug to
CSRG. Mike's response was that the security model was the bug, not
this problem.

I suspect it was done that way in the initial implementation, and
nobody has ever felt that it should be fixed.

	<mike
-- 
Mike Meyer <mwm@mired.org>		http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
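
A regression check for the behaviour discussed in this thread, as an added example that is not part of the original message or of FreeBSD or Samba code: it snapshots the supplementary group list, calls setegid(), and reports whether any group disappeared. The function names and the MAX_GROUPS bound are assumptions of this example; a meaningful run needs a target gid the process may switch to that differs from its current egid (root, or the saved set-group-ID).

```c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_GROUPS 1024  /* assumed upper bound for this example */

/* Return 1 if every gid in before[] is still present in after[], else 0. */
int groups_preserved(const gid_t *before, int nb, const gid_t *after, int na)
{
    for (int i = 0; i < nb; i++) {
        int found = 0;
        for (int j = 0; j < na; j++)
            if (before[i] == after[j]) { found = 1; break; }
        if (!found)
            return 0;
    }
    return 1;
}

/*
 * Snapshot the group list, call setegid(target), snapshot again.
 * Returns 1 if no group was lost, 0 if one was overwritten, -1 on error.
 * Where egid is stored as groups[0], the old groups[0] vanishes from the
 * list after the call and this returns 0. POSIX leaves it to the
 * implementation whether getgroups() also reports the egid, so a 0 here
 * means "a group in the old list is gone", which is the symptom at issue.
 */
int setegid_keeps_groups(gid_t target)
{
    gid_t before[MAX_GROUPS], after[MAX_GROUPS];
    int nb = getgroups(MAX_GROUPS, before);
    if (nb < 0 || setegid(target) != 0)
        return -1;
    int na = getgroups(MAX_GROUPS, after);
    if (na < 0)
        return -1;
    return groups_preserved(before, nb, after, na);
}

int main(int argc, char **argv)
{
    /* With no argument the call is a no-op (target == current egid). */
    gid_t target = argc > 1 ? (gid_t)strtoul(argv[1], NULL, 10) : getegid();
    int r = setegid_keeps_groups(target);
    printf("setegid(%lu): %s\n", (unsigned long)target,
           r == 1 ? "supplementary groups preserved" :
           r == 0 ? "a supplementary group was lost" : "error");
    return r == 1 ? 0 : 1;
}
```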